Series A funding is a crucial time for any startup. While typically the business has developed an established user base and consistent revenue, bringing it to the next level often requires significant investment. Investors want to know that the business is trustworthy and has a strong strategy for growth – which is why you mustn’t give the wrong idea with lax document security.
The Series A process produces large volumes of documentation: term sheets, stock investment agreements, suitability questionnaires, IRAs, written consent forms, and more. A leak of many of these documents at this crucial stage would likely undermine investor trust significantly and reduce the chance of investment from other parties in the future.
Unfortunately, controlling who can access these documents is a real challenge. It’s not possible to simply keep them inside your business’s internal network, as many have to be shared with investors and legal teams, employees may be working from home, and board members need to sign documents. At each link in the communication chain, unprotected documents have a chance of leaking – so what can businesses do to protect them?
Digital Signature Solutions
Due to the volume of documents being exchanged between different parties, businesses may be tempted to pay for a secure digital signature solution. The idea behind digital signatures is as follows: using a public key infrastructure, one unique individual is linked cryptographically to another. When it works, this allows the recipient to verify that the data they receive has not been altered and that the person who sent it can be positively identified.
However, it’s important to understand that digitally signing a document does not prevent it from being copied or its information from being extracted. It also doesn’t stop a sender from editing the document and re-presenting it in an unsigned form. As a result, digital signature solutions don’t really stop unauthorized sharing – they just help to make sure the document that is sent is the same as the one that is received.
However, even these authenticity checks aren’t perfect. In some cases, the current status of the digital signature owner isn’t checked (such as when they’re offline), so the result may not always be accurate. Further, weaknesses in some digital signature validation algorithms can allow digitally signed PDFs to be tampered with without the change being reported. This is especially true when a browser-based solution is involved, as online PDF solutions typically enforce controls via JavaScript, which can be tampered with. It’s also possible to create forged identities and digital signatures that look legitimate when they aren’t.
This makes researching your secure signing solution before you buy it very important. Unfortunately, though, no matter which you pick, your protection will be limited and – due to the significant overhead required to manage PKI keys – likely expensive.
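The limits described in this section, as an added Go example (not part of the original article or of any signing product): a detached Ed25519 signature lets the recipient detect an edit, but the content stays readable without any key, and a copy with the signature stripped is simply unsigned. `SignedDoc`, `NewSigner`, `Sign`, `Check` and `Accept` are hypothetical names, and the document text is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedDoc (constructed sample type): content in the clear plus a detached signature.
type SignedDoc struct {
	Content   []byte
	Signature []byte // empty when the document is presented unsigned
}

const Valid, Tampered, Unsigned = "valid", "tampered", "unsigned"

// NewSigner generates a signer key pair (hypothetical helper).
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func Sign(priv ed25519.PrivateKey, c []byte) SignedDoc { return SignedDoc{Content: c, Signature: ed25519.Sign(priv, c)} }

// Check reports what a recipient holding the signer's public key can conclude.
func Check(pub ed25519.PublicKey, d SignedDoc) string {
	if len(d.Signature) == 0 {
		return Unsigned // nothing to verify: no proof of origin or integrity
	}
	if !ed25519.Verify(pub, d.Content, d.Signature) {
		return Tampered // signature present but does not match the content
	}
	return Valid
}

// Accept is the recipient policy: only a valid signature passes; unsigned copies are rejected.
func Accept(pub ed25519.PublicKey, d SignedDoc) bool { return Check(pub, d) == Valid }

func main() {
	pub, priv := NewSigner()
	doc := Sign(priv, []byte("Term sheet v1 (constructed sample)"))
	edited := SignedDoc{Content: []byte("Term sheet v2 (edited)"), Signature: doc.Signature}
	stripped := SignedDoc{Content: edited.Content}
	fmt.Println(Check(pub, doc), Check(pub, edited), Check(pub, stripped), Accept(pub, stripped))
	fmt.Printf("readable with no key at all: %s\n", doc.Content)
}
```

The signature only helps if the recipient's process rejects unsigned copies, as `Accept` does here; a workflow that treats a missing signature as "nothing to check" gets no protection from it.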
Secure Deal Rooms
A second solution many startups fall for is the “secure deal room”, also known as a secure data room. You upload your documents to a secure cloud server where other users can log in, see, and interact with them.
We’ll keep this short – despite their naming, they aren’t particularly adept at keeping your documents private. They have a myriad of fundamental flaws such as:
- Any user can share their login details and two-factor authentication key (if used) with another
- Multiple users can often log in at the same time
- Users can take high-quality screenshots of any document
- Their browser-based nature opens them to exploitation via developer tools or plugins
- If printing is allowed, users can simply print to an unprotected PDF file and share it as many times as they like
As a result, it’s not recommended to use secure deal rooms for Series A funding unless you know their flaws and have a way to account for them.
Document DRM
Document DRM takes a different approach to digital signing. Instead of using digital signatures, which are complex and expensive, it uses a combination of transparent key management using a licensing system and secure viewer applications.
When the sender finishes a document, they encrypt it in such a way that it can only be opened by someone with the secure viewer application and a license file registered to their device that grants them access to that specific document via decryption keys.
As their specific license file can only be registered to one device at once and the decryption keys cannot be extracted from the system, there’s no way to share the license with others.
On top of this, document DRM allows the sender to choose from a wide range of controls during the protection process that are designed to prevent other forms of sharing. These can include:
- Anti screen grabbing, editing, and copying controls
- Restrict opening to specific devices and locations
- Document expiry after a certain number of prints, views, or days
- Printing prevention or limiting of prints to a certain number
- Instant document revocation for all or select users
- Dynamic watermarks (including date, time, company name, and email address)
- Tracking of document views, prints, devices, and operating systems
Due to the use of a secure viewer application rather than the browser, these controls can be enforced modularly and effectively, and cannot be bypassed. This makes them a worthwhile purchase for most startups going through Series A funding, particularly for final documents that either need to be printed and signed or shared with outside parties.