ExperiencesHow it worksSecurityPlatform
Get in touch
Platform overview

The external-sharing control layer for Microsoft 365

DocLoq is an additive control layer over SharePoint, OneDrive, and Teams. Documents stay in your tenant, while access, policy, delivery, and audit are governed in one place.

What DocLoq is

A governed path for sharing tenant documents externally

DocLoq sits between Microsoft 365 content and external recipients. It does not replace SharePoint, OneDrive, or Teams — it adds the controls enterprises need so external sharing stops being an uncontrolled link.

Identity-bound access

External recipients are verified before they see a document. OTP shares avoid unnecessary guest setup; federated access can align with Entra policies, Conditional Access, MFA, and governance.

Policy before delivery

Expiry, role, view-only, watermarking, and download restrictions are defined before the document is exposed outside the tenant.

Tenant-resident documents

Source files stay where they live in Microsoft 365. DocLoq governs the access workflow around them, not a separate file repository.

Workflow-focused audit

Access events are grouped around the actual external-sharing workflow, so reviewers see who shared what, with whom, under which conditions.

System fit

Where DocLoq sits in your Microsoft 365 stack

Additive control layer over tenant content. Documents do not leave their source library. External access can use OTP or federation, depending on policy.

Microsoft 365 tenant
  • spSharePoint
  • odOneDrive
  • tmTeams

Source files stay here. DocLoq references content; it does not copy or rehost it.

DocLoq control layer
Governs the share, not the storage
  • Identity & verification
    Entra ID for internal · OTP or federated access for external
  • Policy & protection
    Role · expiry · watermark · download mode
  • Audit & revocation
    Workflow-grouped events · revoke at any time
Coexists withEntra ID · Purview
External recipient
user
Verified per share
view
Controlled viewer

OTP shares avoid unnecessary guest setup. Federated access can follow Entra policy. No software to install.

Microsoft 365 fit

Additive to Microsoft 365, not a parallel stack

DocLoq complements the Microsoft 365 platform your enterprise has already standardized on.

  • 01SharePoint and OneDrive

    Source documents remain in SharePoint sites and OneDrive libraries. DocLoq references them rather than duplicating storage.

  • 02Microsoft Entra ID

    Internal users authenticate with their corporate identity. External access can use OTP for quick secure shares or federated login when Entra policy controls are required.

  • 03Microsoft Purview

    DocLoq is designed to coexist with Purview classification, sensitivity labels, and DLP policies that already apply to your tenant content.

  • 04Teams and Microsoft 365 apps

    Sharing originates from the apps people already use. DocLoq does not require external recipients to install anything.

Data boundary

What stays in your tenant, what DocLoq operates on

A precise, item-by-item view for security reviewers. Confirm exact data scope during your evaluation.

  • Item
    Source documents
    Microsoft 365
    In SharePoint / OneDrive library
    In DocLoq
    Reference only — not copied
  • Item
    Document rendering
    Microsoft 365
    Original file untouched
    In DocLoq
    Controlled viewer surface for the recipient
  • Item
    Recipient identity
    Microsoft 365
    Depends on access model and tenant policy
    In DocLoq
    OTP verification or federated access per share
  • Item
    Sharing policy
    Microsoft 365
    In DocLoq
    Role · expiry · watermark · download rules
  • Item
    Audit & activity
    Microsoft 365
    Tenant-side events remain in M365 logs
    In DocLoq
    Workflow-grouped events for the share
  • Item
    Revocation
    Microsoft 365
    In DocLoq
    Single action ends recipient access
Document handling

What happens to documents when they are shared

A clear answer to the first question every IT admin asks during a review.

Source of truth stays in your tenant

The original document continues to live in SharePoint or OneDrive. DocLoq governs access rather than replacing storage.

Controlled rendering for recipients

External recipients access content through a controlled viewer that enforces the policy chosen for that share — view-only, watermarked, time-bound.

Metadata is operational

DocLoq stores the data needed to operate sharing: who has access, with what conditions, and what activity occurred. Confirm the precise data scope as part of your security review.

Lifecycle is explicit

Access can be revoked at any time. Expiry is enforced. Activity is captured for the audit trail and removed in line with retention.

Identity and access

External access with the right identity model

Recipients are verified, and the access model can match the risk, duration, and governance needs of the share.

Recipient verification
External users prove who they are before access is granted. OTP works for quick document access; federated login supports scenarios that need Entra policy enforcement.
No anonymous links
A DocLoq share is bound to a recipient identity, not a public URL that anyone can forward.
Time-bound sessions
Sessions expire. OTP access can avoid unnecessary tenant guest accounts, while federated access can remain governed by your Entra policies.
Visible to admins
Admins can see active shares, who has access, and the policy each recipient is operating under.
Available controls

Controls applied to each share

View-only enforcement

Recipients can read documents without download by default. Download is a deliberate decision, not the only option.

Watermarking

Apply visible watermarks tied to the recipient identity to deter screenshot leaks of sensitive material.

Expiry and time bounds

Set an expiry that matches the engagement and revoke instantly when scope changes.

Protected delivery

Deliver documents through a controlled flow rather than as a direct attachment that leaves the tenant.

Audit and revocation

Sharing events, access activity, and revocation actions are captured for review and export.

Policy templates

Reuse standard combinations of role, expiry, watermarking, and download rules so teams do not configure from scratch each time.

For IT admins

What to check before a demo

Bring these to the first conversation so the walkthrough lines up with your tenant reality.

  1. 1

    Tenant prerequisites

    Microsoft 365 tenant, target SharePoint/OneDrive locations, and the team or business unit that should pilot first.

  2. 2

    Identity model

    Which flows should use OTP, which should use federated login, and how guest registration should interact with Entra ID policies you already enforce.

  3. 3

    Data scope

    The document types, sensitivity labels, and Purview policies that need to coexist with DocLoq sharing.

  4. 4

    Rollout model

    Pilot scope, success criteria, and the controls that must be on by default before broader rollout.

  5. 5

    Security review questions

    Subprocessors, incident contact, deployment model, and the architecture details your security team needs.

Walk through DocLoq with your IT and security teams

Bring stakeholders to the first conversation. We will walk through the control model directly against one external-sharing workflow.

Book a walkthrough