Support
a) Is there any security for documents being viewed--for example, the ability to control copying and printing, as well as some form of encryption? (This is especially important for documents downloaded for offline reading.)
b) I see that the API supports annotations, but where are they stored--locally or in the cloud? If they're stored locally, is there some way to export them to the cloud and import them if the user opens the document from a different device?
------------
Regarding security XOD files can be protected with standard AES or proprietary encryption algorithms. For an example of how to implement a custom encryption handler please see https://groups.google.com/d/topic/pdfnet-webviewer/KGDN8WqP1Ko/discussion. Besides support for proprietary encryption the next update to PDFNet/Cloud API will include built-in AES support (http://en.wikipedia.org/wiki/Advanced_Encryption_Standard) so there would be 'no programming required for ‘out of box’ security features. The WebViewer also includes source code for the ReaderControl which can be used to customize every aspect of the user experience (i.e. you can remove some options add extra features etc.) – i.e. all of customization and flexibility that is important for any DRM system.
----
Re: annotations, they can be stored either locally (e.g. in HTML5 local storage) or remotely (i.e. as part of your cloud database).
Annotation can be serialized/saved as XFDF string (http://partners.adobe.com/public/developer/en/xml/XFDF_Spec_3.0.pdf.). Also every time the document is loaded, the WebViewer can also fetch annotations and display them in document view. As a starting point, attached is short intro to annotation and collaboration facilities in the WebViewer.