Layer 01
Local encryption before upload
The document is protected on the sender device before it is stored or shared. The delivery system handles encrypted material, not readable file contents.
Technical infrastructure
How identity-bound secure document delivery works
HermesLock is designed around a simple promise: only the intended recipient, on a trusted device, can open the confidential file. This page explains the sharing process without exposing private implementation details.
Start secure workspaceSharing process
A controlled path from sender to verified recipient
Inspired by the Stitch technical dashboards, this page presents the secure delivery process: protect the file locally, bind access to the recipient, adapt cryptographic profiles over time, and keep clear evidence for review.
Layer 02
Recipient-bound access
Access is prepared for the intended recipient and trusted device instead of relying on a reusable public link that anyone can forward.
Layer 03
Passkey recipient verification
WebAuthn proves the user and device before local decryption. Passkeys authenticate; separate device encryption keys protect document access.
Layer 04
Adaptive cryptographic profiles
Each protected object carries a versioned crypto profile so algorithms can evolve toward stronger post-quantum protection without changing the user workflow.
Request path
What happens when a confidential file is opened
A recipient link or QR code carries only an opaque token. HermesLock validates the share policy and the trusted device opens the encrypted file locally.
01 Validate token
Hash lookup without exposing raw tokens
QR and share tokens are stored as hashes and validated against expiration, revocation, and usage policy.
02 Verify identity
Passkey assertion with user verification
The recipient proves control of the trusted device before document key material is released for local unwrap.
03 Open locally
Decrypt in browser memory
The document is decrypted on the recipient device, while audit evidence is recorded for compliance review.
Implementation ready
Post-quantum ready without changing how recipients open files
HermesLock keeps the recipient flow simple while the protection model can rotate cryptographic profiles, expire access, revoke shares, and preserve audit evidence.