Loading...
Loading...
Send a confidential message that only the recipient can read, then it is gone forever.
Confidential, in a corporate sense, is a classification rather than a feeling. A board resolution draft, a privileged memo from outside counsel, an unannounced earnings figure, a layoff list, the codename of an M&A target — each carries fiduciary or legal consequence the moment it leaves its intended distribution. The blast radius is rarely technical. It looks like a Reg FD selective-disclosure trigger, a privilege waiver under FRE 502, an inadvertent insider walking into the clean room, or a press headline ahead of the 8-K.
Default channels treat all of this as ordinary mail. Microsoft Purview journals every Outlook message into an immutable archive; Google Vault retains chats regardless of user delete; Smarsh, Global Relay, and Mimecast Sync & Recover ingest Slack, Teams, and Bloomberg traffic to satisfy SEC Rule 17a-4 and FINRA 3110. Once a draft talking point hits any of those vaults, eDiscovery platforms surface it on the next litigation sweep. One Reply-All to the wrong distribution breaks the embargo across hundreds of mailboxes.
PasteOnce is the channel for the narrow handoff that should not become a record — a verbal-equivalent transmission between two parties. The ciphertext sits in Redis for the chosen TTL, the recipient reads once, and nothing remains. It is not a substitute for required records, and should never carry information that belongs in iManage or your books-and-records system.
Client-side encrypted. We can't see your data.
Your data is encrypted in your browser before it leaves your device.
Messages are automatically deleted after being read once.
We never see your data. Only encrypted blobs pass through our servers.
Links work exactly once. Refresh the page and it's gone forever.
Your sensitive data is encrypted in your browser using AES-256-GCM. The encryption key is generated randomly and never sent to our servers.
Only the encrypted blob is stored in our database, with an automatic expiration time. We literally cannot read your data.
When your recipient opens the link, the encrypted data is fetched and immediately deleted from our servers using an atomic Redis GETDEL. The key in the URL hash decrypts the message in their browser.
Lead with the header your governance policy specifies — Restricted, Privileged & Confidential, Project [Codename] Eyes Only — and reference the relevant clean-team or NDA. That sets the legal posture and signals the reader not to redistribute.
When a substantive decision must be preserved, log it in Diligent Boards, Nasdaq Boardvantage, OnBoard, iManage Work, or NetDocuments — use PasteOnce only for the surrounding ephemeral discussion. Auditors and the audit committee still see what they need.
Refer to Project Falcon, not the target; to the Counterparty, not the bank. Even with a one-time link a screenshot can travel — codenames are the last line of defense if any fragment survives.
Pre-announcement embargoes run hours, not days. Pick one hour for earnings draft language and intra-day deal updates; reserve 24 hours for cross-timezone board cycles. Never default to seven days for embargoed material.
Investor Relations is finalizing prepared remarks the night before the call. The redline contains preliminary EPS and softened guidance that has not cleared the Disclosure Committee. PasteOnce delivers it to the CFO for one read; approved language commits via the official IR workflow afterward.
Outside counsel needs the deal lead to confirm a closing-condition tweak before the SPA mark goes back at midnight. The note rides under engagement-letter privilege, the deal lead reads once, and nothing journals into the firm Exchange archive.
After a session that excluded management, the chair walks the lead independent director through a CEO performance concern. The communication is intentionally outside the minutes, beyond the management distribution, and inappropriate for a board-portal upload.
Not for genuinely ephemeral, non-record communications. Spoliation arises when a litigation hold is in place and you destroy responsive material. If a hold is active under FRCP 37(e), your records policy must override convenience — route through your preserved channel instead.
A subpoena compels us to produce what we hold: encrypted ciphertext for the TTL window, or nothing once the recipient has read. We never receive the decryption key. The SEC, DOJ, or FINRA cannot recover plaintext from us — sender and recipient devices, plus pasted-onward copies, remain fair game.
No. Those rules require broker-dealers and registered firms to preserve business communications in non-rewriteable form for seven years. PasteOnce is the opposite by design. Use it only outside their scope; keep your Smarsh or Global Relay pipeline intact for everything in scope.
Privilege depends on confidentiality and the lawyer-client relationship, not the channel. A one-time link neither strengthens nor weakens privilege — but the absence of an archived copy means you cannot prove the substance later. Counsel typically keeps a parallel privileged record alongside the ephemeral transmission.