I'm Deqian, the founder of Peony. I've raised millions in VC funding and spoken with hundreds of founders about their fundraising process. For every funding event, there are three artefacts one needs to create:

1. a blurb

2. a pitch deck

3. a data room

People generally want their blurbs to travel as far as possible, and they typically don't contain any sensitive information. When they reach the stage where a pitch deck is needed, things start to get tricky because pitch decks often contain future roadmaps and financial information.

While there's a whole debate on whether investors should have unlimited access to companies' pitch decks, I won't address it today and will focus on how founders or anyone can secure their documents.

There are, in general, two methods one can use to secure their documents. One method is to encrypt the actual file. The other is by hosting the file in a secure environment (like Peony). They both have their pros and cons.

Encryption

Adding a password to your PDFs is probably one of the most straightforward ways to control access. Most modern PDF readers, like Adobe Acrobat, encrypt your files using AES-256, which is actually very strong. So you can feel pretty confident that only people with the password can access your files.

The downside is also fairly obvious - people would have no trouble forwarding your files to others because they can also leak the password. So it's only really useful if you are sending files that contain sensitive information but have little forwarding value. For example, a birth certificate. With pitch decks, this is unfortunately not the case.

But it doesn't mean the end for the encryption strategy - and in fact, that's the whole reason why DRM (digital rights management) exists. In fact, they are behind every movie you watch on Netflix and every game you play on Steam. With DRM software, you are able to encrypt your PDFs and make them available only to specific users/devices. That way, you can send your PDFs like normal email attachments and still rest assured nobody but the intended recipient can access your files.

Seems like the dream world, except when it's not. The big downside of the DRM path is that any recipient who wants to access the files will have to download a piece of bespoke software. Just like the games that sit on your computer's hard disk are unplayable, unless you've got your Steam account open. It would be a viable strategy for use cases where your recipients are open to downloading a piece of software to view your files, but for pitch decks, they are often not. (Nonetheless, if you can get your recipients to download the DRM software, this is probably the most secure path, as I'll explain later.)

So this brings us to the next strategy.

Secure cloud

The beauty of hosting your files remotely is that the cloud itself can act as a DRM environment. Just like folks don't need to download Figma to start designing, people also don't need to download bespoke software to decrypt your files when you host them in a secure cloud.

Products like Peony often store your pitch decks in secure private buckets like AWS S3 and only serve them to your intended audience when they pass your challenge, whether it's email, password, or other forms of authentication. When sharing the file, instead of sending it as an email attachment, you share the link (which also comes with the added benefit of bypassing the email firewall/attachment size limit).

When it comes to sending pitch decks, founders generally have two philosophies: 1. I don't mind it being forwarded so long I know who's accessed it; 2. I only want my intended audience to see my pitch decks and nobody else.

For people in the first camp, hosting your files in a secure cloud is probably your only option. DRM software is anti-forwarding in nature, so any new access will need to be approved manually. If you want your pitch decks to spread organically, it'd be a time-consuming option. On the other hand if you upload your pitch deck to a secure cloud like Peony, enabling forwarding is usually as simple as toggling a button.

If you are in the second camp, where you want to prevent all levels of unwanted access, the choice becomes a bit more nuanced. Whilst secure cloud environments let you control access, if bad actors really try, there are ways to bypass them. In some instances, like DocSend, things have gotten so bad that there are dedicated websites/extensions just so folks can download the underlying PDFs - wild.

The good news is - there are many ways you can fight back. In fact, when you enable email verification and screenshot protection (both are available on Peony), almost all of these techniques fail. Also, we've found that by serving the PDFs using randomized image tiles (like how Google Maps serves its data), even the most sophisticated bypasses struggle. So I feel good recommending this option to 95% of the people.

For the remaining 5% where security is the utmost priority, a DRM software with end-to-end encryption will be your best bet.

It's been fun sharing my knowledge in this space. If there's any solution I've missed or if there's any topic you want me to write on, please don't hesitate to reach out :)