Cloud sharing made teamwork easy - and also made accidental data exposure easy. The majority of collaboration accidents come from three sources: wrong permissions, oversharing links, and outdated shared files. A small set of repeatable habits prevents most mistakes and keeps collaborators working without extra friction.

Core principle

Least privilege, explicit intent, short expiry, and documented ownership.

7 Rules for Safe File Sharing

Rule 1 - Default to private, then share intentionally

When creating a doc, set access to "private" and then add specific people or a secure group. Avoid "Anyone with link" unless the document was created for public consumption.

Rule 2 - Prefer named people & groups over link sharing

Use explicit user permissions or a team group. If you must use a link, restrict to "view only" and require sign-in. For step-by-step settings across Google Drive, OneDrive, and Dropbox, see our Secure File Sharing platform guide.

Rule 3 - Use the right link type & expiry

Use the least powerful link that does the job and add an expiry for temporary access. For contractors, create a link that expires at project end.

Rule 4 - Avoid storing secrets in shared docs

Passwords, API keys, or PII belong in a secure vault, not a shared document. Store secrets in a password manager or shared vault and give access to named people only. For the full identity toolkit including shared vaults, see our Digital Identity Hygiene guide.

Rule 5 - Review invitations and external collaborators monthly

Run an access review: list external domains, inactive users, and files with "anyone" links. Remove or convert them to named access if still required.
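The access review in Rule 5 (and the monthly maintenance report later on) can be scripted against a sharing export. The following is an added example, not code from this guide or from any platform: the record fields, the sample rows, and the 90-day inactivity threshold are all assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed sample of a sharing export. The field names are assumptions for
# this example, not the schema of Google Drive, OneDrive or Dropbox.
SAMPLE = [
    {"file": "roadmap.docx", "type": "anyone", "email": None, "role": "editor",
     "expires": None, "last_active": None},
    {"file": "roadmap.docx", "type": "user", "email": "ana@example.com",
     "role": "editor", "expires": None, "last_active": "2024-05-28"},
    {"file": "api-spec.pdf", "type": "user", "email": "dev@contractor.example",
     "role": "viewer", "expires": "2024-04-30", "last_active": "2024-04-29"},
    {"file": "budget.xlsx", "type": "user", "email": "bo@example.com",
     "role": "viewer", "expires": None, "last_active": "2024-01-10"},
    {"file": "budget.xlsx", "type": "group", "email": "finance@example.com",
     "role": "editor", "expires": None, "last_active": None},
]

def review(records, org_domain, today, inactive_days=90):
    """Return sorted (file, grantee, finding) tuples for the monthly review."""
    findings = set()
    cutoff = today - timedelta(days=inactive_days)
    for r in records:
        who = r["email"] or "anyone-with-link"
        domain = (r["email"] or "").rsplit("@", 1)[-1].lower()
        external = False
        if r["type"] == "anyone":
            external = True
            findings.add((r["file"], who, "anyone link"))
            if r["role"] != "viewer":
                findings.add((r["file"], who, "link is more than view-only"))
        elif domain != org_domain:
            external = True
            findings.add((r["file"], who, "external domain"))
        if r["expires"] is None:
            if external:  # outside access should always carry an expiry
                findings.add((r["file"], who, "no expiry on outside access"))
        elif date.fromisoformat(r["expires"]) < today:
            findings.add((r["file"], who, "past expiry, still listed"))
        # Groups have no single last-activity date, so only users are checked.
        if r["type"] == "user" and r["last_active"]:
            if date.fromisoformat(r["last_active"]) < cutoff:
                findings.add((r["file"], who, "inactive user"))
    return sorted(findings)

if __name__ == "__main__":
    for row in review(SAMPLE, "example.com", date(2024, 6, 1)):
        print(" | ".join(row))
```

Each finding maps to one review action: convert an "anyone" link to named access, add an expiry, or revoke the grant.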

Rule 6 - Use logged comments and change history

Use comment/resolve flows, create named versions for major milestones, and use the built-in version history to roll back if needed. For recovery planning, see our Backup & Recovery guide.

Rule 7 - Educate collaborators with a 3-step pre-share checklist

Before you click Share, ask:

  1. Who exactly needs access? (name or group)
  2. Why do they need it? (read, comment, edit)
  3. How long should access last? (set expiry)

Quick Pre-Share Checklist (30 seconds)

  • Set access to named people where possible.
  • If using a link, set view only and sign-in required.
  • Add a 30/60/90-day expiry for temporary shares.
  • Remove stored secrets from the file - put credentials in a shared vault instead.

Common Scenarios & Patterns

Contractor onboarding

Create a project folder, grant a named account, set expiry at contract end, store API keys in the shared vault, and make payments via a virtual card for vendor signup. For the full small-team onboarding checklist, see our Home Office Security guide.

Client delivery

Publish a read-only final deliverable to a view-only folder. For sensitive reports, use a masked email or signed-access portal with an expiry.

Large-team collaboration

Use group roles (editors/reviewers) and require 2FA. Keep critical production docs in a separate, restricted workspace with a named owner responsible for monthly access reviews.

Monthly Maintenance (10 minutes)

  • Run a quick report of files with external shares or "anyone with link" access.
  • Revoke access for people who no longer need it.
  • Rotate any secrets and cancel old virtual cards.
  • Run Ivy's Risk Checkup to surface high-risk exposures and reused passwords.

Share Files Safely Checklist

PRE-SHARE (30 SECONDS)

  • Is access set to named people or a group?
  • If using a link: is it view-only and sign-in required?
  • Did I remove secrets? (If not, move to shared vault.)
  • Did I set an expiry for temporary access?

PERMISSIONS & ROLES

  • Editors = those who must change content; Reviewers = comment only.
  • Use groups for teams (not individual email lists).

SECRETS & PAYMENTS

  • Store secrets in password vault (not doc).
  • Use virtual cards for vendor signups or public payments.

MONTHLY MAINTENANCE (10 MIN)

  • Report files with external / anyone links.
  • Revoke access for inactive users & contractors.
  • Rotate secrets / cancel old virtual cards.
  • Run Risk Checkup.

Safe collaboration is repeatable and low-friction: private defaults, named access, expiries, vaults for secrets, short audits. The 30-second pre-share rule is all it takes to stop most leaks before they happen.
