From 4371b000358ea6f2b7f070e50ef68ea53a945194 Mon Sep 17 00:00:00 2001
From: James <james@jongsma.me>
Date: Sat, 28 Feb 2026 05:40:58 -0500
Subject: [PATCH] Add watermark tests and update website content

---
 cmd/server/website/dpa.html      |   1 +
 cmd/server/website/features.html |   1 +
 cmd/server/website/index.html    |   1 +
 cmd/server/website/pricing.html  |   1 +
 cmd/server/website/privacy.html  |   1 +
 cmd/server/website/security.html |   9 +-
 cmd/server/website/soc2.html     | 679 +++++++++++++++++++++++++++++++
 cmd/server/website/terms.html    |   1 +
 lib/watermark_test.go            | 213 ++++++++++
 9 files changed, 903 insertions(+), 4 deletions(-)
 create mode 100644 cmd/server/website/soc2.html
 create mode 100644 lib/watermark_test.go

diff --git a/cmd/server/website/dpa.html b/cmd/server/website/dpa.html
index 1e710b7..bf51c7b 100644
--- a/cmd/server/website/dpa.html
+++ b/cmd/server/website/dpa.html
@@ -352,6 +352,7 @@
             <li><a href="privacy.html" class="hover:text-white transition-colors">Privacy Policy</a></li>
             <li><a href="terms.html" class="hover:text-white transition-colors">Terms of Service</a></li>
             <li><a href="dpa.html" class="hover:text-white transition-colors">DPA</a></li>
+            <li><a href="soc2.html" class="hover:text-white transition-colors">SOC 2</a></li>
           </ul>
         </div>
         <div>
diff --git a/cmd/server/website/features.html b/cmd/server/website/features.html
index ef1985d..486380c 100644
--- a/cmd/server/website/features.html
+++ b/cmd/server/website/features.html
@@ -580,6 +580,7 @@
             <li><a href="privacy.html" class="hover:text-white transition-colors">Privacy Policy</a></li>
             <li><a href="terms.html" class="hover:text-white transition-colors">Terms of Service</a></li>
             <li><a href="dpa.html" class="hover:text-white transition-colors">DPA</a></li>
+            <li><a href="soc2.html" class="hover:text-white transition-colors">SOC 2</a></li>
           </ul>
         </div>
         <div>
diff --git a/cmd/server/website/index.html b/cmd/server/website/index.html
index fe2d5ee..35e9d3e 100644
--- a/cmd/server/website/index.html
+++ b/cmd/server/website/index.html
@@ -546,6 +546,7 @@
             <li><a href="privacy.html" class="hover:text-white transition-colors">Privacy Policy</a></li>
             <li><a href="terms.html" class="hover:text-white transition-colors">Terms of Service</a></li>
             <li><a href="dpa.html" class="hover:text-white transition-colors">DPA</a></li>
+            <li><a href="soc2.html" class="hover:text-white transition-colors">SOC 2</a></li>
           </ul>
         </div>
         <div>
diff --git a/cmd/server/website/pricing.html b/cmd/server/website/pricing.html
index eab4cc8..ca022ac 100644
--- a/cmd/server/website/pricing.html
+++ b/cmd/server/website/pricing.html
@@ -468,6 +468,7 @@
             <li><a href="privacy.html" class="hover:text-white transition-colors">Privacy Policy</a></li>
             <li><a href="terms.html" class="hover:text-white transition-colors">Terms of Service</a></li>
             <li><a href="dpa.html" class="hover:text-white transition-colors">DPA</a></li>
+            <li><a href="soc2.html" class="hover:text-white transition-colors">SOC 2</a></li>
           </ul>
         </div>
         <div>
diff --git a/cmd/server/website/privacy.html b/cmd/server/website/privacy.html
index 45e9a18..a638d25 100644
--- a/cmd/server/website/privacy.html
+++ b/cmd/server/website/privacy.html
@@ -291,6 +291,7 @@
             <li><a href="privacy.html" class="hover:text-white transition-colors">Privacy Policy</a></li>
             <li><a href="terms.html" class="hover:text-white transition-colors">Terms of Service</a></li>
             <li><a href="dpa.html" class="hover:text-white transition-colors">DPA</a></li>
+            <li><a href="soc2.html" class="hover:text-white transition-colors">SOC 2</a></li>
           </ul>
         </div>
         <div>
diff --git a/cmd/server/website/security.html b/cmd/server/website/security.html
index c743f11..f87407e 100644
--- a/cmd/server/website/security.html
+++ b/cmd/server/website/security.html
@@ -96,16 +96,16 @@
   <section class="py-16 px-6 bg-navy-light border-b border-white/10">
     <div class="max-w-7xl mx-auto">
       <div class="grid grid-cols-2 md:grid-cols-4 gap-8">
-        <div class="text-center">
+        <a href="soc2.html" class="text-center block hover:opacity-80 transition-opacity">
           <div class="w-20 h-20 mx-auto mb-4 rounded-xl bg-navy border border-gold/30 flex items-center justify-center">
             <svg viewBox="0 0 60 60" class="w-12 h-12" xmlns="http://www.w3.org/2000/svg">
               <path d="M30 5 L50 15 L50 30 C50 42 40 52 30 55 C20 52 10 42 10 30 L10 15 Z" fill="none" stroke="#C9A84C" stroke-width="2"/>
               <path d="M22 30 L27 35 L38 24" stroke="#C9A84C" stroke-width="3" fill="none" stroke-linecap="round" stroke-linejoin="round"/>
             </svg>
           </div>
-          <h3 class="font-semibold text-white">SOC 2 Type II</h3>
-          <p class="text-sm text-gray-400 mt-1">Certified compliant</p>
-        </div>
+          <h3 class="font-semibold text-white">SOC 2</h3>
+          <p class="text-sm text-gray-400 mt-1">Self-Assessed · Type II in progress</p>
+        </a>
         <div class="text-center">
           <div class="w-20 h-20 mx-auto mb-4 rounded-xl bg-navy border border-gold/30 flex items-center justify-center">
