PaperClip Incorporated

Email Encryption

3rd Party Auditing

Commodity Pricing

Sign Up Now!


Compliant Email Service

Email encryption is a reality today, so why not use the most compliant service that doesn’t require logins or passwords. eM4 B2B model requires no user training, in fact, they don’t even know they’re using it. B2C model does not require authentication and when you need to identify the receiver, using PaperClip’s Wallet Authentication is both friendly and provides that “Proof of Delivery”.

The eM4 Service exceeds user expectations on meeting compliance all while minimizing change and expense. Your users continue to send emails as they always have, the only noticeable difference is the reassuring message that their email was protected by eM4.

  • eM4 Service connects subscribers seamlessly into a "Many to Many" network, as a result member trading partners are secure and in compliance.
  • Emails are encrypted with 168 bit - Triple DES symmetrical keys before delivery to the targeted email server. The eM4 service does not store and forward emails.
  • Disinterested third party (D3P) auditing makes reporting available to all members and regulatory authorities as necessary.
  • Commodity price whereby any size organization can subscribe.
  • eM4 Relay quickly installs along side your Email Server (Microsoft Exchange, Domino, GroupWise, etc.).
  • eM4 Cloud connects your email client to secure eM4 email requiring no internal software to install.
  • Simple yet strict encoding rules ensure encryption and authentication for end to end email compliance. Three modes of operations for simple, complex and adhoc integration: Serial mode(all emails) with 6 rules, parallel mode(routed emails) with 3 rules or no rules with desktop control.
  • eM4 Relay in parallel mode integrates with third-party content filtering solutions, email policies engines and back end admin systems.
  • Eliminates the expense of acquiring third party encryption keys or the need to manage encryption keys at all.

Service Cost Examples

Advisers & Producers can subscribe for as low as $75 a year.

eM4 Proof of Delivery

Basic Rules for Voice Signatures

  • Voice Signatures are accepted today as a form of electronic signature under ESIGN and UETA laws.
  • Documents being signed in this event must be delivered in paper or electronic form.
  • Signer of the documents must be authenticated and have access to the documents at the time of voice signing.
  • Signed Documents must be auditable and tamper-proof.


  • eM4 Proof of Delivery provides the means where document providers can send a secure email with attachments to a signer for their review.
  • Signer clicks on the link provided and authenticates by answering a combination of simple questions of shared personal information (last four of SSN, Birth Date, etc.).
  • Signer opens attachments and follows the email instructions to start the voice signing event.

In Addition

  • Signer has the opportunity to "Reply To" the same email and securely return any documents and/or comments requested.
  • eM4 service can archive Proof of Delivery documents to PaperClip's VCF4Compliance meeting the rules and regulations of FINRA and SEC.
  • Disinterested Third Party (D3P) auditing makes reporting available to all members and regulatory authorities as necessary.
  • Commodity priced whereby any size organization can subscribe.

Frequently Asked Questions

Does PaperClip consider the eM4 Service compliant with Federal and State laws?

PaperClip meets the Federal and State regulations and rules. Unique architecture allows for no user logins or password while remaining compliant under current laws. Recipient Validation (RV) is the preferred method of authentication by Subscribers ensuring the person accessing the email is the correct person and still not require logins or passwords. RV method is designed to address the notice being hijacked and illegally used to view emails on the PaperClip Webmail servers.

In addition, PaperClip’s “Proof of Delivery” feature offers the non-reputation needed for delivery confirmations (e.g. Voice Signatures, Disclosures, sensitive information) through friendly “Wallet Security” (e.g. last four digits of your SSN). PaperClip’s Disinterested Third Party (D3P) level of email auditing enables archived access reporting meeting many new rules of 6 years preserved on who had access to HIPAA, GLB and CFPB rules.

Do all my Emails go out encrypted?

Yes or when the User selects encryption. Subscribers can configure their compliance level at any time. Subscribers can deploy the Server Edition or the Cloud Client with the standard five encryption rules, or Serial Mode. In Serial Mode all Email traffic passes through the Relay and only those Emails subject to the rules are encrypted.

Subscribers can deploy the Server Edition or the Cloud Client with absolute encryption enabled, or Parallel Mode. In Parallel Mode all Email traffic received by the Relay is encrypted. Parallel Mode usually deploys controlled by an email content filtering (scrubber) or routing system.

