Tailor-made solution

Project Collaboration Platform

Coordinate complex projects with clients, partners, and suppliers in a single secure area.

At a glance

Quickly see if it fits

Project Collaboration Platform is custom software for General and Professional Services companies. Coordinate complex projects with clients, partners, and suppliers in a single secure area. It centralizes data, reduces manual work, and creates an operational flow shaped around how the team actually works.

Problem

When multiple companies collaborate on common projects, scattered emails and files lead to confused versions and loss of critical information.

Solution

A shared project workspace with granular permissions, automatic file versioning, and transparent activity timeline.

Outcome

Secure collaboration with end-to-end encryption

Evaluate it if you have

  • Document versions not synchronized between parties
  • Difficulty tracking who should do what and by when
  • Sensitive communications exchanged on unsecured channels
  • Lack of a clear history of decisions made

What's included

Workflow shaped around the real process

The structure starts from the operational problem: When multiple companies collaborate on common projects, scattered emails and files lead to confused versions and loss of critical information.

Centralized and searchable data

Records, history, documents, and operational statuses are collected in one environment with role-based permissions.

Automations and notifications

We activate reminders, alerts, assignments, and automated steps to reduce delays, forgotten tasks, and repetitive work.

Typical integrations

A solution like this can usually connect with Calendars, Document archive and Time tracking. The real connections are defined around the tools already in use.

Secure collaboration with end-to-end encryption

This outcome is translated into measurable modules, rules, and operational interfaces.

Complete visibility on progress status for all stakeholders

This outcome is translated into measurable modules, rules, and operational interfaces.

Essential FAQ

What is Project Collaboration Platform used for?

Coordinate complex projects with clients, partners, and suppliers in a single secure area. In practice, it helps solve this scenario: When multiple companies collaborate on common projects, scattered emails and files lead to confused versions and loss of critical information.

When should a company choose custom software?

It is useful when the process has specific rules, distributed data, multiple roles, or connections that standard software does not cover well.

Which features can it include?

The base can include a workflow shaped around the real process, centralized and searchable data, automations and notifications, and typical integrations, plus specific modules defined during process analysis.

Which tools does it usually integrate with?

Typical integrations include Calendars, Document archive, Time tracking and CRM/ERP. During analysis we define which connections to use around the existing tools and operating process.

How long does development take?

The path starts with "Audit projects, tasks, and documents" (1 week to map projects, tasks, and documents, the data involved, and operational constraints) and continues with "MVP board and shared archive" (4-6 weeks to release the board and shared archive with pilot users and real data).

How does the project start?

It starts with an analysis call, workflow mapping, priorities and core modules, followed by a technical plan with timeline and budget.

In-depth guide

Secure External Project Collaboration Platform: Share Without Exposing Internal Systems

Every agency, consulting firm, or IT company faces the same problem: you need to share documents, tasks, and updates with clients, suppliers, and external freelancers — but you cannot give them access to your internal systems. The result is a chaos of emails, Dropbox links, WhatsApp chats, and files multiplying in uncontrolled versions. At Graffico, we build custom external collaboration platforms for managing projects with external stakeholders: isolated workspaces per client, encrypted file sharing, integrated chat, a complete audit log, and granular permissions — without ever exposing internal company data.

Who It's For

The external collaboration platform we develop is designed for organisations that work daily with stakeholders outside the company boundary and need a secure, traceable, and professional channel:

  • Creative and communications agencies managing projects with client approvals, content feedback, material delivery, and continuous revisions
  • Consulting firms (strategy, legal, financial, HR) sharing confidential documents with clients and requiring complete access traceability
  • Engineering and architecture studios collaborating with external designers, contracting authorities, and subcontractors on sensitive technical documents
  • IT companies and software houses managing projects with clients who need to approve deliverables, conduct UAT, and track progress
  • Research and development companies collaborating with university partners, laboratories, or co-investors on confidential data and research
  • Law firms and notarial offices exchanging confidential documents with clients more securely than plain email
  • Manufacturing companies collaborating with suppliers on technical specifications, CAD drawings, quality certifications
  • Any organisation that wants to stop managing external collaboration via email and finally have a traceable and secure system

This is not simple cloud storage: it is a project collaboration platform with access control, integrated communication, and an audit log — built to fit your sector and your workflow.

---

Problems It Solves

External collaboration happens on insecure, untraceable channels

Emails with attachments, links shared on WhatsApp, Dropbox or Google Drive folders shared with personal addresses: these tools offer no access control, do not record who saw or downloaded what, and do not allow granular access revocation. In the event of a data breach or dispute, there is no documentable trace of who had access to what and when.

No visibility on who read what and when

You sent a confidential commercial proposal to a client. Was it read? By whom? Was it downloaded? With traditional systems, these questions go unanswered. Our platform records every access, every download, every modification — with precise timestamps and the user's IP address.

Documents multiply in uncontrolled versions

"Proposalv3FINALforreal.docx" is a universal problem. Without a versioning system, collaborators work on different versions of the same document, generating confusion, errors, and rework. Our versioning system tracks every change and allows you to return to any previous version.

Suppliers and freelancers see too much or too little

Giving an external supplier access to an entire shared folder often means giving them visibility into other clients' data or irrelevant internal information. On the other hand, creating excessively restricted access means everyone wastes time with constant requests. The granular permissions system solves this problem with surgical precision.

Internal systems cannot be exposed externally

Many companies use internal systems like Jira, Confluence, SharePoint, or proprietary ERPs. Giving external access to these systems means opening a window into internal infrastructure, with security risks, licensing complexity, and compliance issues. The external collaboration platform creates a secure layer between internal and external, without ever exposing core systems.

---

Key Features

Invite-Only Project Workspaces

Each project lives in its own isolated workspace. There is no possibility of one client seeing another client's projects:

  • Workspace creation: in a few clicks, create a workspace for each project or client, with name, description, client logo
  • Email invitation: external collaborators are invited via email with a secure link that expires after 48 hours. Acceptance requires account creation (or SSO login if configured)
  • Predefined roles: Client, Supplier, Freelancer, Team Member — each with a standard permissions set
  • Custom roles: create bespoke roles with granular permissions for specific situations
  • Workspace archive: completed project workspaces are archived, not deleted — access to archives is restricted to internal members
  • Multi-workspace per user: an external collaborator can be invited to multiple workspaces (e.g. a supplier working on several projects) with potentially different permissions in each

Task Management with Kanban and Gantt View

Activity management is the heart of project collaboration:

  • Kanban board: customisable columns (Backlog, In Progress, In Review, Done), drag-and-drop tasks, filters by assignee and label
  • Gantt view: visual project timeline with task dependencies, milestones, critical path — ideal for showing the plan to clients
  • Tasks with subtasks: hierarchical decomposition of work
  • Internal and external assignees: a task can be assigned to an internal team member, a freelancer, or even a client contact (for approvals)
  • Deadlines and reminders: every task has a due date; the system sends automatic reminders to the assignee
  • Per-task comments: every task has its own comment thread, separate from the general workspace chat
  • Task attachments: files, links, and documents can be attached directly to tasks
  • Task activity history: who did what on the task and when — complete and unmodifiable
  • Labels and priorities: task categorisation by type, priority (low/medium/high/critical), sprint, or milestone

Encrypted File Sharing (AES-256)

Secure document sharing is one of the core features:

  • AES-256 encryption at rest: all uploaded files are encrypted before being written to storage. Nobody — not even those managing the servers — can read the files without the encryption keys
  • TLS 1.3 encryption in transit: all transfers occur over encrypted channels using the most current protocols
  • Download control: configure whether files can be downloaded or only viewed in the browser (preview only)
  • Temporary sharing links: generate a temporary link with configurable expiry to share a file with someone not in the workspace
  • Antivirus scanning: every uploaded file is automatically scanned before being made available
  • File size and type limits: configurable per workspace and per role
  • Folder structure: file organisation in folders and subfolders, with different permissions per folder
  • Full-text search: search in document contents (PDF, Word, text) as well as file names

Document Versioning

Version control eliminates the "filefinalv2_REAL" chaos:

  • Automatic versioning: every time a file is replaced, the previous version is automatically retained
  • Version history: view all versions with date, author, and file size
  • Version restore: return to any previous version with a single click
  • Version comparison: for text documents, visual comparison of differences between versions
  • Document lock: a user can lock a document while editing it, preventing concurrent modifications
  • Checkout/checkin: structured editing workflow for environments requiring formal control over changes
  • Visible version number: every file clearly shows the current version (e.g. v1.0, v1.1, v2.0)

In-App Chat for Projects and Tasks

Contextualised communication reduces emails and keeps the conversation close to the work:

  • Workspace chat: general communication channel for the entire project team (internal and external)
  • Per-task chat: every task has its own comment thread for discussion exclusively about that task
  • Topic channels: create specific channels (e.g. "Client Approvals", "Technical Notes", "Urgent Communications")
  • Direct messages: private conversations between two users within the platform
  • @mentions: push and email notifications when mentioned in a message
  • Files in chat: share files directly in chat, with secure upload
  • Message search: full-text search in the chat history
  • Complete history: all chat is retained and searchable — no important information is ever lost
  • No external apps: all communication happens entirely in the platform, without depending on WhatsApp, Telegram, or other personal tools

Granular Permissions: Custom Roles

The permissions system is what distinguishes a professional platform from a simple cloud:

Predefined roles:

  • Admin (internal): full access to the entire workspace, can invite/remove users, modify permissions
  • Team member (internal): full access to contents, can create and assign tasks, upload files
  • Client: can see project progress, comment, approve deliverables; cannot see internal task details or internal documents
  • Supplier/Freelancer: access to assigned tasks and relevant folders; cannot see other suppliers' data or client data

Granular permissions:

  • For each role, configure specific permissions: can they see tasks? Create them? Assign them? Download files? See internal comments?
  • Per-folder permissions: an "Internal Documents" folder can be visible only to team members, while a "Client Deliverables" folder is visible to all
  • Temporary permissions: an external user can have expanded access for a specific period (e.g. during a UAT phase)

Complete Audit Log

The audit log is the feature that makes the platform a legally reliable tool:

  • Immutable recording: every action is recorded in a log that cannot be modified or deleted, even by the administrator
  • What is recorded: login, logout, file viewing, file download, file upload, task creation/modification/deletion, permission changes, user invitation/removal, every message sent
  • Data recorded per event: precise timestamp (milliseconds), IP address, user agent, user ID, username, action performed, action subject (which file, which task)
  • Log export: export in CSV or JSON format for external analysis or for legal proceedings
  • Advanced filters: search by user, action type, time range, or object
  • Suspicious activity alerts: notify the admin when anomalous behaviour occurs (e.g. bulk file download, access from unusual IPs, failed access attempts)
  • Configurable retention: the log is retained for a configurable period (typically 2-5 years)
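
How the suspicious-activity alerts listed above could be evaluated over a JSON log export, as an added example that is not Graffico's code. The field names (`ts`, `ip`, `user_id`, `action`, `subject`), the action names, and the thresholds are assumptions; the sample events are constructed.

```python
import json
from collections import defaultdict, deque

# Assumed thresholds; a real deployment would tune these per workspace and role.
BULK_DOWNLOADS, BULK_WINDOW_MS = 5, 60_000      # 5 downloads within 1 minute
FAILED_LOGINS, FAILED_WINDOW_MS = 3, 300_000    # 3 failures within 5 minutes

T0 = 1_700_000_000_000  # constructed base timestamp (milliseconds since epoch)


def ev(offset_ms, ip, user_id, action, subject=None):
    """Build one constructed audit event using the assumed field names."""
    return {"ts": T0 + offset_ms, "ip": ip, "user_id": user_id,
            "action": action, "subject": subject}


# Constructed sample export, one JSON event per line (documentation IP ranges).
SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in [
    ev(0, "198.51.100.10", "u1", "login"),
    *[ev(10_000 + i * 4_000, "198.51.100.10", "u1", "file_download", f"file-{i}")
      for i in range(5)],
    ev(40_000, "192.0.2.44", "u3", "login"),
    ev(45_000, "192.0.2.44", "u3", "file_download", "file-9"),
    *[ev(100_000 + i * 30_000, "203.0.113.7", "u2", "login_failed")
      for i in range(3)],
    ev(600_000, "203.0.113.99", "u1", "login"),
])


def window_hit(times, ts, window_ms, threshold):
    """Sliding window: True when `threshold` events fall inside `window_ms`."""
    times.append(ts)
    while ts - times[0] > window_ms:
        times.popleft()
    if len(times) >= threshold:
        times.clear()  # reset so one burst raises one alert, not one per event
        return True
    return False


def detect(export_text):
    """Return (alert_type, user_id, ts) tuples in chronological order."""
    events = sorted((json.loads(line) for line in export_text.splitlines()
                     if line.strip()), key=lambda e: e["ts"])
    downloads = defaultdict(deque)   # user_id -> recent download timestamps
    failures = defaultdict(deque)    # user_id -> recent failed-login timestamps
    known_ips = defaultdict(set)     # user_id -> IPs seen on successful logins
    alerts = []
    for e in events:
        uid, ts, action = e["user_id"], e["ts"], e["action"]
        if action == "file_download":
            if window_hit(downloads[uid], ts, BULK_WINDOW_MS, BULK_DOWNLOADS):
                alerts.append(("bulk_download", uid, ts))
        elif action == "login_failed":
            if window_hit(failures[uid], ts, FAILED_WINDOW_MS, FAILED_LOGINS):
                alerts.append(("failed_logins", uid, ts))
        elif action == "login":
            # The first login only establishes the baseline for that user.
            if known_ips[uid] and e["ip"] not in known_ips[uid]:
                alerts.append(("unusual_ip", uid, ts))
            known_ips[uid].add(e["ip"])
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EXPORT):
        print(alert)
```

Seeding the per-user IP baseline from the first login keeps a newly invited external user from alerting on their first access; a production rule would persist that baseline across exports.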

Email Notifications and Webhooks

The notification system keeps everyone updated without requiring constant platform monitoring:

  • Configurable email notifications by type: task assignment, task comment, file upload in a followed folder, chat mention, approaching deadline
  • Daily or weekly digest: instead of receiving every individual notification, choose a periodic summary
  • In-app notifications: badges and push notifications for browser users
  • Webhooks: for every platform event, configure a webhook that notifies an external system (e.g. Slack, Teams, Jira, your internal project management system)
  • Event API: subscribe/publish system for advanced integrations

GDPR Art. 32 — Technical and Organisational Measures

Collaboration with external parties involves personal data processing that must comply with Art. 32 GDPR (technical and organisational measures appropriate to the risk):

Technical measures implemented:

  • AES-256 encryption at rest and TLS 1.3 in transit
  • Two-factor authentication (2FA) enforceable for all users or specific roles
  • Configurable session timeout
  • Configurable password policy (minimum length, complexity, expiry)
  • No personal data in URLs or system logs
  • Encrypted backups with documented retention and disaster recovery
  • Periodic vulnerability scanning and penetration testing on request

Organisational measures:

  • Strict data separation per workspace
  • Immutable access log as accountability evidence
  • Data access procedure for data subject requests (Art. 15 GDPR)
  • Data deletion procedure (Art. 17 GDPR)
  • Pre-drafted DPA (Data Processing Agreement) for the Controller-Processor relationship

NIS2 Compliance for Critical Sectors

For organisations operating in critical sectors (energy, transport, healthcare, digital infrastructure, financial services), the NIS2 Directive (EU Directive 2022/2555) imposes specific security measures for supply chain and third-party collaboration:

  • Supply chain risk management: the platform implements controls that limit the data accessible to each supplier to the minimum necessary
  • Access segregation: each supplier sees only their own workspaces and cannot access other parties' data
  • Incident detection: the audit log and alert system contribute to early detection of security incidents
  • NIS2 audit documentation: export of security configuration, logs, and implemented measures to support audit by competent authorities
  • Business continuity: high-availability architecture (99.9% SLA) with documented disaster recovery

SSO / SAML 2.0 for Enterprise Companies

Integration with corporate identity systems is fundamental for security and user experience in large organisations:

  • SAML 2.0: integration with any corporate Identity Provider (Azure Active Directory / Entra ID, Okta, Auth0, Google Workspace, ADFS)
  • Single Sign-On: employees access the platform with their corporate credentials, without additional passwords
  • Automatic provisioning (SCIM): when an employee is added to or removed from the corporate IdP, their platform account is automatically created or deactivated
  • Enforced SSO: you can require all internal members to use SSO, preventing username/password access
  • MFA delegated to IdP: the second authentication factor is managed by the corporate IdP, not the platform (avoiding duplication)
  • JIT Provisioning: the account is automatically created on first SSO login, without requiring a manual administrator action

White-Label: Custom Domain and Client Logo

For agencies and consulting firms that want to present the platform under their own brand:

  • Custom domain: the platform runs on `collaborate.yourdomain.com` or any chosen subdomain
  • Logo and brand identity: logo, primary colours, fonts — the platform appears fully branded with your identity
  • Branded emails: all notification emails arrive from your domain (e.g. `noreply@yourdomain.com`) and with your layout
  • No Graffico mention: the software is invisible — your clients see only your brand
  • Custom terms of service: use your own terms of service and privacy policy
  • Client subdomain for portals: if desired, each client can have their workspace accessible from their own subdomain

---

Typical Workflow

Project opening: The internal project manager creates a workspace for the new client in 2 minutes. Assigns internal team members. Invites client contacts via email and, if the project involves suppliers, also supplier contacts — with different roles.

Kickoff: The whole team accesses the platform. Brief documents, signed contracts (if the workflow requires it), and technical specifications are uploaded. The Kanban board is created with project tasks. The client sees only the columns relevant to them.

During the project: The internal team works on tasks. Files are uploaded to the shared folder. The client can comment, approve deliverables, ask questions in the workspace chat. The supplier accesses only the tasks and folders within their remit. Every action is tracked in the audit log.

Deliverables and approvals: When a deliverable is ready, it is uploaded to a specific folder. The client receives a notification, enters the platform, views (or downloads, if permitted), and leaves feedback in the task thread or chat. Formal approval can be managed with a digital signature mechanism or explicit tracked confirmation.

Project closure: The workspace is archived. Documents remain accessible to internal members for the configured period. At the end of the retention period, client data is automatically deleted with the deletion recorded in the audit log. If the client requests deletion of their data before the deadline (Art. 17 GDPR), the procedure is executed manually with documentation.

---

Possible Integrations

  • Internal project management systems (Jira, Asana, Monday, ClickUp): synchronise tasks between the internal system and the external workspace — the client sees a simplified view of tasks coming from Jira
  • Corporate storage (SharePoint, OneDrive, Google Drive): files can be selectively synchronised from the internal repository to the external platform
  • Microsoft Teams and Slack: platform event notifications (new comment, file uploaded, task completed) directly in internal channels
  • Digital signature systems (DocuSign, Yousign, Namirial): document signing flow integrated in the platform
  • CRM (Salesforce, HubSpot): the workspace is linked to the client's record in the CRM
  • Time tracking tools (Toggl, Harvest, Clockify): tracking of time worked per project, with integration into invoicing
  • Company ERP: export of hours and costs to the accounting system
  • Active Directory / LDAP: internal user synchronisation
  • REST API + Webhooks: integration with any system via documented API

---

Custom vs Off-the-Shelf

Tools for external collaboration exist (Basecamp, Notion, ClickUp with guest access, Huddle, SharePoint Extranet). Why a custom system?

Limitations of generic tools:

  • Guest access with limited and inflexible permissions
  • Audit log absent or insufficient for legal and compliance use
  • File encryption not guaranteed or not documented
  • No certified compliance (GDPR, NIS2) — you trust the vendor's policy
  • White-label absent or very expensive
  • SSO/SAML only available in the most expensive enterprise plans
  • Data on US servers with no EU localisation guarantees
  • Inability to adapt permissions to your specific processes
  • Vendor dependency for the product's future

Advantages of Graffico custom development:

  • Immutable audit log certifiable in legal proceedings
  • Documented AES-256 encryption with key management under your control
  • GDPR and NIS2 compliance designed from the start, not bolted on
  • Native white-label with your domain
  • SSO/SAML included without surcharge
  • Data in Italy or EU on infrastructure you control
  • Permissions modelled exactly on your workflows
  • Code ownership: the system is yours, you depend on no vendor

---

Timeline, Budget & Process

How We Work

1. Discovery (1-2 weeks): Analysis of your external collaboration workflows, stakeholder types, required integrations, and security and compliance requirements
2. Design (2-3 weeks): Permissions system architecture, workspace design, audit log specification, SSO specifications
3. MVP Development (8-12 weeks): Workspaces, file management, task management, chat, notifications, basic audit log
4. Security hardening (2 weeks): Penetration testing, vulnerability assessment, configuration review
5. Go-live and training (1-2 weeks): Internal team training, onboarding of first external clients/suppliers, monitoring
6. Continuous evolution: Sprints to add SSO, white-label, specific integrations, advanced features

Indicative Budget

  • Basic system (workspaces, encrypted file sharing, versioning, Kanban tasks, chat, audit log, notifications): indicatively €22,000 – €38,000
  • Complete system (all of the above + Gantt view, advanced granular permissions, SSO/SAML, white-label, webhook integrations): indicatively €38,000 – €65,000
  • Enterprise system (documented NIS2 compliance, penetration testing, complex ERP/CRM integrations, agency multi-tenant, integrated digital signature): from €65,000 upward

Monthly hosting (servers, encrypted storage, backups, monitoring): typically €200 – €800/month depending on the number of workspaces and file volumes.

Contact us for a free analysis: the initial discovery has no cost.