             <svg viewBox="0 0 60 60" class="w-12 h-12" xmlns="http://www.w3.org/2000/svg">
@@ -563,6 +563,7 @@
             <li><a href="privacy.html" class="hover:text-white transition-colors">Privacy Policy</a></li>
             <li><a href="terms.html" class="hover:text-white transition-colors">Terms of Service</a></li>
             <li><a href="dpa.html" class="hover:text-white transition-colors">DPA</a></li>
+            <li><a href="soc2.html" class="hover:text-white transition-colors">SOC 2</a></li>
           </ul>
         </div>
         <div>
diff --git a/cmd/server/website/soc2.html b/cmd/server/website/soc2.html
new file mode 100644
index 0000000..87f4acd
--- /dev/null
+++ b/cmd/server/website/soc2.html
@@ -0,0 +1,679 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>SOC 2 Compliance — Dealspace</title>
+  <meta name="description" content="SOC 2 Type II self-assessment documentation. Trust Services Criteria coverage for Security, Availability, Confidentiality, Processing Integrity, and Privacy.">
+  <!-- OpenGraph -->
+  <meta property="og:title" content="SOC 2 Compliance — Dealspace">
+  <meta property="og:description" content="SOC 2 Type II self-assessment documentation. Trust Services Criteria coverage for Security, Availability, Confidentiality, Processing Integrity, and Privacy.">
+  <meta property="og:url" content="https://muskepo.com/soc2">
+  <meta property="og:type" content="website">
+  <meta property="og:image" content="https://muskepo.com/og-image.png">
+  <!-- Twitter -->
+  <meta name="twitter:card" content="summary_large_image">
+  <meta name="twitter:title" content="SOC 2 Compliance — Dealspace">
+  <meta name="twitter:description" content="SOC 2 Type II self-assessment documentation. Trust Services Criteria coverage for Security, Availability, Confidentiality, Processing Integrity, and Privacy.">
+  <meta name="twitter:image" content="https://muskepo.com/og-image.png">
+  <link rel="preconnect" href="https://fonts.googleapis.com">
+  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+  <link href="https://fonts.googleapis.com/css2?family=Inter:wght@300;400;500;600;700&display=swap" rel="stylesheet">
+  <script src="https://cdn.tailwindcss.com"></script>
+  <script>
+    tailwind.config = {
+      theme: {
+        extend: {
+          colors: {
+            navy: '#0F1B35',
+            'navy-light': '#1a2847',
+            slate: '#2B4680',
+            gold: '#C9A84C',
+            'gold-light': '#d4b85f',
+          },
+          fontFamily: {
+            sans: ['Inter', 'system-ui', 'sans-serif'],
+          }
+        }
+      }
+    }
+  </script>
+  <style>
+    html { scroll-behavior: smooth; }
+    .gradient-text {
+      background: linear-gradient(135deg, #C9A84C 0%, #d4b85f 100%);
+      -webkit-background-clip: text;
+      -webkit-text-fill-color: transparent;
+      background-clip: text;
+    }
+  </style>
+</head>
+<body class="bg-navy font-sans text-white antialiased">
+
+  <!-- Navigation -->
+  <nav class="fixed top-0 left-0 right-0 z-50 bg-navy/95 backdrop-blur-sm border-b border-white/10">
+    <div class="max-w-7xl mx-auto px-6 py-4">
+      <div class="flex items-center justify-between">
+        <a href="index.html" class="flex items-center space-x-2">
+          <span class="text-2xl font-bold text-white">Deal<span class="text-gold">space</span></span>
+        </a>
+        <div class="hidden md:flex items-center space-x-8">
+          <a href="features.html" class="text-gray-300 hover:text-white transition-colors">Features</a>
+          <a href="security.html" class="text-gray-300 hover:text-white transition-colors">Security</a>
+          <a href="pricing.html" class="text-gray-300 hover:text-white transition-colors">Pricing</a>
+          <a href="#" class="text-gray-300 hover:text-white transition-colors">Sign In</a>
+          <a href="index.html#demo" class="bg-gold hover:bg-gold-light text-navy font-semibold px-5 py-2.5 rounded-lg transition-colors">Request Demo</a>
+        </div>
+        <button class="md:hidden text-white" aria-label="Toggle mobile menu" onclick="document.getElementById('mobile-menu').classList.toggle('hidden')">
+          <svg class="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 6h16M4 12h16M4 18h16"/>
+          </svg>
+        </button>
+      </div>
+      <div id="mobile-menu" class="hidden md:hidden pt-4 pb-2 space-y-3">
+        <a href="features.html" class="block text-gray-300 hover:text-white">Features</a>
+        <a href="security.html" class="block text-gray-300 hover:text-white">Security</a>
+        <a href="pricing.html" class="block text-gray-300 hover:text-white">Pricing</a>
+        <a href="#" class="block text-gray-300 hover:text-white">Sign In</a>
+        <a href="index.html#demo" class="inline-block bg-gold text-navy font-semibold px-5 py-2.5 rounded-lg mt-2">Request Demo</a>
+      </div>
+    </div>
+  </nav>
+
+  <!-- Hero -->
+  <section class="pt-32 pb-16 px-6 border-b border-white/10">
+    <div class="max-w-4xl mx-auto text-center">
+      <div class="inline-block bg-yellow-500/20 text-yellow-400 text-sm font-medium px-4 py-2 rounded-full mb-6">
+        Self-Assessment · Type II Audit Planned Q4 2026
+      </div>
+      <h1 class="text-4xl md:text-5xl font-bold mb-6">
+        SOC 2 <span class="gradient-text">Compliance</span>
+      </h1>
+      <p class="text-xl text-gray-400 max-w-2xl mx-auto">
+        Dealspace has completed a comprehensive SOC 2 Type II self-assessment. We are preparing for formal audit certification in Q4 2026.
