Biometric File Delivery

Send the file.
Lock the door.
Open it with a face.

ProntoDeliver wraps every file in a biometric gate. The recipient passes a live ID check and liveness scan before the download key is ever generated — encrypted at rest, decrypted by identity.

KMS-encrypted at rest
Biometric attestation
Single-use download keys

The Problem

Email and links
aren't access control

Sensitive files are still being delivered like brochures. A forwarded link, a leaked password, a shared inbox — and the chain of custody is gone.

Links Are Bearer Tokens

A magic link, signed URL, or password-protected ZIP is a bearer token. Whoever holds it gets the file. Forwarded once, screenshotted once, intercepted once — and your sensitive document is in the wrong hands with no audit trail.

No Proof of Recipient

You can prove the link was clicked. You cannot prove the right human clicked it. For contracts, medical records, financial statements, or age-restricted content, that gap is the whole problem.

Compliance Risk Falls on You

GDPR Article 32, HIPAA, bar association rules, 18 U.S.C. § 2257 — every framework now expects more than a password. When the file is sensitive, the sender carries the burden of proving the right person received it.

How It Works

One upload.
One verified download.

Send a file, define who can open it, and let ProntoDeliver handle everything in between — from encryption to identity verification to the final decrypted byte.

1. Sender uploads the file
Your backend posts the file and delivery rules to create-delivery. ProntoDeliver generates a per-file encryption key via KMS, encrypts the payload, and stores the ciphertext in S3 with SSE-KMS.

2. Define the access rules
Specify what the recipient must prove: KYC pass, minimum age, nationality, name match, document type, or a combination. Rules live in prontoid-deliver-rules as data — no code changes to add a new constraint.

3. Share the claim link
The recipient receives a single-use claim URL on secure.prontoid.com. The link reveals the filename, size, and what verification is required — never the file contents.

4. Recipient verifies their identity
ProntoDeliver routes the recipient through the standard ProntoID flow — document capture, biometric liveness, AnalyzeID + MRZ. No raw document data touches your infrastructure.

5. Rules engine evaluates the attestation
Verification completes, the attestation is bound to the file via RecipientToken, and the rules engine confirms every condition. Fail = audit log + rejection. Pass = decryption key released.

6. File streams from the gate
The download Lambda decrypts the KMS data key and streams the file behind a 60-second, single-use signed URL. The same attestation cannot unlock a different file.

PHP · ProntoDeliver
// Assumes $client (the ProntoDeliver client) and $pdf (the file to send) are already set up.
// Lawyer sends an NDA to a verified client
$delivery = $client->createDelivery([
    'file'            => $pdf,
    'recipient_email' => 'jane@example.com',
    'recipient_name'  => 'Jane Carter',
    'rules'           => [
        'kyc_required'      => true,
        'liveness_required' => true,
        'name_match'        => true,
        'min_age'           => 18,
    ],
    'expires_in'      => 604800,  // 7 days
    'max_downloads'   => 1,
]);

// Share with the recipient out-of-band
$claimUrl = $delivery['claim_url'];
// → https://secure.prontoid.com/deliver/claim/…

// On successful verification + download:
// {
//     "file_id":          "7b3c4d1e-9af2…",
//     "recipient_token":  "ec5964ae-59bf…",
//     "attestation_hash": "b9f2a14c…",
//     "downloaded_at":    1747058400,
//     "status":           "delivered"
// }
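
The step 5 evaluation can be pictured as a table of checks keyed by rule name. This is an added example, not ProntoDeliver's code: the rule keys come from the createDelivery call above, while the attestation fields (kyc_passed, liveness_passed, legal_name, birth_date), the name normalisation and the fail-closed handling of unknown keys are assumptions.

```python
import unicodedata
from datetime import date

def norm(name):
    # Assumption: names match after removing accents, case and extra spaces.
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c))
    return " ".join(s.upper().split())

def age_on(birth_iso, today_iso):
    # Whole years completed on the evaluation date (birthday not yet reached = -1).
    b, t = date.fromisoformat(birth_iso), date.fromisoformat(today_iso)
    return t.year - b.year - ((t.month, t.day) < (b.month, b.day))

# Rules as data: rule key -> check(rule value, attestation, delivery, today).
CHECKS = {
    "kyc_required": lambda v, a, d, t: not v or a.get("kyc_passed") is True,
    "liveness_required": lambda v, a, d, t: not v or a.get("liveness_passed") is True,
    "name_match": lambda v, a, d, t: not v
        or norm(a.get("legal_name", "")) == norm(d["recipient_name"]),
    "min_age": lambda v, a, d, t: "birth_date" in a
        and age_on(a["birth_date"], t) >= v,
}

def evaluate(delivery, attestation, today_iso):
    """Return (key_released, failed_rules); unknown rule keys fail closed."""
    failed = []
    for key, value in delivery["rules"].items():
        check = CHECKS.get(key)
        if check is None or not check(value, attestation, delivery, today_iso):
            failed.append(key)  # the failure reasons are what the audit log records
    return (not failed, failed)

# Constructed sample data (hypothetical attestation shape, not a real delivery).
DELIVERY = {"recipient_name": "Jane Carter", "rules": {
    "kyc_required": True, "liveness_required": True,
    "name_match": True, "min_age": 18}}
JANE = {"kyc_passed": True, "liveness_passed": True,
        "legal_name": "JANE  CARTER", "birth_date": "1990-03-14"}
# Someone who received a forwarded link and passes KYC under their own name.
FORWARDED = dict(JANE, legal_name="John Smith")

if __name__ == "__main__":
    print(evaluate(DELIVERY, JANE, "2025-05-12"))
    print(evaluate(DELIVERY, FORWARDED, "2025-05-12"))
```

The evaluation date is passed in explicitly so the age boundary can be tested; a recipient one day short of the threshold fails min_age.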

Delivery Modes

Two ways
to lock a file

Every delivery is identity-gated. The difference is how tightly you bind the file to a specific person.

delivery_mode: identity_bound

Identity-Bound Delivery

Bind the file to a named recipient. The sender provides the recipient's legal name and optionally email; the rules engine confirms the verified ID matches before the decryption key is released. Forwarding the link to someone else doesn't work — their face doesn't open it.

  • Recipient name match against MRZ
  • Optional email match against invitation
  • Document type restriction (passport, EU ID, etc.)
  • Nationality whitelist
  • Minimum age threshold
  • Single-use or N-time download policy

delivery_mode: attribute_gated

Attribute-Gated Delivery

Anyone can claim the file — if they prove who they are and meet the attribute thresholds. Perfect for age-gated digital goods, age-restricted research data, or public bounty distributions where you don't know recipients up front but still need a real identity attestation.

  • Age verification (18+, 21+, custom)
  • Nationality whitelist or blocklist
  • KYC pass with liveness
  • Per-identity download limit
  • Total claim cap across all recipients
  • Per-claim audit log + attestation hash

Infrastructure

Built for files
that actually matter

Every component of ProntoDeliver is designed so that a compromised link, a stolen account, or a forwarded email is not enough to access the file.

Per-File KMS Data Keys

Each file is encrypted with its own KMS-generated data encryption key. The DEK is wrapped under your tenant master key and stored in DynamoDB — never in the URL, never in a cookie, never reusable across files.

Attestation Binding

The recipient’s verification session is bound to the FileID at completion. The same attestation cannot unlock a different file, and the download Lambda re-validates the binding on every request.

60-Second Signed URLs

When the gate opens, the download Lambda issues a single-use, 60-second pre-signed S3 URL. Even if it leaks, it’s dead by the time anyone else sees it — and the DownloadCount has already incremented.
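
One way to picture the binding check and the download counter described above, as an added example rather than ProntoDeliver's implementation: the hash layout, the in-memory table and the result strings are assumptions; only SHA-256, max_downloads, the download count and the revoked status come from the page.

```python
import hashlib
import hmac

def binding_hash(file_id, recipient_token, attestation_digest):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    h = hashlib.sha256()
    for part in (file_id, recipient_token, attestation_digest):
        raw = part.encode()
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.hexdigest()

class Gate:
    def __init__(self):
        # file_id -> record; stands in for the delivery table (hypothetical shape).
        self.files = {}

    def bind(self, file_id, recipient_token, attestation_digest, max_downloads=1):
        # Called once, when verification completes for this file.
        self.files[file_id] = {
            "attestation_hash": binding_hash(file_id, recipient_token, attestation_digest),
            "download_count": 0,
            "max_downloads": max_downloads,
            "status": "verified",
        }

    def authorize(self, file_id, recipient_token, attestation_digest):
        """Re-validate the binding on every request; count before releasing."""
        rec = self.files.get(file_id)
        if rec is None or rec["status"] == "revoked":
            return "rejected"
        presented = binding_hash(file_id, recipient_token, attestation_digest)
        if not hmac.compare_digest(presented, rec["attestation_hash"]):
            return "rejected"   # attestation belongs to another file or recipient
        if rec["download_count"] >= rec["max_downloads"]:
            return "exhausted"
        # In a shared store this must be a single atomic conditional update,
        # otherwise two concurrent requests can both pass the check above.
        rec["download_count"] += 1
        return "released"
```

Because the file identifier is part of the hashed input, an attestation recorded for one file does not match the record of any other file, and the counter is incremented before anything is released.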

Optional Recipient Watermarking

For PDFs and images, the recipient’s verified legal name and timestamp can be burned into the file at decryption time — a permanent, per-recipient watermark that survives screenshots, prints, and re-encoding.

Time-Boxed Expiry

Set expires_at per file. S3 lifecycle rules permanently delete the ciphertext on expiry — the file ceases to exist on disk, not just behind a closed link.

Full Audit Trail

Every claim attempt, verification result, rule evaluation, and download is written to prontoid-deliver-audit with timestamp, IP, user agent, and the SHA-256 attestation hash. Auditable end-to-end.

1 API Call
To create an identity-gated delivery
60 Seconds
Signed URL TTL on every download
AES-256
Per-file KMS data key encryption
SHA-256
Attestation hash bound to each file

Use Cases

Wherever the
recipient matters

Any document where “the right person got it” is more important than “the link was clicked”.

Legal & Professional

Deliver privileged documents, settlement drafts, and confidential briefs to verified clients. Bar association rules in many jurisdictions require identity confirmation for privileged material.

HR & Recruitment

Send offer letters, contracts, and onboarding documents to verified candidates. Eliminate the risk of leaked compensation data or accepted offers from imposters.

Medical & Insurance

Deliver test results, claim documents, and policy paperwork with HIPAA-aligned recipient verification. The patient or policyholder is who they say they are, every time.

Adult & Age-Restricted

Deliver downloadable digital goods only to recipients who have passed age verification + liveness. Built-in support for the UK Online Safety Act, EU age assurance, and US state laws.

Finance & M&A

Send financial statements, term sheets, and data room documents to identity-verified counterparties. Replace bespoke virtual data rooms for single-file delivery use cases.

Whistleblower Reverse Flow

Invert the model: the journalist publishes a claim link, sources verify their identity before submitting documents back. A verified channel for sensitive uploads, not just downloads.

Testimonials

Delivery you
can actually defend

"We used to send NDAs over email and pray. With ProntoDeliver, the recipient’s face is the key — we can prove who opened the document, when, and from where. It changed how our compliance team thinks about delivery."

Marcus Reinhardt
Managing Partner, M&A Advisory

"For age-gated content, ‘click here to confirm you are 18’ isn’t compliance — it’s theatre. ProntoDeliver bolted real biometric age assurance onto our delivery pipeline in a week."

Priya Anand
Head of Trust & Safety, Creator Platform

"The single-use 60-second signed URL was the convincer. Even if a sophisticated attacker intercepts the link, the file is already on disk for the verified recipient and the URL is dead."

Tomás Vidal
CISO, Healthcare SaaS

FAQ

Common
questions

Everything you need to know about ProntoDeliver. Can't find the answer? Contact us.

No. The file is encrypted in the upload Lambda with a per-file KMS data encryption key before being written to S3, which itself uses SSE-KMS as a second layer. The plaintext only exists in memory during the upload encryption step and again briefly in the download Lambda after the recipient passes verification. At rest, on disk, in backups, in logs — the file is always ciphertext.

The verification session is logged to prontoid-deliver-audit with the failure reason (document rejected, liveness failed, name mismatch, age below threshold, etc.). The decryption key is never released. The recipient can retry with a new verification session, but the failed attempt is permanently auditable.

It depends on the delivery mode. Identity-bound deliveries are tied to a specific name and refuse any other identity. Attribute-gated deliveries can be claimed by multiple people up to the max_recipients cap, each producing their own attestation record. Single-use mode locks the file to the first successful claimant.

Any file type up to 500 MB in the standard plan, with higher limits available for enterprise. PDFs and images additionally support optional recipient watermarking applied at decryption time. Encryption and decryption are streamed, so there’s no in-memory limit beyond the AWS Lambda max.

Brooks & Keitt Sàrl acts as data processor for the verification artefacts; the file sender remains controller for the file contents. Verification documents are retained per the standard ProntoID KYC policy and auto-deleted on schedule. File ciphertext is deleted on expires_at via S3 lifecycle rules — the file ceases to exist rather than merely becoming inaccessible.

Yes. The owner can call revoke-delivery at any time before the recipient has downloaded. This sets the file status to revoked and the next claim attempt is rejected at the rules-engine layer. Already-completed downloads cannot be unsent — once the bytes are on the recipient’s device, they’re out of our reach. Watermarking is the recommended deterrent for post-delivery leaks.

Related Services

Part of the ProntoID ecosystem

KYC Verification

The identity verification layer that powers ProntoDeliver. Document capture, biometric liveness, and age verification in a single API call.

ProntoVault

Cryptographic document delivery for certified ledger use cases. Where ProntoDeliver gates the recipient, ProntoVault anchors the document itself.

ProntoSigned

Identity-verified digital contracts for any document type — NDAs, service agreements, partnership deeds — with the same KYC anchor as ProntoDeliver.

Ready to send files
that can’t be forwarded?

ProntoDeliver is available to platforms on the ProntoID enterprise plan. Contact us to discuss your use case and onboard your first verified delivery.

Brooks & Keitt Sàrl  ·  Place du Midi 30, 1950 Sion, Switzerland  ·  Data Processor