(If your Encyro account is part of an organization, see )
To enable or edit compliance settings, go to your account "Settings" and scroll down to "Compliance: HIPAA, GDPR...". Click that to open the compliance settings area, which will look like the picture below:
Enabling compliance turns on common compliance-related settings, such as requiring a strong password and requiring a password on your Encyro account (as opposed to signing in using Google or Facebook). These safeguards are in addition to all the data security safeguards that are already part of your Encyro account (including encryption) even when compliance is not enabled.
By default, compliance is not enabled. To change, first check the box "Enable Compliance." Then enter your password in the box labeled "Current Password" and click Submit.
- If your current password is not a strong password, you will be prompted to change it. Your new password must be a strong password, meaning that it must contain a mix of uppercase and lowercase letters, numbers, and symbols.
- If you currently do not have a password (for example, because you signed in with Google or Facebook), you will be asked to create a password for your Encyro account. While compliance is enabled, you cannot use your Google (Gmail) or Facebook account to log in to Encyro. This is because Encyro cannot check whether your Google or Facebook password is strong, and even if it is strong now, it may later be changed.
Once you enable compliance, your audit trails will also become available.
There are two optional settings available to you when you enable compliance. You may leave them at their defaults and you will meet compliance requirements. However, you can customize them if you so desire. These are discussed below.
When you enable compliance, automatic logout is also activated. This means that if you are logged in to Encyro but do not perform any activity on the Encyro website for 15 minutes (i.e., you are inactive for 15 minutes), then you will be automatically logged out. Automatic logout is required as part of most data security standards compliance.
However, if you only access your Encyro account on a limited number of devices and you are certain that each of those devices (your work computer, home computer, laptop, smartphone, any other computers you use at remote sites) is already set to lock its screen if left unattended for 15 minutes or less, then you can use that screen lock to satisfy your compliance requirement. In this case, you may disable automatic logout from your Encyro account.
You may wish to activate screen lock on your devices following these instructions:
- Windows: https://blog.encyro.com/how-to-force-windows-10-to-lock-itself-after-inactivity-for-all-users/
- Mac: First set the display to turn off after inactivity and then require password upon wake up.
- Mobile devices (iOS, Android): See https://blog.encyro.com/digital-safeguards-for-device-security/ and scroll down (or search for “iOS” and then “Android”); these instructions are under the section Device Encryption, which describes both screen lock and encryption together.
Message Access Without Password
You can optionally also check the box next to "Allow others to receive my messages with temporary access links" and then select a number of days after which the message access links expire. When this is enabled, your recipients can simply click a link in their email to read the secure message you sent them. These links do expire to keep data secure.
Should I allow message access without password: Data privacy standards require access control to protect data. One way to implement access control is to send a link that can only be accessed using the recipient's email account. And because the regular email messages are not encrypted and you do not want the message access link to be stored without encryption forever, the links expire after a few days. So using message access links without a password can meet compliance requirements.
However, the traditional method of meeting access control requirements is to require a password, even though that makes message access harder and may cause some users to simply give up on encrypted email and fall back to regular email.
So whether to allow such access or not is a subjective decision you must make. Our recommendation is this: If your contacts are themselves businesses (and subject to compliance), do not allow messages without a password (i.e., do require a password). They will make the extra effort to sign up for an account and benefit from password protection. However, if your recipients are consumers who may not be subject to compliance themselves, then do allow message access without passwords. Your recipients will continue to benefit from secure messages and the more security conscious among them will create a password.