Workflow Engine

Rule-based Email Automation

Why a Workflow Engine?

Organizations that exchange personal or confidential information via email - whether in B2C or B2B contexts - must not only meet GDPR requirements, but increasingly also requirements from NIS2, industry-specific compliance guidelines or internal security standards.

Critical infrastructures, clinics, research institutions, insurance companies, authorities and suppliers exemplify a challenge that now affects all companies:

How can email communication be designed securely, automatically and verifiably - without hindering business operations?

Static transport rules - such as "activate TLS if available" - are not flexible enough for this. They can only react to a limited extent to recipients, content or risk context - and often intervene too late or not at all in complex scenarios. TLS also only ensures encryption to the next server on the transmission path.

Intelligent Email Processing

The rule-based workflow engine of mail:u secure solves this problem with maximum flexibility:

• Any number of conditions (recipient, domain, file type, subject, classification, user action, etc.) that can be linked together.
• Freely combinable actions (S/MIME, PGP, PDF container, FileLink, signature, archive, API routing …)
• Fully configurable execution sequence
• Rule linking via AND/OR/IF-THEN logic
• Dynamic email routing based on all parameters
• Complex special cases such as security incidents, data classes or role-based delivery can also be mapped
• Integration of user-specific decisions from the client or third-party tool (Outlook, ERP, CRM, etc.)

Every email is processed exactly as required by the protection requirements and communication context.

How the Engine Works

Condition Catalog

• Recipient / sender address or group
• Sensitivity Labels (Microsoft Purview, VS-NfD, TISAX)
• File type and size
• Subject tags (e.g. #NIS2, #HCONF)
• Header flags from specialist systems
• Message content

Actions

• S/MIME or PGP encryption
• Signature / signature verification
• PDF container with password
• Delivery via a portal incl. optional 2-factor auth (web application)
• FileLink output incl. optional 2-factor auth
• Archive or journal copy
• Handover to portal, DMS, SIEM via API

Example Policy

IF Recipient-Domain = @partner.de
AND Attachment.Size > 25MB
THEN Attachment → FileLink (TTL 14 days)
     Mail → S/MIME encrypted, signed
ELSE IF Key missing
     Mail → PDF container + return channel
Rules can be configured via web wizard or rolled out as YAML/JSON via a GitOps pipeline.
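
A dry run of the example policy above over constructed messages, as an added example that is not mail:u secure code and does not use its rule format. The `Mail` fields, the action strings, first-match evaluation and the `hold` default for uncovered mails are assumptions made for illustration.

```python
from dataclasses import dataclass

MB = 1024 * 1024

@dataclass(frozen=True)
class Mail:  # constructed model of the fields the example policy tests
    recipient: str
    attachment_bytes: int
    has_recipient_key: bool

def domain(mail):
    # Exact domain after the last "@", so "evilpartner.de" does not match.
    return mail.recipient.rsplit("@", 1)[-1].lower()

# Ordered branches of the example policy: (name, condition, actions, needs_key)
RULES = [
    ("partner-large-attachment",
     lambda m: domain(m) == "partner.de" and m.attachment_bytes > 25 * MB,
     ["attachment->filelink(ttl=14d)", "mail->smime(encrypt+sign)"], True),
    ("key-missing",
     lambda m: not m.has_recipient_key,
     ["mail->pdf-container", "mail->return-channel"], False),
]

def dry_run(mail):
    """Evaluate one mail without delivering it; first matching branch wins."""
    for name, condition, actions, needs_key in RULES:
        if condition(mail):
            findings = []
            if needs_key and not mail.has_recipient_key:
                # S/MIME encryption needs the recipient's certificate.
                findings.append("encryption requested but no recipient key")
            return {"rule": name, "actions": actions, "findings": findings}
    # Assumption: a mail no branch covers is held, not sent unprotected.
    return {"rule": None, "actions": ["hold"], "findings": ["no branch matched"]}

SAMPLES = [  # constructed test messages
    Mail("cad@partner.de", 35 * MB, True),
    Mail("cad@partner.de", 35 * MB, False),
    Mail("info@example.org", 1 * MB, False),
    Mail("info@example.org", 1 * MB, True),
]

def report():
    return [(m.recipient, m.attachment_bytes // MB, dry_run(m)) for m in SAMPLES]

if __name__ == "__main__":
    for rcpt, size_mb, result in report():
        print(f"{rcpt:18} {size_mb:3} MB  {result}")
```

The second and fourth samples are the cases a dry run exists to surface: a branch whose encryption action cannot be carried out, and a mail that no branch covers.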

Benefits in regulated areas

Benefits for Secure Data Transmission

Fine-grained Policies
Separate rule sets per department, user, location or tenant

Versioned & auditable
Git history, policy diffs for ISO 27001 and NIS2 proof

Simulation Mode
"Dry run" generates report without real delivery

API-First
Specialist systems (LIS, ERP, ticketing) can trigger actions via header or subject


Use Cases

Practice Workflows

Medical Images in Healthcare
A CT image series (120 MB, DICOM) is detected ⇒ FileLink + S/MIME signature ⇒ the radiologist downloads it in a GDPR-compliant way.

Incident Report from Energy Provider
Subject contains #NIS2 ⇒ PDF container, password via SMS, copy to security team.

CAD File in Supply Chain
STEP file 35 MB, recipient without PKI ⇒ FileLink with two-factor portal access, complete audit trail.

Quote Communication with B2C Customer
Secure storage of the quote and all related information (contracts) in the portal. Secure access for the customer without the customer needing encryption technology. Reply options and download of data and information.

Technical Deep Dive

Policy as Code

YAML in Git repo, CI/CD pipeline, rollback.

OpenTelemetry

Traces, metrics, logs for SOC / SIEM.

Tenant Separation

Own rule sets, key stores, FileLink spaces.

Kubernetes Cluster

Automatic horizontal scaling, blue/green deploy.

Compliance Coverage

Framework / Standard | Implementation by Engine
GDPR Art. 32 | End-to-end cryptography, audit trail
NIS2 | Incident webhook, tenant segregation, policy proof
ISO 27001 | Role-based admin portal, versioned policies
B3S Healthcare | FileLink in DE-RZ, password-protected PDF containers

Implementation in Five Steps

1. Analysis Workshop
Capture data flows, labeling, attachment types

2. Proof of Concept (1 week)
SaaS tenant, two test policies, SECFLOW for pilot users

3. Policy Design Sprint
Model rules, set up Git repo

4. Go-Live
Blue/Green deployment without downtime

5. Optimization Cycle
Quarterly policy review & audit report

Policy Workshop Free

Design your first automated workflow rule for secure data transmission in 60 minutes.
