Email Encryption

Email Encryption

Don't take privacy for granted...

Avoid compliance issues and send confidential data with confidence. Get CipherPost Pro™ from AppRiver and experience true user-to-user encryption with just one click.


Email can travel a long way before it hits your inbox. With CipherPost Pro from AppRiver, you'll avoid prying eyes along the way. With one click, CipherPost Pro encrypts your message when it leaves your mailbox. Only the authorized recipient – with the proper password – can read the message.

Other services protect your message only from one server to another. Access to the server means access to your private information. CipherPost Pro email encryption gives you true mailbox-to-mailbox security, no matter where your email goes in between. That keeps your confidential information safe and helps your business remain compliant.

Features and benefits

  • Secure, fast and easy to use
  • Protects confidential information and helps ensure regulatory compliance
  • Provides delivery slip and registered mail options
  • Features centralized management and reporting
  • Enables large file attachment encryption and delivery
  • One-click encryption
  • Includes Outlook plug-in, Windows and Mac desktop agents, browser plug-ins
  • Full-featured functionality for mobile devices including iPhones, iPads, BlackBerry, Windows Phone, Android and more
  • Compatible with Office 365
  • Includes Phenomenal Care from our US-based team, 24 hours a day, every day

AppRiver's Phenomenal Sales advisors can provide information on which features are available with CipherPost Pro email encryption service. Contact for more information.

How does it work?

CipherPost Pro protects your messages even when a secure connection like TLS isn't available. If you do have TLS, AppRiver's CipherPost Products provide an additional layer of security with true mailbox-to-mailbox encryption.

CipherPost Pro Guides

Mobile device support

You need to access your secure messages no matter where you are, and CipherPost Pro has you covered.

CipherPost Pro allows you to send and receive encrypted email, track your sent messages, and open secure attachments from anywhere. Create, read and reply to secure messages on iOS, Android, Windows Phone 8 and BlackBerry platforms. All of the features of CipherPost Pro email encryption, including real-time tracking, large file transfers, compliance services and many others, are available on your mobile device.

Optimized to minimize device battery and bandwidth consumption, CipherPost Pro provides easy and secure access to your encrypted messages without the need to store confidential and sensitive data on your mobile device. That means losing your phone doesn't mean losing critical information. And administrators can quickly enable or disable access from the Secure Message Center (Webmail) so no one can use a lost or stolen device to access your account.

And here's another benefit: CipherPost Pro mobile apps are free to licensed users.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) places a number of requirements on the healthcare industry to assure that individuals’ health information is properly protected while allowing the swift flow of health information needed to provide ‘high quality’ health care.

As electronic health records (EHR) are becoming an industry standard for maintaining and transmitting health information, email emerges as the obvious choice for exchanging EHR quickly and efficiently among healthcare organizations. Such uses include:

  • Provider-to-Provider Communication: Healthcare providers often need to communicate with other providers efficiently and effectively, transferring patients’ medical histories, lab results, and the like to provide quality care to patients.
  • Requesting Health Consultation or Appointment: With patients’ busy schedules, and crowded waiting rooms, patients use email to request consultation and appointments before visiting a physician.
  • Submitting Health Claims to Plan Providers: Healthcare plan providers are accepting and responding to claims submissions via email to streamline and expedite the claims process.
  • Medical Billing and Invoicing: with email healthcare providers can streamline and reduce the cost of paper billing.

However, email has its weaknesses. Data can be leaked or lost through a variety of means from malware to phishing to user-error. In the case of healthcare organizations, this can mean the loss or unauthorized disclosure of patient medical files or other patient information exchanged via email.

As email is the choice means for exchanging patient information, HIPAA’s aim to secure patient data underscores the need for healthcare organizations to secure their email communications.

Who is affected?

HIPAA applies to all organizations that directly maintain and transmit personally identifiable health information, referred to by HIPAA as protected health information (PHI), or e-PHI in electronic form.