Subscribers can deploy the Server Edition or the Cloud Client with absolute encryption disabled. All Emails will pass through the Relay unchanged. Encryption only happens when the Outlook AddIn Forces Encryption or the Encrypt Flag ( This email address is being protected from spambots. You need JavaScript enabled to view it. ) is one of the addresses.

What are the eM4 encryption rules?
  1. If an Email recipient's Email address or address domain is in the list of Subscribers, the Email is encrypted.
  2. If one or more Email recipients' Email addresses or address domains are in the Subscriber list, the Email is encrypted to all addresses.
  3. If the wild card Email address ( This email address is being protected from spambots. You need JavaScript enabled to view it. ) appears in the address, the Email is encrypted to all addresses.
  4. If the wild card Email address ( This email address is being protected from spambots. You need JavaScript enabled to view it. ) appears in the address, the Email is passed through, not encrypted to any addresses.
  5. If recipients on the Email are not eM4Service Subscribers or not sponsored eM4Lite Subscribers, the Email is not encrypted.
What are the eM4 decryption rules?
  1. All incoming encrypted Email is decoded and passed on to the Server or Client.
  2. All eM4 Relay encoded Emails will be tagged indicating so.
Is there an Outlook AddIn to help the user?
Yes. Users can install an Outlook AddIn presenting a bottom placed ribbon indicating the encryption status and the ability to change the same.
Can users with third party hosting or various public ISPs providers use eM4?
Yes. Subscribers can securely route their email to the Relay SaaS model or install the Cloud Client. The Cloud Client installs as a new email account and using POP3, IMAP and SMTP to connect to their eM4 mailbox, securely exchanging emails to other Subscribers and Non-Subscribers.
Do emails pass through PaperClip's Central Office?
No. Emails are encrypted by your internal eM4 Relay and handed off to your Email gateway for normal delivery. In the eM4 Relay SaaS model, eM4 delivers your emails. Emails for Non-Subscribers are sent to PaperClip's eM4 Webmail.
Are Emails sent to eM4 Webmail secured?
Yes. Emails are encrypted in transit and stored on the PaperClip server encrypted at rest then purged 30 days later. Subscribers can contract and extend their Non-Subscriber webmail storage in 30 day increments.
Can we leverage our existing mail infrastructure to write business rules which would redirect mail going to specific domains, over to Em4?
Yes. In a parallel implementation of the eM4 Relay, you can use your email server to identify and route emails by domain or address through the eM4 relay.
The header info includes an eM4 tag for encrypted emails. Is this tag removed when the email is decrypted on the relay server?
No. The two "x records" remain with the email.
Will the Subject line of the email also be encrypted?
Yes. The entire email and its attachments will be encrypted and wrapped. The subject line will include "eM4 Compliant Email delivery notice". The "From" line will include "PaperClip Compliant Email".
Can you choose to turn on eM4 for one Subscriber and not another Subscriber?
Yes. In a Parallel Deployment the host mail server or content filtering system can decide on what domains are routed to the eM4 Relay.
Does PaperClip offer hosted Enterprise eM4 Relay?
Yes. PaperClip hosts internally the Multi-Tenant Relay whereby a secure tunnel (SSL/TLS) is established from your provider to the M-T Relay. Standard eM4 encryption rules apply and PaperClip becomes your delivery agent.
Can eM4 work with GroupWise email server?
eM4 is basically a SMTP closed relay allowing it to work with any SMTP based email platform. The eM4 Relay sits between your email server (Exchange, GroupWise, Lotus, etc.) and the Smart Host or SMTP Gateway.
Is a Smart Host required?
Yes. eM4 Relay is a "Closed" relay which for compliance, is not accessible from the Web. The Smart Host or SMTP Gateway manages the interface with the Web and routes all or selected emails to the eM4 Relay.