+      </p>
+    </div>
+  </section>
+
+  <!-- Disclaimer Banner -->
+  <section class="py-6 px-6 bg-yellow-500/10 border-b border-yellow-500/20">
+    <div class="max-w-4xl mx-auto text-center">
+      <p class="text-yellow-200">
+        <strong>Note:</strong> This is a self-assessment document. Formal SOC 2 Type II audit is planned for Q4 2026.
+      </p>
+    </div>
+  </section>
+
+  <!-- Overview -->
+  <section class="py-24 px-6">
+    <div class="max-w-7xl mx-auto">
+      <div class="grid lg:grid-cols-2 gap-16 items-center">
+        <div>
+          <div class="inline-block bg-gold/20 text-gold text-sm font-medium px-3 py-1 rounded-full mb-6">Overview</div>
+          <h2 class="text-3xl md:text-4xl font-bold mb-6">What is SOC 2?</h2>
+          <p class="text-gray-400 text-lg mb-6 leading-relaxed">
+            SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA that evaluates how organizations manage customer data based on five Trust Services Criteria.
+          </p>
+          <p class="text-gray-400 text-lg leading-relaxed">
+            For M&A platforms handling confidential deal data, SOC 2 compliance demonstrates a commitment to security, availability, and data protection that investment banks and advisors require.
+          </p>
+        </div>
+        <div class="bg-navy-light border border-white/10 rounded-xl p-8">
+          <h3 class="font-semibold text-white text-xl mb-6">Self-Assessment Summary</h3>
+          <div class="space-y-4">
+            <div class="flex justify-between items-center">
+              <span class="text-gray-300">Security (CC1-CC9)</span>
+              <div class="flex items-center">
+                <div class="w-32 h-2 bg-navy rounded-full mr-3">
+                  <div class="w-[95%] h-full bg-green-500 rounded-full"></div>
+                </div>
+                <span class="text-green-400 font-medium">95%</span>
+              </div>
+            </div>
+            <div class="flex justify-between items-center">
+              <span class="text-gray-300">Availability (A1)</span>
+              <div class="flex items-center">
+                <div class="w-32 h-2 bg-navy rounded-full mr-3">
+                  <div class="w-[95%] h-full bg-green-500 rounded-full"></div>
+                </div>
+                <span class="text-green-400 font-medium">95%</span>
+              </div>
+            </div>
+            <div class="flex justify-between items-center">
+              <span class="text-gray-300">Confidentiality (C1)</span>
+              <div class="flex items-center">
+                <div class="w-32 h-2 bg-navy rounded-full mr-3">
+                  <div class="w-[98%] h-full bg-green-500 rounded-full"></div>
+                </div>
+                <span class="text-green-400 font-medium">98%</span>
+              </div>
+            </div>
+            <div class="flex justify-between items-center">
+              <span class="text-gray-300">Processing Integrity (PI1)</span>
+              <div class="flex items-center">
+                <div class="w-32 h-2 bg-navy rounded-full mr-3">
+                  <div class="w-[95%] h-full bg-green-500 rounded-full"></div>
+                </div>
+                <span class="text-green-400 font-medium">95%</span>
+              </div>
+            </div>
+            <div class="flex justify-between items-center">
+              <span class="text-gray-300">Privacy (P1-P8)</span>
+              <div class="flex items-center">
+                <div class="w-32 h-2 bg-navy rounded-full mr-3">
+                  <div class="w-[95%] h-full bg-green-500 rounded-full"></div>
+                </div>
+                <span class="text-green-400 font-medium">95%</span>
+              </div>
+            </div>
+          </div>
+          <div class="mt-6 pt-6 border-t border-white/10">
+            <p class="text-gray-400 text-sm">Assessment Date: February 28, 2026</p>
+          </div>
+        </div>
+      </div>
+    </div>
+  </section>
+
+  <!-- Scope -->
+  <section class="py-24 px-6 bg-navy-light">
+    <div class="max-w-7xl mx-auto">
+      <div class="text-center mb-16">
+        <div class="inline-block bg-gold/20 text-gold text-sm font-medium px-3 py-1 rounded-full mb-6">Scope</div>
+        <h2 class="text-3xl md:text-4xl font-bold mb-6">What's Covered</h2>
+        <p class="text-xl text-gray-400 max-w-3xl mx-auto">
+          Our SOC 2 assessment covers all aspects of the Dealspace platform and infrastructure.
