A secure, open-source Virtual Data Room (VDR) for sharing confidential documents with full control over access, engagement tracking, and NDA enforcement. Built for founders, investors, and deal teams who need to know exactly who viewed what, for how long, and whether they signed the NDA.
- Overview
- Features
- Tech Stack
- Prerequisites
- Installation
- Database Setup
- Running Locally
- Project Structure
- Contributing
- License
OpenVault lets you upload documents, generate secure sharing links, and track every interaction. Visitors access documents through a canvas-based viewer that prevents downloads and applies dynamic watermarks with their email and IP address. Every page view, session, and download is logged with full attribution.
Key Capabilities:
- Secure Canvas Viewer: Renders PDFs on canvas to prevent Save As, with right-click disabled
- Dynamic Watermarking: Every viewed page is watermarked with visitor email, IP, timestamp, and room name
- Granular Link Controls: Per-link expiration, max views, email gating, NDA requirements, and download permissions
- Page-Level Analytics: Tracks time spent on each page via Intersection Observer and Beacon API
- NDA Enforcement: Customizable per-room NDA templates with version tracking and acceptance proof
- Team Collaboration: Invite admins to manage rooms with role-based access control
- Create isolated vaults with hierarchical folder structures
- Upload PDFs to private Supabase Storage
- Rename, soft-delete, and organize documents and folders
- Generate unique, slug-based links scoped to a room, folder, or single document
- Optional email gating — require visitors to identify themselves
- Link expiration by date and max view count
- Toggle download permissions per link
- Activate or revoke links without deleting them
- Canvas-based PDF rendering prevents browser Save As
- Right-click context menu disabled
- Dynamic watermarks embedded on every page: visitor email, IP address, date, room name, filename
- Watermarked PDF downloads (server-side via
pdf-lib) when download is permitted
- Create and version NDA templates per room
- Require NDA acceptance before viewing
- Track acceptances with visitor identity, IP, timestamp, and template hash
- Per-page time tracking via Intersection Observer + Beacon API
- Visitor session tracking with email, IP, and user agent
- Download event logging
- Engagement dashboard with filters: email, domain, link, document, date range
- CSV export for reporting
- Invite team members as admins via email with expiring tokens
- Owner and admin roles with distinct permissions
- Team member management (invite, remove, view)
- Admin login via Magic Link (Supabase Auth)
- Visitor authentication via email gating with cookie-based sessions
- Viewer magic links for document access
- Built-in AI panel for room analysis (accessible from room page sidebar)
- Multi-provider support: Anthropic (Claude), OpenAI (GPT), Google (Gemini)
- Bring Your Own Key (BYOK) — users provide their own API keys, stored encrypted per-room
- Room-aware tools: document text analysis, room structure overview, engagement metrics, completeness check against fundraising template
- Consent flow required before first interaction
- Token usage tracking per interaction
| Layer | Technology |
|---|---|
| Framework | Next.js 16 (App Router, RSC) |
| Language | TypeScript 5 |
| UI | React 19, Tailwind CSS 4, Radix UI, shadcn/ui |
| Database | Supabase (PostgreSQL + Auth + Storage) |
| PDF Rendering | react-pdf (client), pdf-lib (server watermarking) |
| AI | Vercel AI SDK v6 (Anthropic, OpenAI, Google providers) |
| Icons | Lucide |
| Resend |
- Node.js v18 or higher
- A Supabase project (free tier works)
- A Resend API key (optional, for email notifications)
- Clone the repository:
git clone https://github.com/MoreCowwbell/data_room.git
cd data_room- Install dependencies:
npm install- Set up environment variables:
cp .env.local.example .env.localEdit .env.local and add your credentials:
NEXT_PUBLIC_SUPABASE_URL=your-supabase-project-url
NEXT_PUBLIC_SUPABASE_ANON_KEY=your-supabase-anon-key
NEXT_PUBLIC_SITE_URL=http://localhost:3000
RESEND_API_KEY=your-resend-api-key
RESEND_FROM_EMAIL=notifications@yourdomain.comRun the SQL migrations in order in your Supabase SQL Editor:
supabase/migrations/20240523000000_init.sql— Core schema (profiles, rooms, documents, folders, links, analytics)supabase/migrations/20240523000001_storage.sql— Supabase Storage bucket and policiessupabase/migrations/20260210000002_policies.sql— Row-Level Security policiessupabase/migrations/20260210000003_storage_delete_update.sql— Storage delete/update policiessupabase/migrations/20260210000004_alpha_scope_foundation.sql— Scoped links, soft delete, team members, NDA, analytics tablessupabase/migrations/20260210000005_viewer_magic_link_nda.sql— Viewer auth tokens, profile email columnsupabase/migrations/20260210000006_team_roles_policies.sql— Team invites, role-based policy refinementssupabase/migrations/20260210000007_fix_rls_recursion.sql— SECURITY DEFINER helpers to fix RLS circular dependenciessupabase/migrations/20260210000008_ai_agent_panel.sql— AI tables (API keys, consent, usage logs, document text cache)supabase/migrations/20260211000009_link_folder_permissions.sql— Folder-level permissions on shared links (allowed_folders JSONB)supabase/migrations/20260211000010_hardening.sql— RLS update policy for beacon, file_size column, scoped storage upload policy
npm run devOpen http://localhost:3000 to access the application.
