Instead ofEmail

Share sensitive documents
without losing control.

1Bridge Vault lets Beneficial Owners & Controllers store sensitive identity, financial, and corporate documents once, then securely share controlled, watermarked access with the Regulated Firms that need to review them.

See how it works
  • Browser-side encryption
  • /Expiring access
  • /Recipient watermarking
  • /Logged and revocable
  • /Contract e-signing

Separate vaults (workspaces) for personal KYC, portfolio companies, and SPVs — one password.

Built onAES-256-GCMArgon2id KDFZero-knowledge

The Problem

Your most sensitive documents keep escaping your control.

Regulated Firms have a duty to request sensitive identity, ownership, and financial information during onboarding and diligence. Those requests are legitimate. They usually arrive by email, WhatsApp, or shared folders, and the copies end up in places you do not control.

Anyone under document review faces the same pattern: sensitive identity and financial records sent through channels never designed for controlled sharing.

01

Asked to resend

Your assistant needs to update a source-of-wealth declaration for the lawyers. Again. Third time this month. Same documents, different thread, no version control.

02

The email pile-up

A regional bank needs proof of address. Your accountant wants ID. Documents scatter across email threads, living forever in five different inboxes you do not control.

03

Unsigned, unverifiable contracts

NDAs and vendor agreements go through DocuSign or email PDFs. You trust the platform's audit log, not independent proof. The signed copy has no watermark, and no independent way to prove what was actually executed.

1Bridge Vault complements enterprise KYC platforms by handling the dozens of ad-hoc document requests that come through informal channels, the ones that do not justify a full compliance workflow.

Inside 1Bridge

Control throughout the document lifecycle

Prepare document access, track recipient copies, delegate operations, and sign contracts from one encrypted vault.

Secure share composer with two identity documents selected for a regulated firm and fixed access controls listed beside the form.
01Owner view

Prepare a controlled share

Choose the documents, recipient, purpose and expiry. Three-factor access, watermarking, audit logging and revocation apply to each share.

Explore controlled sharing
Fictional identity document carrying a recipient watermark beside an access timeline with the same reference and a revoke control.
02Recipient access

Trace each recipient copy

Every view receives a unique watermark reference. The same reference appears in the access record, so the owner can trace a copy and revoke future access.

See the recipient workflow
Delegate-prepared request awaiting owner approval beside the owner and delegate permission matrix.
03Delegated workflow

Let the team prepare the work

Delegates prepare requests and review audit metadata. The owner retains the keys and approves document access.

Read about delegation
Completed dual-signature contract with a confirmed attestation certificate and matching public Bitcoin verification result.
04Signing and verification

Verify the executed contract

A SHA-256 hash chain records each signing stage. Owner-finalized contracts receive an OpenTimestamps proof that anyone can verify against Bitcoin.

Explore contract signing

Trust Model

No one but you can read your documents

Most services ask you to trust the provider with your files. 1Bridge is built so that trust is not required: no one can read your documents without your approval.

The guarantee is enforced by cryptography rather than by a stated policy.

Your Documents

Encrypted in your browser before upload. We only store ciphertext.

Your Vault Password

Never transmitted. Key derivation happens entirely in your browser.

Encryption Keys

KEK, DEKs, and LSKs exist only in browser memory. Never persisted server-side.

Vendor Secrets

One-time codes sent directly to vendors. Never stored, never logged.

How trust is minimized

We cannot read your documents, delegates work only with metadata, and every vendor access is logged and watermarked. The only party that has to be trusted is you.

Read the technology model

Use Cases

Use cases where uncontrolled copies create real risk

Banking and account opening

Banks and PSPs request identity, address, source-of-funds, and ownership documents. They often arrive as email attachments instead of controlled access.

Legal and corporate services

Founders, directors, UBOs, and signatories send identity, authority, and company records through WhatsApp and shared folders.

Audit and accounting

Audit teams request sensitive personal, company, and financial records that scatter across inboxes and local downloads.

Property and mortgages

Property purchases require identity, bank statements, income, tax, and source-of-funds evidence forwarded in email chains.

Expat and residency

Residency, banking, and tax workflows require repeated sharing of passports, proof of address, and financial evidence.

Investor and founder diligence

Investors and founders provide ownership charts, source-of-wealth materials, and corporate records through ad hoc channels.

How We Compare

Sharing and Signing, Side by Side

1Bridge sits between informal channels and enterprise platforms. It gives you more control than plain file storage and more proof than standard e-sign.

Document Sharing

Ad-hoc KYC requests through email and WhatsApp vs structured sharing.

File Storage

Google Drive, Dropbox

Client-side encryption
Expiring links
Watermark on every access
Audit trail
Team delegation (no plaintext)
Three-factor vendor access

Best for

General file sharing

Password-Protected Links

WeTransfer

Client-side encryption
Expiring links
Watermark on every access
Audit trail
Team delegation (no plaintext)
Three-factor vendor access

Best for

One-time file transfers

1Bridge Vault

Client-side encryption
Expiring links
Watermark on every access
Audit trail
Team delegation (no plaintext)
Three-factor vendor access

Best for

Secure KYC sharing + signing

Enterprise KYC

Persona, Onfido

Client-side encryption
Expiring links
Watermark on every access
Audit trail
Team delegation (no plaintext)
Three-factor vendor access

Best for

Full compliance workflows

Contract Signing

Platform audit logs vs independent Bitcoin-anchored proof.

