thesend.app

Back to Help

Secure Send

End-to-end encrypted transfers

thesend Secure is a separate paid add-on for medical, legal and other high-trust workflows. Your browser encrypts files with AES-256-GCM before upload. Our servers never see the plaintext, the PIN, or the original filename.

01

Zero-knowledge encryption

AES-256-GCM in the browser, PBKDF2-SHA-256 (300k) key derivation. The decryption key lives in the URL fragment (#…) and never touches our servers.

02

PIN on top of the link

A 6+ digit PIN is baked into the key derivation. The link alone is never enough. 5 wrong PINs → 15-minute lock.

03

Mandatory recipient verification

Each invited email must confirm ownership with a 6-digit one-time code (10-min validity, 5 attempts) before decryption metadata is released.

04

Per-transfer audit log

Every open, OTP request, PIN attempt and download is logged with hashed IP/UA. Export to CSV from /account/secure.

05

Sensible defaults

1–10 recipients per transfer, per-recipient download quota (default 3, max 10), expiry up to 30 days, 5 GB payload cap.