safedrop tenant administrators guide
safedrop Tenant Administrator Guide
This guide covers administrative tasks for managing your organisation's safedrop instance.
Overview
As a Tenant Administrator, you have access to manage:
- Teams and team memberships
- Users and access permissions
- Organisation settings
- Security configurations
- Audit logs
Accessing the Admin Panel
- Log in with your administrator account
- Click Admin in the main menu
- You'll see the administration dashboard
Screenshot: The main administration dashboard
Team Management
Creating Teams
- Navigate to Teams from the menu
- Click New Team
- Enter a team name and description
- Click Create Encrypted Team
A Team Encryption Key (TEK) is automatically generated. You'll be the first member with access and your first team created will be marked as the default team automatically
Screenshot: The create team dialog
Setting the Default Team
One team should be marked as default for new user signups:
- Go to Teams
- Click the menu on the team
- Select Set as Default
New self-signup users are automatically added to the default team.
Deleting Teams
- Click the menu on the team
- Select Delete Team
- Type the team name to confirm
- Click Delete
Note: You cannot delete the default team. Set another team as default first.
Member Management
Inviting Members
- Click on Admin
- Click Invite user in top right hand corner
- Enter the user's email address
- Select their role (Member or Admin)
- Click Add
Screenshot: The add member dialog
Roles Explained
Role | Capabilities |
|---|---|
Member | View and upload files, access messages |
Admin | Everything members can do, plus: invite users, grant TEK access, manage team settings |
Granting TEK Access
When new members join, they need TEK access to view encrypted content:
- You'll see a notification banner when users are waiting
- Go to Teams and select the team
- Find the member with "Pending Access" badge
- Click Grant Access
The member's public key is used to wrap the TEK, giving them access.
Screenshot: The pending access banner and grant access button
Removing Members
- Select the team
- Find the member
- Click the menu on their row
- Select the trash can to Remove from Team
- Confirm the removal
Note: Removed members lose access immediately. They cannot decrypt any team content.
User Management
Viewing All Users
- Go to Admin → Users tab
- View all users in your organisation
- See their status, role, and verification state
Screenshot: The user management table
User Status Indicators
Status | Meaning |
|---|---|
Verified | User can access the platform |
Pending | Waiting for email verification |
Locked | Account temporarily locked |
Deleted | Account marked for deletion |
Resetting User 2FA
If a user loses access to their authenticator:
- Find the user in the list
- Click the menu
- Select Reset 2FA
- Confirm the action
The user will need to set up 2FA again at next login.
Deleting Users
- Find the user
- In line with the username you will see a trashcan
- Select the trashcan icon
- Confirm deletion
Warning: This removes the user from all teams and revokes all access.
Organisation Settings
Accessing Settings
- Go to Admin → Overview tab
- Configure organisation-wide options
Branding
Setting | Description |
|---|---|
Logo | Upload your organization's logo |
Primary Colour | Set your brand colour |
Screenshot: The branding configuration section
Security Settings
Setting | Description |
|---|---|
Allowed Domain | Restrict signups to specific email domain |
Session Timeout | How long until inactive users are logged out |
2FA Required | Force all users to enable two-factor authentication |
Embedding Settings
Control how SafeDrop forms can be embedded:
Setting | Description |
|---|---|
Enable Embedding | Allow forms to be embedded on external sites |
Allowed Domains | Whitelist specific domains for embedding |
Custom CSP | Advanced content security policy settings |
Message Settings
Setting | Description |
|---|---|
Default Expiry | How many days before messages expire |
Max Expiry | Maximum expiry allowed for messages |
Delete on Expiry | Automatically delete or archive expired messages |
Storage Management
Viewing Storage Usage
- Go to Admin → **Overview ** tab
- See total storage used
- View breakdown by team
Screenshot: The storage usage dashboard
Storage Limits
Your plan includes a storage allocation. When approaching limits:
- Users receive warnings when uploading
- Uploads are blocked when limit is reached
- Contact your SafeDrop account manager to increase limits
Audit Logs
Viewing Audit Logs
- Go to Admin → Audit Logs tab
- Browse security-relevant events
- Filter by user, action, or date range
Screenshot: The audit log viewer
Events Logged
Event Type | Description |
|---|---|
Login | User sign-ins (success and failure) |
Logout | User sign-outs |
User Created | New user registrations |
Team Created | New team creation |
Member Added | User added to team |
Member Removed | User removed from team |
TEK Granted | Encryption access granted |
File Uploaded | File added to Secure Store |
File Downloaded | File downloaded from Secure Store |
Message Sent | safedrop message created |
Message Viewed | Message opened by recipient |
Exporting Logs
- Filter to your desired date range
- Click Export
- Download CSV file
Security Administration
Key Rotation
Rotate team encryption keys for security:
- Go to Teams
- Select the team
- Click Secure store tab
- Click Key rotation
All team members receive new wrapped keys. Files are re-encrypted with the new key.
Note: Key rotation may take time for teams with many files.
Account Recovery
When users cannot access their accounts:
Tier 1 Recovery (Self-Service):
- User uses their 12-word recovery phrase
- No admin intervention needed
Tier 2 Recovery (Admin Assisted):
- User requests admin recovery
- Admin verifies identity out-of-band
- Admin initiates account reset
- User creates new credentials
Screenshot: The admin account recovery interface
Monitoring Failed Logins
- Check audit logs for failed login attempts
- Look for patterns indicating attacks
- Consider temporarily locking affected accounts
Best Practices
Team Structure
- Create logical teams - Based on departments or projects
- Limit admin roles - Only grant admin where needed
- Review memberships regularly - Remove inactive members
- Use meaningful names - Make team purposes clear
Security
- Require 2FA - Enable organisation-wide 2FA requirement
- Monitor audit logs - Check regularly for unusual activity
- Prompt TEK approvals - Don't leave users waiting
- Rotate keys annually - Maintain encryption hygiene
User Management
- Verify identities - Before granting access or recovery
- Offboard promptly - Remove departed employees immediately
- Document roles - Keep records of who has admin access
- Train users - Ensure users understand security features
Troubleshooting
User Cannot Access Team
- Check they're added as a team member
- Verify their TEK access has been granted
- Have them try logging out and back in
- Check they've verified their email
Storage Limit Issues
- Review storage usage by team
- Identify large files that can be removed
- Contact SafeDrop for limit increases
Audit Log Missing Events
- Ensure you're looking at correct date range
- Check event type filters
- Some events may be delayed slightly
Getting Help
For issues beyond this guide:
- Technical Support - Contact SafeDrop support
- Account Changes - Contact your account manager
- Security Incidents - Report immediately to SafeDrop security team
This guide covers tenant administration. For super-admin (platform-wide) functions, contact SafeDrop.
Updated on: 20/01/2026
Thank you!