E-Sign Platforms

DocuSign, Dropbox Sign

Client-side encryption
Ciphertext-only storage
Watermark on executed PDF
Hash-chain integrity
Bitcoin attestation
Independent public verification

Best for

Standard business e-sign

Email + PDF Scan

Informal signing

Client-side encryption
Ciphertext-only storage
Watermark on executed PDF
Hash-chain integrity
Bitcoin attestation
Independent public verification

Best for

Quick informal agreements

1Bridge Vault

Client-side encryption
Ciphertext-only storage
Watermark on executed PDF
Hash-chain integrity
Bitcoin attestation
Independent public verification

Best for

Attested confidential contracts

Note on e-sign platforms: DocuSign and Dropbox Sign encrypt data in transit and at rest, but process readable documents on their servers to apply signatures. Their audit trails are platform-controlled. 1Bridge keeps ciphertext on the server and adds OpenTimestamps proof anyone can verify at /verify.

Under the Hood

What the vault is built on

The same four components underpin both sharing and signing.

Client-Side Vault Encryption

Argon2id key derivation, AES-256-GCM document encryption, ciphertext-only storage.

Watermarking & Verification

Visible and invisible watermarks on every view and download, with public verification.

Bitcoin Attestation

OpenTimestamps anchors the SHA-256 of executed contracts to the Bitcoin blockchain.

Delegation

Teammates run sharing and signing workflows without access to plaintext or keys.

FAQ

Frequently Asked Questions

Security and privacy questions answered honestly.

Yes. Create named vaults (workspaces) under one account. One password derives keys for all your vaults. Documents, team delegates, and audit trails stay isolated per vault.

1Bridge Vault is designed for Beneficial Owners & Controllers who personally handle document requests from Regulated Firms. You own the vault and control all access. Optionally, you can delegate to team members (like ops or legal) who can create share requests and manage workflows, but they never see your documents, encryption keys, or vendor secrets. Only you can approve shares and generate the cryptographic material needed for vendor access.

No. Delegates (team members) can create share requests and manage sharing workflows, but they never have access to your documents, encryption keys, or vendor secrets. They work with metadata only. Only you, as the vault owner, can approve share requests and generate the cryptographic material needed for vendor access.

There is no password recovery. Your vault password is never transmitted to our servers; it is used locally to derive your encryption keys. If you lose it, your documents cannot be recovered. This is a deliberate security choice: it means even we cannot access your documents under any circumstances. We recommend using a password manager.

Vendors must complete a three-step verification: (1) They receive a share link, (2) They verify their email address via a one-time passcode (OTP), and (3) They enter a one-time vendor secret that was sent directly to them. Only after all three factors are verified can they view documents.

Yes, and every download is tracked and watermarked with the vendor's details, timestamp, and a unique reference ID that appears in your audit log. Watermarks are single-use and can always be traced back to the vendor that first accessed the document. Images and PDFs both receive visible and invisible watermarks. Each watermark includes a verification link you can check at any time.

No watermarking system is foolproof. Determined users can screenshot documents or attempt to remove watermarks with image editing tools. However, watermarking creates a strong deterrent and provides accountability through the audit trail. Each watermark is unique and single-use, meaning if a document is shared without authorization (even via screenshot), it can always be traced back to the vendor that first accessed it. The audit log records every view and download with unique reference IDs, regardless of whether the watermark is later removed.

Yes. You can create signing requests for PDFs, place signature fields, and collect vendor signatures with recorded electronic consent. In dual-signing mode, the owner counter-signs after the vendor. The fully executed PDF is watermarked, hash-chained, and when the owner finalizes, anchored to Bitcoin via OpenTimestamps with a downloadable verification certificate.

When an owner counter-signs a contract (dual-signing mode), 1Bridge computes the SHA-256 hash of the final watermarked PDF and anchors it to the Bitcoin blockchain using OpenTimestamps. Anyone can verify the document independently at /verify without trusting 1Bridge. Vendor-only signing completes the contract but does not trigger blockchain attestation.

The vault supports identity documents (passport, national ID, driver's license), proof of address, source-of-funds and source-of-wealth materials, ownership evidence, company records, director and signatory documents, and PDF contracts for signing. These are the documents most commonly requested by Regulated Firms during onboarding, diligence, banking, legal, audit, and transaction workflows.

Yes. You or your delegates can revoke any share link instantly. Once revoked, the vendor's access stops immediately, even if they still have the link and vendor secret. Revocation is logged in your audit trail.

Documents are encrypted with AES-256-GCM. Encryption keys are derived from your vault password using Argon2id. Each document has its own random encryption key (DEK), wrapped with your master key (KEK). Share links use HKDF-SHA256 to derive wrapping keys from one-time vendor secrets.

No. 1Bridge is a controlled document-sharing layer, not a KYC, AML, DMS, CRM, or compliance system. It helps Beneficial Owners & Controllers share sensitive documents with your team more safely, complementing the systems you already use for onboarding and diligence.