Stop Emailing Sensitive Documents: Why Browser-Based Onboarding Is Way Safer
How WorkZerk eliminates the hidden security risks of traditional document collection
Every day, thousands of Australian businesses collect sensitive documents the same way they always have. A site manager asks a new contractor to ‘just email through’ their forklift licence. An HR coordinator receives a scanned passport in their inbox. A compliance officer forwards a Working with Children Check to a colleague for verification.
It feels routine. But every one of those emails creates a security risk that most businesses never think about!
The problem with email attachments
When someone emails a PDF or image to your team, that file doesn't just arrive once. It gets downloaded to a laptop. It gets forwarded to a colleague. It gets saved to a shared drive. It gets opened again on someone else's machine. Before long, a single document has been copied, stored, and opened across multiple devices with no tracking, no access controls, and no audit trail.
Each of those touchpoints is a potential vulnerability. Malicious actors know that PDFs can carry embedded code, exploit payloads, and hidden scripts designed to target PDF reader software. A file that looks like a perfectly normal driver's licence could be weaponised to execute code the moment it's opened in a desktop application like Adobe Reader.
And that's just the security side. From a privacy perspective, sensitive identity documents are now scattered across inboxes, downloads folders, and shared drives with no visibility over who has access or where copies exist.
For businesses operating under the Australian Privacy Principles, that's a significant exposure.
What changes when documents stay in the browser
WorkZerk takes a fundamentally different approach. When someone uploads a document during onboarding, whether it's a licence, certificate, or proof of identity, that file is stored once in encrypted Azure cloud storage hosted in Sydney. Every time an administrator needs to review that document, they view it directly in the browser. The file is not downloaded to their local machine, never opened in a desktop PDF reader, and never forwarded as an email attachment.
This might sound like a small distinction, but it changes the security picture entirely.
When a PDF is opened inside a web browser, the browser acts as a sandbox. It renders the visual content of the document without executing embedded scripts or code in the way a native desktop application might. The attack surface that makes email attachments risky simply doesn't exist in this model.
Compare that to the traditional workflow where a contractor emails their credentials to three different people, each of whom opens the file locally, and the difference becomes clear!
One copy, one location, full visibility
Beyond the malware angle, there's a broader principle at play: reducing the number of places sensitive documents exist.
With email-based document collection, you have no real way of knowing how many copies of someone's passport photo or licence are sitting in various inboxes and folders across your organisation. You can't revoke access to an email attachment after it's been sent. You can't see who opened it, when, or on what device.
With WorkZerk, every document lives in a single, secured location. Access is controlled through user permissions and tracked through a comprehensive audit trail. Administrators can see exactly who viewed, approved, or rejected a document and when they did it. If an employee or contractor leaves the organisation, their documents don't linger in forgotten email threads. Access is managed centrally and can be removed at any time.
For businesses that handle identity documents, health records, or compliance credentials, this isn't just a convenience. It's a meaningful improvement in how personal information is protected.
No app downloads, no accounts, no friction
Security measures only work if people actually use the system. One of the most common reasons businesses fall back to email-based document collection is that their proper system is too complicated. If a contractor needs to download an app, create an account, and remember a password just to upload their White Card, they'll ask if they can just email it instead.
WorkZerk removes that friction entirely. Onboardees receive a secure, tokenised link. They tap it on their phone, complete the process in their browser, upload their documents, and they're done. No app download, no account creation, no password to remember. The process is designed to be so simple that there's no reason for anyone to fall back to email.
And because it's frictionless for the person being onboarded, it's also more secure for the business. When the easy path and the secure path are the same path, compliance happens naturally.
What this means in practice
Consider a typical scenario in construction. A principal contractor needs to verify that 30 subcontractors have current forklift licences, White Cards, and public liability insurance before they can start on site.
The traditional approach: The site manager sends 30 emails asking for documents. Replies trickle in over days. PDFs are downloaded, opened, checked manually, and saved to a shared folder. Some contractors reply to the wrong person. Some documents expire and nobody notices. Copies of licences and insurance certificates sit in multiple inboxes indefinitely. In a word — Chaos!
The WorkZerk approach: Each contractor receives a secure link in their secure email inbox. They upload their documents directly into the platform. The site manager reviews and approves everything from a single dashboard. Expiry dates are tracked automatically with renewal reminders. Every document is stored once, viewed in-browser, and protected by enterprise-grade security. No emails, no downloads, no scattered copies.
Same outcome. Dramatically different risk profile!
A simple question worth asking
Next time your team asks a contractor, employee, or volunteer to ‘just email through’ a copy of their licence or ID, it's worth pausing to consider where that document will end up. How many copies will exist by the end of the week? Who will have access to it in six months? And if something goes wrong, would you even know?
WorkZerk exists to make those questions irrelevant. Documents are uploaded once, stored securely, viewed in-browser, and managed centrally. No email chains, no local downloads, no untracked copies floating around your organisation.
It's a safer way to handle sensitive documents. And it's a lot simpler, too.
WorkZerk is an Australian-built onboarding and compliance platform. All data is hosted in Sydney on Microsoft Azure. Learn more at workzerk.com.au.