- Login — Go to
/loginand enter your email. Check your inbox for the Magic Link. - Create a Vault — From the dashboard, create a new vault (e.g., "Series A").
- Upload — Open the room and upload a PDF document.
- Share — Create a sharing link with your desired settings (email gating, expiration, NDA).
- View — Open the link in an incognito window. Enter a visitor email and view the document. Note the watermark.
- Analytics — Back in the room, check the Engagement tab to see page-level analytics.
data_room/
├── docs/ # Project documentation
│ ├── PRD.md # Product Requirements Document
│ ├── ALPHA.md # Alpha scope & acceptance criteria
│ ├── TODOS.md # Open work items
│ ├── API_REFERENCE.md # Route surface & data schemas
│ ├── INVESTIGATION_REPORT.md # Codebase audit findings
│ └── HEALTH_CHECK_REPORT.md # Full health check report
├── src/
│ ├── app/
│ │ ├── dashboard/ # Admin dashboard & room management
│ │ │ ├── rooms/[roomId]/ # Room detail, engagement, NDA, actions
│ │ │ └── team-invite/ # Team invite acceptance
│ │ ├── v/[slug]/ # Visitor-facing routes
│ │ │ ├── auth/ # Magic link verification
│ │ │ ├── view/ # Secure PDF viewer
│ │ │ └── nda/ # NDA acceptance page
│ │ ├── api/
│ │ │ ├── ai/ # AI chat, keys, consent
│ │ │ ├── stream/[docId]/ # Protected PDF streaming
│ │ │ ├── download/[docId]/ # Watermarked PDF download
│ │ │ ├── preview/[docId]/ # Admin document preview
│ │ │ ├── analytics/beacon/ # Page view beacon endpoint
│ │ │ └── rooms/[roomId]/ # Engagement CSV, folder listing
│ │ ├── auth/ # Auth callback handlers
│ │ ├── login/ # Magic link login
│ │ └── privacy/ # Privacy policy page
│ ├── components/
│ │ ├── ui/ # shadcn/ui primitives
│ │ ├── AiPanel.tsx # AI assistant sidebar (chat + settings)
│ │ ├── SecureDocumentViewer.tsx # Canvas PDF viewer + watermarking
│ │ ├── CreateLinkDialog.tsx # Link generation with full options
│ │ ├── FolderPicker.tsx # Folder selection for link permissions
│ │ ├── NdaTemplateForm.tsx # Per-room NDA editor
│ │ ├── TeamManager.tsx # Team member & invite management
│ │ ├── LinkManager.tsx # Active/revoked/expired links
│ │ ├── TrashBin.tsx # Soft-delete restore UI
│ │ ├── CookieConsent.tsx # Cookie consent banner
│ │ ├── DocumentPreviewDialog.tsx # Document preview modal
│ │ ├── DocumentActions.tsx # Document rename/delete/move
│ │ ├── FolderActions.tsx # Folder rename/delete
│ │ ├── DeleteVaultDialog.tsx # Vault deletion confirmation
│ │ └── UploadButton.tsx # PDF upload widget
│ └── lib/
│ ├── supabase/ # Client, server, middleware setup
│ ├── ai/ # AI provider, keys, system prompt, tools
│ ├── link-access.ts # Link availability & session validation
│ ├── engagement.ts # Analytics aggregation + CSV export
│ ├── audit.ts # Audit event logging
│ ├── nda.ts # NDA template & acceptance logic
│ ├── viewer-auth.ts # Viewer magic link token lifecycle
│ ├── room-access.ts # Role-based room access control
│ ├── notifications.ts # First-open email notifications
│ ├── rate-limit.ts # In-memory rate limiter
│ ├── email.ts # Resend transactional email
│ └── env.ts # Environment variable validation
├── supabase/
│ └── migrations/ # 10 SQL migrations
├── public/
├── CONTRIBUTING.md # Contributor guidelines
└── package.json
Detailed documentation lives in the docs/ directory:
| Document | Description |
|---|---|
| PRD.md | Product Requirements Document (v2.0) |
| ALPHA.md | Alpha scope, acceptance criteria, and locked decisions |
| TODOS.md | Current status and open work items |
| API_REFERENCE.md | Route surface, data schemas, and auth flows |
| INVESTIGATION_REPORT.md | Codebase audit findings and remediation status |
| HEALTH_CHECK_REPORT.md | Full project health check (architecture, features, issues, deployment) |
See CONTRIBUTING.md for guidelines on forking, branching, committing, and submitting pull requests.
This project is licensed under the MIT License.