Secure Mail
Secure Mail is EUnifyer’s sealed-envelope email channel for confidential correspondence — built to meet the substantive requirements of NTA 7516, the Dutch standard for ad-hoc secure email used in healthcare, legal, and government work.
Unlike a normal email, the body and attachments are never sent over SMTP. The recipient gets a short notification email with a one-time link. Clicking the link opens the message in their browser, after they verify who they are.
When to Use It
Use Secure Mail when you need to send any of these to someone outside your organisation:
- Patient records, treatment plans, diagnoses
- Tax filings, payslips, client financial documents
- Legal correspondence with citizens
- Identity documents (passport, BSN, ID copies)
- Anything covered by the AVG/GDPR where SMTP plaintext is not appropriate
Use regular email for everything else — Secure Mail adds friction for the recipient (an extra click + identity verification), so save it for what genuinely warrants it.
How It Works (for the sender)
- From your mailbox, open Secure mail in the sidebar.
- Click New secure message.
- Enter recipient address(es), subject, and the message body.
- Choose how the recipient will prove their identity:
  - Password — you set a password and share it with them out of band (Signal, phone, in person). Strong recommendation: don’t email the password.
  - Email one-time code — we email them a 6-digit code at the moment they click the link. Lower friction for one-shot exchanges with someone you’ve never spoken to.
- Pick how long the link stays active — 1 day, 7 days, or 30 days.
- Add attachments (encrypted before they leave your browser session).
- Click Send securely.
The recipient gets a plain notification email saying “You have a secure message from [your name]. Click here to read it.” The notification contains no subject preview and no body content.
How It Works (for the recipient)
The recipient does not need an EUnifyer account or any software installed.
- They open the notification email and click the link.
- The portal page opens — branded with your organisation’s name so they can confirm the sender.
- They prove who they are:
  - Password method: they enter the password you shared out of band.
  - Email OTP method: they click Send code, we email a 6-digit code, they enter it.
- The message and attachments render in their browser. They can download attachments and reply — the reply travels back through the same sealed channel.
After 5 failed attempts, the recipient is locked out for 15 minutes.
After Sending
Open Secure mail to see your sent messages. Each row shows:
- Status — sent / delivered / opened / replied / expired / revoked
- How many recipients have opened it
- Expiry date
You can:
- Revoke a message — invalidates the link instantly, even before expiry. Use this if you sent to the wrong person or shared the wrong document.
- Delete a message — purges the encrypted body, attachments, and key from our servers (right-to-erasure / AVG). The audit log entry remains so the deletion itself is recorded.
Compliance Notes
- NTA 7516 — Secure Mail meets the substantive requirements (confidentiality, integrity, recipient authentication, audit, retention, usability). Formal NEN certification and CPA listing are on the roadmap and will be pursued when customer demand justifies the audit cost.
- GDPR / AVG — the delete action purges ciphertext and the encryption key; what’s left is metadata (sender, recipient address, timestamps) needed for the audit trail.
- Audit log — every send, notification, identity-verification attempt (success or failure), open, reply, revoke, and expiry is recorded with a tamper-evident hash chain. Administrators can export the log as NDJSON from the admin panel.
- Encryption — AES-256-GCM with a fresh key per message, wrapped by a per-organisation key. Passwords are hashed with argon2id.
- Hosting — encrypted content stays on the EUnifyer infrastructure (EU data residency by default for cloud customers; on-prem for self-hosted licensees).
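One way an administrator could check an exported NDJSON audit log for tampering, as an added example that is not EUnifyer's code. The page does not document the export format, so the field names (prev_hash, hash), the all-zero genesis value and the SHA-256-over-sorted-fields scheme are assumptions, and the sample events are constructed.

```javascript
const crypto = require('node:crypto');

const GENESIS = '0'.repeat(64); // assumed prev_hash of the very first entry

// Deterministic serialisation of a flat entry: keys sorted so key order cannot change the digest.
function canonical(obj) {
  return JSON.stringify(Object.keys(obj).sort().map((k) => [k, obj[k]]));
}

// Assumed scheme: hash = SHA-256 over every field except hash itself (prev_hash included).
function entryHash(entry) {
  const { hash, ...body } = entry;
  return crypto.createHash('sha256').update(canonical(body)).digest('hex');
}

// Stand-in for the real export: chains plain events into NDJSON text.
function buildLog(events) {
  let prev = GENESIS;
  return events.map((ev) => {
    const entry = { ...ev, prev_hash: prev };
    entry.hash = entryHash(entry);
    prev = entry.hash;
    return JSON.stringify(entry);
  }).join('\n');
}

// Walks the chain; reports the first line whose link or digest does not check out.
function verifyLog(ndjson) {
  let prev = GENESIS;
  const lines = ndjson.split('\n').filter((l) => l.trim() !== '');
  for (let i = 0; i < lines.length; i++) {
    let entry;
    try { entry = JSON.parse(lines[i]); } catch { return { ok: false, line: i + 1, reason: 'invalid JSON' }; }
    if (entry.prev_hash !== prev) return { ok: false, line: i + 1, reason: 'prev_hash mismatch' };
    if (entry.hash !== entryHash(entry)) return { ok: false, line: i + 1, reason: 'hash mismatch' };
    prev = entry.hash;
  }
  return { ok: true, count: lines.length };
}

// Constructed sample events using event types the page lists.
const SAMPLE_EVENTS = [
  { seq: 1, ts: '2024-01-01T09:00:00Z', event: 'send', message_id: 'msg-1' },
  { seq: 2, ts: '2024-01-01T09:05:00Z', event: 'verify_failed', message_id: 'msg-1' },
  { seq: 3, ts: '2024-01-01T09:06:00Z', event: 'open', message_id: 'msg-1' },
  { seq: 4, ts: '2024-01-02T10:00:00Z', event: 'revoke', message_id: 'msg-1' },
];
```

In this scheme an edited or deleted entry in the middle of the log breaks the chain, but removing the newest entries or rewriting the whole log with recomputed hashes does not; recording the latest hash outside the system covers both.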
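The fresh per-message key wrapped by a per-organisation key, as described in the Encryption note, shown as an added Node.js example that is not EUnifyer's implementation. The record layout, the use of the message id as associated data for both ciphertexts, and the 32-byte organisation key are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM encrypt: fresh 96-bit nonce per call, returns nonce, ciphertext and auth tag.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// AES-256-GCM decrypt: final() throws if ciphertext, tag or associated data were altered.
function open(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// One message: random 256-bit data key seals the body, the organisation key seals the data key.
function encryptMessage(orgKey, messageId, body) {
  const aad = Buffer.from(messageId); // assumption: bind both ciphertexts to this message
  const dataKey = crypto.randomBytes(32);
  const record = {
    messageId,
    body: seal(dataKey, Buffer.from(body), aad),
    wrappedKey: seal(orgKey, dataKey, aad),
  };
  dataKey.fill(0); // drop the plaintext data key once it has been wrapped
  return record;
}

// Unwrap the data key with the organisation key, then open the body.
function decryptMessage(orgKey, record) {
  const aad = Buffer.from(record.messageId);
  const dataKey = open(orgKey, record.wrappedKey, aad);
  return open(dataKey, record.body, aad).toString();
}
```

Because each body has its own key, deleting a record's wrapped key together with its ciphertext removes that one message without touching any other message under the same organisation key.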
Limits
| Item | Limit |
|---|---|
| Maximum attachment size | 50 MB per file |
| Link lifetime | 1 day / 7 days / 30 days |
| Recipient lockout | 5 failed attempts → 15 minute lockout |
| Identity verification methods | Password, email OTP (SMS OTP available on request) |
Frequently Asked Questions
For cross-cutting questions, see the main FAQ.
Does the recipient need an EUnifyer account? No. The portal is open to anyone with the link — they only need to pass the identity check you chose when sending.
Can I send to multiple recipients? Yes. Each recipient gets their own one-time link and their own identity check; their actions are tracked separately in the audit log.
Why don’t you use S/MIME or PGP? NTA 7516 explicitly does not require S/MIME or PGP. Both depend on key infrastructure that the average citizen doesn’t have. The sealed-envelope model works for anyone with an email address and a browser.
Can I edit a secure message after sending? No. You can revoke and resend, but the original cannot be edited.
What happens at expiry? A retention job runs every 10 minutes. Once a message passes its expiry, the encrypted body, attachments, and per-message key are deleted from our servers. The link returns a “no longer available” page. The audit log remains.
Is the recipient’s reply also encrypted? Yes — replies use the same sealed channel. They appear in the original sender’s Secure mail list as a follow-up message.
Is Secure Mail certified to NTA 7516? We are compatible with NTA 7516, meaning we meet the technical and procedural requirements. We have not yet pursued formal NEN audit and CPA listing — those are scheduled when customer procurements require them.
How do I enable Secure Mail on a self-hosted deployment? Set SECURE_MAIL_ENABLED=true and provide a SECURE_MAIL_MASTER_KEY (32+ random bytes) in your .env. See the deployment runbook for the master-key generation command and rotation procedure.