+        </p>
+      </div>
+      
+      <div class="grid md:grid-cols-3 gap-8">
+        <div class="bg-navy border border-white/10 rounded-xl p-8">
+          <div class="w-14 h-14 bg-slate/30 rounded-lg flex items-center justify-center mb-6">
+            <svg class="w-7 h-7 text-gold" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 12h14M5 12a2 2 0 01-2-2V6a2 2 0 012-2h14a2 2 0 012 2v4a2 2 0 01-2 2M5 12a2 2 0 00-2 2v4a2 2 0 002 2h14a2 2 0 002-2v-4a2 2 0 00-2-2m-2-4h.01M17 16h.01"/>
+            </svg>
+          </div>
+          <h3 class="text-xl font-semibold mb-3">Infrastructure</h3>
+          <ul class="text-gray-400 space-y-2">
+            <li>• Production server (Zürich, Switzerland)</li>
+            <li>• Go application binary</li>
+            <li>• SQLite encrypted database</li>
+            <li>• Caddy reverse proxy</li>
+          </ul>
+        </div>
+
+        <div class="bg-navy border border-white/10 rounded-xl p-8">
+          <div class="w-14 h-14 bg-slate/30 rounded-lg flex items-center justify-center mb-6">
+            <svg class="w-7 h-7 text-gold" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z"/>
+            </svg>
+          </div>
+          <h3 class="text-xl font-semibold mb-3">Data Types</h3>
+          <ul class="text-gray-400 space-y-2">
+            <li>• M&A deal documents</li>
+            <li>• Financial data</li>
+            <li>• Transaction details</li>
+            <li>• Participant information</li>
+          </ul>
+        </div>
+
+        <div class="bg-navy border border-white/10 rounded-xl p-8">
+          <div class="w-14 h-14 bg-slate/30 rounded-lg flex items-center justify-center mb-6">
+            <svg class="w-7 h-7 text-gold" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 4.354a4 4 0 110 5.292M15 21H3v-1a6 6 0 0112 0v1zm0 0h6v-1a6 6 0 00-9-5.197M13 7a4 4 0 11-8 0 4 4 0 018 0z"/>
+            </svg>
+          </div>
+          <h3 class="text-xl font-semibold mb-3">User Types</h3>
+          <ul class="text-gray-400 space-y-2">
+            <li>• Investment bank admins/members</li>
+            <li>• Seller organizations</li>
+            <li>• Buyer organizations</li>
+            <li>• Observers</li>
+          </ul>
+        </div>
+      </div>
+    </div>
+  </section>
+
+  <!-- Trust Services Criteria -->
+  <section class="py-24 px-6">
+    <div class="max-w-7xl mx-auto">
+      <div class="text-center mb-16">
+        <div class="inline-block bg-gold/20 text-gold text-sm font-medium px-3 py-1 rounded-full mb-6">Trust Services Criteria</div>
+        <h2 class="text-3xl md:text-4xl font-bold mb-6">The Five Pillars</h2>
+        <p class="text-xl text-gray-400 max-w-3xl mx-auto">
+          SOC 2 evaluates organizations against five Trust Services Criteria. Dealspace implements controls for all five.
+        </p>
+      </div>
+      
+      <div class="space-y-8">
+        <!-- Security -->
+        <div class="bg-navy-light border border-white/10 rounded-xl p-8">
+          <div class="flex items-start">
+            <div class="w-14 h-14 bg-blue-500/20 rounded-lg flex items-center justify-center mr-6 flex-shrink-0">
+              <svg class="w-7 h-7 text-blue-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z"/>
+              </svg>
+            </div>
+            <div class="flex-1">
+              <h3 class="text-xl font-semibold mb-3">Security (CC1-CC9)</h3>
+              <p class="text-gray-400 mb-4">Protection against unauthorized access, both physical and logical.</p>
+              <div class="grid md:grid-cols-2 gap-4">
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  FIPS 140-3 encryption (AES-256-GCM)
+                </div>
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  Per-project key derivation (HKDF-SHA256)
+                </div>
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  Role-based access control (RBAC)
+                </div>
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  MFA required for IB users
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+
+        <!-- Availability -->
+        <div class="bg-navy-light border border-white/10 rounded-xl p-8">
+          <div class="flex items-start">
+            <div class="w-14 h-14 bg-green-500/20 rounded-lg flex items-center justify-center mr-6 flex-shrink-0">
+              <svg class="w-7 h-7 text-green-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 3v4M3 5h4M6 17v4m-2-2h4m5-16l2.286 6.857L21 12l-5.714 2.143L13 21l-2.286-6.857L5 12l5.714-2.143L13 3z"/>
+              </svg>
+            </div>
+            <div class="flex-1">
+              <h3 class="text-xl font-semibold mb-3">Availability (A1)</h3>
+              <p class="text-gray-400 mb-4">Systems are available for operation and use as committed.</p>
+              <div class="grid md:grid-cols-2 gap-4">
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  99.9% uptime SLA
+                </div>
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  4-hour recovery time objective
+                </div>
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  Daily encrypted backups
+                </div>
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  Swiss data center (Zürich)
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+
+        <!-- Confidentiality -->
+        <div class="bg-navy-light border border-white/10 rounded-xl p-8">
+          <div class="flex items-start">
+            <div class="w-14 h-14 bg-purple-500/20 rounded-lg flex items-center justify-center mr-6 flex-shrink-0">
+              <svg class="w-7 h-7 text-purple-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 15v2m-6 4h12a2 2 0 002-2v-6a2 2 0 00-2-2H6a2 2 0 00-2 2v6a2 2 0 002 2zm10-10V7a4 4 0 00-8 0v4h8z"/>
+              </svg>
+            </div>
+            <div class="flex-1">
+              <h3 class="text-xl font-semibold mb-3">Confidentiality (C1)</h3>
