Frequently Asked Questions

Looking for some quick answers? We’ve got you covered. Find your answers for some of our most frequently asked questions here.
FAQ Illustration

Pre-Built Secure Mailbox

What types of DataMotion accounts are offered?

We offer a variety of pricing plans ranging from our free, personal accounts to enterprise-level secure exchange bundles to suit the needs and budgets of any customer.

Learn More

How do I log into my DataMotion account?

To log into your DataMotion account, first navigate to your secure mailbox, enter your email address and password in the logon window and click “Enter” to login. If your organization has single sign on enabled, simply click the identity provider button to login. You will then be routed through the identity providers verification process.

Do I have different secure delivery options, or am i limited to only the web portal?

Yes, during initial setup of your DataMotion account, you will be prompted to select a delivery method such as encrypted PDF push and web delivery. You always have the option of changing it later through your preferences.

What is the secure mailbox size limit and how is my DataMotion mailbox space counted?

Your mailbox storage space varies based on your pricing plan and is counted using the messages SENT from your account, not received. Please contact us for more information.

Do messages expire? and if so, when?

Yes, messages do expire. To protect the sensitive nature of your messages, the DataMotion system stamps each message you send with an expiration date. By default, SENT messages expire after 30 days. The DEFAULT maximum expiration period of your sent messages can be extended to 2 or more years. Increasing your default expiration period will cause your mailbox to fill up quicker. There is also the option to change the expiration period on a PER message basis.

After a message has expired, the contents and any attachments associated with that message will no longer be available. Metadata of the message will still be available forever in the form of message tracking and reporting.

What are the main types of the DataMotion Outlook toolbar add-in?

The Outlook add-in can be configured to route secure messages to the DataMotion secure mailbox in three (3) different ways:

  • Client-Side Encrypting: In this version of the add-in the message is sent as an encrypted payload to the DataMotion secure mailbox for processing. An additional feature of the add-in is that it downloads an unencrypted version of the message from your secure email inbox directly to your Outlook inbox. This version of the Outlook add-in does not require the DataMotion secure content filter.
  • Server-Side Encrypting: This version of the add-in redirects a secure message over an encrypted channel to the DataMotion secure mailbox. This version of the add-in requires the DataMotion secure content filter to process and redirect the message.
  • Subject Line Tagging: If your policy is not to modify message headers for secure messages, then the tagging option is also available. With this option, a tag is added to the subject line of a message which can be scanned by the content filter and routed securely to the DataMotion secure mailbox. When the content filter recognizes the tag in a subject line, it strips it out before the message is forwarded to the DataMotion secure mailbox.

Note: In order to implement the tagging option, ALL of your messages will need to be routed through the DataMotion secure email content filter.

Secure Email Content Filter

What rules are built-in?

The content filter has some of the most common PHI and PII rule patterns built-in, including financial policy rules, healthcare rules, and personal identifying information rules.

Additional built-in rules include tags to scan a subject line of an email and take the appropriate action.

What happens when a rule is matched?

There are multiple actions that can be specified when a condition is matched. Some of the common ones are to send the message securely, route the messages to another SMTP server, and delete the message. In any of these cases, the sender and other individuals (administrators, managers) can be notified by the content filter.

Can i create my own custom rules to match patterns specific to my own organization?

Yes, the DataMotion secure email content filter includes the ability to use Regular Expressions for pattern matching, as demonstrated by many of the pre-configured rules. You can create custom rules using your own set of Regular Expressions as well. While the secure content filter has the most common PHI, PII, and HIPAA compliant patterns built-in and has been tuned over DataMotion’s years of experience, it is flexible enough to give you free reign over writing your own patterns (rules). The content filter is also capable of exact matching; meaning you can create a flat file with the exact keywords that you wish the content filter to scan.

Can the DataMotion secure content filter be deployed in a high availability environment?

Yes, the content filter can be installed in an active / passive cluster, VMWare or in a load balanced configuration.

Not all of my users require secure email. is there a setting on the content filter that will enable me to control my DataMotion secure email accounts?

Yes, there are various methods such as implementing user groups and rules whereby you can control your accounts.

What happens if one of my users does not have a secure email account and sends a secure message via the content filter?

The message will be received by the DataMotion secure mailbox and will sit in the ‘Drafts’ folder of the sender’s account. The sender will receive a notification that they do not have permission to send a message and to contact their IT administrator. Once their account has been fully licensed, the message in the drafts folder will automatically be sent out. The sender does not need to resend the message.

Single Sign On

Does single sign on (SSO) present any security risks?

SSO with industry-leading Identity Providers offered by DataMotion follows strict security measures put in place by these vendors to protect their users. Ultimately, safeguarding access to user accounts (whether via SSO or regular user ID/password combination) is in the hands of users, who must take all necessary precautions so as not to compromise their account credentials.


Can SSO be disabled?

DataMotion customers concerned about providing users within their companies with SSO, have an option to disable it for their licensed users (auto-created recipient users will still have it available).

Are there any restrictions for using SSO?

Any users who use the Outlook Add-in that requires authentication or DataMotion APIs, must continue using their current authentication method with email/user ID and password.

Clinical Direct Secure Messaging

Does DataMotion include a service level agreement with its DataMotion Direct services?

The DataMotion HISP Technical Support Agreement, part of the overall DataMotion HISP Agreement outlines the support mechanism for the DataMotion HISP. The SLA specifies the response time for different levels of support issues.

What steps does a hospital need to take to integrate its EHR system with a HISP?

Integrating an EHR system with a HISP typically involves the following steps:

  1. Establish Direct addresses for the EHR users who need access to Direct
  2. If the EHR supports connectivity via the XDR protocol, establish an XDR connection
  3. If API integration is involved, use the developer sandbox provided by DataMotion to develop and test the application calling into the DataMotion APIs.

