How Secure Are Virtual Data Rooms? The Ultimate Guide to VDR Safety

10 min read
3600 reads
secure virtual data room

One of the most important features of virtual data rooms is security. 

The security of sensitive and confidential data, like documents, agreements, financial statements, etc., is heavily dependent on the way we store and share them during the completion of different business processes.

The VDRs are not only an effective way to organize the data but also safe to store and share data. It’s crucial that your potential buyers only see the information you give them access to, so you are not exposing any other sensitive data. The VDR is great for these purposes.

What is a secure data room?

A secure data room is the virtual data room that guarantees reliability with security certifications, user features, and encryption protocols for data. It is also the safest way to ensure that the documents stay protected during different important processes and transactions.

To ensure that the virtual data room is secure, you should:

  • Research the websites of the VDR’s providers to find the needed information about compliance and security features.
  • Pay attention to reviews from the data room users. Check if there are any complaints about security.
  • Find out if the data room’s customer support works well in case you have questions or problems with using the room. It’s important that the customer support is responsive and works effectively to solve the problems as quickly as possible.
  • Make sure all the security options are available by default, with no additional charges.

What makes a virtual data room secure?

Generally, the VDRs are considered secure. It is due to the type of security certifications for cloud storage systems they have. So it’s actually safer to store the sensitive data in a data room than on a computer or a company server.

In fact, there are two key aspects that make a virtual data room secure. Let’s take a closer look at both.

secure data room

Compliance and security assurances

One of the top indicators of a virtual data room provider’s security is its security certifications. Here are the basic and advanced requirements for safety certificates:

  • AICPA – SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70). 

American Institute of Certified Public Accountants offers System and Organization Controls (SOC), like SOC 1 that is intended to meet the needs of entities that use service organizations and the CPAs that audit the user entities’ financial statements, in evaluating the effect of the controls at the service organization (the data room). This certification proves that the use of these reports is restricted to the management of the service organization, user entities, and user auditors. This is good for managing and preventing risks.

  • AICPA – SOC 2 Type II (formerly SAS 70 Type II).

This is a similar certification to the one mentioned above. The data room should be certified as compliant with the SOC standards for secure handling the financial documentation. This certification also proves that the VDR is assessed according to the SOC Security Principles that include communication, risk management, control monitoring, physical data access, system operations, and change management.

  • HIPAA/ITAR compliant. 

It’s also important that the virtual data room provider is compliant with the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) if you are in the healthcare industry. Compliance with HIPAA shows that your company adopts national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. HIPAA also protects confidentiality and sensitive patient data.

  • United States International Traffic in Arms Regulations (ITAR) 

controls the export of defense-related articles from the US. It requires that no non-US person can have physical or logical access to the data stored in ITAR-compliant environments, which is also important for data security.

  • ISO 9001 / ISO 27001. 

ISO 9001 is the international standard for a quality management system, which is used by organizations to demonstrate the ability to consistently provide services that meet customer and regulatory requirements. ISO 27001:2013 is also a standard that ensures the best internal practices are used by the VDR provider to verify security, availability, and data privacy.

  • Privacy Shield Compliance. 

The Privacy Shield is basically an agreement between the EU and US that allows transferring personal data from the EU to the US. It’s a mechanism that enables the companies to meet the EU requirements for transferring personal data to the third countries, which is mentioned in Chapter V of the GDPR.

  • GDPR. 

The VDR should be compliant with the General Data Protection Regulation (GDPR) to maintain the personal data privacy and integrity. It’s also important for data exchange between the US and European Union.

Advanced requirements for safety certificates

  • FISMA, DIACAP, and FedRAMP. 

Federal Information Security Management Act (FISMA) covers the compliance parameters on storage and processing of government data. FISMA and FedRAMP both have the same high-level goals, such as the protection of government data and reduction of the risks of unwanted information exposure within federal information systems. FedRAMP is aimed at cloud service providers. The providers should comply with FISMA and FedRAMP regulations to have Authority to Operate (ATO) from the government.

  • FIPS 140-2. 

FIPS 140-2 is This Federal Information Processing Standard, which specifies the security requirements that will be satisfied by a cryptographic module. This module provides four increasing, qualitative levels that are intended to cover a wide range of potential applications and environments.

  • MTCS Level 3. 

MTCS Level 3 is a Multi-Tier Cloud Security standard. It describes the relevant cloud computing security practices and controls for public cloud users, public cloud service providers, auditors, and certifiers. There can be different levels of security requirements in this multi-tier model.

  • PCI DSS Level 1. 

PCI DSS is the Payment Card Industry Data Security Standard. “Level 1” means that the merchant as one processes at least 1 million, 2.5 million, or 6 million transactions per year. The sum depends on the certain credit cards this merchant uses. The “Level 1”  is considered to be the highest, and most strict, of the PCI DSS levels.

