Introducing Secure Sharing (Beta): share certified assets without breaking encryption

Paul Reboh
April 30, 2026 12:00 · 6 min read

For years, our customers have asked us the same question in different words:

"How do I let my lawyer, my investor, or my auditor read this file — without giving up the protection I built around it?"

Today, we have a real answer. We're introducing Secure Sharing (Beta) — a new module that lets you share certified digital assets on a strict need-to-know basis, without ever breaking encryption.

Try Secure Sharing on bernstein.io →


The problem we're solving

Sharing is the weakest link in IP protection. You can encrypt your files, certify them on the blockchain, and build a clean audit trail — but the moment you actually share a file, by email, cloud storage, or messaging, you typically decrypt it, duplicate it, lose control over access, and lose visibility over who saw it. In other words, you undo the very protections you put in place.

Secure Sharing exists to fix exactly that.


What it does

Secure Sharing turns any certified asset in your Bernstein vault into a controlled access point. The file never leaves its encrypted state, the infrastructure doesn't change, and only the right to access is delegated.

Each share is time-bound, with configurable expiration dates, and can be revoked at any moment. Recipients are identity-verified through an email OTP, and every session is framed by mandatory terms-and-conditions acceptance, timestamped and recorded. From the first link click to the final download, every interaction becomes part of a complete, auditable trail.

No account is required for the recipient. No re-upload. No workaround.


Two modes, one invariant: we never see your data

Secure Sharing is built on Bernstein's zero-knowledge architecture, meaning encryption happens client-side and plaintext never touches our servers. Under the hood, a Data Encryption Key (DEK) protects the file content, and a fresh Key Encryption Key (KEK) wraps the DEK for transmission. All cryptographic operations run locally in the recipient's browser via the Web Crypto API, using AES-256-GCM.

This architecture supports two delivery modes, designed for different sensitivity levels.

Keycard (zero-knowledge by construction)

In Keycard mode, the decryption key is delivered out-of-band as a PDF document. It never transits through Bernstein servers, which makes it the natural choice for high-stakes or regulated contexts where maximum separation between data and access is required.

Direct Share (frictionless access)

In Direct Share mode, the decryption key is embedded in the URL fragment — the part of a URL that, by browser design, is never transmitted to the server. Recipients get one-click access from a single email link, with the same client-side decryption guarantees as Keycard. Different UX, same security model.
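The envelope scheme and the Direct Share delivery described above, as an added example that is not Bernstein's code: a DEK encrypts the content, a fresh KEK wraps the DEK, and the KEK travels only in the URL fragment. The function names, the `k` fragment parameter, the `share.example` host and the use of AES-GCM for the wrapping step are assumptions; the page names AES-256-GCM but does not give the wrap algorithm or the link format.

```javascript
// Added example (not Bernstein code): DEK/KEK envelope with AES-256-GCM.
// Web Crypto is a global in browsers and Node 20+; the fallback covers older Node.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const AES = { name: "AES-GCM", length: 256 };
const gcm = (iv) => ({ name: "AES-GCM", iv });
const newIv = () => wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per operation

const toB64u = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));

// Sender: encrypt under a DEK, wrap the DEK under a fresh KEK, put the KEK in the fragment.
async function createShare(plaintext, baseUrl) {
  const dek = await wc.subtle.generateKey(AES, true, ["encrypt", "decrypt"]);
  const kek = await wc.subtle.generateKey(AES, true, ["wrapKey", "unwrapKey"]);
  const fileIv = newIv(), wrapIv = newIv();
  const ciphertext = await wc.subtle.encrypt(gcm(fileIv), dek, plaintext);
  const wrappedDek = await wc.subtle.wrapKey("raw", dek, kek, gcm(wrapIv));
  const kekRaw = new Uint8Array(await wc.subtle.exportKey("raw", kek));
  // `stored` is all a server would hold: ciphertext, wrapped key, nonces. No usable key.
  const stored = { ciphertext, fileIv, wrappedDek, wrapIv };
  return { stored, link: `${baseUrl}#k=${toB64u(kekRaw)}` }; // "k" is a hypothetical name
}

// What an HTTP client sends on the request line: path and query, never the fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: read the KEK from the fragment, unwrap the DEK, decrypt locally.
async function openShare(stored, link) {
  const params = new URLSearchParams(new URL(link).hash.slice(1));
  const kek = await wc.subtle.importKey("raw", fromB64u(params.get("k")), "AES-GCM", false, ["unwrapKey"]);
  const dek = await wc.subtle.unwrapKey("raw", stored.wrappedDek, kek,
    gcm(stored.wrapIv), "AES-GCM", false, ["decrypt"]);
  return new Uint8Array(await wc.subtle.decrypt(gcm(stored.fileIv), dek, stored.ciphertext));
}

// Constructed demo input; share.example is a placeholder host.
async function demo() {
  const doc = new TextEncoder().encode("constructed sample: term sheet v3");
  const { stored, link } = await createShare(doc, "https://share.example/s/abc123");
  return { sent: requestTarget(link), text: new TextDecoder().decode(await openShare(stored, link)) };
}
```

The fragment stays off the request line, but the full link still carries the key wherever it is stored or forwarded (the email itself, browser history), so in this sketch anyone holding the complete link can unwrap the DEK. GCM authentication makes a modified ciphertext or a wrong KEK fail at `decrypt`/`unwrapKey` instead of yielding altered plaintext.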


Real-world use cases

Secure Sharing is not a theoretical feature — it's built for situations where disclosure must be controlled, provable, and reversible.

In litigation and legal evidence, counsel can review a specific certified version of a sealed document, with a signed acknowledgement of receipt. In due diligence, investors and auditors can be granted temporary, read-only access for the duration of a deal, with the access window closing automatically when the process ends. Client deliverables — final reports, drafts, designs, code — can be handed over with proof of integrity and proof of delivery in a single step.

The same logic applies to insurance claims, where adjusters need controlled disclosure with traceable interactions, and to confidential collaboration between co-authors, advisors, or partners who need to review early drafts without the file ever landing in an inbox or a cloud drive.


Why this matters (more than it seems)

Most tools solve storage. Some solve certification. Very few solve controlled disclosure — and yet, in practice, this is where risk actually materializes. Leaks happen at sharing time. Disputes happen after sharing. Legal exposure depends almost entirely on what you can prove about the act of sharing itself.

Secure Sharing bridges that gap:

From "I sent you something"
to "I can prove exactly what you accessed, when, and under which conditions."


This is a beta — and a foundation

Secure Sharing is available today as a beta. The core is production-grade — encryption, certification, access control, revocation, and audit trails are all in place — but a few capabilities are deliberately staged for the next releases. Multi-recipient sharing, bulk operations, and blockchain-anchored access logs are coming next. We're shipping the foundation first, and building the surface on top.


What this unlocks next

Secure Sharing is not just a feature. It's the first building block of a broader system, and the next pieces are already on the roadmap.

Secure Dataroom

The natural extension of point-to-point sharing is a structured environment for transactions, litigation, or audits — multiple assets, role-based permissions, structured navigation, and the same encryption guarantees applied at scale rather than to a single file.

Zero-Knowledge Dataroom

From there, we go one step further. The Zero-Knowledge Dataroom is what a virtual data room should have been from day one: a deal room with no server-side visibility, no master key, and no insider risk — a room where even the operator cannot read the data inside. Today's VDR market is worth billions, yet not a single mainstream provider is genuinely zero-knowledge. We intend to change that.

Tracking, Access & Notice

On top of every share, we are building a formal layer of evidence generation. Every interaction — who accessed what, when, and under which terms — becomes a verifiable, structured event, ready to be produced as evidence whenever it matters.

Trade Secret EONA

The end-game for unregistered IP. Trade secret law — in the US under the DTSA, in the EU under Directive 2016/943, and in most jurisdictions worldwide — protects only the secrets you can prove you actively kept secret. The legal test is "reasonable measures," and very few companies can produce, on demand, a defensible record of those measures.

EONA — Evidence of Notice & Acknowledgement — is the module we are designing precisely to close that gap. It combines certified existence (what), secure sharing (who), terms acceptance (under what conditions), and access tracking (when and how) into a single, court-ready evidentiary trail. A trade secret protected with EONA is not just a secret — it is a defensible one.


Try it today

Secure Sharing is now live in beta for all Bernstein users. We're actively looking for feedback — especially where things break, where friction appears, or where assumptions fail.

Open Secure Sharing →

Want early access to what's next? Secure Dataroom, Zero-Knowledge Dataroom, and EONA are rolling out progressively.

📩 [email protected]