+              <p class="text-gray-400 mb-4">Information designated as confidential is protected as committed.</p>
+              <div class="grid md:grid-cols-2 gap-4">
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  All deal data encrypted at rest
+                </div>
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  Blind indexes for searchable encryption
+                </div>
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  TLS 1.3 for all connections
+                </div>
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  Dynamic document watermarking
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+
+        <!-- Processing Integrity -->
+        <div class="bg-navy-light border border-white/10 rounded-xl p-8">
+          <div class="flex items-start">
+            <div class="w-14 h-14 bg-orange-500/20 rounded-lg flex items-center justify-center mr-6 flex-shrink-0">
+              <svg class="w-7 h-7 text-orange-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4"/>
+              </svg>
+            </div>
+            <div class="flex-1">
+              <h3 class="text-xl font-semibold mb-3">Processing Integrity (PI1)</h3>
+              <p class="text-gray-400 mb-4">System processing is complete, valid, accurate, timely, and authorized.</p>
+              <div class="grid md:grid-cols-2 gap-4">
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  Input validation on all data
+                </div>
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  Parameterized SQL queries
+                </div>
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  Optimistic locking (ETag)
+                </div>
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  ACID transaction compliance
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+
+        <!-- Privacy -->
+        <div class="bg-navy-light border border-white/10 rounded-xl p-8">
+          <div class="flex items-start">
+            <div class="w-14 h-14 bg-pink-500/20 rounded-lg flex items-center justify-center mr-6 flex-shrink-0">
+              <svg class="w-7 h-7 text-pink-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M16 7a4 4 0 11-8 0 4 4 0 018 0zM12 14a7 7 0 00-7 7h14a7 7 0 00-7-7z"/>
+              </svg>
+            </div>
+            <div class="flex-1">
+              <h3 class="text-xl font-semibold mb-3">Privacy (P1-P8)</h3>
+              <p class="text-gray-400 mb-4">Personal information is collected, used, retained, and disclosed in conformity with commitments.</p>
+              <div class="grid md:grid-cols-2 gap-4">
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  GDPR/FADP/CCPA compliant
+                </div>
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  Data export on request
+                </div>
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  No third-party tracking
+                </div>
+                <div class="flex items-center text-gray-300">
+                  <svg class="w-5 h-5 text-green-400 mr-2" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                    <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+                  </svg>
+                  No data sales
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+  </section>
+
+  <!-- Controls Summary -->
+  <section class="py-24 px-6 bg-navy-light">
+    <div class="max-w-7xl mx-auto">
+      <div class="text-center mb-16">
+        <div class="inline-block bg-gold/20 text-gold text-sm font-medium px-3 py-1 rounded-full mb-6">Controls Summary</div>
+        <h2 class="text-3xl md:text-4xl font-bold mb-6">Key Security Controls</h2>
+      </div>
+      
+      <div class="grid md:grid-cols-2 lg:grid-cols-3 gap-6">
+        <div class="bg-navy border border-white/10 rounded-xl p-6">
+          <h3 class="font-semibold text-white mb-2">Encryption</h3>
+          <p class="text-gray-400 text-sm">FIPS 140-3 validated AES-256-GCM with per-project keys derived via HKDF-SHA256</p>
+        </div>
+        <div class="bg-navy border border-white/10 rounded-xl p-6">
+          <h3 class="font-semibold text-white mb-2">Authentication</h3>
+          <p class="text-gray-400 text-sm">JWT tokens with 1-hour expiry, MFA required for IB users, session management</p>
+        </div>
+        <div class="bg-navy border border-white/10 rounded-xl p-6">
+          <h3 class="font-semibold text-white mb-2">Authorization</h3>
+          <p class="text-gray-400 text-sm">Role hierarchy (IB → Seller → Buyer → Observer), invitation-only access</p>
+        </div>
+        <div class="bg-navy border border-white/10 rounded-xl p-6">
+          <h3 class="font-semibold text-white mb-2">Infrastructure</h3>
+          <p class="text-gray-400 text-sm">Swiss data center, UFW firewall, SSH key-only, automatic security updates</p>
+        </div>
+        <div class="bg-navy border border-white/10 rounded-xl p-6">
+          <h3 class="font-semibold text-white mb-2">Audit Logging</h3>
+          <p class="text-gray-400 text-sm">All access logged with actor, timestamp, IP. 7-year retention for compliance</p>
+        </div>
+        <div class="bg-navy border border-white/10 rounded-xl p-6">
+          <h3 class="font-semibold text-white mb-2">Backup & Recovery</h3>
+          <p class="text-gray-400 text-sm">Daily encrypted backups, 4-hour RTO, 24-hour RPO, tested recovery procedures</p>
+        </div>
+      </div>
+    </div>
+  </section>
+
+  <!-- Policy Documents -->
+  <section class="py-24 px-6">
+    <div class="max-w-7xl mx-auto">
+      <div class="text-center mb-16">
+        <div class="inline-block bg-gold/20 text-gold text-sm font-medium px-3 py-1 rounded-full mb-6">Documentation</div>
+        <h2 class="text-3xl md:text-4xl font-bold mb-6">Policy Documents</h2>
+        <p class="text-xl text-gray-400 max-w-3xl mx-auto">
+          Our SOC 2 program is supported by comprehensive policy documentation.
