Lattix Passport
Policy-carrying data sharing for resilient operations. Share sensitive data across partners, environments, and disconnected workflows while preserving policy, revocation, and cryptographic proof.
Most secure file transfer tools protect the channel and abandon the data the moment it arrives. Lattix Passport inverts that model. The policy travels inside the file, enforcement is re-evaluated at the moment of access, and the sender retains the ability to revoke, expire, and audit after the data has left their environment.
A file leaves your environment exactly once, and from that point the controls have to live with the data rather than the perimeter it crossed. Passport wraps each file in Trusted Data Format (TDF) before it moves, binding classification, handling restrictions, expiration, and access constraints directly to the payload alongside its encryption. The package is encrypted end to end, so neither the network path nor the storage at rest exposes the content. Because the policy is embedded rather than referenced, the same enforcement applies whether the recipient opens the file inside a managed enclave or on an unmanaged endpoint.
WHAT TRAVELS WITH THE FILE
- Classification level and handling restrictions bound to the payload
- Access constraints: view-only, download-permitted, time-limited, or single-access
- End-to-end encryption keyed to policy, not to the transport
- Expiration and revocation hooks that remain enforceable after delivery
How a recipient proves who they are determines how much policy can be evaluated at the moment of access. Passport supports a graduated model: the strongest guarantees apply when both parties run Lattix, and a secure fallback covers recipients who do not. Stronger identity yields stronger enforcement, and the sender's baseline policy holds in every mode.
When both sender and recipient run Lattix, access stops being a question of possession and becomes a question of authorization. The recipient's identity is resolved through the Policy Decision Point, which evaluates their complete attribute profile against the policy embedded in the file. A package marked ITAR-controlled can confirm that the recipient holds the required export authorization before any decryption key is released. The Key Access Service never transmits keys directly; it releases them only after a real-time policy evaluation passes, which means a copied file without a passing evaluation is inert. The result is a decision that reflects the recipient's current standing at the moment they ask, not a static permission granted when the file was sent.
EVALUATED AT THE MOMENT OF ACCESS
- Role and clearance level checked against embedded policy
- Organization and tenant scope confirmed before release
- Device posture and location factored into the decision
- Decryption keys released by KAS only after the evaluation passes
Survivability depends on the ability to act on data after it has moved. Passport keeps the delivery window short, purges packages once that window closes, and preserves the sender's authority to cut access while a transfer is still in flight. These controls matter most during the moments when an organization is least able to chase down loose copies: an incident, a degraded link, a recipient relationship that ends abruptly.
Non-Persistent Storage
Packages are automatically purged from Lattix infrastructure after delivery or expiration. There is no persistent store to breach, no lingering access to clean up, and no residual copy waiting to resurface in a later audit.
Revocation Mid-Flight
A sender can revoke access while a transfer is still in progress. During incident containment this turns a one-way send into a recallable action, so a package issued before a compromise was understood does not have to remain reachable after it is.
Controlled Decrypt After Disruption
Recipients can still complete a controlled decrypt after a disruption, so a dropped connection or a degraded environment does not force a resend of sensitive material through a less governed channel.
Bounded Access Constraints
Time limits, single-access tokens, and view-only restrictions bound what a recipient can do and for how long. Access ends on the sender's terms rather than persisting by default once the file is opened.
Distributing one file to many recipients is where most secure-sharing tools collapse into a single shared link with a single set of rules. Passport treats each recipient as a distinct relationship. A single package can carry individualized access policies so that one recipient receives view-only access for a fixed window while another is permitted to download, and each recipient generates an independent audit trail. That separation is what makes a distribution defensible after the fact: you can answer who accessed the file, under which policy, and when, for each party individually, rather than reasoning about a crowd behind one credential.
PER-RECIPIENT, NOT PER-LINK
- Individualized access policy assigned to each recipient on one package
- Independent audit trail captured per recipient
- Revocation and expiration scoped to a single recipient without affecting others
- Recipient attributes govern access, so the same file resolves differently per party
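To make the access path concrete, here is an added Python model of the pattern described in the "evaluated at the moment of access" section and in the per-recipient list above. It is not Lattix's code and not the TDF format itself; it is a toy built to show the mechanics: the payload is encrypted once, each recipient's policy is cryptographically bound to the ciphertext, the key is escrowed with a Key Access Service that releases it only after a live attribute evaluation passes, revocation and single-access limits are scoped to one recipient, and every decision lands in a per-recipient audit trail. Assumptions, all constructed for the example: a stdlib-only SHA-256 counter keystream stands in for a real AEAD cipher; the KAS holds the DEK directly in memory (in TDF the DEK is wrapped to the KAS key); the policy fields `org`, `clearance_min`, `expires_at`, `max_accesses` and `mode`, the recipient names, and the attribute values are invented.

```python
import hashlib
import hmac
import json
import secrets


def keystream_xor(key, nonce, data):
    """Toy stream cipher (SHA-256 counter keystream) standing in for AES-GCM. Not for production use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)

def bind_policy(dek, ciphertext, policy):
    """Bind a recipient's policy to the payload: HMAC under the DEK over the payload hash and the canonical policy."""
    msg = hashlib.sha256(ciphertext).digest() + json.dumps(policy, sort_keys=True).encode()
    return hmac.new(dek, msg, hashlib.sha256).hexdigest()

def wrap_package(package_id, plaintext, policies, kas):
    """Sender side: encrypt once, attach one bound policy per recipient, escrow the DEK with the KAS."""
    dek, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    ciphertext = keystream_xor(dek, nonce, plaintext)
    kas.escrow(package_id, dek)
    recipients = {r: {"policy": p, "binding": bind_policy(dek, ciphertext, p)} for r, p in policies.items()}
    return {"id": package_id, "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "recipients": recipients}

def evaluate(policy, attrs, now):
    """Policy Decision Point: the recipient's current attributes against the policy embedded in the file."""
    if policy.get("expires_at") is not None and now > policy["expires_at"]:
        return False, "expired"
    if attrs.get("org") != policy.get("org"):
        return False, "org mismatch"
    if attrs.get("clearance", 0) < policy.get("clearance_min", 0):
        return False, "insufficient clearance"
    return True, "policy satisfied"

class KeyAccessService:
    """Releases an escrowed DEK only after the binding check and a live policy evaluation both pass."""
    def __init__(self):
        self._deks, self._revoked, self._uses, self.audit = {}, set(), {}, []
    def escrow(self, package_id, dek):
        self._deks[package_id] = dek
    def revoke(self, package_id, recipient):
        self._revoked.add((package_id, recipient))  # scoped to one recipient; others are unaffected
    def request_key(self, package, recipient, attrs, now):
        key, dek = (package["id"], recipient), self._deks.get(package["id"])
        entry = package["recipients"].get(recipient)
        if dek is None or entry is None:
            ok, reason = False, "unknown package or recipient"
        elif key in self._revoked:
            ok, reason = False, "revoked"
        elif not hmac.compare_digest(entry["binding"], bind_policy(dek, bytes.fromhex(package["ciphertext"]), entry["policy"])):
            ok, reason = False, "policy binding mismatch"  # embedded policy was altered after wrapping
        else:
            ok, reason = evaluate(entry["policy"], attrs, now)
            limit = entry["policy"].get("max_accesses")
            if ok and limit is not None and self._uses.get(key, 0) >= limit:
                ok, reason = False, "access count exhausted"
        if ok:
            self._uses[key] = self._uses.get(key, 0) + 1
        # Per-recipient audit trail: every decision is recorded, granted or denied.
        self.audit.append({"package": package["id"], "recipient": recipient, "granted": ok, "reason": reason, "at": now})
        return dek if ok else None

def open_package(package, recipient, attrs, kas, now):
    """Recipient side: a copied package stays inert until the KAS releases the DEK for this recipient."""
    dek = kas.request_key(package, recipient, attrs, now)
    return None if dek is None else keystream_xor(dek, bytes.fromhex(package["nonce"]), bytes.fromhex(package["ciphertext"]))

def demo():
    """Constructed scenario: one package, two recipients with individual policies, plus tamper and revocation checks."""
    kas, t0 = KeyAccessService(), 1_700_000_000.0
    alice, bob = "alice@partner.example", "bob@partner.example"
    pkg = wrap_package("pkg-1", b"export-controlled drawing", {
        alice: {"org": "partner", "clearance_min": 2, "mode": "view"},
        bob: {"org": "partner", "clearance_min": 1, "mode": "download", "expires_at": t0 + 3600, "max_accesses": 1},
    }, kas)
    tampered = json.loads(json.dumps(pkg))  # a copy whose embedded policy was edited after wrapping
    tampered["recipients"][alice]["policy"]["clearance_min"] = 0
    out = {
        "alice_ok": open_package(pkg, alice, {"org": "partner", "clearance": 3}, kas, t0),
        "alice_low": open_package(pkg, alice, {"org": "partner", "clearance": 1}, kas, t0),
        "tampered": open_package(tampered, alice, {"org": "partner", "clearance": 1}, kas, t0),
        "bob_late": open_package(pkg, bob, {"org": "partner", "clearance": 1}, kas, t0 + 7200),
    }
    kas.revoke("pkg-1", alice)  # mid-flight revocation of one recipient only
    out["alice_revoked"] = open_package(pkg, alice, {"org": "partner", "clearance": 3}, kas, t0)
    out["bob_first"] = open_package(pkg, bob, {"org": "partner", "clearance": 1}, kas, t0)
    out["bob_second"] = open_package(pkg, bob, {"org": "partner", "clearance": 1}, kas, t0)
    out["reasons"] = [e["reason"] for e in kas.audit]
    return out

if __name__ == "__main__":
    print(json.dumps({k: (v.decode() if isinstance(v, bytes) else v) for k, v in demo().items()}, indent=2))
```

Two design points carry over to any real deployment of this pattern. First, the binding check runs before the attribute evaluation: an edited policy is rejected on integrity grounds, so a recipient cannot lower their own `clearance_min` on a copy and then argue the attributes. Second, the audit list is the only place the "why" of a denial lives; the recipient sees `None` either way, which is what lets the sender answer "who, under which policy, when" per party after the fact.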
Every shared package carries a complete lineage from sender to recipient, which converts a transfer from an untracked event into evidence. When an investigation or a regulator asks what was shared, with whom, and under what policy, the answer is a record rather than a reconstruction. The capabilities below describe how that record is produced as a property of the transfer itself.
Policy-Wrapped Transfer
Files are wrapped in TDF with embedded access policies, classification, and encryption before leaving the sender's environment, so the governing rules are part of the artifact rather than a separate system of record.
One-Time Password Access
Recipients authenticate via OTP to access transferred files, with no account creation and no software installation, while access events are still logged against the sender's policy.
Non-Persistent Delivery
Files are automatically purged after delivery or expiration, leaving no persistent storage, no lingering access, and no residual copies to account for later.
One-to-Many Distribution
A single file reaches multiple recipients under individualized access policies and independent audit trails, giving each recipient a discrete, provable chain of custody.
Passport fits the transfers that fall outside email and unmanaged channels because of size, sensitivity, or the need for proof. The same policy-carrying model covers each of these without a separate tool or a separate set of rules per workflow.
Large File Transfer
Move files that exceed email limits without falling back to consumer file-sharing services that drop policy at the door.
Classified Document Delivery
Deliver classified material with classification and handling restrictions enforced at access, and full lineage retained for review.
Cross-Organization Data Exchange
Share across organizational boundaries where the recipient may or may not run Lattix, with policy preserved either way.
Regulatory Submission Transfers
Send regulatory submissions with a defensible record of who received what, under which policy, and when.
Contractor and Vendor File Sharing
Provision contractors and vendors with time-bound, revocable access that ends cleanly when an engagement closes.
One-Time Sensitive Data Delivery
Issue single-access deliveries for one-time sensitive material, with the package purged once the window closes.
Because policy and lineage travel with the data, compliance evidence is produced as a side effect of sending, not assembled afterward. Every transfer maps to the frameworks that govern regulated and controlled information.
See Passport Move a File Under Policy
Walk through a live transfer: wrap a file, set per-recipient policy, and revoke it mid-flight. We will show both the Lattix-to-Lattix ABAC path and the external OTP fallback.