Protection and Rights Management
Security That Travels. Protection That Persists.Microsoft Purview DRM encrypts every file with rights - view, edit, print, forward - that are enforced wherever the file travels. Dynamic watermarks carry the viewer's identity on every page. AI-assisted redaction removes what shouldn't be shared before it leaves the room. Your protection boundary extends past the download button, past the email forward, past the device handoff.
Request a DemoEVERY ACTION TRACKED. EVERY PROOF PRESERVED. ZERO COMPLIANCE GAPS.
- Purview-Native Digital Rights Management: Encryption with granular rights (view-only, no-print, no-forward, no-download) enforced across all devices - offline or online - ensuring protection travels with the file
- Dynamic Watermarking & Identity Tracking: Viewer's identity and timestamp automatically watermarked on every page - visible to readers, creating accountability and preventing anonymous sharing or unauthorized redistribution
- AI-Assisted Sensitive Data Redaction: Automatically detect and redact confidential content (SSN, credit card, PII) before documents leave your organization - preventing accidental exposure of sensitive information
Security and IT teams at Glycos, Quifa, Enery, and Taysha Gene Therapies trust Govern 365 to keep sensitive content protected
What is Protection and Rights Management?
Protect your organization’s sensitive information and maintain control over how content is used – across devices, applications, and sharing boundaries. Our comprehensive protection and rights management solution ensures that only authorized users can access, view, edit, or share your most valuable data. Built to support modern hybrid work environments, it seamlessly integrates with your existing tools and workflows, providing persistent security that travels with your content, no matter where it goes.
Why It Matters
Puts sensitive IP, financial records, and customer information at immediate risk of exposure or theft.
Expose your organization to regulatory penalties and a permanent, devastating loss of market trust.
Threats go undetected when you lack visibility into how sensitive content is being accessed and shared.
What’s inside Protection and Rights Management
Three layers of protection that work together – one encrypts, one marks, one removes.
DRM – Microsoft Purview Rights on Every File
When a file is published to the room, Microsoft Purview applies a sensitivity label that encrypts it at rest and in transit. The label carries a rights policy – view, edit, print, forward – that’s enforced wherever the file travels. If a bidder downloads a file and emails it to someone outside the policy, it won’t open. If a user leaves the deal, every copy they downloaded stops working within minutes. Your protection boundary becomes the rights policy, not the download button.
- Native Office (Word, Excel, PowerPoint) and PDF support via Microsoft Purview
- Rights enforced in Office desktop, Office for web, and Adobe Acrobat
- Policies defined once in Purview, applied automatically based on room or folder classification
- Remote revocation takes effect within minutes across all distributed copies
- Offline enforcement – files refuse to open if rights have expired, even without network access
Dynamic Watermarking – Who, When, from Where
Every page a user views is overlaid with their identity, timestamp, and IP address at render time. No pre-stamped copies sit on disk – the watermark is bound to the viewer, so a leaked screenshot traces back to exactly one person on exactly one session. When DRM prevents the file from being shared, watermarks prevent the content from being photographed or screenshotted anonymously. The two work together.
- Overlays are configurable: user email, timestamp, IP, room name, document classification, custom fields
- Rendered at view time – no impact on the original file
- Works in the native Microsoft 365 viewer and the Vault portal
- Different watermark policies per folder, per classification, or per user group
- Forensic traceability – even a cropped screenshot typically leaves enough watermark to identify the source
AI-assisted Redaction – Remove What Shouldn’t be Shared
An AI model scans every document for names, emails, account numbers, routing information, and other sensitive entities – then proposes redactions for a human reviewer to approve or reject. The analysis happens inside your Microsoft 365 tenant; documents never go to a third-party AI service. The redacted version publishes alongside the original with full audit evidence of what was removed, by whom, and under which review.