The DataMotion Direct Software Developer Kit (SDK) offers up a set of robust APIs that integrate into your workflow without any disruption. DataMotion will setup all the Direct addresses, certificates, encryption, and message routing. DataMotion provides assistance all the way through and is also recognized by our customers as a reliable integration partner.

With DataMotion’s HISP, which EHRs can I send direct messages to/receive direct messages from?

You can send a Direct message to (or receive a Direct message from) any EHR that is in DataMotion’s HISP, or to any EHR that is in another HISP.


Can I access my direct messages in my EHR, my cell phone, and my tablet?

Yes, it is possible to access your Direct Messages in a secure manner from your cell phone, tablet, and any other mobile device, using the DataMotion mobile-optimized Direct Messaging Portal.


What is in DataMotion’s developers’ sandbox?

To enable developers and compress development cycles, DataMotion’s connectivity methodologies are incorporated into a developer’s sandbox with open web standards such as web services, S/MIME, SMTP, etc. to test your system. Developers familiar with standard web communication protocols, including HTTP, XML, and SOAP will be able to use the sandbox with minimal training and support. The sandbox contains:

  • Integration code samples
  • API documentation
  • Implementation guide

What types of direct addresses does DataMotion offer?

DataMotion offers the following categories of Direct addresses:

  • Individual Direct Address
  • Group Direct Address
  • Workflow Direct Address

Read more about these types of addresses here.

What is the data retention policy for mailboxes on the DataMotion Direct HISP?

As per DataMotion HISP agreement, the standard data retention period for each DataMotion Direct mailbox is 30 days.


For what purposes and how does Direct involve user identity validation?

DataMotion adheres to DirectTrust LoA3 for all Direct Users (equivalent to NIST 800-63-1 Level 3 or Kantara Level 3 or FBCA Basic or Medium).

Is DataMotion included in the Certified Product Health IT List (CHPL), and what certifications does it have?

Yes. DataMotion Direct Secure Messaging has achieved Office of the National Coordinator of Health Information Technology (ONC-HIT) 2015 Edition Modular Certification, see Certified Health IT Product 10017.

Secure Message Delivery API

How is this API different from the DataMotion APIs for Secure Message Center?

The secure message delivery API is a subset of our family of APIs for the secure message center. It does not include APIs for administration and provisioning. Unlike the secure message center APIs, it only supports the sending of messages in one direction.


Does this API support the bi-directional sending of messages and attachments?

No, the secure message delivery API only supports the sending of messages and attachments in one direction.

The direction that your secure messages are sent depends on your application. It can be coded to support user-initiated secure messages from your app or portal, or you can enable emails to be sent automatically or manually from your system to your end-users.

What is the storage limit for sent messages on my developer account?

Your developer account has a 10GB limit for storing sent messages. You can release the storage taken by a message by deleting it via API.


What is the maximum attachment size that this API supports?

The maximum attachment size is 20MB. Your users can choose to send one attachment up to 20MB in size or multiple attachments totaling up to 20MB.


What other actions can I perform via API after the message is sent?

You can retract the message, review its delivery status and delete the message from your account to release the storage taken by it.


What does “pay-per-use” mean for this API?

Pay-per-use means that you only pay for the transactions that are actually made while using this API. Transactions are based on the number of recipients per message. So, one message sent to one recipient is billed as one transaction. However, one message sent to five recipients would be billed as five transactions.


What happens when I run out of credits on my developer account? How do I refill my balance?

A member of our sales team will be reaching out to you once you run out of credits on your developer account to inform you of your next steps to refill your balance.


Where can I find documentation and more information on this API?

For in-depth documentation, including base URLs, endpoints, response and request body formats, and more, please visit our developer center. To learn more about this API and what it does, head on over to our Developer Experience page on our website.

HITRUST CSF® Certification

What is the HITRUST CSF certification?

According to the HITRUST Alliance, the HITRUST Certification “is a globally recognized certification of an organization’s compliance to the rigorous comprehensive security and privacy protection requirements specified in the HITRUST CSF.” The certification provides a framework for compliance with top security and privacy regulations, including ISO, NIST, PCI, HIPAA, and GDPR.

Learn more about what the HITRUST CSF Certification is in our blog post “HITRUST CSF® Certification: What Is It and Why Does It Matter?

Why is the HITRUST CSF certification important?

Any organization that earns HITRUST CSF Certification is considered to have demonstrated “the highest level of trust.” HITRUST also states that that those who achieve the certification have proven that they implement the highest security controls and place a strong emphasis on protecting their data’s security and reducing risk.

In other words, the HITRUST Certification provides verified assurance that an organization is performing the greatest level of diligence to protect your data.

What are the certification requirements?

To become HITRUST CSF Certified, an organization must complete a minimum of 156 (typically, many more) rigorous controls (requirements). These controls span across fourteen categories, including risk management, security policy, compliance, and business continuity management. After implementing each control, the organization must be verified via self-assessment or third-party assessor. An organization must be recertified every two years.

What DataMotion solutions are certified under HITRUST?

DataMotion Direct Secure Messaging and the secure email platform are HITRUST CSF Certified.


How frequently must HITRUST CSF certifications be renewed?

Each HITRUST CSF-certified company must undergo a full reassessment bi-annually and a partial one in the interim.


Where can I learn more about HITRUST CSF certification?

We recommend stopping by “HITRUST CSF® Certification: What Is It and Why Does It Matter?” on the DataMotion Blog and visiting the HITRUST website.


Still have a question?

Didn’t find your answer in one of our frequently asked questions? Contact DataMotion support now.