Due DiligenceDue DiligenceData Rooms

Virtual Data Rooms for Due Diligence: How They Work

A virtual data room is the room where a deal either holds together or quietly falls apart. I have run due diligence from both sides of the table, as a founder raising money and as someone reviewing ot

By Rohan Nayak12 min readUpdated July 2026
Virtual Data Rooms for Due Diligence: How They Work
On this page

A virtual data room is the room where a deal either holds together or quietly falls apart. I have run due diligence from both sides of the table, as a founder raising money and as someone reviewing other people's documents, and the pattern is always the same. The companies that close fast are the ones whose data room made the reviewer's job easy. The ones that stall are usually buried under a folder called "Final_v3_REAL" sitting in a shared drive that nobody can navigate.

This guide is about the practical mechanics: how a virtual data room is actually used during a diligence process, from the moment you create the room to the moment you archive it after closing. I will tie the steps to how I set things up in Plox, because that is the tool I run my own rooms in, but the process maps cleanly onto any serious data room product.

What a virtual data room does in a diligence process

Strip away the marketing and a virtual data room is three things at once: a place to store confidential documents, a permission system that controls who sees what, and an audit trail that records every action. During diligence, all three matter.

Storage you could technically replicate with a cloud folder. The other two you cannot. When a buyer's lawyer asks for the cap table, you do not want to email it as an attachment that gets forwarded around with no expiry. You want to grant access to one named person, watch them open it, and revoke it the day the deal dies. That control, plus the record of who looked at what and when, is the entire reason data rooms exist as a category instead of just being a shared folder.

Here is the difference in plain terms.

CapabilityShared cloud folderVirtual data room
Per-user document permissionsLimited, clumsyGranular, per folder or per file
View tracking and audit logNoneFull record of opens, downloads, time spent
Watermarking and download controlNoYes
Access expiry and instant revokeManual at bestBuilt in
Q&A tied to specific documentsNoYes in most rooms
Clean impression for investorsPoorProfessional

The middle column is where deals leak. The right column is why a data room earns its place even on a small raise.

Setting up the room

The setup phase is unglamorous and it is where most of the value gets created. Get this right and the rest of diligence runs on rails.

I start by deciding the scope of the room before I upload a single file. A seed raise and a full acquisition need very different rooms. For a priced round I keep it lean: the reviewer wants to confirm a handful of things quickly, not wade through five years of receipts. For an M&A due diligence process the room is larger, more granular, and lives for months rather than weeks.

In Plox I create the data room, name it after the deal rather than the company (so I can run two processes in parallel without confusion), and set new documents to private until I deliberately share them. Defaulting to closed rather than open is the single habit that prevents the worst data room mistakes.

Then I gather documents against a list rather than uploading whatever is lying around. A structured due diligence data room checklist is worth more than any feature, because it turns a vague "send us everything" request into a finite, completable task, and it surfaces the gaps early rather than mid review.

Folder structure that reviewers can navigate

A reviewer forms an opinion about your company in the first ninety seconds inside the room, before they have read a word of substance, based purely on whether they can find things. Structure is the first signal of how the company is run.

I organize top-level folders by workstream, because that mirrors how diligence teams split the work. A typical structure looks like this:

  • 01 Corporate: incorporation documents, cap table, board minutes, shareholder agreements
  • 02 Financials: historical accounts, management accounts, the model, debt schedule
  • 03 Commercial: top customer contracts, pipeline, pricing
  • 04 Legal: material agreements, IP assignments, litigation
  • 05 Product and Technology: architecture overview, security posture, roadmap
  • 06 People: org chart, key employment agreements, option pool
  • 07 Data Protection: privacy policy, processing records, breach log

Numbering the folders forces a deliberate order and stops the system from sorting them alphabetically into nonsense. Within each folder I keep filenames consistent and dated, because "Customer_MSA_Acme_2025-03.pdf" tells the reviewer everything before they click and "doc1final.pdf" tells them nothing.

The workstreams also map onto the specialist reviews that will happen in parallel. The financials folder feeds financial due diligence, the technology folder feeds technical due diligence, and the commercial folder feeds the commercial due diligence the buyer's strategy team will run. When you structure the room around those workstreams from day one, each specialist can be pointed straight at their section instead of being granted the whole room.

Permissions and access control

Permissions are where a data room stops being a folder and starts being a deal tool. The principle I hold to is simple: grant the least access that lets the person do their job, and grant it explicitly.

In practice that means tiers. Not everyone in a diligence process should see everything, and treating access as all-or-nothing is how sensitive material ends up in the wrong inbox.

Reviewer typeWhat they getWhat stays closed
Lead investor or acquirerMost folders, full read accessPending legal items until cleared
Their lawyersLegal and corporate foldersDetailed financial model internals
Their accountantsFinancials and commercialPeople and personal data
Junior analystsRead-only, often watermarkedDownload rights on sensitive files

In Plox I set these by inviting people to specific folders rather than the whole room, switching on watermarking for the most sensitive documents so any screenshot carries the viewer's identity, and turning off download where view-only is enough. The most underused control is access expiry. I set an expiry date when I invite someone, so access lapses on its own rather than relying on me to remember to pull it. When a deal dies, and plenty do, you want the access to die with it automatically.

If the process involves verifying the identity of the people on the other side, that overlaps with customer due diligence and the heavier checks that fall under enhanced due diligence. A data room does not replace those checks, but knowing exactly who has been granted access and confirming their identity before you grant it is the practical first step.

