This quick HOWTO is inspired by the trial-and-error learnings we've had at RevenueLoan over the last several months of getting into business. I'm using the example of a new company called, uncreatively, "NewCo." (If your business has an absurdly long name, pick a nice abbreviation with no spaces or punctuation, e.g. "Consolidated Anglo-Sudanese Hamstertraps Company, GmbH" => "cashco")
I. When you are 1-2 people (founders).
Use ONE Dropbox folder off of the root. Put everything of note into it. The first few folders will probably look like this:
Since the only people using it at this point are founders, don't worry about who-can-see-what. (DO, however, worry about general security; see below for "Paranoia.")
However, one VERY important thing should be settled here: who will "own" the Dropbox folder setup. In general, this should be someone very unlikely to leave. If you're a non-technical CEO, there may be a temptation to punt this to an early dev hire or such; I suggest you use this simple HOWTO to manage it yourself.
If you have significantly more than 2 founders, chances are you're doing it wrong ... but nonetheless, move on to II. below because you'll need to add some more structure soon.
II. When you hire your first non-founder employee(s).
Once you start actually hiring people, even contractors, you will want and need to keep certain things private. This is not just for Machiavellian reasons; it's a duty you owe people who must, by law, trust you with their personal information (like SSN, salary info, etc.).
The RIGHT WAY to do this is to create a new Dropbox folder off of the root, and call it "newco-everybody". (This creates a big screaming warning flag that "everybody" in the company can see this folder.)
Then, move ONLY those particular files and folders from your "newco" folder into the "newco-everybody" folder, which everybody (or nearly everybody) needs to see. These include:
- Logos (do everyone a favor and make vector art easy to find!)
- Blank NDAs
- Marketing collateral / PDFs / handouts
- Letterhead / templates
The old "newco" folder remains accessible only to executives. I recommend only the CEO and CFO, in an early company, plus maybe a trusted admin or bookkeeper. (Later, you might add a controller or inside counsel to this inner circle.) Obviously, at this point, you'll need to start choosing where new documents go. Our pattern has been to put the following ONLY in the executive / founder folder:
- Employment agreements
- Executed NDAs
- IRS forms (e.g. W-2 forms)
- Budgets (which include salary info)
- Insurance or other benefits info
- Articles of Incorporation, Cap Table, etc.
- Investor details
When you're comfortable with how this is all set up, there's one final important thing to do. Go onto the Dropbox site, and under the "Account Info" tab in "Account," sign up for "Packrat" unlimited undo history. (Unless you're planning on pulling a "full Enron" and being totally evil, I guarantee this feature will save your ass at some point. Once you become a big enough company to install real document management, you will have expensive lawyers to tell you not to do this, and you should listen to them then.)
III. When you start sharing GIANT files.
Dropbox has a great policy about disk use. You get a lot for free. But their policy is subtly nefarious, and you gotta love it: the free space limit applies to ALL the Dropbox folders on a given computer, and you can only have ONE account per computer. This means that the moment your "newco-everybody" folder reaches the free-account limit, EVERYBODY in your company now has to sign up for the paid account.
Now, I'm all for paying for Dropbox when you need it. But, it's silly if you have 20 people and only 3 of them need the paid account, to shell out for everyone.
So, make a THIRD folder off of the Dropbox root, and call it "newco-giant" (or something). Chances are, unless you have a unique business model I haven't thought of, the only stuff going in here will be .MPEG files of video to be edited, or large backups, or disk ISO images etc. -- any of which are generally only used by a subset of your team (e.g., just the creatives, or just the IT ops guys). Hence, only those folks should need to pay.
IV. When you start collaborating and partnering outside the firm.
With each partner or group of partners that you start working with on a particular project, create a "deal room" or "project" folder. You should be loath to permit any non-employee or non-contractor to access the "everybody" folder.
V. When people must leave the firm.
Alas, all good (and not so good) things come to an end. So when a colleague leaves the company, it's important to remind them to voluntarily return all originals and destroy all copies; your NDAs and agreements with these folks should have such clauses included. However, you should also be sure to log into Dropbox, and for each "root" folder (e.g. "newco-everybody") ensure that their access is removed and that they are *not* permitted to retain a copy.
(If you do want to leave employees with copies of certain information, make a non-Dropbox folder to put the files in, and give them that in a zipfile ... or in a dedicated, separate Dropbox folder ;)
VI. General tips, OCD, and paranoia.
Your mileage may vary, but I do recommend the following:
- Use ONLY letters, numbers, underscores (_), dashes (-), and periods in folder and filenames. Other characters are unlikely to cause trouble, but may, across the various platforms on which Dropbox works. (Plus, if you ever use such a filename in a URL, you're guaranteed it'll come out legible and usable; not so if there are spaces and other metacharacters.)
- Require a signed NDA from each employee or contractor before granting first access; store the hard copy in a paper file and the digital copy in the "executive" folder.
- Define some level of secure information above which you do NOT trust even the "executive" folder. For us, that means crypto keys, financial account credentials, and usernames/passwords to important services; these all go in separately encrypted files that never get written to disk without going through encryption.
- Define some level of secure information which MUST go ONLY in the "executive" folder. For us, that's social security numbers and similar.
- Have a founders' agreement / vesting agreement in place and signed before doing anything else. It should be crystal clear what happens if things turn sour between you and your cofounder(s). (I know this isn't a Dropbox item per se, but it's crucial IMO for peer-founded startups; trust me, I've been there.) This agreement should also specify that anyone who leaves must promptly turn over any credentials (such as Dropbox passwords) to prevent "foot dragging" from holding the company's data hostage.
- Have at least one computer connected to all Dropbox folders with a physically secured "Time Machine" or other incremental backup. Yes, I know this is overkill. But if you ever have to restore your entire business's file-sharing system from scratch, you'll be glad A. to have it there at Firewire/SCSI speeds, and B. not to be reliant on Dropbox 100% if, Heavens forbid, they go under.
- Think hard about what to do with laptops and volume encryption. If a laptop gets boosted, chances are the bad guy will just pawn it, but more and more these things get scanned for saleable information (credit card numbers, social security numbers, user profiles, etc.). You may or may not have a big risk here; if it's 5 employees' payroll data, the risk is probably acceptable, but if it's 50,000 customers' payroll data, it's probably not. Seek disk volume encryption on each individual endpoint (laptop) if you judge it necessary.
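Two of the rules above (portable filenames, and SSNs living ONLY in the executive folder) are easy to let slip once a dozen people are dropping files in. Here is a small audit script, added as an illustration and not something RevenueLoan ships or Dropbox provides, that walks a local Dropbox tree and reports both kinds of drift. It assumes the three root folders are named as in this HOWTO ("newco", "newco-everybody", "newco-giant"), builds a throwaway sample tree of constructed files to run against, and uses a simple NNN-NN-NNNN regex as a heuristic for SSN-like strings (it will miss other formats and may flag lookalike numbers, so treat hits as leads, not verdicts).

```python
"""Audit a Dropbox-style folder tree for two housekeeping rules:

1. Folder and file names use only letters, digits, '_', '-' and '.'.
2. SSN-like strings (NNN-NN-NNNN) appear only inside the executive folder.

Added example for this HOWTO; the folder names and sample files are
constructed for illustration and do not come from any real company.
"""
import os
import re
import shutil
import tempfile

# Rule 1: the portable character set recommended above.
PORTABLE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")
# Rule 2: heuristic for a US social security number written with dashes.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def nonportable_names(root):
    """Return relative paths (files and folders) whose name breaks rule 1."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if not PORTABLE_NAME.match(name):
                bad.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(bad)


def misplaced_ssns(root, executive_folder):
    """Return relative paths of files OUTSIDE executive_folder that contain SSN-like text."""
    hits = []
    exec_root = os.path.join(root, executive_folder)
    for dirpath, _, filenames in os.walk(root):
        # Skip the executive folder and everything under it: SSNs belong there.
        if os.path.commonpath([dirpath, exec_root]) == exec_root:
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    if SSN_PATTERN.search(fh.read()):
                        hits.append(os.path.relpath(path, root))
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
    return sorted(hits)


def build_sample_tree():
    """Create a temporary tree of constructed sample files (not real data)."""
    root = tempfile.mkdtemp(prefix="dropbox_audit_")
    files = {
        # Executive folder: an SSN here is where it belongs.
        "newco/hr/payroll_2010.txt": "Jane Doe 123-45-6789 salary 90000\n",
        "newco-everybody/logos/README.txt": "Vector logos live in logo.svg\n",
        # Breaks both rules: space in the name, SSN in the everybody folder.
        "newco-everybody/hr/onboarding notes.txt": "New hire SSN 987-65-4321\n",
        # Breaks rule 1 only.
        "newco-giant/video/raw take 1.mpeg": "",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def run_audit(root=None, executive_folder="newco"):
    """Audit root (or a fresh sample tree when root is None) and return the findings."""
    own_tree = root is None
    if own_tree:
        root = build_sample_tree()
    try:
        return {
            "nonportable_names": nonportable_names(root),
            "misplaced_ssns": misplaced_ssns(root, executive_folder),
        }
    finally:
        if own_tree:
            shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Point this at the real Dropbox root (e.g. run_audit(os.path.expanduser("~/Dropbox")))
    # to audit your own tree; with no argument it audits the constructed sample.
    for rule, findings in run_audit().items():
        print(rule)
        for item in findings:
            print("  ", item)
```

Run it periodically (or before granting a new partner access to a "deal room") and fix whatever it lists: rename the offending files, and move anything with an SSN into the executive folder or out of Dropbox entirely.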
Comments welcome, of course.