Top secret: document security is more than just a watermark

By Michael Biwald on 10. August 2018


The “top secret” label sounds like something out of an old James Bond film – confidential documents with the label stamped on them in big red letters and stored in a cast-iron safe. Today’s confidential documents are more likely to be stored on a server than in a steel cabinet. They might have a note on them indicating that they’re classified as confidential – but it’s difficult to prevent them from being forwarded by electronic means.
As soon as a document leaves a protected environment, companies can no longer control how it’s shared or stored and who has access to it. That’s why they would be well advised to only work on sensitive documents within a secure dataroom. This has a range of protection options that can be freely combined with each other and enable comprehensive document security that goes way beyond a cast-iron safe.
Brainloop CollaborationRoom is the secret weapon companies can use against would-be data thieves, as it offers multiple levels of protection for confidential documents. This protection isn’t limited to technical security – it also includes the following document-specific security settings.


Confidential documents are stored on the server with 256-bit encryption and protected against unauthorised access – blocking IT system operators and even company-internal IT administrators. All the data transmission between client and server is also secured with 256-bit encryption.

Access protection

Users can only access information in the dataroom once they have logged in with two-factor authentication – their user name and password, plus either a single-use PIN code sent to them by SMS or a time-based one-time password (TOTP). This is the only way for them to access the dataroom.

Information Rights Management

Information Rights Management technologies control usage permissions for encrypted documents. Companies can use them to define individual permissions for certain actions on a document, such as viewing, editing, printing, copying content etc. for a specific group of users. Documents can also be provided to users as write-protected PDFs. The relevant user receives a personal, encrypted copy of the document, which can’t be opened by anyone else and is blocked once the validity period expires – just like James Bond and the famous “this message will self-destruct”. With Brainloop, Adobe LiveCycle Management is included as standard. And Microsoft IRM can be integrated with the solution if it is being operated in the company’s own data centre.


As soon as the content of a document is changed, the automatic versioning function kicks in. Every upload and every change to the current document version is immediately saved as a new version. Users can still access the older versions and their history but can no longer modify them.


Back to Goldfinger! A fingerprint is a clear indicator of the content in a particular document version by verifying the integrity of the data in the document. The fingerprint is based on a technical hash value and analyses the file content in the background using a cyclic redundancy check (CRC) algorithm. This is an important confirmation of file integrity and protection against manipulation.

Document ID

The Brainmark ID works in a similar way to the fingerprint, but unlike the fingerprint it is visible in the document. The original document is converted automatically to a protected PDF – the Brainmark format. It has a unique identifier in the form of a randomly-generated, 10-digit Brainmark ID. This ensures that every document version has its own distinctive ID.


Companies can also use a dynamically-generated watermark to ensure extra protection against unauthorised document forwarding. For example, they can have the user’s name and a time stamp embedded into every page of the document. They can also configure the content and layout of the embedded watermark.

Audit trail

All activities in the dataroom are logged in a tamper-proof audit trail and time-stamped, ensuring later traceability. The activities logged as standard include configuration changes as well as document uploads and modifications.


This combines the automatic versioning, fingerprint, IRM and ID functions and adapted to every new update. All these functions run automatically – the user doesn’t need to make a single click. For complete inviolability, the document can also be put into “deep freeze” mode. This blocks any further changes to the document, its content and its properties.

Time-limited access

Access for specific users can be limited in time, and the same goes for the validity period of the document links sent out to users. This enables companies to reduce the group of users benefiting from access to content and restrict it to key users only.

Security categories

Freely configurable security categories enable companies to automatically add a set of protection mechanisms to confidential documents and folder structures. All the user needs to do is select a security category, such as “strictly confidential”, and all the selected protection mechanisms are applied automatically.

Collaboration, Brainloop

This could also be of interest:

On cloud 9? How we see data storage today

On cloud 9? How we see data storage today

Read more
The key ingredients in secure collaboration software

The key ingredients in secure collaboration software

Read more
What happens when an internal audit uncovers explosive information

What happens when an internal audit uncovers explosive information

Read more
Family office: efficient and secure wealth management

Family office: efficient and secure wealth management

Read more