  • DOD CSM Levels 1-5. 

DOD CSM is the U.S. Department of Defense’s Cloud Security Model. It allows DoD customers to conduct development and integration activities and includes additional security controls specific to the DoD.

Virtual data room security functions

The second aspect that makes the virtual data room secure is the security functions. Here are the main categories of security functions:

Functions that guarantee online storage safety

The safety of your documents online and infrastructure security is very important, that’s why leading VDR providers  have the following functions:

  1. Physical data protection with strict access policies
  2. 99.95% uptime to deliver highly resilient fail-safe environment with infrastructure’s redundant design
  3. Real-time data backup, so no document is lost
  4. Disaster recovery for prevention of the loss of data in centers from natural disasters
  5. Multi-layered data encryption with 256-bit AES keys. Encryption keys and Key Vaults are stored separately from the encrypted data for security reasons.

Functions that guarantee access security

The access security functions are:

  1. Logging and reporting feature, so all user activity can be tracked and reviewed.
  2. User security impersonation feature that helps administrators see the document access from any user’s perspective.
  3. Two-factor verification, which requires a password and a single-use code sent to the authorized user’s phone.
  4. Time and IP-address restriction feature allowing the administrator to restrict login from the particular IP address, configure policies for session duration and file access expiration date.
  5. Different levels of document access rights, such as granular, or role-based, access to the data. 
  6. Granular permission settings, meaning the access permission can be defined by user’s role and access rights to certain sections of the room separately for each user or the group.

Functions that guarantee data/document security

Data security is the key priority for the VDR providers and to ensure the documents are safe. Top VDR providers should have the following digital rights management functions:

  1. Digital watermarks with user’s name, IP address, date, and time of access. This is very helpful when you need to identify the source of the leak in case of a breach of security.
  2. Fence view with a barred screen area that helps to prevent any security breaches through screenshotting or unauthorized viewing.
  3. Secure spreadsheet viewer, so you can securely manipulate data in Excel spreadsheets online. You can also protect Excel spreadsheets by setting different access levels.
  4. Remote wipe that allows the administrator to remotely lock and wipe encrypted data from a lost or stolen device 
  5. Remote Shred to set the time for which each document is available to download. 

How to understand how secure a virtual data room provider is?

One of the great signs of a secure data room provider is the customer support and service that it provides. You or your clients might face some issues using the data room, that’s why it’s important that the provider has 24/7 support, which is able to quickly solve problems.

To better understand how secure a virtual data room provider is, you need to: 

  • Ensure that the provider complies with the data security requirements. 

Using the guidelines provided above in this article, you will be able to check if the VDR provider is compliant with basic or advanced security certifications.

  • Familiarize yourself with the availability and date of confirmation of the relevant security certificates. 

This is important, as some of the safety certifications need to be periodically validated.

  • What data security functions are provided by the VDR provider. 

The functions mentioned above are needed for supporting the highest standard of document security possible.

  • What guarantees of data confidentiality the provider offers in the contract/NDA. 

In a secure data room, you should be able to apply your own terms of use, NDA, disclaimer, or confidentiality agreement for all users that enter any of your projects.

Where can I learn about the security features and certifications of virtual data room providers?

You can find all of the needed information about security features and certifications on the provider’s website, as it often shows how intuitive the product will be. Check the interface if it’s visually pleasing, etc. Product intuitiveness shows the provider’s professionalism as well.

Also, a good way to get more information and ask specific questions is to directly contact technical support, so they can send you the needed information via email or over chat. Doing this will also show you how the support team works, how helpful they are, and what is their response time.

You should also check the provider’s security page. Security is one of the main reasons why professionals choose virtual data rooms for storing confidential information to deal with different processes and transactions.

The successful outcomes highly depend on sharing sensitive documentation, so don’t trust this data to ill-equipped and insecure providers. You always need to check all the details regarding security on the provider’s website to be sure you’re choosing the trusted company.


  1. Jan, 2018. “How Secure Is Your Data When It’s Stored in the Cloud?” by Haibin Zhang. Scientific American, Inc.
  2. Apr, 2019. “Understanding Cybersecurity Standards”. CGI.
  3. Cybersecurity standards. Wikipedia.
  4. Sep, 2019. “Why It’s Important To Have Information Security Standards”. Certitude Security.
  5. Complete guide to GDPR compliance.
  6. Privacy Shield Frameworks.
  7. American Institute of CPAs.
  8. International Organization for Standardization ISO Central Secretariat.

Recommended for you

investment bansk M&A
61 reads
The Role of Investment Banks in M&A Deals
5 min read
financial due diligence checklist
Due Diligence
195 reads
Financial Due Diligence Checklist
5 min read
Looking for virtual data room software?
Check out the Top 10 VDR Providers
View providers