Tracking who reviewed what

This is the capability that surprises founders the first time they use a real data room. You can see, file by file, who opened a document, when, how long they spent on it, and whether they came back.

That information is genuinely useful, not just a vanity metric. If the lead investor has spent an hour in the financials and keeps reopening the debt schedule, you know where their concern sits before they raise it, and you can prepare. If a folder has had zero opens a week before the committee meeting, you know the process has stalled and you can nudge. I have re-sequenced an entire follow-up call based on what the activity log told me the other side actually cared about.

The audit trail matters after the deal too. A complete record of who accessed which confidential document, and when, is exactly what you want if a question about information handling ever comes up later. In Plox every open and download is logged automatically, so the trail builds itself.

Running Q&A

Diligence is a conversation, not a one-way upload. Questions will come back, and how you handle them shapes how fast the deal moves.

The weak version is questions arriving by email, scattered across threads, half of them duplicates, with no link to the document in question. The strong version keeps questions attached to the room. When a reviewer can ask "is this the current version of the master services agreement?" against the actual file, and your answer lands in the same place, nothing gets lost and the exchange stays in one searchable record.

A few habits keep Q&A from becoming a bottleneck:

  • Assign an owner per workstream. Financial questions go to the person who owns the model, legal questions to counsel. Routing by topic beats one founder trying to answer everything.
  • Answer with documents, not prose. If the answer is a clause, point to the file rather than retyping it. It is faster and it is verifiable.
  • Track open questions like a punch list. Closing a round is partly just closing out the question list, so treat it as one.

Closing and what happens after

When the deal completes, the room does not just get deleted. It gets archived, deliberately.

I lock the room to read-only so the final state is preserved exactly as it was at signing. The audit trail, the document versions, the Q&A record: all of it becomes part of the deal history, and you may need to reference it during the warranty period or if anything is disputed later. For a deal that closes, that archived room is a record of what was disclosed and when, which protects both sides.

For the deals that do not close, and most early conversations do not, the closing step is the opposite. I revoke every external invite, confirm in the audit log that access has actually lapsed, and keep the room intact internally for the next process. Reusing a well-built room for the next investor is one of the quiet advantages of having set it up properly the first time.

How this maps to Plox

I run my own rooms in Plox because it collapses the setup-permission-tracking loop into something I can manage without a data room administrator. The folder structure, the per-user folder permissions, the watermarking, the view tracking, the access expiry, and the audit log are the features that map directly onto the steps above. The product page at /data-rooms covers the specifics, and the pricing is structured so that running a single raise does not commit you to an enterprise seat minimum.

That last point catches a lot of founders out. The legacy enterprise rooms are quote-based and built for billion dollar transactions, which is the wrong shape for a seed or Series A raise. If you are weighing the trade-offs, the breakdown of virtual data room cost and the comparison of the best data room for due diligence go deeper than I can here, and they credit the alternatives honestly rather than pretending one tool wins every scenario.

The honest summary: for a large, lawyer-heavy acquisition, the heavyweight incumbents earn their keep. For a founder running a raise or a smaller M&A process, a modern room like Plox gives you the controls that actually matter without the overhead. Match the tool to the deal.

Frequently asked questions

Do I really need a virtual data room for a small seed raise?

For a friends-and-family round, a clean shared folder might be enough. The moment you have an institutional investor doing real diligence, a data room earns its place, mostly because of permission control and the audit trail. Being able to grant one person access, watch them review, and revoke it cleanly when the conversation ends is worth far more than the modest cost of the room.

How long should I keep a data room open after a deal closes?

Archive it rather than delete it, and keep it read-only for at least the length of any warranty or indemnity period in the deal documents, which is often a year or two. The archived room is your record of exactly what was disclosed and when. For deals that fall through, revoke external access immediately but keep the structure internally so you can reuse it.

What is the difference between a virtual data room and just using Google Drive?

The core difference is control and accountability. A data room gives you per-user permissions, view tracking, watermarking, download restrictions, and a full audit log, none of which a standard cloud folder provides in any usable form. For casual sharing a drive is fine. For confidential documents that reviewers will scrutinize, the lack of an audit trail in a plain drive is a real liability.

How do I structure folders so reviewers can find things?

Organize by workstream, number the folders so they sort in a deliberate order, and name files consistently with dates. A structure that mirrors how the diligence team splits its work (corporate, financials, commercial, legal, technology, people) lets each specialist be pointed straight at their section. Build the structure from a due diligence checklist rather than uploading whatever you have lying around.

Can the other side see how much I have looked at their documents?

In your own room, the tracking runs in your favour: you can see who on the buy side opened what and for how long. Whether they can see your activity depends on whose room it is. In a two-sided process each party typically controls and sees the analytics for the documents they host. Always assume your activity in someone else's room may be logged, because in a well-run room it almost certainly is.

Who should get download rights versus view-only access?

Default to view-only for anyone who does not strictly need a local copy, and reserve download rights for the lead reviewer and their core advisors. For the most sensitive files, watermark even the view-only access so any screenshot carries the viewer's identity. The general rule holds throughout: grant the least access that lets the person do their job, and grant it explicitly rather than by default.

Rohan Nayak

Written by Rohan Nayak · Co-founder, Plox

Rohan co-founded Plox. He spends most of his time with founders working out how to share a deck or a data room without losing control of it.

Connect on LinkedIn