What type of hardware is recommended?
eM4 Relay supports Microsoft 2003 servers and above. Encoding and decoding is the most resource intense function of the eM4 Relay therefore CPU power is the most critical requirement.
How can I measure the performance of the eM4 Relay?
eM4 Relay supports Microsoft Performance Monitor (PerfMon) with 13 eM4 related counters providing you the capability to measure and track the systems performance.
Is the MS IIS SMTP Virtual Server required if we already have an email gateway that does the mail routing?
No. The eM4 Relay can inter operate with any Smart Host or SMTP Gateway. The MS SMTP Virtual Server comes with IIS and is very effective for medium to lite traffic. MS Exchange 2003/2007 requires exclusive control of the SMTP server which will require a second CPU to support SMTP Virtual Server as a Smart Host.
The installation mentions the need for MS SQL Express but I don't see any configuration instructions for a database. Is there a database with the Relay Server?
Yes. The eM4 Relay install software contains MS SQL Express. The install will setup the database requiring no user intervention.
What is stored in the Database?
The SQL Database is used for configuration parameters and auditing. Audit data is held and posted to the Central Office (every 15 minutes) then purged - "transient data storage".
What's the expected size of the Database?
The SQL Database size under normal operation is estimated at 2 Mb.
Is there something specific in the headers before and after the encryption/decryption?
The eM4 encrypted email inserts two "x records" in the header identifying it as an eM4 encoded email and a unique identification number.
Is the eM4 Relay software supported under VMware?
Yes. eM4 Relay is compatible with VMware and Microsoft Virtual Server.
Is there any documentation on eM4 installation/setup/configuration?
Request the "eM4 Installation Docs" file.
Does the Relay Server Edition support mobile devices?
Yes. Emails are decrypted before they land on your mail server therefore available to your mobile device in clear text. Users should always secure their mobile devices.
What is the PaperClip Cloud Client?
The eM4 Cloud Client can be used by anyone that has a desktop email client (i.e. Outlook, Lotus Notes, GroupWise, etc.). The Cloud Client installs as a new email account with simple email address and password. The additional server information will be provided by PaperClip.
What protocols does the Cloud Client support?
The eM4 Cloud Client supports POP3, IMAP and SMTP protocols.
Is the Cloud Client considered a full subscriber?
Cloud Clients are full Subscribers; you will have a login and password to access reports, configuration options, Webmail options and branding.
How do I receive encrypted emails?
The desktop email clients (e.g. Outlook) cycles the new eM4 Email Account via a secure protocol (IMAP) and pulls the email from your eM4 Mailbox.
How do I send encrypted emails?
To send securely, compose your email and select the eM4 Email Account as the sender. The mail will be sent securely to your eM4 Mailbox, encrypted and delivered to a Subscriber, or Non-Subscriber as necessary.
Mobile Device support?
Configure your mobile device to your eM4 Mailbox and process the same selecting the eM4 Account when sending.
Who uses webmail?
eM4 Webmail is provided to support Non-Subscribers and meet compliance. In addition, Webmail users can "Reply To" the sender securely.
Are emails stored in webmail encrypted?
Yes, all emails and attachments are encrypted at rest.
Who pays for webmail?
The eM4 Webmail is included as a service for Subscribers.
Is there any kind of notice that an email has not been received?
Yes. Once an email goes out the recipient gets 1st notice. If they do not pick it up within the Subscribers configured wait period (ex: 36 hours) they get a 2nd notice. Yet another period of time (ex: 36 hours) goes by then both sender and receiver get a 3rd and final notice. Email is retained on PaperClip servers for 5 days then purged. Audit reports reflect activity.
Do Non-Subscribers require a login and password to view email?