These include hospitals, physician and dental practices, health insurance brokers and carriers, laboratories, and pharmacies. Additionally, HIPAA applies to third party vendors and business partners that exchange data with organizations that directly maintain and transmit PHI in any form.

Non-compliance can be costly, or even crippling to your business. Under HIPAA, healthcare organizations that fail to secure PHI against loss or unauthorized disclosure face fines of up to $250,000 per incident while individuals responsible can face up to 10 years in prison for noncompliance.

In addition to harsh financial penalties and criminal proceedings, violators are required by the Department of Health and Human Services to report their compliance breaches to affected parties as well as the media if a breach affects 500 or more individuals.

Without question, the ensuing legal entanglements, reputation damage and financial cost of HIPAA violations threaten your business’s bottom line and may critically impact your organization’s ability to do future business.

HIPPA and your email

Two provisions under HIPAA directly impact healthcare organizations’ email policy and security: The Privacy Rule and the Security Rule. Together they identify what information is to be protected and provide a framework for safeguards organizations must put in place to ensure email compliance.

The Privacy rule defines what patient information is to be protected and places healthcare organizations responsible for the confidentiality of PHI in any form, including EHR. Under HIPAA, protected health information (PHI) is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual.

Consequently, the Security Rule mandates that affected organizations implement appropriate policies, technical and physical safeguards for information systems that maintain e-PHI, including email, to ensure the security and confidentiality of e-PHI against loss or unauthorized disclosure. Specifically HIPAA requires that affected organizations:

  • Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.
  • Identify and protect e-PHI against reasonably anticipated threats to the security or integrity of the information.
  • Protect e-PHI against reasonably anticipated, impermissible uses or disclosures.
  • Ensure compliance by their workforce.

Considering the prevalence of accessing, sending and receiving e-PHI via email, and the vulnerabilities of doing so, it is obvious that HIPAA’s call for safeguards extend to email security.

While the Safeguards Rule fails to explicitly detail the technologies and solutions organizations should implement to secure their messaging systems, it does outline a framework of technical controls. These include:

  • Access Controls. A covered entity must implement technical policies and procedures that allow only authorized persons to access e-PHI.
  • Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
  • Integrity Controls. A covered entity must implement policies and electronic measure to ensure that e-PHI tis not improperly altered or destroyed.
  • Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

CipherPost Pro can help

CipherPost Pro is a cloud solution for email encryption, secure file transfer and DLP that helps address HIPAA technical security safeguard standards, and lets you use your email just the way it is. In addition, CipherPost Pro:

  • Helps address HIPAA technical security safeguard standards for secure and confidential email transmission of ePHI.
  • Simplifies the complexity of secure electronic communications, integrating seamlessly with any email platform including MS Outlook, MS Office 365, Gmail and Zimbra (for both sender and recipients regardless of their network configuration).
  • Eliminates size limitations for secure file transfer, enabling transmission of medical scans (X-rays) and other large files.
  • Enables secure web forms for capturing information from directly your website such as doctor consultations via email, insurance claims.
  • Enables Secure e-Statements for secure and traceable invoicing for medical services.
  • Automates and securely delivers messages and file attachments decrypted to any email archive database or third party application through a secure API.
  • Enables anytime, anywhere secure communication and collaboration by allowing users to send, track and receive secure email and medical files on any mobile device including iPhone, iPad, Android and BlackBerry.

AppRiver believes that email security should complement your email, not complicate it. Our cloud-based solutions for secure file transfer and email encryption work seamlessly with any email to enable secure communication and collaboration anytime, anywhere.

Can I send a secure message to anybody?

Yes, if you are a CipherPost Pro subscriber. When you send a secure message outside of your organization each recipient will be able to login to the Secure Messaging center to read, reply, and in some cases create new messages to CipherPost Pro subscribers who have communicated with you before.


Can I attach files to secure messages?

Yes. File attachments are transferred via HTTPS through the use of your Secure Messaging Platform instead of across regular SMTP connections, unreliable FTP or unsecure third party websites, which are very limited in security, speed and size limit.