- Detects PII, account and routing numbers, email addresses, and custom entity types you define
- Reviewer workflow with approve/reject per suggestion
- Original document preserved; redacted version published alongside
- Full audit trail captures redaction decisions and reviewer identity
- No third-party AI services – analysis stays inside your Microsoft 365 tenant
Backed by Microsoft Purview
Protection in Govern 365 is Microsoft Purview DRM — not a proprietary rights system. If your Microsoft 365 tenant already has Purview sensitivity labels configured, Govern 365 inherits them the moment you install. Your compliance team’s existing DLP rules apply to VDR content automatically. When Microsoft ships an Office update, DRM keeps working because it’s the same DRM layer Office was always going to use. Legacy VDR DRM systems ship their own encryption and routinely break when Microsoft updates their apps — Purview-native DRM is maintained by Microsoft and validated across millions of tenants.
- Sensitivity labels defined in Purview apply to VDR content automatically
- DLP rules, retention policies, and eDiscovery extend into VDR rooms Rights enforcement works across Office, Adobe, and Microsoft 365 ecosystem apps
- Updates roll out with Microsoft — no vendor-side compatibility gaps
Frequently Asked Questions
Encryption locks the content of a file so only someone with the key can read it. DRM — Digital Rights Management — goes further. It binds a rights policy to the file (view, edit, print, forward) that’s enforced wherever the file travels, even after download. Encryption protects what’s in the file; DRM controls what someone can do with the file. Govern 365 uses Microsoft Purview DRM, which is enforced natively by Office apps, Office for web, and Adobe Acrobat.
The watermark is rendered at view time rather than stamped onto the file, so there’s no “original without watermark” for a bidder to retrieve. Screenshots can be cropped, but the watermark carries the viewer’s identity, timestamp, and IP — even a cropped screenshot typically leaves enough of the watermark to trace the leak back to a specific person on a specific session. Against a determined attacker with time, nothing is unbreakable. Against casual leak scenarios, watermarks are a strong deterrent and a forensic trail.
No. The AI model runs inside your Microsoft 365 tenant — documents never leave your environment. This is a deliberate architectural decision for regulated industries where sending content to an external AI service would violate compliance policy. Detection accuracy for common entity types (names, emails, account numbers) typically exceeds 95%, with a reviewer workflow for edge cases and custom entity types.
Microsoft Purview DRM covers Office files (Word, Excel, PowerPoint) and PDFs. Rights are enforced natively in Office desktop, Office for web, and Adobe Acrobat. Other file types (images, CAD files, archives) can be protected inside the room through access control and watermarking, but don’t carry post-download rights enforcement.
If the file has a valid rights policy and the bidder is still authorized, the file opens offline normally — DRM supports offline use. If the bidder’s rights have been revoked or the policy has expired, the file refuses to open even without network access because the enforcement check happens locally. Attempted access by a revoked user is captured and reported once the device reconnects.
Yes. This is one of the core capabilities of Microsoft Purview DRM — rights policies can be changed after distribution, and the changes propagate to all downloaded copies within minutes. If a bidder drops out of a deal, their entire downloaded file set stops working without you needing to chase devices. The revocation is logged in the audit trail as evidence for post-deal review.
Yes. The default watermark includes user email, timestamp, and IP address, but any of these can be turned off or replaced with custom fields — room name, document classification, deal code, or arbitrary text. Different watermark policies can apply to different folders within the same room. For very high-sensitivity content, consider enabling the full forensic overlay (user + time + IP + room name) as a deterrent against copy-and-paste leaks.
No. Govern 365 uses Microsoft Purview DRM, which is the same DRM layer Microsoft ships and maintains across every Office update. There’s no vendor-side compatibility gap. This is a common failure mode with legacy VDR DRM systems that ship their own encryption layer — they regularly break when Microsoft updates Office, and customers wait weeks for a vendor patch. Purview-native DRM avoids the problem entirely.
Microsoft Purview DRM works across Windows, macOS, iOS, Android, and browsers wherever Office apps run. Rights enforcement is device-agnostic. A file opened on an iPhone respects the same rights policy as the same file opened on a Windows laptop. Dynamic watermarks render on any device the Secure Preview viewer supports, which includes all modern browsers.
DRM (Office and PDF) and dynamic watermarking are included in every edition, starting with Founder Edition at $2,400/year. AI-assisted redaction availability scales with edition — check the current pricing page for details.
Insights | Testimonial
Insights | Blog