No. Subscriber can deploy their Webmail presence with no login or password required. Non-subscribers simply click on the link contained in the notice and a SSL secured browser displays the original Email with any attachments.

Recipient Validation (RV) is the preferred method of authentication by Subscribers ensuring the person accessing the email is the correct person and still not require logins or passwords. RV method is designed to address the notice being hijacked and illegally used to view emails on the PaperClip Webmail servers.

Users will receive their normal notice with a link to click on. This link will present a Captcha Code entry screen requiring the user to enter the Captcha Code. The page will refresh indicating a new email will arrive immediately with the link to open the email. Two principals are used to grant access to the Webmail, same location and same device. All validation data is recorded to the D3P audit. When Registration and Recipient Validation are used together, Two Factor authentication is achieved.

Does webmail provide an inbox?
Non-Subscribers have the option to register and secure their inbox with a login and password. Registering an inbox provides simple Email options and management.
Are there any rules for entering passwords when creating an account?
Subscribers can manage their own password profile with 15 common configuration options (i.e. Lengths, expirations, lockout attempts, etc.). Default is minimum length 6 characters: requires 2 non-alphanumeric characters.
Can a Non Subscriber use their Inbox to initiate a secure email?
Yes. Subscribers have two options on their Non-Subscribers features they can use. The first is to send secure emails where the receiver can only reply to you, the sender. The second option will allow you, the subscriber, to publish an address book within the portal the receiver can use and the ability for the receiver to initiate new secure emails to you or Subscriber’s published contacts.
Do Non-Subscribers have access to the portal?
Can multiple people log into the webmail under the same credentials?
Yes. They must share the authentication.
Who pays for the non-subscriber email "Replied to"?
The ability to converse with a Non-Subscriber is part of the eM4 Service.
Can more than one person share a Web Mail account?
Yes. One Web Mail account supports one email address, users would share login credentials.
How long are emails stored in the Web Mail Mailbox?
Emails are purged five days after Third and Final Notice to Sender and Receiver. Opened emails are purged 30 days after retrieved. In the inbox, new mail appears in bold, once retrieved it appears un-bolded.
Can I brand my emails to non-subscribers with my company logo?
Yes. Subscribers can send to eM4 Support a properly formatted banner (240x120 pixel) whereby Non-Subscribers opening Emails will see the Subscriber’s branding.
Can I customize the notice email sent to Non-Subscribers?
Yes. Subscribers can modify the notice Email language to conform to their compliance department. Notices are setup in the eM4 Central Office portal.
Can Non-Subscribers use the eM4 Cloud Client?
No. Non-Subscriber exclusively work with the Webmail portal.
Can Webmail users save the Email to their desktop?
Yes. Non-Subscribers can save the Email to their desktop in a WC3 or MSG compliant format.
Are there email attachment size limits?
Yes. eM4 has a 20 megabyte limit.
Saved eM4 Webmail disappears when i drag them into Outlook.

This is the nature of Microsoft Exchange when using Cached Exchange Mode. When Outlook is configured with IMAP protocol connecting to your Exchange Server, the Outlook Client manages mailheaders and not emails in a local store. When dragging a third party email (###.msg) into an Exchange managed folder, Exchange will consider the email a failure and moves it to a hidden folder within Exchange. There are two solutions within the Outlook Client to correct this, Private Folder or disable Cached Exchange Mode.

Exchange managed folders will display in the lower right hand corner "Connected to Microsoft Exchange". Emails dragged into this folder will result in the email disappearing when Exchange synchronizes.

Solution 1 Private Folders will display no connection status. Emails dragged into a local folder will store the email within a local "pst" database. These emails like all emails are searchable and available for all Outlook operations.

Solution 2 Disable "Cached Exchange Mode". THis will stop the automatic synchronization when Outlook reconnects with your Exchange Server if the connection is lost.

To disable "Cached Exchange Mode" go to File > Info > Account Settings > Change Exchange Account and uncheck "Use Cached Exchange Mode" then restart Outlook.

When "Cached Exchange Mode" is disabled, the status will not display "All folders are up to date".

Are Bypass Emails recorded for auditing?
Yes. If an Email normally subject to encryption but the users selects “Force Not Secure” or enters the “Bypass Flag”, the event is considered auditable and recorded.
As part of the Audit information, what is actually stored at the Central Office server?
Email addresses, Subject Line, Attachment file names, Sent and Received date/time stamps.
Are there specific Retention Requirements for the logs?
Audits (logs) are maintained for seven years. The Subscriber can configure reports to be sent to subscriber and their frequency. Audits can be pushed to subscriber daily, weekly or monthly and accessible from the CO for last sixty days.
Are the logs encrypted?
The possible NPI in the attachment name or subject line is stored in a secured database. Audit reports generated from the portal are downloaded over an SSL connection. Scheduled reports are sent as email attachments via eM4 Compliant Email.
What's the mechanism to transfer the audit files? Is this optional?
The auditing File will be a CSV file (spreadsheet) pushed via email through eM4 itself. This feature can be enabled or disabled with a frequency of daily, weekly or monthly selected.