Using the Secure Messaging Platform to exchange file attachments is safer, allows for up to 5GB size file transfer, is trackable and auditable, and so it becomes easier to manage each file attachment, directly in the Secure Message Center's Attachment Library, or directly in MS Outlook.


Can I continue to use my existing Email Address?

Yes. CipherPost Pro allows you to continue using your existing email address, email address aliases, email client, and server infrastructure. You can even integrate CipherPost Pro seamlessly in Outlook using the Secure MS Outlook Toolbar. If you use a different email program, you have full access to all of your secure messages by using the Secure Message Center (Webmail).


Do all our email accounts need to be enabled to get started?

No, only the employees that need to communicate securely need to be enabled.


Will email be automatically encrypted if we send out secure information, or must we manually encrypt it?

Yes. With data-leak prevention (DLP) rules enabled, CipherPost Pro can automatically encrypt information like Social Security, credit card or account numbers.


If the recipient forwards an encrypted message, will it remain encrypted?

Yes. Once an email has been encrypted, the entire thread will continue to be encrypted.


Is there a limit to the number of encrypted emails I can send per month?



Is there a way to set it to encrypt all emails to certain recipients?

Currently, no.


Can you encrypt imbedded images in your emails?

No, images must be attached.


If I encounter an issue or have any feedback who should I contact?

You can reach our support team anytime at 866-223-4645 or you can create a ticket by submitting an email to



1. Definitions

"Customer" shall mean you or the entity you represent that is purchasing the Service and agreeing to the terms of this Agreement.

"Documentation" shall mean the published user guide for the Service.

"Downtime" is defined as any time during which the Service is unavailable from all AppRiver Email Encryption Service data centers, measured from the time of actual interruption of the Service, until the time such Service is restored.

"AppRiver" shall mean AppRiver, LLC.

"AppRiver Network" shall mean the network of data centers, data connections and equipment that AppRiver maintains to provide the Services.

"Service" shall be defined as CipherPost Pro, AppRiver's Email Encryption Service, including the Documentation, subscribed to by Customer consisting of Email Encryption technologies as more particularly described in the Documentation.

"Term" shall be defined as the initial subscription period purchased by Customer (as set forth in the ordering process) and any subsequent renewals of the subscription by Customer.

"User" shall be defined as an Internet user (an individual who has access to the Internet) on behalf of whom Services are being provided.

2. 30-Day Free Trial

AppRiver provides the first 30 days of CipherPost Pro Email Encryption Service free of charge to allow ample time for a thorough evaluation. During this period AppRiver will provide multiple opportunities to communicate your intent to continue the Service or cancel it. Without clear direction regarding your intent to continue the Service on or before the end of the trial period, your use of CipherPost Pro will automatically stop functioning at the end of the Trial period.

3. Subscription Options

During the Trial period, you will be given the opportunity to review and select one of the available subscription options. The subscription options are monthly, yearly, and biennially. The Service is billed at the start of each month for the following month if the monthly subscription option is selected. The Yearly and Biennial options are pay-in-advance Subscriptions which include prepayment discounts. Clients choosing either of these options will be contacted by AppRiver approximately 45 days prior to the end of the subscription period with the available options for continuing the Service.

4. Confirmation of Payment

You acknowledge and agree that after the Trial Period, the Service cannot be provided unless and until you have established an account, through the ordering process, and selected either the monthly, One-Year, or Biennial Subscription option. Further, you acknowledge and agree that if AppRiver does not receive payment for your account, as required, AppRiver may terminate your account without liability to you. Furthermore, your payment constitutes your consent to be bound by this Agreement.

5. Termination

Subscription Agreements are effective until terminated and can be cancelled at anytime and for any reason. Agreements will automatically expire if the Customer stops payment for the Service, or if Customer doesn't comply with this Agreement. If the cancellation request is for a One-Year or Biennial subscription, and is requested prior to the end of the active subscription period, AppRiver will refund the unused portion of the fees paid, net of the One-Year or Biennial Subscription period discount. AppRiver does not provide refunds for partial month's service. Requests for cancellation must be submitted via email to with the words: "Cancel CipherPost Pro Subscription" in the subject line of the email.

