Organizations spend millions hardening perimeters: firewalls, zero trust architectures, identity and access management, endpoint detection. And then someone clicks "share" on a sensitive file and sends it to a business partner using a tool that was never designed for compliance or control.
Brett McCrae, VP of Customer Success at Virtru, framed the problem bluntly during a recent webinar introducing Virtru Collaborate: "How and why do we spend all of this time and effort and budget implementing all of these different tools only to let that data walk out the front door like it never mattered at all?"
Cole Grolmus, founder of Strategy of Security and former PwC advisory consultant, explained why this gap matters.
"You can't anchor your security model around the perimeter anymore. You have to have controls around data now. Data is a standalone object that is ultimately what attackers are after, and it is what regulation is actually regulating."
The tools most organizations use to share files (Google Drive, Box, SharePoint, Slack) were built for internal collaboration first. Once a third party downloads a file and takes it outside the workspace, control ends. Your compliance obligations don't.
Virtru built Collaborate to solve that gap using the Trusted Data Format (TDF), an open standard developed at the NSA.
Watch the full webinar here, or keep reading for what makes this approach fundamentally different.
Mike Morper, Virtru's Senior Vice President of Product Marketing, explained what drove Collaborate's development.
"We had historic customers that used our secure email products say, 'Works great, fantastic, but we also have file-based workflows that we need to orchestrate as well.' It was specifically CMMC that was the tipping point. They came to us and said, 'We are no longer going to be able to conduct business with the US national government if we do not have a way to meet these regulatory obligations, specifically CMMC Level 2.'"
CMMC Level 2 enforcement became a hard requirement for defense contractors in November 2025. But the structural problem applies everywhere: healthcare providers sharing under HIPAA, law enforcement exchanging CJIS data, financial services firms navigating GLBA. Every regulated industry faces compliance obligations that extend beyond the perimeter, applied to collaboration workflows that weren't designed with compliance in mind.
CMMC just made the timeline non-negotiable for defense contractors. The problem it exposes applies everywhere sensitive data needs to move.
Virtru Collaborate is built on the Trusted Data Format (TDF), an open data security standard originally developed at the NSA by Virtru co-founder Will Ackerly. It's the same technology the U.S. intelligence community and military use to protect classified and sensitive information.
TDF isn't proprietary to Virtru. It's an open standard, which means any vendor can build applications on top of it and organizations aren't locked into a single provider. But what it does architecturally is fundamentally different from how traditional file sharing platforms handle security.
When you upload a file to Virtru Collaborate, it's encrypted client-side and wrapped as a .tdf object. Inside that object is a manifest that includes:
In traditional file sharing platforms, access control lives in the platform. If someone downloads a file and takes it outside the workspace, the controls stop applying. With TDF, the policy is embedded in the file. The file itself enforces who can open it, what they can do with it, and for how long, regardless of where it goes.
Virtru Collaborate is 100% browser-based. No software to install. No training required. The design philosophy centers on patterns users already know from Google Drive, Dropbox, and SharePoint (upload, view, share) but with data-centric security enforcement underneath.
Workspaces in Collaborate function as secure enclaves. The data owner creates the workspace, invites participants, and sets the security posture. Files uploaded into a workspace inherit its policies automatically.
Morper walked through what this looks like in practice during the live demo of Virtru Collaborate. A law enforcement investigator shares evidence files with a district attorney by creating a secure workspace and uploading files. Those files are instantly wrapped as TDF objects. The district attorney receives a notification, authenticates using his existing Google credentials (no new account required), and sees the files in his own workspace view.
Grolmus confirmed the experience from the recipient side: "I was in my workspace, and I instantly saw it when you shared it. I was able to sign in with my existing Google credentials. Super simple: less than thirty seconds."
That frictionless experience matters because security tools that add friction get bypassed. But the control persistence matters more because compliance obligations don't end when you click send.
The workspace model maps cleanly to real-world collaboration patterns: a defense contractor sharing CUI with a subcontractor, a healthcare provider collaborating with a specialist on patient imaging, a financial institution exchanging audit documentation with regulators.
