Critical: The client-side security layer in the Investor Data Room (watermarks, key-blocking, screenshot detection) cannot enforce download prevention inside the embedded Google Drive iframe. Drive's download, print, and copy controls must be configured at the Drive level — this page is how you do it.

Vault Hardening Progress

0 of 12 security controls configured. Complete all items before issuing any investor access codes.

Google Drive Folder Settings

Disable download, print, and copy for viewers CRITICAL
By default, Google Drive lets viewers download any file they can see. This single setting is the difference between a secure vault and a self-serve buffet.
How to set it:
  1. Open the DD folder in Google Drive
  2. Click Share (top right)
  3. Click the ⚙ settings gear icon (top right of share dialog)
  4. Uncheck "Viewers and commenters can see the option to download, print, and copy"
  5. Click Done
Set folder sharing to "Anyone with the link → Viewer" CRITICAL
The embedded folder iframe needs link-based access so approved investors can view files through the data room without signing into Google. Editor access would let anyone with the link delete your files.
How to set it:
  1. In the Drive share dialog, under "General access"
  2. Change from "Restricted" to "Anyone with the link"
  3. Ensure role is set to "Viewer" (not Editor or Commenter)
  4. Copy the link and verify it matches folders/1Lm_TajY1Zoab...
Apply watermark to documents in preview WORKSPACE
Google Workspace Business+ accounts can apply a viewer's email as a watermark on all PDF/image previews. This makes leaked screenshots traceable to the person who took them.
Requires a Google Workspace Business Standard or higher plan. Free Google accounts can't do this; budget for Workspace if investor trust matters.
How to set it:
  1. Admin Console → Apps → Google Workspace → Drive and Docs → Sharing settings
  2. Enable "Apply a watermark when viewing" for selected files/folders
Convert sensitive DOCX/XLSX to PDF HARDENING
PDF previews in Drive are harder to extract text from than native Docs/Sheets. For the most sensitive items (financials, cap table, projections), convert to PDF before uploading.
Recommended for: Financial statements, cap table, tax returns, projections, term sheet, PPM, legal agreements. Keep native-editable versions in a separate private folder only you can access.
Remove file ownership from personal accounts OWNERSHIP
All files in the vault should be owned by a company Google account (e.g., admin@loknblok.com), not a personal Gmail. Files owned by a personal account stay with that account if the company is dissolved, and can leak.
How to set it:
  1. Select all files in the DD folder
  2. Right-click → "Share" → Add the company admin email as Owner
  3. After transfer, remove personal account access
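The three Drive-level controls above (viewer download/print/copy disabled, link sharing set to Viewer, company-account ownership) can also be verified independently of the share dialog. The following is an added example, not code from the data room project: it audits a file or folder metadata object in the shape returned by the Drive API v3 `files.get` call (fields `id,name,copyRequiresWriterPermission,owners,permissions`). Fetching that metadata with credentials is not shown; the two records below are constructed sample data with a placeholder folder id, and the company domain is taken from the example admin account on this page.

```javascript
// Added example: audit Drive API v3 file metadata against the checklist above.
// The metadata fetch is not shown; `sampleUnhardened` and `sampleHardened`
// are constructed records, not a real folder.
const COMPANY_DOMAIN = "loknblok.com"; // from the example admin account on this page

function auditDriveItem(item, companyDomain = COMPANY_DOMAIN) {
  const findings = [];

  // Control 1: the "Viewers and commenters can see the option to download,
  // print, and copy" checkbox maps to copyRequiresWriterPermission === true.
  if (item.copyRequiresWriterPermission !== true) {
    findings.push("download/print/copy still enabled for viewers");
  }

  // Control 2: exactly one kind of link access, "anyone with the link" as reader.
  const anyone = (item.permissions || []).filter(p => p.type === "anyone");
  if (anyone.length === 0) {
    findings.push("no 'anyone with the link' permission (embedded viewers will be blocked)");
  }
  for (const p of anyone) {
    if (p.role !== "reader") {
      findings.push(`'anyone with the link' has role ${p.role}, expected reader`);
    }
  }

  // Control 3: every owner must be a company account, never a personal one.
  for (const o of item.owners || []) {
    const domain = (o.emailAddress || "").split("@")[1] || "";
    if (domain.toLowerCase() !== companyDomain) {
      findings.push(`owned by non-company account ${o.emailAddress}`);
    }
  }

  return { id: item.id, name: item.name, ok: findings.length === 0, findings };
}

// Constructed sample: a folder still in its insecure default state.
const sampleUnhardened = {
  id: "FOLDER_ID_PLACEHOLDER",
  name: "DD folder",
  copyRequiresWriterPermission: false,
  owners: [{ emailAddress: "founder@gmail.com" }],
  permissions: [
    { type: "user", role: "owner", emailAddress: "founder@gmail.com" },
    { type: "anyone", role: "writer" },
  ],
};

// Constructed sample: the same folder after the checklist has been applied.
const sampleHardened = {
  id: "FOLDER_ID_PLACEHOLDER",
  name: "DD folder",
  copyRequiresWriterPermission: true,
  owners: [{ emailAddress: "admin@loknblok.com" }],
  permissions: [
    { type: "user", role: "owner", emailAddress: "admin@loknblok.com" },
    { type: "anyone", role: "reader" },
  ],
};

console.log(auditDriveItem(sampleUnhardened)); // ok: false, three findings
console.log(auditDriveItem(sampleHardened));   // ok: true
```

Run the audit over every item in the DD folder, not just the folder itself: a file uploaded later inherits sharing from the folder but keeps its own owner, so the ownership finding is per file.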

Data Room Hardening

NCNDA flow tested end-to-end VERIFIED
Submit a test request → approve in the queue → enter access code → sign NCNDA → enter vault. Verify every step logs correctly in the activity panel.
Test URL: /investor-vip.html?vip=test-user — submit with your own email, then approve from admin-approvals.html.
Client-side security confirmed active
The vault should block right-click, copy, F12, Cmd+Option+I, Cmd+P, Cmd+S, PrintScreen, Cmd+Shift+3/4/5, drag, and select-all. It should blur content when the window loses focus.
How to verify: Enter the vault, try each shortcut, confirm each triggers a warning toast and activity log entry. Click away from the window — the page should blur.
Session timer and idle logout
Sessions expire after 60 minutes total, or after 5 minutes of inactivity (with a 30-second warning). Investors must re-authenticate every 15 minutes via identity challenge.
Defaults: 60 min max session, 5 min idle timeout, 30s idle warning countdown, 15 min re-auth interval. Edit IDLE_LIMIT and sessionSeconds in source if needed.
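The four timers above interact (activity resets only the idle clock; an identity challenge resets only the re-auth clock; nothing resets the 60-minute cap), which is easiest to reason about as a pure function of timestamps. The following is an added example, not the vault's own code: the constant names IDLE_LIMIT and sessionSeconds are the ones this page mentions, the other names and the session record shape are assumptions, and the walkthrough uses a fixed clock so the results are reproducible.

```javascript
// Added example: the vault's session rules as a pure function of time.
// IDLE_LIMIT and sessionSeconds are named on this page; the rest is assumed.
const sessionSeconds = 60 * 60;              // 60 min maximum session
const IDLE_LIMIT = 5 * 60 * 1000;            // 5 min without activity ends the session
const IDLE_WARNING_MS = 30 * 1000;           // warning countdown for the last 30 s of idle
const REAUTH_INTERVAL_MS = 15 * 60 * 1000;   // identity challenge every 15 min

function newSession(now) {
  return { startedAt: now, lastActivityAt: now, lastReauthAt: now };
}

// Hard limits are checked before soft states so an expired session can never
// be shown as merely "idle-warning" or "reauth-required".
function sessionState(session, now) {
  const { startedAt, lastActivityAt, lastReauthAt } = session;
  if (now - startedAt >= sessionSeconds * 1000) {
    return { state: "expired", reason: "max-session" };
  }
  const idleFor = now - lastActivityAt;
  if (idleFor >= IDLE_LIMIT) {
    return { state: "expired", reason: "idle" };
  }
  if (now - lastReauthAt >= REAUTH_INTERVAL_MS) {
    return { state: "reauth-required" };
  }
  if (idleFor >= IDLE_LIMIT - IDLE_WARNING_MS) {
    return { state: "idle-warning", secondsLeft: Math.ceil((IDLE_LIMIT - idleFor) / 1000) };
  }
  return { state: "active" };
}

// Activity resets only the idle clock; a passed challenge resets only the re-auth clock.
function recordActivity(session, now) { return { ...session, lastActivityAt: now }; }
function recordReauth(session, now) { return { ...session, lastReauthAt: now }; }

// Constructed walkthrough on a fixed clock (milliseconds since session start).
function demo() {
  const MIN = 60 * 1000;
  let s = newSession(0);
  const out = [];
  out.push(sessionState(s, 1 * MIN));                // active
  out.push(sessionState(s, 4 * MIN + 31 * 1000));    // idle-warning, 29 s left
  s = recordActivity(s, 4 * MIN + 31 * 1000);
  out.push(sessionState(s, 5 * MIN));                // active: activity reset the idle clock
  s = recordActivity(s, 14 * MIN + 59 * 1000);
  out.push(sessionState(s, 15 * MIN));               // reauth-required at the 15 min mark
  s = recordReauth(s, 15 * MIN);
  out.push(sessionState(s, 15 * MIN + 1000));        // active again after the challenge
  out.push(sessionState(s, 20 * MIN + 30 * 1000));   // expired (idle): no activity since 14:59
  s = recordActivity(s, 59 * MIN + 59 * 1000);
  s = recordReauth(s, 59 * MIN);
  out.push(sessionState(s, 60 * MIN));               // expired (max-session) despite recent activity
  return out;
}

console.log(demo());
```

In the browser, call `sessionState` from a one-second interval and drive the toast, the re-auth modal and the logout from the returned state rather than from separate timers; one clock read per tick keeps the four limits consistent with each other.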
Watermark overlay working
The investor's name, email, IP address, and "CONFIDENTIAL" appear as a diagonal repeating watermark across every page of the vault. This makes any screenshot or screen-recording traceable.
How to verify: Enter the vault, look at any section, confirm a subtle diagonal text pattern is visible across the full viewport.
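The overlay text is built from the investor's approval record, so the name and email are attacker-influenced strings being placed into markup; the one thing the generator must get right is escaping. The following is an added example, not the vault's own code: it renders the diagonal repeating pattern as an SVG tile for a fixed, click-through overlay, escapes every field, and includes a constructed investor record whose display name carries markup to show the escaping working. The field names and styling are assumptions. As this page's Critical note says, this overlay is client-side; the Drive-level watermark (WORKSPACE item above) is the one that survives a hostile viewer.

```javascript
// Added example: diagonal repeating watermark as an escaped SVG tile.
// Field names (name, email, ip) and styling are assumptions.
function escapeXml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;",
  })[c]);
}

function watermarkText(investor) {
  return `${investor.name} | ${investor.email} | ${investor.ip} | CONFIDENTIAL`;
}

// One tile; the browser repeats it as a background-image. Two offset rows per
// tile keep the pattern dense enough that a cropped screenshot still carries it.
function watermarkTile(investor, { width = 480, height = 240, angle = -30, opacity = 0.12 } = {}) {
  const text = escapeXml(watermarkText(investor)); // escape AFTER joining, so the separators are safe too
  return [
    `<svg xmlns="http://www.w3.org/2000/svg" width="${width}" height="${height}">`,
    `<g fill="#000" fill-opacity="${opacity}" font-family="sans-serif" font-size="14"`,
    ` transform="rotate(${angle} ${width / 2} ${height / 2})">`,
    `<text x="0" y="${height / 3}">${text}</text>`,
    `<text x="${width / 4}" y="${(2 * height) / 3}">${text}</text>`,
    `</g></svg>`,
  ].join("");
}

// Inline style for the overlay element. encodeURIComponent keeps quotes, '<'
// and '#' out of the url(...) so the SVG cannot break out of the CSS string.
function watermarkCss(investor) {
  const url = "data:image/svg+xml," + encodeURIComponent(watermarkTile(investor));
  return `position:fixed;inset:0;pointer-events:none;z-index:2147483647;background-image:url("${url}")`;
}

// Browser wiring; returns null when there is no DOM (e.g. under Node).
function installWatermark(investor) {
  if (typeof document === "undefined") return null;
  const el = document.createElement("div");
  el.setAttribute("style", watermarkCss(investor));
  document.body.appendChild(el);
  return el;
}

// Constructed sample record (not a real person); the name deliberately carries markup.
const sampleInvestor = {
  name: "Jane <script>alert(1)</script>",
  email: "jane@example.com",
  ip: "203.0.113.7",
};

console.log(watermarkTile(sampleInvestor));
```

`pointer-events:none` is what lets the overlay sit above the Drive iframe without blocking scrolling or clicks in it; because the watermark is a background image rather than text nodes, it is not selectable and does not appear in copied text.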
Activity log captures all actions
The right-side activity panel should log: section navigation, deck slide views, breach attempts (screenshot, copy, devtools), tab switches, idle warnings, and session events.
How to verify: Click through sections, try to copy text, press F12 — confirm each event appears in the activity log with a timestamp.
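The breach-attempt categories the panel logs (screenshot, copy, devtools, print, save, select-all) all originate as keydown events, so a single classifier can feed the log. The following is an added example, not the vault's own code: it classifies a keydown by `KeyboardEvent.code` (which, unlike `key`, is not changed by Shift or Option), appends a timestamped entry, and wires the window blur event as the "tab switch / focus lost" record. The event objects in the checks are constructed plain objects with the same fields a browser KeyboardEvent carries; the log entry shape is an assumption. Per this page's Critical note, these entries are evidence of an attempt, not enforcement.

```javascript
// Added example: keydown -> breach-attempt category -> timestamped activity log entry.
// Uses e.code (physical key) so Cmd+Shift+3 and Cmd+Option+I classify correctly
// on macOS, where e.key would be "#" and a dead key respectively.
function classifyKeydown(e) {
  const mod = e.metaKey || e.ctrlKey;                 // Cmd on macOS, Ctrl elsewhere
  const code = e.code || "";
  if (code === "PrintScreen") return "screenshot";
  if (e.metaKey && e.shiftKey && /^Digit[345]$/.test(code)) return "screenshot"; // Cmd+Shift+3/4/5
  if (code === "F12") return "devtools";
  if (e.metaKey && e.altKey && code === "KeyI") return "devtools";              // Cmd+Option+I
  if (mod && e.shiftKey && code === "KeyI") return "devtools";                   // Ctrl/Cmd+Shift+I
  if (!mod) return null;
  switch (code) {
    case "KeyP": return "print";
    case "KeyS": return "save";
    case "KeyC": return "copy";
    case "KeyA": return "select-all";
    default: return null;
  }
}

// Every entry carries an ISO-8601 UTC timestamp; `now` is injectable for tests.
function recordEvent(log, type, detail, now = Date.now()) {
  const entry = { t: new Date(now).toISOString(), type, detail };
  log.push(entry);
  return entry;
}

// Returns the logged entry, or null when the key is not one we care about.
function handleKeydown(log, e, now = Date.now()) {
  const kind = classifyKeydown(e);
  if (!kind) return null;
  if (typeof e.preventDefault === "function") e.preventDefault();
  return recordEvent(log, "breach-attempt", kind, now);
}

// Browser wiring; a no-op without a DOM. Capture phase so the listener runs
// before any handler inside the page.
function installKeyGuard(log) {
  if (typeof document === "undefined") return;
  document.addEventListener("keydown", e => handleKeydown(log, e), true);
  window.addEventListener("blur", () => recordEvent(log, "focus-lost", "window blur"));
  document.addEventListener("visibilitychange", () => {
    if (document.hidden) recordEvent(log, "tab-switch", "document hidden");
  });
}

const activityLog = [];
installKeyGuard(activityLog);
```

Render `activityLog` into the right-side panel and, once the server-side roadmap below is in place, post each entry as it is recorded rather than on session end: an investor who closes the tab after a screenshot attempt should still leave the attempt in the audit trail.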

Legal & Compliance

NCNDA reviewed by counsel LEGAL
The electronic NCNDA presented at Step 3 should be reviewed by Florida securities counsel to ensure: liquidated damages clause enforceability, DTSA whistleblower notice presence, and §542.335 compliance.
Signed NCNDA audit trail retention
Every executed NCNDA (including the signature image, timestamp, IP, fingerprint, and full NCNDA text version) must be exported and archived in a tamper-evident storage system for at least 7 years.
Export path: After each approval and signing, export the session record from admin-approvals.html → Export CSV. Keep encrypted backups.

🔐 Server-side hardening roadmap

The current vault is a static deployment. For production-grade enforcement, migrate to a backend implementation: