Knowledge & files

Document Vault

A classified, versioned, governed file store with signatures, retention, and entity links.

Updated 2026-06-2313 sections9 min readFor the marketing team

1In one sentence#

The Document module is LumosCRM's secure, governed document vault — a single, classified, version-controlled home for every file the agency holds, with military-grade classification levels, encrypted storage, signature workflows, controlled sharing, retention policies, GDPR erasure, and a permanent audit trail — and it links each document to the clients, requests, invoices, events, or vendors it belongs to.

Other modules don't store files in isolation; they promote files into this vault, so everything sensitive lives in one place with one set of rules.

2Who it's for#

RoleWhat they get
All staffOne place to find, upload, and share the documents tied to their work.
Compliance & legalClassification, retention policies, GDPR erasure, and a complete audit trail.
Relationship managersEvery document for a client or deal, linked and findable.
Anyone handling signaturesA workflow to request, track, and record signatures on a document.
Vault administratorsCategories, retention rules, and a compliance overview across the whole vault.

3The core idea: classified, governed, linked#

Every file becomes a governed Document with a classification, a lifecycle, encrypted storage, and links to the records it relates to:

                         ┌────────────────────────────────┐
                         │           DOCUMENT              │
                         │  title · category · CLASSIFICATION│
                         │  version · status · retention   │
                         │  encrypted storage (per class)   │
                         └────────────────┬───────────────┘
                                          │
   ┌──────────┬──────────┬──────────┬─────┴──────┬──────────┬──────────┐
   │          │          │          │            │          │          │
 Versions  Ownership  Signatures  Shares      Comments    Tags      Audit
 (chain,   links       (request,   (controlled (notes)    (labels)   trail
  supersede)(client,    sign,       access)
            request,    decline,
            invoice,    remind)
            event,
            vendor)

The two ideas that set it apart: classification drives security (more sensitive = stronger storage encryption and tighter access), and ownership links connect a document to everything it relates to across the CRM.

4Capabilities at a glance#

CapabilityWhat it means for the user
Central vaultEvery file in one governed place, browsable and searchable.
Classification levelsFive tiers from public to top-secret, driving storage and access.
Encrypted storageFiles stored encrypted, with stronger key management for higher classifications.
VersioningUpload new versions; older ones are superseded, not lost.
Ownership linksTie a document to clients, requests, invoices, events, or vendors.
SignaturesRequest a signature and track it through to signed/declined, with reminders.
Controlled sharingShare a document with controlled, revocable access.
Access controlsPer-document flags for client visibility, watermarking, download, and print.
Retention policiesDefine retention rules; documents carry a "retain until" date.
GDPR erasureRequest and record erasure for compliance.
CategoriesOrganize documents by category (including KYC).
Tags & commentsLabel and annotate documents.
Compliance overviewA vault-wide compliance view for administrators.
Audit trailA permanent record of every action on every document.

5Classification — the heart of the vault#

Every document is stamped with a classification level, and the level isn't cosmetic — it governs how the file is stored and who can reach it:

LevelTypical use
PublicFreely shareable material.
InternalDay-to-day internal files.
ConfidentialSensitive client or commercial information.
RestrictedHighly sensitive — tight access.
Top secretThe most sensitive material the agency holds.

Higher classifications get stronger storage protection (encrypted storage with dedicated key management), and access is gated accordingly. Combined with per-document flags — client-visible, requires-watermark, download-allowed, print-allowed — this gives precise control over who can see, download, or print each file.

Note for marketing: classification levels and the storage tiers behind them are fixed security policy; categories are configurable.

6Document lifecycle#

A document moves through a clear set of states: active → archived / expired, and for signature work pending signature → signed / rejected, with erased as the GDPR end-state. Each document also records where it came from — staff upload, client portal, API, email ingestion, vendor submission, or system-generated — its file fingerprint (a SHA-256 hash), size, type, and page count, and validity/expiry dates.

7Screen-by-screen walkthrough#

7.1Browsing the vault (index)#

A filterable, searchable list. Filter by category, classification, and the entity a document is linked to (e.g. "all documents for this client"); search by title. Each row shows the document with its classification badge, category, status, and version. An upload action sits in the header.

7.2Uploading & editing#

An upload form captures the file plus its metadata — title, description, category, and classification — along with access flags (client-visible, sensitive, watermark, download/print) and a GDPR lawful basis. Editing updates the metadata; the file itself is replaced by uploading a new version (see below).

7.3The document detail page#

A header with the title, classification, status, and key actions — download, reclassify, request erasure, supersede (new version), and share. Tabbed/sectioned content covers:

SectionWhat's on it
Overview / metadataTitle, description, category, classification, dates, file details.
VersionsThe full version chain, with the ability to upload a new version.
Linked records (ownership)The clients, requests, invoices, events, and vendors this document belongs to.
SignaturesSignature requests and their status.
SharesActive shares, with the ability to revoke.
CommentsNotes on the document.
TagsLabels for organization.
AuditThe permanent change history.

