1In one sentence#
The Document module is LumosCRM's secure, governed document vault — a single, classified, version-controlled home for every file the agency holds, with military-grade classification levels, encrypted storage, signature workflows, controlled sharing, retention policies, GDPR erasure, and a permanent audit trail — and it links each document to the clients, requests, invoices, events, or vendors it belongs to.
Other modules don't store files in isolation; they promote files into this vault, so everything sensitive lives in one place with one set of rules.
2Who it's for#
| Role | What they get |
|---|---|
| All staff | One place to find, upload, and share the documents tied to their work. |
| Compliance & legal | Classification, retention policies, GDPR erasure, and a complete audit trail. |
| Relationship managers | Every document for a client or deal, linked and findable. |
| Anyone handling signatures | A workflow to request, track, and record signatures on a document. |
| Vault administrators | Categories, retention rules, and a compliance overview across the whole vault. |
3The core idea: classified, governed, linked#
Every file becomes a governed Document with a classification, a lifecycle, encrypted storage, and links to the records it relates to:
┌────────────────────────────────┐
│ DOCUMENT │
│ title · category · CLASSIFICATION│
│ version · status · retention │
│ encrypted storage (per class) │
└────────────────┬───────────────┘
│
┌──────────┬──────────┬──────────┬─────┴──────┬──────────┬──────────┐
│ │ │ │ │ │ │
Versions Ownership Signatures Shares Comments Tags Audit
(chain, links (request, (controlled (notes) (labels) trail
supersede)(client, sign, access)
request, decline,
invoice, remind)
event,
vendor)
The two ideas that set it apart: classification drives security (more sensitive = stronger storage encryption and tighter access), and ownership links connect a document to everything it relates to across the CRM.
4Capabilities at a glance#
| Capability | What it means for the user |
|---|---|
| Central vault | Every file in one governed place, browsable and searchable. |
| Classification levels | Five tiers from public to top-secret, driving storage and access. |
| Encrypted storage | Files stored encrypted, with stronger key management for higher classifications. |
| Versioning | Upload new versions; older ones are superseded, not lost. |
| Ownership links | Tie a document to clients, requests, invoices, events, or vendors. |
| Signatures | Request a signature and track it through to signed/declined, with reminders. |
| Controlled sharing | Share a document with controlled, revocable access. |
| Access controls | Per-document flags for client visibility, watermarking, download, and print. |
| Retention policies | Define retention rules; documents carry a "retain until" date. |
| GDPR erasure | Request and record erasure for compliance. |
| Categories | Organize documents by category (including KYC). |
| Tags & comments | Label and annotate documents. |
| Compliance overview | A vault-wide compliance view for administrators. |
| Audit trail | A permanent record of every action on every document. |
5Classification — the heart of the vault#
Every document is stamped with a classification level, and the level isn't cosmetic — it governs how the file is stored and who can reach it:
| Level | Typical use |
|---|---|
| Public | Freely shareable material. |
| Internal | Day-to-day internal files. |
| Confidential | Sensitive client or commercial information. |
| Restricted | Highly sensitive — tight access. |
| Top secret | The most sensitive material the agency holds. |
Higher classifications get stronger storage protection (encrypted storage with dedicated key management), and access is gated accordingly. Combined with per-document flags — client-visible, requires-watermark, download-allowed, print-allowed — this gives precise control over who can see, download, or print each file.
Note for marketing: classification levels and the storage tiers behind them are fixed security policy; categories are configurable.
6Document lifecycle#
A document moves through a clear set of states: active → archived / expired, and for signature work pending signature → signed / rejected, with erased as the GDPR end-state. Each document also records where it came from — staff upload, client portal, API, email ingestion, vendor submission, or system-generated — its file fingerprint (a SHA-256 hash), size, type, and page count, and validity/expiry dates.
7Screen-by-screen walkthrough#
7.1Browsing the vault (index)#
A filterable, searchable list. Filter by category, classification, and the entity a document is linked to (e.g. "all documents for this client"); search by title. Each row shows the document with its classification badge, category, status, and version. An upload action sits in the header.
7.2Uploading & editing#
An upload form captures the file plus its metadata — title, description, category, and classification — along with access flags (client-visible, sensitive, watermark, download/print) and a GDPR lawful basis. Editing updates the metadata; the file itself is replaced by uploading a new version (see below).
7.3The document detail page#
A header with the title, classification, status, and key actions — download, reclassify, request erasure, supersede (new version), and share. Tabbed/sectioned content covers:
| Section | What's on it |
|---|---|
| Overview / metadata | Title, description, category, classification, dates, file details. |
| Versions | The full version chain, with the ability to upload a new version. |
| Linked records (ownership) | The clients, requests, invoices, events, and vendors this document belongs to. |
| Signatures | Signature requests and their status. |
| Shares | Active shares, with the ability to revoke. |
| Comments | Notes on the document. |
| Tags | Labels for organization. |
| Audit | The permanent change history. |
7.4Administration#
- Categories organize the vault.
- Retention rules define how long classes of document are kept — and, by design, rules are never deleted, only retired (so policy history is preserved) and their scope is immutable once set.
