How It Works

SendBond is an integrated solution combining software, encryption technologies, and services that protect the security of enterprise email communications

1- Key Generation and Authentication

The encryption process begins when a SendBond client authenticates with KDM. The client generates a new pair of PKI public and private 2048-bit keys:


  • The public key is sent to KDM through an SSL-secured connection and stored in KDM’s Azure SQL Encryption-at-Rest Database.
  • The private key is encrypted and securely stored on the client’s platform (iOS Keychain or Android Keystore), ensuring it is never shared with KDM

2. Email Encryption Process

When a SendBond client initiates email encryption, the following steps are executed.


  • Step 1: The sender’s client authenticates and requests an encryption password from KDM, providing necessary details such as user ID, client ID, email ID, and recipient’s email address.
  • Step 2: KDM validates the sender’s request using a SHA-256 Hash-based Message Authentication Code (HMAC), ensuring message integrity and authenticity.
  • Step 3: KDM generates an encryption password and.
    • Encrypts the password with the sender’s public key, sending it back within the SSL tunnel (encryption within encryption).
    • Encrypts the same password using each recipient’s clients’ public key and stores these in the database, enabling each recipient to have multiple clients (e.g., desktop, laptop, mobile)
  • Step 4: After decrypting the password, the sender’s client encrypts all message content and attachments into an AES-256 encrypted ZIP file, secured with the provided password.
  • Step 5: The SendBond Outlook client reconstructs the email message with a custom body, attaches the encrypted ZIP file, and sends it through the enterprise’s standard email channels.
  • Step 6: Mobile clients (iphone & Android) allow users to send the encrypted ZIP file via mobile email apps or share it through social media apps like WhatsApp, Viber, and Telegram.

3. Email Decryption Process

When an encrypted message reaches the recipient’s client, it initiates a secure SSL call to KDM to request the decryption password. The following steps ensure security and verify the recipient’s identity.


  • Step 7: KDM verifies the recipient’s request using HMAC, with additional options for two-factor and three-factor authentication:
    • SMS-based two-factor authentication.
    • Time-based one-time passcodes (e.g., Google Authenticator).
    • Hardware security tokens (e.g., YubiKey).
    • Biometric authentication (e.g., Apple FaceID or fingerprint recognition).
  • Step 8: Once authenticated, KDM provides the encryption password, encrypted with the recipient’s public key, through a secure SSL call
  • Step 9: The recipient’s client decrypts the password using its private key and unzips the email to restore it with all original content and attachments

Key Security Principles

Compatible with all types of emails and attachments, including large files—no need for additional file-sharing or cloud storage solutions.


  • Data Privacy: SendBond only exchanges encryption keys with KDM; the actual email content is never accessed by SendBond servers.
  • Double Encryption: All keys are doubly encrypted at KDM, both with user public keys and using Azure’s Encryption-at-Rest for added security.