7.4Administration#

  • Categories organize the vault.
  • Retention rules define how long classes of document are kept — and, by design, rules are never deleted, only retired (so policy history is preserved) and their scope is immutable once set.
  • A compliance overview gives administrators a vault-wide view of classification, retention, and signature status.

8Feature deep-dives#

8.1Versioning#

Upload a new version of any document and it joins the document's version chain — the previous version is superseded (marked, not deleted), so you always have the latest while keeping the full history. Every document tracks its version number and the chain it belongs to.

A document can be linked to multiple records across the CRM via polymorphic ownership entries — a contract linked to both a client and a request, an invoice PDF linked to its invoice, a passport linked to a client's KYC. This is how files captured anywhere (a request attachment, an event document) promote into the vault while staying connected to where they came from. Links can be added and removed.

8.3Signatures — request, track, complete#

For documents that need signing, staff can create a signature request and then track it through the ceremony — mark signed, mark declined, and send reminders — with the document's signature status reflecting where things stand (pending → signed/rejected).

Honesty note for marketing: this is an in-platform signature workflow — it manages and records the signature process and status within LumosCRM. It is the framework for signatures rather than a third-party cryptographic e-signature integration (e.g. DocuSign-style); describe it as "signature request & tracking," not "qualified e-signature," unless a specific signing integration is confirmed.

8.4Controlled sharing#

Share a document with controlled, revocable access rather than emailing a copy around — and pull the access back at any time with a revoke.

8.5Retention & GDPR#

Each document can be governed by a retention rule and carries a retain-until date. For privacy compliance, a document can be put through GDPR erasure (requested and recorded, with the erasing user and time captured) — giving the agency a defensible answer to data-subject erasure requests.

8.6KYC documents#

Identity and KYC documents (e.g. passports captured during client onboarding) live in the vault under a dedicated KYC category, keeping due-diligence evidence governed alongside everything else.

9Security & access control#

  • Classification-driven security: higher classifications get stronger encrypted storage and tighter access.
  • Encrypted at rest: storage references and notes are encrypted; files are stored on non-public, encrypted storage.
  • Granular permissions: documents.record.view / create / update / delete, plus a dedicated documents.record.share for sharing. Retention-rule and signature management sit behind vault-admin-level write access.
  • Per-user record scoping (self-scoping): self-scoped staff see only the documents they own; broader roles see more, always bounded by classification.
  • Per-document controls: client-visibility, watermarking, and download/print toggles.
  • Audit & retention: permanent audit trail, retention policies, and GDPR erasure.

10Search & integration#

  • Global search (⌘K) and entity pickers surface documents across the CRM.
  • The promote-to-vault pattern: Clients (KYC), Requests, Invoices, Events, and Vendors can all promote a file into the vault, which then links back to the originating record — so the vault is the single source of truth for files, and each module shows the documents that belong to it.

11Use cases & scenarios#

Use case A — Governed contract handling#

A signed villa contract is uploaded as Confidential, linked to both the client and the request it relates to. It's stored encrypted, watermarked, and download-restricted. Anyone with access finds it from either record.

Use case B — Getting a document signed#

An NDA is uploaded with requires-signature. Staff create a signature request, send a reminder when it's outstanding, and mark it signed when done — the document flips to signed and the audit trail records the whole ceremony.

Use case C — Keeping the latest, never losing the old#

A proposal goes through three revisions. Each is uploaded as a new version; the chain keeps every one, with the current at the top — no "final_v3_FINAL.pdf" confusion.

Use case D — Answering a GDPR request#

A former client requests erasure. Compliance runs the document through GDPR erasure, which records who erased it and when, and applies the retention policy — a clean, auditable response.

Use case E — Vault-wide compliance check#

An administrator opens the compliance overview to confirm no Confidential documents are past their retention date and all pending signatures are accounted for.

12Permissions reference (simplified)#

AreaPermission
View / browse / download / compliance viewdocuments.record.view
Uploaddocuments.record.create
Edit, reclassify, supersede, request erasure, versions, tags, signatures, ownership links, commentsdocuments.record.update
Deletedocuments.record.delete
Share / revoke sharedocuments.record.share
Retention rules (create/update — never delete)documents.record.update (vault-admin level)

Roles are assembled from these permissions in the RBAC module. Access is always additionally bounded by document classification.

13Glossary#

TermMeaning
ClassificationA document's sensitivity tier (public → top-secret) that drives storage and access.
Version chainThe linked history of a document's versions; new versions supersede old ones.
Ownership linkA connection from a document to a client, request, invoice, event, or vendor.
Promote to vaultMove a file from another module into the governed Document Vault.
Signature requestAn in-platform request to sign a document, tracked to signed/declined.
Retention ruleA policy for how long a class of documents is kept (never deleted, only retired).
GDPR erasureRecorded deletion of a document to satisfy a privacy request.
Self-scopingThe rule limiting a user to the documents they own (within classification limits).

This document describes the Document module as currently built. Categories are configurable; classification levels and their storage tiers are fixed security policy. The signature capability is an in-platform request-and-tracking workflow — confirm any external e-signature integration before describing it as such.