Cross-Domain Solution · v3.2

Secure file transfer across trust boundaries.

Enterprise-grade cross-domain gateway with policy-driven authorization, AES-256-GCM encryption, and zero-trust architecture. Purpose-built for organizations where data sovereignty is non-negotiable.

  • Encryption: AES-256-GCM
  • Transport: TLS 1.3
  • Architecture: Zero-trust
  • Auth: SAML 2.0 · RBAC

Trusted by organizations in

  • Banking & Finance
  • Federal Government
  • Defence & Intelligence
  • Critical Infrastructure
  • Healthcare

Capabilities

Built for adversarial environments.

Every control below exists because a real customer, in a regulated industry, asked for it. Nothing is optional theatre.

01

Zero-Knowledge Encryption

AES-256-GCM with envelope encryption. Data Encryption Keys are never stored in plaintext. Bring your own KMS, or use our managed HSM with FIPS 140-2 Level 3 hardware.

  • AES-256-GCM
  • Envelope DEKs
  • BYO-KMS

02

Policy-Driven Download Authorization

Downloads aren't just "allowed." A multi-rule policy engine evaluates file integrity, AV verdict, drop status, expiry, and scanner health before every release.

  • Integrity check
  • AV verdict
  • Expiry · drop state

03

Mandatory AV Scanning

Every file scanned by ClamAV with signature freshness tracking. The system fails closed on scanner unavailability — no bypasses, no exceptions, no exception approvals.

  • ClamAV
  • Freshness check
  • Fail-closed

04

Immutable Audit Trail

Every action logged: uploads, downloads, scans, policy decisions, admin activity. Full chain of custody for compliance, incident response, and forensic reconstruction.

  • WORM log
  • Chain of custody
  • SIEM export

05

SAML SSO & RBAC

Enterprise IdP integration via SAML 2.0. Role-based access with Admin, Operator, and Auditor roles. No local passwords — the attack surface simply doesn't exist.

  • SAML 2.0
  • Three roles
  • No local auth

06

Customer-Simple, Enterprise-Secure

External senders upload via a single tokenized link. No accounts, no passwords, no friction. The management plane is fully hardened and isolated from the public surface.

  • Tokenized links
  • No sender accounts
  • Split planes
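
To illustrate the fail-closed release decision described under Policy-Driven Download Authorization and Mandatory AV Scanning, here is an added example; it is not Cryptic Gateway's code. The record fields, drop states, reason strings and the 24-hour signature freshness limit are assumptions made for the sketch.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MAX_SIG_AGE = timedelta(hours=24)  # assumed freshness limit, not from the page

@dataclass
class FileRecord:                  # hypothetical shape of a stored file record
    stored_sha256: str             # digest recorded when the file was uploaded
    av_verdict: Optional[str]      # "clean", "infected", or None if never scanned
    drop_state: str                # assumed states: "open", "closed", "revoked"
    expires_at: datetime

@dataclass
class ScannerStatus:               # hypothetical scanner health snapshot
    reachable: bool
    signatures_updated: Optional[datetime]

def authorize_download(rec: FileRecord, content: bytes,
                       scanner: ScannerStatus, now: datetime) -> Tuple[bool, List[str]]:
    """Evaluate every rule; release only if none fails (deny by default)."""
    reasons = []
    digest = hashlib.sha256(content).hexdigest()
    if not hmac.compare_digest(digest, rec.stored_sha256):
        reasons.append("integrity_mismatch")
    if rec.av_verdict != "clean":          # missing or unknown verdicts also deny
        reasons.append("av_not_clean")
    if rec.drop_state != "open":
        reasons.append("drop_not_open")
    if now >= rec.expires_at:
        reasons.append("expired")
    # Fail closed: a clean verdict is not trusted while the scanner is unhealthy.
    if not scanner.reachable:
        reasons.append("scanner_unavailable")
    if (scanner.signatures_updated is None
            or now - scanner.signatures_updated > MAX_SIG_AGE):
        reasons.append("signatures_stale")
    return (not reasons, reasons)
```

Collecting every failed rule, rather than returning on the first, gives the audit trail the full reason set for each denied release.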

Architecture

A single path. Every hop inspected.

Data moves through the gateway along one deterministic path — scanned, encrypted, policy-checked, and finally released to an authorized recipient. No side channels. No exceptions.

Defence in depth

01

Encryption, end to end

AES-256-GCM at rest with per-object DEKs. TLS 1.3 in transit with modern cipher suites only.

02

Cryptographic tokens

All access URLs use hashed, single-use tokens with bounded lifetime and recipient binding.

03

Network segmentation

Public upload surface is fully isolated from the management plane. No shared trust, no shared routes.

Compliance

Frameworks we operate against.

Cryptic Gateway deploys into environments with the most demanding regulatory and certification regimes in the world.

  • NIST 800-171
  • FedRAMP Ready
  • IRAP
  • CMMC 2.0
  • SOC 2 Type II
  • ISO 27001
  • GDPR
  • PCI DSS

Compliance posture varies by deployment configuration. Contact us for a mapping against your specific authority-to-operate requirements.

Pricing

Three tiers. Transparent terms.

Annual subscription with multi-year discounts. Sovereign deployments are quoted to scope.

Standard

For departmental deployments.

$48,000 / year

Billed annually

  • Up to 50 users
  • 1 gateway instance
  • 500 GB transfer / month
  • ClamAV scanning
  • SAML SSO
  • Email support
  • Standard SLA

Sovereign

For classified and high-assurance environments.

Custom pricing

Scoped to accreditation requirements.

  • Unlimited users & instances
  • Air-gapped deployment
  • BYO-KMS / HSM
  • Cross-domain guard integration
  • Dedicated support team
  • Compliance acceleration package
  • On-site installation

Contact

Ready to secure your cross-domain transfers?

Tell us where you're deploying. We'll schedule a technical walkthrough with a solutions architect.

Typically responds within 1 business day. Demos available under NDA.