+        </p>
+      </div>
+      
+      <div class="grid md:grid-cols-2 lg:grid-cols-3 gap-6">
+        <a href="/docs/soc2/soc2-self-assessment-2026.md" class="bg-navy-light border border-white/10 rounded-xl p-6 hover:border-gold/50 transition-colors group">
+          <div class="flex items-center mb-4">
+            <svg class="w-8 h-8 text-gold mr-3" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z"/>
+            </svg>
+            <h3 class="font-semibold text-white group-hover:text-gold transition-colors">Self-Assessment Report</h3>
+          </div>
+          <p class="text-gray-400 text-sm">Complete SOC 2 Type II self-assessment with control mappings</p>
+        </a>
+        
+        <a href="/docs/soc2/security-policy.md" class="bg-navy-light border border-white/10 rounded-xl p-6 hover:border-gold/50 transition-colors group">
+          <div class="flex items-center mb-4">
+            <svg class="w-8 h-8 text-gold mr-3" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 12l2 2 4-4m5.618-4.016A11.955 11.955 0 0112 2.944a11.955 11.955 0 01-8.618 3.04A12.02 12.02 0 003 9c0 5.591 3.824 10.29 9 11.622 5.176-1.332 9-6.03 9-11.622 0-1.042-.133-2.052-.382-3.016z"/>
+            </svg>
+            <h3 class="font-semibold text-white group-hover:text-gold transition-colors">Security Policy</h3>
+          </div>
+          <p class="text-gray-400 text-sm">Security requirements for systems, data, and operations</p>
+        </a>
+        
+        <a href="/docs/soc2/incident-response-plan.md" class="bg-navy-light border border-white/10 rounded-xl p-6 hover:border-gold/50 transition-colors group">
+          <div class="flex items-center mb-4">
+            <svg class="w-8 h-8 text-gold mr-3" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z"/>
+            </svg>
+            <h3 class="font-semibold text-white group-hover:text-gold transition-colors">Incident Response Plan</h3>
+          </div>
+          <p class="text-gray-400 text-sm">Procedures for detecting and responding to security incidents</p>
+        </a>
+        
+        <a href="/docs/soc2/disaster-recovery-plan.md" class="bg-navy-light border border-white/10 rounded-xl p-6 hover:border-gold/50 transition-colors group">
+          <div class="flex items-center mb-4">
+            <svg class="w-8 h-8 text-gold mr-3" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15"/>
+            </svg>
+            <h3 class="font-semibold text-white group-hover:text-gold transition-colors">Disaster Recovery Plan</h3>
+          </div>
+          <p class="text-gray-400 text-sm">Recovery procedures following disasters affecting systems</p>
+        </a>
+        
+        <a href="/docs/soc2/data-retention-policy.md" class="bg-navy-light border border-white/10 rounded-xl p-6 hover:border-gold/50 transition-colors group">
+          <div class="flex items-center mb-4">
+            <svg class="w-8 h-8 text-gold mr-3" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M19 11H5m14 0a2 2 0 012 2v6a2 2 0 01-2 2H5a2 2 0 01-2-2v-6a2 2 0 012-2m14 0V9a2 2 0 00-2-2M5 11V9a2 2 0 012-2m0 0V5a2 2 0 012-2h6a2 2 0 012 2v2M7 7h10"/>
+            </svg>
+            <h3 class="font-semibold text-white group-hover:text-gold transition-colors">Data Retention Policy</h3>
+          </div>
+          <p class="text-gray-400 text-sm">Data retention periods and deletion procedures</p>
+        </a>
+        
+        <a href="/docs/soc2/risk-assessment.md" class="bg-navy-light border border-white/10 rounded-xl p-6 hover:border-gold/50 transition-colors group">
+          <div class="flex items-center mb-4">
+            <svg class="w-8 h-8 text-gold mr-3" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M9 19v-6a2 2 0 00-2-2H5a2 2 0 00-2 2v6a2 2 0 002 2h2a2 2 0 002-2zm0 0V9a2 2 0 012-2h2a2 2 0 012 2v10m-6 0a2 2 0 002 2h2a2 2 0 002-2m0 0V5a2 2 0 012-2h2a2 2 0 012 2v14a2 2 0 01-2 2h-2a2 2 0 01-2-2z"/>
+            </svg>
+            <h3 class="font-semibold text-white group-hover:text-gold transition-colors">Risk Assessment</h3>
+          </div>
+          <p class="text-gray-400 text-sm">Identified risks and mitigation controls</p>
+        </a>
+      </div>
+    </div>
+  </section>
+
+  <!-- Status -->
+  <section class="py-24 px-6 bg-navy-light">
+    <div class="max-w-4xl mx-auto text-center">
+      <div class="inline-block bg-gold/20 text-gold text-sm font-medium px-3 py-1 rounded-full mb-6">Status</div>
+      <h2 class="text-3xl md:text-4xl font-bold mb-6">Audit Timeline</h2>
+      
+      <div class="bg-navy border border-white/10 rounded-xl p-8 text-left">
+        <div class="space-y-6">
+          <div class="flex items-start">
+            <div class="w-8 h-8 bg-green-500/20 rounded-full flex items-center justify-center mr-4 mt-1 flex-shrink-0">
+              <svg class="w-4 h-4 text-green-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M5 13l4 4L19 7"/>
+              </svg>
+            </div>
+            <div>
+              <h4 class="font-semibold text-white">February 2026 — Self-Assessment Complete</h4>
+              <p class="text-gray-400">Comprehensive self-assessment against all five Trust Services Criteria completed. Policy documentation created.</p>
+            </div>
+          </div>
+          
+          <div class="flex items-start">
+            <div class="w-8 h-8 bg-blue-500/20 rounded-full flex items-center justify-center mr-4 mt-1 flex-shrink-0">
+              <svg class="w-4 h-4 text-blue-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 8v4l3 3m6-3a9 9 0 11-18 0 9 9 0 0118 0z"/>
+              </svg>
+            </div>
+            <div>
+              <h4 class="font-semibold text-white">Q2 2026 — Gap Remediation</h4>
+              <p class="text-gray-400">Address recommended action items including backup restore testing and external penetration test.</p>
+            </div>
+          </div>
+          
+          <div class="flex items-start">
+            <div class="w-8 h-8 bg-yellow-500/20 rounded-full flex items-center justify-center mr-4 mt-1 flex-shrink-0">
+              <svg class="w-4 h-4 text-yellow-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M8 7V3m8 4V3m-9 8h10M5 21h14a2 2 0 002-2V7a2 2 0 00-2-2H5a2 2 0 00-2 2v12a2 2 0 002 2z"/>
+              </svg>
+            </div>
+            <div>
+              <h4 class="font-semibold text-white">Q4 2026 — Formal SOC 2 Type II Audit</h4>
+              <p class="text-gray-400">Engage third-party auditor for formal SOC 2 Type II certification.</p>
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+  </section>
+
+  <!-- CTA -->
+  <section class="py-24 px-6 border-t border-white/10">
+    <div class="max-w-4xl mx-auto text-center">
+      <h2 class="text-3xl md:text-4xl font-bold mb-6">Questions About Compliance?</h2>
+      <p class="text-xl text-gray-400 mb-8">
+        Contact our security team for detailed documentation or to discuss your compliance requirements.
