Secure file sharing for healthcare professionals

A medical secretary emails an imaging report. A physiotherapist sends an assessment to a GP. A practice forwards a prescription to a patient. Each of these gestures carries health data, classified as sensitive data under Article 9 of the GDPR, whose processing is prohibited in principle except under specific conditions and subject to reinforced protection measures.

A consumer webmail attachment offers none of that. The file stays in the sender's and recipient's mailboxes, passes through servers whose location you do not know, and can be read by the messaging operator. Standard transfer platforms store your files for as long as they decide, often on infrastructure outside Europe, and read what you send. For a health document, that is a risk neither the patient nor the professional should carry.

Let us be precise, because the subject demands it. Pli Scellé secures the one-off, temporary transmission of a document. You upload a file, it is encrypted, a link is generated, the recipient retrieves it, then everything is purged. No copy is kept after expiry.

Pli Scellé is not an HDS-certified host and is not a health information system. HDS certification (Hébergement de Données de Santé, the French framework for health data hosting) governs the durable hosting of personal health data collected in the context of prevention, diagnosis or care. If your need is to store a patient record over time, run an electronic health record or archive medical data, you need an HDS-approved host. Pli Scellé does not cover that use case and does not claim to.

The regulation distinguishes hosting from the temporary copies made in the course of technical transmission activities, which fall under a different regime. Pli Scellé sits in this transmission logic: the encrypted file merely transits, for the time the recipient needs to retrieve it, then disappears.

In end-to-end mode, the file is encrypted in your browser with AES-256-GCM before being sent. The key never leaves your device: it travels in the link fragment, the part of the URL that the browser does not send to the server. As a result, Pli Scellé's server stores an encrypted block it cannot read. This is the so-called zero-knowledge architecture.

Concretely, even Pli Scellé has no access to the document's content. You send the link to your colleague through one channel, and ideally the password through another. Without the key, the file stays unreadable for anyone who would intercept it. Everything is hosted in France by SHPV FRANCE SAS, with no tracker on the sharing pages.

A radiologist sends a report and its imaging to the prescribing physician: they upload the files, set a 48-hour expiry, protect access with a password shared verbally, and send the link. The physician downloads it, the content is then purged.

A specialist practice exchanges a large record with a colleague for a second opinion: end-to-end encryption on, the server never sees the content, the link expires once the document has been retrieved.

A secretariat needs to receive documents from a patient ahead of a consultation: a receive link lets the patient send their files in encrypted form, with no account required. ClamAV antivirus scanning runs on received files when the mode allows it, to screen out an infected attachment before it reaches the practice's workstation.

You set the expiry between one hour and thirty days. At that point, or after the number of views you defined, the file is purged and the link leads nowhere. This ephemeral logic answers data minimization: a health document does not linger, it is transmitted then erased. The exact opposite of an attachment forgotten in a mailbox for years.