- A compliance overview gives administrators a vault-wide view of classification, retention, and signature status.
8Feature deep-dives#
8.1Versioning#
Upload a new version of any document and it joins the document's version chain — the previous version is superseded (marked, not deleted), so you always have the latest while keeping the full history. Every document tracks its version number and the chain it belongs to.
8.2Ownership links — the connective tissue#
A document can be linked to multiple records across the CRM via polymorphic ownership entries — a contract linked to both a client and a request, an invoice PDF linked to its invoice, a passport linked to a client's KYC. This is how files captured anywhere (a request attachment, an event document) promote into the vault while staying connected to where they came from. Links can be added and removed.
8.3Signatures — request, track, complete#
For documents that need signing, staff can create a signature request and then track it through the ceremony — mark signed, mark declined, and send reminders — with the document's signature status reflecting where things stand (pending → signed/rejected).
Honesty note for marketing: this is an in-platform signature workflow — it manages and records the signature process and status within LumosCRM. It is the framework for signatures rather than a third-party cryptographic e-signature integration (e.g. DocuSign-style); describe it as "signature request & tracking," not "qualified e-signature," unless a specific signing integration is confirmed.
8.4Controlled sharing#
Share a document with controlled, revocable access rather than emailing a copy around — and pull the access back at any time with a revoke.
8.5Retention & GDPR#
Each document can be governed by a retention rule and carries a retain-until date. For privacy compliance, a document can be put through GDPR erasure (requested and recorded, with the erasing user and time captured) — giving the agency a defensible answer to data-subject erasure requests.
8.6KYC documents#
Identity and KYC documents (e.g. passports captured during client onboarding) live in the vault under a dedicated KYC category, keeping due-diligence evidence governed alongside everything else.
9Security & access control#
- Classification-driven security: higher classifications get stronger encrypted storage and tighter access.
- Encrypted at rest: storage references and notes are encrypted; files are stored on non-public, encrypted storage.
- Granular permissions:
documents.record.view / create / update / delete, plus a dedicateddocuments.record.sharefor sharing. Retention-rule and signature management sit behind vault-admin-level write access. - Per-user record scoping (self-scoping): self-scoped staff see only the documents they own; broader roles see more, always bounded by classification.
- Per-document controls: client-visibility, watermarking, and download/print toggles.
- Audit & retention: permanent audit trail, retention policies, and GDPR erasure.
10Search & integration#
- Global search (⌘K) and entity pickers surface documents across the CRM.
- The promote-to-vault pattern: Clients (KYC), Requests, Invoices, Events, and Vendors can all promote a file into the vault, which then links back to the originating record — so the vault is the single source of truth for files, and each module shows the documents that belong to it.
11Use cases & scenarios#
Use case A — Governed contract handling#
A signed villa contract is uploaded as Confidential, linked to both the client and the request it relates to. It's stored encrypted, watermarked, and download-restricted. Anyone with access finds it from either record.
Use case B — Getting a document signed#
An NDA is uploaded with requires-signature. Staff create a signature request, send a reminder when it's outstanding, and mark it signed when done — the document flips to signed and the audit trail records the whole ceremony.
Use case C — Keeping the latest, never losing the old#
A proposal goes through three revisions. Each is uploaded as a new version; the chain keeps every one, with the current at the top — no "final_v3_FINAL.pdf" confusion.
Use case D — Answering a GDPR request#
A former client requests erasure. Compliance runs the document through GDPR erasure, which records who erased it and when, and applies the retention policy — a clean, auditable response.
Use case E — Vault-wide compliance check#
An administrator opens the compliance overview to confirm no Confidential documents are past their retention date and all pending signatures are accounted for.
12Permissions reference (simplified)#
| Area | Permission |
|---|---|
| View / browse / download / compliance view | documents.record.view |
| Upload | documents.record.create |
| Edit, reclassify, supersede, request erasure, versions, tags, signatures, ownership links, comments | documents.record.update |
| Delete | documents.record.delete |
| Share / revoke share | documents.record.share |
| Retention rules (create/update — never delete) | documents.record.update (vault-admin level) |
Roles are assembled from these permissions in the RBAC module. Access is always additionally bounded by document classification.
13Glossary#
| Term | Meaning |
|---|---|
| Classification | A document's sensitivity tier (public → top-secret) that drives storage and access. |
| Version chain | The linked history of a document's versions; new versions supersede old ones. |
| Ownership link | A connection from a document to a client, request, invoice, event, or vendor. |
| Promote to vault | Move a file from another module into the governed Document Vault. |
| Signature request | An in-platform request to sign a document, tracked to signed/declined. |
| Retention rule | A policy for how long a class of documents is kept (never deleted, only retired). |
| GDPR erasure | Recorded deletion of a document to satisfy a privacy request. |
| Self-scoping | The rule limiting a user to the documents they own (within classification limits). |
This document describes the Document module as currently built. Categories are configurable; classification levels and their storage tiers are fixed security policy. The signature capability is an in-platform request-and-tracking workflow — confirm any external e-signature integration before describing it as such.