+      </p>
+      <div class="flex flex-col sm:flex-row gap-4 justify-center">
+        <a href="mailto:security@muskepo.com" class="bg-gold hover:bg-gold-light text-navy font-semibold px-8 py-4 rounded-lg transition-colors">
+          Contact Security Team
+        </a>
+        <a href="security.html" class="border border-white/20 hover:border-white/40 text-white font-semibold px-8 py-4 rounded-lg transition-colors">
+          View Security Page
+        </a>
+      </div>
+    </div>
+  </section>
+
+  <!-- Footer -->
+  <footer class="border-t border-white/10 py-12 px-6">
+    <div class="max-w-7xl mx-auto">
+      <div class="grid md:grid-cols-4 gap-8 mb-12">
+        <div>
+          <span class="text-2xl font-bold text-white">Deal<span class="text-gold">space</span></span>
+          <p class="text-gray-400 mt-4">The M&A workflow platform that Investment Banks trust.</p>
+        </div>
+        <div>
+          <h4 class="font-semibold mb-4">Product</h4>
+          <ul class="space-y-2 text-gray-400">
+            <li><a href="features.html" class="hover:text-white transition-colors">Features</a></li>
+            <li><a href="security.html" class="hover:text-white transition-colors">Security</a></li>
+            <li><a href="pricing.html" class="hover:text-white transition-colors">Pricing</a></li>
+          </ul>
+        </div>
+        <div>
+          <h4 class="font-semibold mb-4">Legal</h4>
+          <ul class="space-y-2 text-gray-400">
+            <li><a href="privacy.html" class="hover:text-white transition-colors">Privacy Policy</a></li>
+            <li><a href="terms.html" class="hover:text-white transition-colors">Terms of Service</a></li>
+            <li><a href="dpa.html" class="hover:text-white transition-colors">DPA</a></li>
+            <li><a href="soc2.html" class="hover:text-white transition-colors">SOC 2</a></li>
+          </ul>
+        </div>
+        <div>
+          <h4 class="font-semibold mb-4">Contact</h4>
+          <ul class="space-y-2 text-gray-400">
+            <li><a href="mailto:sales@muskepo.com" class="hover:text-white transition-colors">sales@muskepo.com</a></li>
+            <li><a href="mailto:security@muskepo.com" class="hover:text-white transition-colors">security@muskepo.com</a></li>
+          </ul>
+        </div>
+      </div>
+      <div class="border-t border-white/10 pt-8 flex flex-col md:flex-row justify-between items-center">
+        <p class="text-gray-500 text-sm">© 2026 Muskepo B.V. All rights reserved.</p>
+        <p class="text-gray-500 text-sm mt-4 md:mt-0">Amsterdam · New York · London</p>
+      </div>
+    </div>
+  </footer>
+
+<link rel="stylesheet" href="/chat.css">
+<script src="/chat.js"></script>
+</body>
+</html>
diff --git a/cmd/server/website/terms.html b/cmd/server/website/terms.html
index f702ca7..da03a92 100644
--- a/cmd/server/website/terms.html
+++ b/cmd/server/website/terms.html
@@ -325,6 +325,7 @@
             <li><a href="privacy.html" class="hover:text-white transition-colors">Privacy Policy</a></li>
             <li><a href="terms.html" class="hover:text-white transition-colors">Terms of Service</a></li>
             <li><a href="dpa.html" class="hover:text-white transition-colors">DPA</a></li>
+            <li><a href="soc2.html" class="hover:text-white transition-colors">SOC 2</a></li>
           </ul>
         </div>
         <div>
diff --git a/lib/watermark_test.go b/lib/watermark_test.go
new file mode 100644
index 0000000..39fbd48
--- /dev/null
+++ b/lib/watermark_test.go
@@ -0,0 +1,213 @@
+package lib
+
+import (
+	"archive/zip"
+	"bytes"
+	"image"
+	"image/color"
+	"image/png"
+	"testing"
+)
+
+// TestWatermarkPDF tests PDF watermarking with a minimal PDF.
+func TestWatermarkPDF(t *testing.T) {
+	// Minimal valid PDF (empty page)
+	minimalPDF := []byte(`%PDF-1.4
+1 0 obj
+<< /Type /Catalog /Pages 2 0 R >>
+endobj
+2 0 obj
+<< /Type /Pages /Kids [3 0 R] /Count 1 >>
+endobj
+3 0 obj
+<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
+endobj
+xref
+0 4
+0000000000 65535 f 
+0000000009 00000 n 
+0000000058 00000 n 
+0000000115 00000 n 
+trailer
+<< /Size 4 /Root 1 0 R >>
+startxref
+192
+%%EOF`)
+
+	label := "CONFIDENTIAL - Test User - 2026-02-28 - TestProject"
+
+	out, err := WatermarkPDF(minimalPDF, label)
+	if err != nil {
+		t.Fatalf("WatermarkPDF failed: %v", err)
+	}
+
+	// Basic checks
+	if len(out) == 0 {
+		t.Fatal("WatermarkPDF returned empty output")
+	}
+
+	// Watermarked PDF should be larger than original
+	if len(out) <= len(minimalPDF) {
+		t.Errorf("Watermarked PDF (%d bytes) should be larger than original (%d bytes)", len(out), len(minimalPDF))
+	}
+
+	// Should still start with PDF header
+	if !bytes.HasPrefix(out, []byte("%PDF")) {
+		t.Error("Output doesn't look like a PDF (missing %PDF header)")
+	}
+}
+
+// TestWatermarkImagePNG tests image watermarking with PNG.