6. Right to use the Service

Subject to the terms of this Agreement and proper payment to AppRiver, AppRiver hereby grants Customer a non-exclusive, non-transferable right to use the Service solely for Customer's own internal business purposes for the Term and number of Users specified during the ordering process between Customer and AppRiver.

7. Restriction on Use

Customer may not: (1) copy, distribute, rent, lease, transfer or sublicense all or any portion of the Service to any third party; (2) modify or prepare derivative works of the Service; (3) use the Service in any commercial context or for any commercial purpose or in any commercial product including reselling the Service; (4) use the Service in any manner that threatens the integrity, performance or availability of the Service; or (5) reverse engineer, decompile, or disassemble the Service.

8. Ownership

Customer acknowledges that the Service is the exclusive property of AppRiver. AppRiver and its suppliers retain all rights, title and interest in and to all patents, copyrights, trade secrets, trademarks and other intellectual property rights in the Service and Customer shall not acquire hereunder any right, title, or interest in the Service, except the right to use it in accordance with this Agreement and the EULA available at the time of purchase.

9. Customer Obligations

During the Term of the Agreement, Customer shall have the following obligations, in addition to those set forth elsewhere in this Agreement:

  • Customer shall be solely responsible for its activities in using the Service including the activities of its employees and contractors.

  • Customer's use of the Service is subject to all applicable local, state, national and foreign laws and regulations. Customer agrees to comply with such laws and regulations.

10. Acceptable Use Policy

Customer shall ensure that its Users must not under any circumstances whatsoever commit, or attempt to commit, nor aid or abet any action that may threaten the Service, whether deliberate, negligently or innocently, which shall include but is not limited to (i) an attempt to crash the Service host or network, (ii)"denial of service" attacks, or "flooding" attacks against the Service host or network, (iii) any attempt to circumvent the user authentication or security of the Service host or network, (iv) the creation, transmission, storage, or publication of any kind of virus or corrupting program or corrupted data, or (v) any other action that may adversely affect the Service. AppRiver shall have the right to suspend or terminate the Service, and to take such defensive action as may at AppRiver's sole discretion be deemed necessary in the event of any attack upon the Service or network.

11. Modifications to Services

AppRiver reserves the right to modify the features and functionality of the Service with the objective of providing Customer with equal or enhanced services. These updates shall include a subsequent release or version of the Service containing functional enhancements, error corrections or fixes that is generally made available free of charge to AppRiver's customers that have contracted for the appropriate level of Service. Updates shall not include any release, option or future product which AppRiver licenses separately or which is not included as part of the Service.

12. Service Level Agreement and Remedy

AppRiver warrants that during the Term, the Service shall be operational at least 99.99% of the total hours during every month Customer uses the Services ("Availability Warranty"), meaning that the Downtime in such given month shall not be more than .01%. The Availability Warranty does not apply to Downtime which is attributable to (i) events of Force Majeure as described in Section 17 of this Agreement, (ii) acts or omissions by the Customer which are in contravention of this Agreement, or (iii) scheduled maintenance of the service by AppRiver.

If Customer believes that AppRiver has failed to meet its commitments under the Availability Warranty, Customer must contact AppRiver in writing within fifteen (15) business days of the month in which Customer believes the warranty obligations were not met. Failure to provide such notice will result in the forfeiture of Customer's right to receive a remedy for the Downtime. In the event that it is shown that AppRiver did not meet its warranty commitments, AppRiver's sole obligation to Customer will be to provide a credit to Customer against future Service fees in an amount equal to 5% of the Customer's monthly Service fee for each 30 minutes of Downtime in the calendar month in question, up to a maximum of the monthly or calculated monthly fee. The remedy set forth above shall be Customer's sole and exclusive remedy for a breach of the Availability Warranty.

