Differential Watermarking
Spread-spectrum LSB coding into float32 weights. 128-bit partner signature across 131,072 positions. Resists averaging by up to ~32 colluders. Survives format conversion.
Why this is different from Google Drive, Dropbox, or MEGA
General-purpose storage tools are optimized for collaboration. DGR is optimized for attribution-first controlled distribution — specifically the case where you need to know, after the fact, who leaked your high-value asset.
Standard storage tools
✗ No per-recipient watermarking
✗ No forensic attribution on leak
✗ No collusion-resistant signatures
✗ No canary tokens
✗ No threat intelligence scoring
✗ No tamper-evident evidence chain
✗ No automatic corruption enforcement
✗ No forensic attribution on leak
✗ No collusion-resistant signatures
✗ No canary tokens
✗ No threat intelligence scoring
✗ No tamper-evident evidence chain
✗ No automatic corruption enforcement
DGR
✓ 128-bit differential watermark per download
✓ Collusion-resistant up to ~32 partners
✓ Canary tokens fire on open, anywhere
✓ Threat scoring: Tor, impossible travel, velocity
✓ SHA-256 tamper-evident evidence chain
✓ Signed evidence package for legal proceedings
✓ Automatic binary corruption on policy violation
✓ Collusion-resistant up to ~32 partners
✓ Canary tokens fire on open, anywhere
✓ Threat scoring: Tor, impossible travel, velocity
✓ SHA-256 tamper-evident evidence chain
✓ Signed evidence package for legal proceedings
✓ Automatic binary corruption on policy violation
Honest threat model
No platform can fully prevent screenshots, screen recordings, camera captures, or malicious endpoint exfiltration once authorized access is granted. DGR is designed to maximize attribution confidence and increase deterrence through forensic watermarking, canary tokens, and legal-grade evidence trails — not to make leaks technically impossible.
Canary Tokens
Embedded phone-home tokens in every distributed file. Fires when opened outside DGR — in email, Jupyter, or a colleague's machine. Real-time email alert dispatched immediately.
Threat Intelligence
Live IP geo data, Tor exit detection, impossible travel analysis (900 km/h max), VPN/datacenter ASN scoring, and download velocity analysis — all scored before serving any byte.
Evidence Chain
Every download event chained via HMAC-SHA256. Retroactive modification is detectable. Exported as a signed JSON package with full audit trail, canary fires, and attribution data.
Real-Time Email Alerts
Instant alerts for leak attribution, elevated threat scores (≥35), canary fires, and impossible travel detection. Configure via SECURITY_ALERT_EMAIL in your environment.
Enterprise Controls
SSO/SAML configuration, role-based organization membership, API key automation, device allowlists per partner, approval workflows, legal holds, and compliance attestation export.
Reference API capabilities
Full REST API available on Business plan. Sample endpoints:
POST /api/models/:modelId/grant-access— Issue partner access with canary + differential watermarkPOST /api/models/download/:accessToken— Threat-scored download with all watermark layersPOST /api/models/:modelId/leak-report— Submit leak URL for watermark extraction + attributionGET /api/models/:modelId/evidence/export— Signed evidence package with full chainGET /api/models/:modelId/evidence/verify— Verify chain integrity independentlyGET /api/organization/audit-logs— Full organization audit trailPATCH /api/organization/:orgId/sso/configure— SSO/SAML setupPOST /api/organization/legal-holds— Place file under legal hold