
Zero-Trust Sharing: The Secure Way to Share 3D Models

Reific Team
December 07, 2025

You need to show a design to a potential customer. The natural instinct is to email the STEP file. Don't.

That file contains the complete mathematical definition of your product—every curve, dimension, and design decision. Once it's downloaded, you've lost control of your intellectual property forever.

What's Actually in a STEP File

A STEP file (ISO 10303) isn't just geometry. It contains:

  • Full NURBS geometry: Mathematical surface definitions with infinite precision
  • Topology: How surfaces connect, edge relationships, face orientation
  • Assembly structure: Part hierarchy, component relationships
  • Metadata: Part names often reveal material choices (e.g., "HOUSING_6061_AL")
  • PMI data: In some formats, dimensions, tolerances, and GD&T annotations

With this data, a competent engineer can reproduce your exact geometry, reverse-engineer your manufacturing approach from draft angles and fillet strategies, or modify dimensions slightly for a design-around.
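A pre-share audit makes the list above concrete. The following is an added example, not Reific's code: it scans ISO 10303-21 text for header strings, PRODUCT names, and geometry and assembly entity counts. The sample file, the `audit_step` name and the material-token list are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in ISO 10303-21 exchange syntax; not a real product file.
SAMPLE_STEP = """ISO-10303-21;
HEADER;
FILE_NAME('bracket_rev_c.stp','2025-01-15T10:22:41',('j.doe'),('Example Corp'),
  'ExampleCAD translator','ExampleCAD 2025','');
FILE_SCHEMA(('AUTOMOTIVE_DESIGN'));
ENDSEC;
DATA;
#10=PRODUCT('HOUSING_6061_AL','HOUSING_6061_AL','',(#2));
#11=PRODUCT('GASKET_EPDM','GASKET_EPDM','',(#2));
#20=NEXT_ASSEMBLY_USAGE_OCCURRENCE('1','','',#14,#15,$);
#30=B_SPLINE_SURFACE_WITH_KNOTS('',3,3,((#40,#41),(#42,#43)),.UNSPECIFIED.,
  .F.,.F.,.F.,(4,4),(4,4),(0.,1.),(0.,1.),.UNSPECIFIED.);
#31=ADVANCED_FACE('',(#50),#30,.T.);
#32=ADVANCED_FACE('',(#51),#30,.T.);
ENDSEC;
END-ISO-10303-21;
"""

# Assumed, non-exhaustive material tokens for the part-name heuristic.
MATERIAL_TOKENS = {"AL", "6061", "7075", "SS", "304", "316", "TI", "ABS", "PEEK", "EPDM"}
QUOTED = re.compile(r"'((?:[^']|'')*)'")  # Part 21 strings; '' is an escaped quote

def audit_step(text):
    """Summarise what a Part 21 file would disclose to whoever receives it."""
    header = re.search(r"FILE_NAME\s*\((.*?)\)\s*;", text, re.S)
    header_strings = [s for s in QUOTED.findall(header.group(1)) if s] if header else []
    # Count simple entity instances by type, e.g. "#31=ADVANCED_FACE(".
    types = Counter(re.findall(r"#\d+\s*=\s*([A-Z0-9_]+)\s*\(", text))
    # The first PRODUCT attribute is its id, which exporters commonly fill with the part name.
    products = sorted(set(re.findall(r"=\s*PRODUCT\s*\(\s*'((?:[^']|'')*)'", text)))
    hints = {p: sorted(set(re.split(r"[^A-Za-z0-9]+", p.upper())) & MATERIAL_TOKENS)
             for p in products}
    return {
        "header_strings": header_strings,  # file name, timestamp, author, org, CAD tool
        "products": products,
        "material_hints": {p: h for p, h in hints.items() if h},
        "exact_surfaces": sum(n for t, n in types.items() if t.startswith("B_SPLINE_SURFACE")),
        "faces": types["ADVANCED_FACE"],
        "assembly_links": types["NEXT_ASSEMBLY_USAGE_OCCURRENCE"],
    }
```

Any non-empty field in the result is information the recipient would hold permanently once the file is sent.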

Figure 1: The security difference between sharing raw files versus rendered pixels.

The "Pixels, Not Files" Approach

The solution is architectural: never share the source file. Send rendered pixels instead.

Sharing Method        | What They Receive            | Reverse Engineering Risk
Email STEP/IGES file  | Full geometry + metadata     | Complete (trivial)
Download OBJ/STL      | Tessellated mesh             | High (mesh-to-NURBS tools exist)
Screenshot/PNG        | 2D image, single viewpoint   | Low (limited info)
Interactive Viewport  | Streamed pixels, all angles  | Low (high fidelity, no data)

What to Look For in a Secure Viewer

  • No download option: The viewer should not export any 3D format
  • Link expiration: Set time limits (24 hours to 90 days)
  • Access logging: Know who viewed the model and when
  • Watermarking: Visible identifier on screenshots to trace leaks
  • Password protection: Additional layer for sensitive projects
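One way link expiration, revocation and access logging can fit together is sketched below. This is an added example, not Reific's implementation: the token layout, `issue_link`, `open_link` and the in-memory stores are assumptions, and identifiers are assumed not to contain `|`.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"          # assumption: server-side key, never sent to viewers
MIN_TTL, MAX_TTL = 24 * 3600, 90 * 86400  # the 24-hour to 90-day window from the list above
REVOKED, ACCESS_LOG = set(), []           # stand-ins for a real datastore

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_link(model_id, recipient, ttl, now=None):
    """Return a token binding one model to one recipient until a fixed expiry."""
    if not MIN_TTL <= ttl <= MAX_TTL:
        raise ValueError("ttl must be between 24 hours and 90 days")
    expires = int(time.time() if now is None else now) + ttl
    payload = f"{model_id}|{recipient}|{expires}"
    return f"{payload}|{_sign(payload)}"

def open_link(token, client_ip, now=None):
    """Validate a token and log the attempt whether or not it is allowed."""
    now = int(time.time() if now is None else now)
    payload, _, sig = token.rpartition("|")
    # Constant-time comparison; the expiry is parsed only after the MAC checks out.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        result = "bad_signature"
    elif token in REVOKED:
        result = "revoked"
    elif now >= int(payload.rsplit("|", 1)[1]):
        result = "expired"
    else:
        result = "ok"
    # Denied attempts are logged too: a forwarded or edited link shows up here.
    ACCESS_LOG.append({"time": now, "ip": client_ip, "link": payload, "result": result})
    return result
```

Because the recipient is part of the signed payload, the same value can drive a visible watermark, and the log ties every view to the party the link was issued to.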

Enterprise: Zero-Retention Processing

For highly sensitive IP (defense, medical devices, unreleased products), even trusting the platform with your data may be a concern. Zero-retention processing means:

  • Source file loaded into server RAM only
  • Processing happens in memory
  • No file written to disk
  • Session ends → RAM cleared → no trace remains

Common Sharing Failures (And How to Avoid Them)

We've seen these IP leaks happen repeatedly:

Failure: Emailing STEP via Dropbox

"I'll just put it in Dropbox and send the link." That link has no expiration. The supplier downloads it, then shares it with their subcontractor. You've lost control.

Failure: Viewer with Download Button

Some 3D viewers let recipients download OBJ/STEP. Even if they "promise not to," the button exists. Assume they'll click it.

Failure: Wrong Supplier Saw the Model

You sent a link to Supplier A. They forwarded it to Supplier B. You had no visibility. Next quarter, Supplier B is selling a knockoff.

Compliance Considerations: ITAR, NDA, Export Control

For defense contractors, medical device manufacturers, and other regulated industries:

  • ITAR (International Traffic in Arms Regulations): Technical data cannot leave US servers or be accessed by foreign nationals. Zero-retention + US-only infrastructure helps.
  • EAR (Export Administration Regulations): Similar controls for dual-use technology. Audit logs prove chain of custody.
  • NDA Enforcement: Pixels-not-files doesn't replace an NDA, but it makes breach irrelevant—they physically can't extract the data.
  • Vendor Qualification: Before sharing with contract manufacturers, use view-only links. Full geometry only after signed agreements.

Reific's Security Model

Pixels, Not Math: Shared links deliver rendered frames. Viewers never receive vertex data.
Time-Limited Links: Set expiration from 24 hours to 90 days. Revoke access instantly.
View Analytics: See exactly who opened the link, when, and how long they spent.
Enterprise: Zero-Retention Mode: For regulated industries—source files processed in-memory only.

Key Takeaways

  • STEP files contain complete IP—never email them to external parties
  • Interactive viewports provide high fidelity without exposing geometry
  • Look for expiration, logging, and zero-download features in any sharing tool
  • For sensitive IP, require zero-retention processing

FAQ

Can someone screen-record the viewer and extract geometry?

They would get pixel data only—no mathematical precision. Reconstructing NURBS from video is impractical for anything beyond simple shapes.

Is this as good as an NDA?

It's complementary. An NDA creates legal recourse; pixels-not-files prevents the leak in the first place. Use both.

What about OBJ or STL for 3D printing customers?

If they need to manufacture, they need geometry. Use view-only links for review; export mesh only after commercial agreement.

Give them the view. Keep the file.