Every file in Collaborate has entitlements attached to it. Those entitlements specify what users can do: view only, download, edit (coming soon). Entitlements aren't managed through a separate admin panel. They're set at the workspace level and inherited by every file in that workspace.
Morper showed how this works in the legal workspace example. The workspace owner can toggle settings: allow viewing but block downloads, watermark files with viewer email addresses, restrict access to specific users.
The watermark feature addresses a common objection: "If someone can view it, they can screenshot it." True. But screenshots of watermarked documents with the viewer's email address painted across them create attribution and deterrence that screenshots of unmarked documents don't.
More importantly, the policy enforcement happens at the file level, not the platform level. If someone forwards the .tdf file to an unauthorized user, that user can't open it. If the data owner revokes access after sharing, previously authorized users lose access—even if they've already downloaded the file.
Collaborate doesn't require organizations to abandon existing workflows. It integrates with Google Drive and OneDrive, allowing users to pull files from those environments into secure workspaces without downloading and re-uploading.
Morper demonstrated logging into his Google Workspace account from within Collaborate, browsing his Drive folders, and selecting a file to transfer into a secure workspace. The file moved from a perimeter-based environment (Google Drive) into a FedRAMP Moderate authorized environment (Virtru's infrastructure) while maintaining the familiar user experience.
This extensibility matters for adoption. Organizations already collaborating in Google Workspace or Microsoft 365 don't need to retrain users on entirely new interfaces. They add a secure layer for sensitive files without disrupting workflows for non-sensitive collaboration.
The demo included a preview of functionality launching in the near future: real-time collaborative editing of Microsoft Office documents inside secure workspaces. Users will be able to click on Word, Excel, or PowerPoint files and edit them directly in the browser while maintaining TDF encryption and access controls.
Morper framed this as solving the core tension between security and collaboration: "The way organizations work today is real-time, back and forth. Not just throw it over the fence and wait for someone to do something days later. Real-time joint collaboration must take place. Data owner maintains governance and control. This is all courtesy of the Trusted Data Format."
CMMC drove initial urgency, but Collaborate's use cases extend far beyond the defense industrial base.
Defense contractors managing CUI under CMMC Level 2 requirements need FedRAMP authorized environments and the ability to share files with subcontractors, primes, and government customers while maintaining audit trails and revocation capabilities.
Recommended Reading: Virtru Collaborate vs PreVeil Drive
Healthcare providers sharing imaging files, lab results, and patient records with specialists, insurance companies, and patients themselves need HIPAA-compliant workflows that don't require recipients to create accounts or install software.
Law enforcement agencies and legal teams exchanging evidence with district attorneys, sharing investigative materials with federal partners, or collaborating with schools on CJIS-regulated information need attribution, watermarking, and revocation for sensitive case files.
Financial services firms working with auditors, regulators, and third-party risk assessors need to share sensitive financial data while retaining the ability to revoke access for M&A or other purposes, when engagements end.
State and local government agencies collaborating across jurisdictional boundaries need sovereignty over data that crosses organizational perimeters while meeting locality and retention requirements.
McCrae highlighted the breadth of use for Collaborate: "We have customers using us to share CJIS information from a school to a local law enforcement agency. We have customers using us to send really big sensitive medical files, like imaging files, from a provider to a patient, which seems like it should be really easy but it's not to do that today in a secure way."
The common thread across industries is the same structural problem. Compliance obligations extend beyond organizational control, applied to collaboration workflows that require external sharing.
Grolmus identified a trend that most security practitioners feel but few articulate clearly: "We're heading towards a world where compliance is mature. That's something we're going to have to deal with. We've accepted it. We're going to move on. Business expectations and customer expectations and partner expectations are becoming such that we need to be able to work with regulated data and still have a good experience at collaborating around it."
That intersection is where compliance and collaboration become complementary capabilities instead of competing priorities. Virtru Collaborate brings data-centric security to file sharing. For industries facing regulatory deadlines that make the old approach untenable, the timing matters.
Watch the full webinar to see the platform in action and hear the complete conversation about why data-centric security makes compliance and collaboration compatible at scale.
Or, book a one-on-one demo to see Virtru Collaborate in action.