# Data Room Governance Playbook

Keeping laboratory artefacts protected requires aligning platform configuration, legal obligations, and day-to-day behaviour. Use this guidance to operate the fluidXlab data rooms with confidence.

## 1. Provisioning new rooms
- Map every room to a signed master service agreement and capture the contract ID in the room metadata.
- Default retention: 24 months after delivery unless your agreement specifies otherwise. Apply legal holds before the retention window closes when projects extend.
- Restrict room creation to workspace administrators and document approvals in the activity log.

## 2. Role design
- **Viewers** can preview and download files that have cleared QA. They cannot upload or delete content.
- **Editors** can upload new artefacts, add comments, and request watermarking. They cannot change room-level policies.
- **Approvers** (usually lab leads or client champions) confirm external shares, legal holds, and retention overrides.
- Review membership quarterly. Remove access immediately when a team member leaves the engagement.

## 3. File handling standards
- Use the desktop uploader for artefacts larger than 4&nbsp;GB to guarantee resumable transfers and checksum validation.
- Store final reports as signed PDFs. Enable watermarking for interim exports shared with third parties.
- Tag every upload with the experiment ID, instrumentation source, and revision notes so downstream teams can trace provenance.

## 4. Sharing etiquette
- External reviewers should receive expiring links only. Default expiry is 7 days; shorten for especially sensitive datasets.
- Require watermarking when exporting imagery or raw data to parties outside the core programme team.
- Capture context in the comments thread whenever you publish a share to maintain a searchable record.

## 5. Monitoring & compliance
- Inspect the consolidated activity log weekly. Follow up on spikes in download volume or repeated failed access attempts.
- Export the audit report at project closeout and archive it alongside the final deliverables.
- For regulatory reporting, use the manifest JSON to demonstrate data lineage and retention history.

Questions? Email [data-sharing@fluidxlab.com](mailto:data-sharing@fluidxlab.com) or book a session with the security desk through the workspace support links.