Lattix Passport

Secure file sharing built on Zero Trust Data Format — send once, enforce forever.

Lattix Passport is the file-sharing product. A producer wraps a file once, applies a policy, and shares it. Every consumer — inside the organization or outside — unwraps the file under policy at the moment of access. Revoking a share is effective immediately, regardless of where the file has traveled.

How it compares to conventional file transfer

Conventional managed file transfer systems protect the connection — TLS between the sender and the MFT platform, TLS between the platform and the recipient. Once the file is on the recipient's machine, it is decrypted. Once the connection ends, the file is outside your control.

Passport protects the file. The connection is secured too, but the file remains wrapped throughout its lifecycle. On the recipient's machine, in their download folder, on a USB drive, or forwarded to a third party, it is still a ZTDF envelope that refuses to open without a current, valid policy decision.

What a sender does

  1. Upload the file in the Mesh Dashboard or via a Passport integration.
  2. Apply or confirm the classification tags. The tenant can require tags before allowing a share.
  3. Select or configure a policy — who can access, under what conditions, for how long.
  4. Generate a share link. The link references the envelope; it carries no keys.

What a recipient experiences

When a recipient opens the share, the Passport viewer authenticates them to the identity provider, obtains their attribute claims, and presents them to the Policy Decision Plane. On a positive decision:

  • For view-only access, the recipient sees the document through the Passport viewer with any configured obligations (watermarking, download disabled, time-bounded session).
  • For download access, the decrypted payload is streamed to the recipient's machine, and the local client re-wraps the file for continued protection (if the recipient is also a Lattix tenant) or provides a plain decrypted copy (if they are not).

Recipients outside the sender's organization can receive shares. They authenticate with their own identity provider (if they are a Lattix user) or through an email-verified flow for one-off access. The audit record captures them either way.

Policy controls a sender can apply

  • Recipient scope. Specific individuals, groups, or organizations.
  • Expiration. A share can expire on a fixed date, after a fixed duration, or after a fixed number of accesses.
  • Access mode. View-only or download, with optional watermarking on view.
  • Revocation. A share can be revoked at any time. Subsequent access attempts are denied and logged.
  • Geographic or network constraints. Access permitted only from specified regions or network zones.
  • Classification requirements. Access only for recipients with claims meeting the object's classification policy.

These controls compose with the tenant's baseline policy set. A share cannot grant more permission than the tenant's baseline policy allows — it can only narrow it.
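The composition rule above (the effective decision is the tenant baseline AND the share policy, so a share can only narrow), as an added illustrative model that is not Lattix's own code: the `Policy`, `Request`, `evaluate` and `decide` names, the numeric clearance rank and the in-memory access counter are assumptions, and a real decision point would evaluate the claims obtained from the identity provider against the tenant's full baseline set.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Request:               # claims the viewer presents at access time
    principal: str
    groups: set
    clearance: int           # rank of the recipient's classification claim (assumed)

@dataclass
class Policy:                # None means "no constraint on this dimension"
    recipients: Optional[set] = None   # principals and/or groups
    min_clearance: int = 0
    max_accesses: Optional[int] = None
    view_only: bool = False
    revoked: bool = False
    accesses: int = 0        # server-side counter behind "after N accesses"

def evaluate(p, req):
    """Check one policy against one request; returns (allowed, reason)."""
    if p.revoked:
        return False, "revoked"
    if p.recipients is not None and not ({req.principal} | req.groups) & p.recipients:
        return False, "recipient out of scope"
    if req.clearance < p.min_clearance:
        return False, "classification claim insufficient"
    if p.max_accesses is not None and p.accesses >= p.max_accesses:
        return False, "access count exhausted"
    return True, "ok"

def decide(baseline, share, req):
    """Baseline AND share: a share can only narrow; the stricter access mode wins."""
    for label, p in (("baseline", baseline), ("share", share)):
        ok, why = evaluate(p, req)
        if not ok:
            return False, f"{label}: {why}", None
    share.accesses += 1      # only successful accesses count toward the limit
    return True, "ok", "view" if baseline.view_only or share.view_only else "download"

def demo():
    base = Policy(min_clearance=2)                     # constructed tenant baseline
    alice = Request("alice@partner.example", {"partners"}, 1)
    bob = Request("bob@partner.example", {"partners"}, 3)
    widen = Policy(recipients={"partners"}, min_clearance=0)   # tries to widen
    narrow = Policy(recipients={"partners"}, max_accesses=1, view_only=True)
    r1 = decide(base, widen, alice)   # baseline still blocks the low-clearance user
    r2 = decide(base, narrow, bob)    # first access allowed, view-only
    r3 = decide(base, narrow, bob)    # second access: count exhausted
    narrow.revoked = True
    r4 = decide(base, narrow, bob)    # revocation denies the next attempt
    return r1, r2, r3, r4
```

Each denied result carries the reason a ledger record would need, with the layer (baseline or share) that produced it.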

Audit and oversight

Every Passport share produces ledger records at every stage:

  • Creation (with the originating principal, policy, classification, and recipients).
  • Each access attempt (allowed or denied, with the resolved principal and decision rationale).
  • Each revocation (with the acting principal).

The sender can see the full event stream for any share. The tenant administrator can query across all shares.

Relationship to concepts