Secure file requests β encryption, access and retention
How to send a secure file request in 2026: skip the email attachment, use a tokenised portal link, encrypt at rest, restrict access by role, and define retention up front.
Why email attachments are not secure
Email attachments expose sensitive client data in mailboxes that may be shared with personal devices, indexed by third-party plugins or persisted forever in archives. They also lack an audit trail of who saw what.
Tokenised portal links
Instead, send a request via a tokenised portal link. The recipient does not need an account. The link can expire, can be revoked, and every action is logged.
Encryption in transit and at rest
All RequestLoops traffic is over TLS. Files are encrypted at rest. Access to backend storage is restricted to a small number of operators under audit.
Role-based access for your team
Set roles per team member. Members can be limited to specific requests or org-wide visibility. Owners and admins can rotate roles as the team changes.
Retention and deletion
Define retention up front. RequestLoops stores submissions as long as the request exists; deleting the request removes them within 30 days, with up to 90 days in encrypted backups. Document this in your data map.
FAQ
- Are tokenised links safe?
- Yes, when implemented correctly. RequestLoops uses long random tokens, ties them to specific recipients, and lets you revoke them at any time.
- How long are files retained?
- For the duration of the request. Deleting the request removes them within 30 days; encrypted backups can hold up to 90 days.
- Can I require ID verification on the portal?
- Recipients verify with the tokenised link. For higher assurance, pair RequestLoops with an external identity check tool β let us know what you use.
Run this workflow on RequestLoops
Try RequestLoops free for 7 days. From $11/month per organisation.