13. Warranty Disclaimers

Except as otherwise provided in section 12, the service is being provided "as is" without warranty of any kind. AppRiver does not warrant that the service will meet customer's requirements or that the service will find and correctly categorize all urls or malware. AppRiver hereby disclaims all warranties, express, implied, or statutory, including, without limitation, all implied warranties of merchantability and fitness for a particular purpose, and any warranties as to non-infringement, related to the service supplied hereunder. Some states and countries do not allow the exclusion of implied warranties, so the above exclusion may not apply to customer. This warranty gives customer specific legal rights. Customer may have other rights which vary by state or country.

14. Limitation of Liability

AppRiver's and its suppliers entire liability under, for breach of, or arising out of this agreement, is limited to the payments actually made by the customer for the service during the one (1) month prior to the date of the event giving rise to any liability. Under no circumstances and under no legal theory, tort, contract, or otherwise, shall AppRiver or its suppliers be liable to customer or any other person for any indirect, special incidental, exemplary, punitive or consequential damages of any kind, including without limitation, lost profits, losses or expenses relating to interruption of business activities, loss of data or the costs of procuring substitute goods, whether or not AppRiver was advised in advance of the possibility of such loss or damage.

15. Customer's Indemnification

Customer agrees to indemnify and hold AppRiver harmless from any claims or demands against AppRiver relating to the Service that are attributable to the negligence of Customer, any misuse of the Service by Customer, any violation of AppRiver's acceptable use policy set forth in Section 10 of this Agreement, or the failure of Customer to fulfill its responsibilities under this Agreement. In the event of any such claim or demand, AppRiver agrees to promptly notify Customer of the claim or demand and allow Customer to control the defense or reasonably settle such claim or demand provided that AppRiver or its Service is not adversely affected by such control or settlement.

16. Export Controls

Customer agrees to comply with all applicable U.S. export control laws and regulations as from time to time amended, including without limitation, the laws and regulations administered by the United States Department of Commerce and the United States Department of State. Customer shall not export, import or transfer the Service contrary to U.S. or other applicable laws, whether directly or indirectly, and will not cause, approve or otherwise facilitate others such as agents or any third parties in doing so. Customer represents that neither the United States Department of Commerce nor any other federal agency has suspended, revoked or denied its export privileges. Customer agrees not to use or transfer the Service for end use relating to any nuclear, chemical or biological weapons, or missile technology unless authorized by the U.S. Government by regulation or specific license.

17. Force Majuere

Neither party will be liable to the other party for any alleged or actual loss or damages resulting from delays or failures in performance due to: acts of civil or military authority, governmental priorities, earthquake, fire, flood, epidemic, quarantine, energy crisis, strike, labor trouble, war, riot, terrorism, accident, shortage, delay in transportation, acts or omissions of Internet traffic carriers, or any other cause beyond the reasonable control of the party whose performance is so delayed.

18. General

The waiver by either party of any breach of any provision contained in this Agreement shall not be deemed to be a waiver of such provision on any subsequent breach of the same or any other provision contained in this Agreement. Any such waiver must be in writing in order to be effective, and no such waiver or waivers shall serve to establish a course of performance between the parties contradictory to the terms hereof. All provisions of this Agreement are severable, and the unenforceability or invalidity of any of the provisions will not affect the enforceability or validity of the remaining provisions. This Agreement is the complete and exclusive statement of the agreement between Customer and AppRiver concerning the subject matter covered hereby, this Agreement supersedes any prior proposal, agreement, or communication, oral or written, pertaining to the such subject matter and there are no inducements to enter into this Agreement which are not set forth herein. Customer may not assign this Agreement or any associated transactions without the written consent of AppRiver. In the event of breach by a party of its obligations hereunder, the non-breaching party may seek injunctive or other equitable relief in any court of competent jurisdiction, without necessity of posting bond. This Agreement shall be governed by the laws of the State of Florida, USA, and of the United States of America, excluding (i) their respective conflicts of law principles and (ii) the United Nations Convention on Contracts for the International Sale of Goods.

August 2015