Cloak Files wraps files in end-to-end encryption and returns a signed audit receipt for every operation — encrypt, decrypt, share, or revoke. Built for accountants, lawyers, and consultants who handle PII and privileged documents.
{
"operation": "FILE_DECRYPT",
"actor": "alice@lawfirm.com",
"file_hash": "sha256:3f9e2a…",
"key_ref": "ck-matter-2024-089",
"policy": "privileged:read-only",
"timestamp": "2025-06-14T09:22:11Z",
"client_ip": "203.0.113.42",
"signature": "eyJhbGciOiJFUzI1NiJ9…",
"verify_url": "https://verify.cloakapps.com/r/abc123"
}
Your work involves confidential data by definition. Cloak makes protection automatic — not a manual step you have to remember.
Protect client PII, tax records, and financial statements. Share encrypted files with clients through any channel — email, cloud drive, USB. The receipt proves when the client opened the file and on which device.
Maintain privilege over client communications and evidence. Cloak Files ensures that privileged documents can only be opened by named recipients — and every access is logged to a tamper-proof receipt.
Deliver reports and strategy documents to clients without worrying about forwarding. Cloak Files lets you set a read-only or time-limited policy on any file, and revoke access when the engagement closes.
Encryption without changing your workflow. It fits around the tools you already use.
Right-click any file in Windows Explorer, Finder, or your mobile file picker. Or drag into the Cloak desktop app. Any file type — PDF, Excel, Word, image, archive.
Choose who can open the file (by email), what they can do (read-only, download, print), and for how long. Policies are enforced by Cloak's key server — not by the file itself.
The encrypted file is safe to send via email, Dropbox, USB, or any channel. Keys never travel with the file. Recipients need the Cloak app to open it.
Every encrypt, decrypt, share, and revoke operation returns a signed JSON receipt. Collect them for your audit trail. Verify any receipt at verify.cloakapps.com — no login needed.
Change your mind? Revoke access to a file from the console or via API. The recipient's Cloak app will deny the next open — even if they already have the encrypted file on their machine.
The console shows every file operation: who encrypted what, when each recipient opened it, and any access denials. Filter by client matter, date range, or file type.
No shared password to remember or lose. Keys are managed by Cloak's key server and tied to identity. Lose your device — not your files.
Every operation returns a receipt signed with Cloak's ECDSA private key. Verifiable offline. Present in a regulatory review or dispute without calling Cloak.
Revoke a file's decryption key from the console at any time. The next open attempt fails — on any device, anywhere. No need to retrieve the file.
Set an expiry date on any file policy. Access auto-revokes at midnight on the last day — no manual action required. Useful for draft deliverables and time-sensitive disclosures.
The console shows a full operation log per file, per user, and per client matter. Export as CSV or JSON for PDPA, GDPR, or internal audit.
Automate file protection in your existing workflows. Or wire it to an AI agent via MCP — protect files autonomously with human-authorized policies. No SDK lock-in.
Cloak Files exposes MCP tools that any MCP-compatible agent (Claude, Cursor, custom LLM apps) can call. Your agent encrypts a file, Cloak returns a receipt, and the agent attaches it to the workflow — all without a human clicking anything.
Policies are human-authorized upfront. The agent operates within the policy boundary and cannot escalate its own permissions. Every agent action appears in the same audit log as human actions.
protect_file — encrypt with policydecrypt_file — retrieve plaintextcreate_receipt — generate signed audit receiptverify_receipt — confirm receipt authenticityrevoke_access — remote revoke by key reference# Agent calls protect_file via MCP result = mcp.call_tool( "protect_file", { "file_path": "./client_financials.xlsx", "policy": { "recipients": ["alice@firm.com"], "permissions": "read-only", "expires_at": "2025-12-31" } } ) # Every call returns a signed receipt receipt = result["receipt"] # → { operation, actor, file_hash, # key_ref, timestamp, signature }
Encrypt and open protected files on Android and iOS. Desktop apps (Windows / macOS) are coming soon.
All apps are free to download. A paid account is required to encrypt files.
Add Cloak KMS to store your encryption keys in a dedicated HSM partition. Keys never leave hardware as plaintext — not even Cloak staff can extract them. Start with Cloak Files; upgrade to the HSM-Protected Workspace when compliance requires it.
Start free with 50 operations per month. Scale up when you're ready.
Free account. 50 file operations included. No credit card. Full API and MCP access from day one.
Create free account →Governed by the OMMAU Charter — humans authorize, agents execute, receipts prove it.