+func TestWatermarkImagePNG(t *testing.T) {
+	// Create a minimal test PNG (100x100 red square)
+	img := image.NewRGBA(image.Rect(0, 0, 100, 100))
+	red := color.RGBA{255, 0, 0, 255}
+	for y := 0; y < 100; y++ {
+		for x := 0; x < 100; x++ {
+			img.Set(x, y, red)
+		}
+	}
+
+	var buf bytes.Buffer
+	if err := png.Encode(&buf, img); err != nil {
+		t.Fatalf("Failed to create test PNG: %v", err)
+	}
+	originalPNG := buf.Bytes()
+
+	label := "CONFIDENTIAL - Test User - 2026-02-28"
+
+	out, err := WatermarkImage(originalPNG, "image/png", label)
+	if err != nil {
+		t.Fatalf("WatermarkImage failed: %v", err)
+	}
+
+	// Basic checks
+	if len(out) == 0 {
+		t.Fatal("WatermarkImage returned empty output")
+	}
+
+	// Verify it's still a valid PNG
+	_, err = png.Decode(bytes.NewReader(out))
+	if err != nil {
+		t.Errorf("Output is not a valid PNG: %v", err)
+	}
+}
+
+// TestWatermarkDOCX tests DOCX watermarking with a minimal document.
+func TestWatermarkDOCX(t *testing.T) {
+	// Create a minimal DOCX (which is a ZIP file with specific structure)
+	minimalDOCX := createMinimalDOCX()
+
+	label := "CONFIDENTIAL - Test User - 2026-02-28 - TestProject"
+
+	out, err := WatermarkDOCX(minimalDOCX, label)
+	if err != nil {
+		t.Fatalf("WatermarkDOCX failed: %v", err)
+	}
+
+	// Basic checks
+	if len(out) == 0 {
+		t.Fatal("WatermarkDOCX returned empty output")
+	}
+
+	// Watermarked DOCX should be larger (we added header)
+	if len(out) <= len(minimalDOCX) {
+		t.Errorf("Watermarked DOCX (%d bytes) should be larger than original (%d bytes)", len(out), len(minimalDOCX))
+	}
+
+	// Should still be a valid ZIP
+	if !bytes.HasPrefix(out, []byte("PK")) {
+		t.Error("Output doesn't look like a DOCX/ZIP (missing PK header)")
+	}
+}
+
+// TestWatermarkDispatch tests the main dispatch function.
+func TestWatermarkDispatch(t *testing.T) {
+	tests := []struct {
+		name     string
+		mimeType string
+		data     []byte
+	}{
+		{"unknown type passthrough", "application/octet-stream", []byte("hello world")},
+		{"text passthrough", "text/plain", []byte("hello world")},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			out, err := Watermark(tt.data, tt.mimeType, "test label")
+			if err != nil {
+				t.Errorf("Watermark failed: %v", err)
+			}
+			// Unknown types should pass through unchanged
+			if !bytes.Equal(out, tt.data) {
+				t.Error("Unknown MIME type should pass through unchanged")
+			}
+		})
+	}
+}
+
+// TestWatermarkEmptyInput tests error handling for empty inputs.
+func TestWatermarkEmptyInput(t *testing.T) {
+	_, err := WatermarkPDF(nil, "test")
+	if err == nil {
+		t.Error("WatermarkPDF should fail on nil input")
+	}
+
+	_, err = WatermarkImage(nil, "image/png", "test")
+	if err == nil {
+		t.Error("WatermarkImage should fail on nil input")
+	}
+
+	_, err = WatermarkDOCX(nil, "test")
+	if err == nil {
+		t.Error("WatermarkDOCX should fail on nil input")
+	}
+}
+
+// createMinimalDOCX creates a minimal valid DOCX for testing.
+func createMinimalDOCX() []byte {
+	var buf bytes.Buffer
+	w := zip.NewWriter(&buf)
+
+	// [Content_Types].xml
+	contentTypes := `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
+  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
+  <Default Extension="xml" ContentType="application/xml"/>
+  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
+</Types>`
+	f, _ := w.Create("[Content_Types].xml")
+	f.Write([]byte(contentTypes))
+
+	// _rels/.rels
+	rels := `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
+  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
+</Relationships>`
+	f, _ = w.Create("_rels/.rels")
+	f.Write([]byte(rels))
+
+	// word/document.xml
+	doc := `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
+  <w:body>
+    <w:p>
+      <w:r>
+        <w:t>Test Document</w:t>
+      </w:r>
+    </w:p>
+  </w:body>
+</w:document>`
+	f, _ = w.Create("word/document.xml")
+	f.Write([]byte(doc))
+
+	// word/_rels/document.xml.rels
+	docRels := `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
+</Relationships>`
+	f, _ = w.Create("word/_rels/document.xml.rels")
+	f.Write([]byte(docRels))
+
+	w.Close()
+	return buf.Bytes()
+}