How Secure Are Virtual Data Rooms? The Ultimate Guide to VDR Safety


Data security is a major concern for individual users, and even more so for businesses and organizations: the Internet Crime Complaint Center registered 847,376 complaints in 2021.

How well confidential information (documents, agreements, financial statements, and so on) is protected depends on where you store it and how you use it.

For that reason, generic file-sharing apps may not be reliable enough for an initial public offering, a restructuring, M&A lifecycle management, project management, and similar deals. Virtual data rooms, in contrast, make sensitive data management in these deals considerably simpler. A virtual data room works especially well when potential buyers should see only the information you grant them access to, so no other sensitive documents are exposed.

What is a secure data room?

As a concept, a VDR implies the highest level of security. Any particular cloud platform, however, may fall short of the highest security standards, because VDR providers differ in quality. For that reason, VDR users informally single out secure data rooms from the rest.

A secure data room is a virtual data room that meets industry-leading security standards and provides the highest level of information control.

A secure data room is the safest way to protect documents during financial transactions and other complex deals.

To ensure that the virtual data room is secure, you should:

  • Research the VDR provider’s website. Find the needed information about compliance and security features.
  • Familiarize yourself with the subject data room’s security features. Make sure all the security options are available by default, with no additional charges.
  • Pay attention to reviews from the data room users. Research data room review platforms to check the provider’s rating and reputation. Check if there are any complaints about security, recorded security breaches, and related legal procedures.

How do you assess how secure a virtual data room provider is?

Follow these steps to ensure the virtual deal room provider offers top-notch security:

  1. Ensure that the provider complies with the data security requirements. Research the VDR provider’s website to identify its security certificates and check their active statuses. This is important, as some safety certifications need to be periodically validated.
  2. Review security options offered by the VDR provider. If possible, subscribe to a free trial to test VDR features firsthand. Ensure the subject VDR enables login security, document controls, access permissions, watermarking, and data encryption.
  3. Inspect NDA and custom contract options. You should be able to apply your own terms of use, NDA, disclaimer, or confidentiality agreement for all users entering your projects.

Top 5 secure virtual data room solutions

Check the table below to compare virtual data rooms based on their security features.

Top 5 virtual data room vendors (based on Getapp ratings)

| Security certificates | 1. iDeals, 4.8 (248 reviews) | 2. Datasite, 4.7 (3 reviews) | 3. Intralinks, 4.1 (17 reviews) | 4. DFIN Venue, 5 (2 reviews) | 5. Firmex, 4.8 (189 reviews) |
|---|---|---|---|---|---|
| GDPR | Yes | Yes | Yes | Yes | Yes |
| ISO 27001 | Yes | Yes | Yes | Yes | Yes |
| SOC 2 Type II | Yes | Yes | Yes | Yes | No |
| HIPAA | Yes | Yes | Yes | Yes | Yes |
| Privacy Shield/CCPA | Yes | Yes | Yes | No | Yes |

| Security features | 1. iDeals | 2. Datasite | 3. Intralinks | 4. DFIN Venue | 5. Firmex |
|---|---|---|---|---|---|
| 2-factor authentication | Yes | Yes | Yes | Yes | Yes |
| Password strength policy | Yes | No | No | No | No |
| Single sign-on (SSO) | Yes | Yes | Yes | Yes | Yes |
| Detailed user permissions | Yes | Yes | Yes | Yes | Yes |
| Document-level permissions | Yes | No | Yes | No | No |
| Remote shred + no-plugin IRM | Yes | Yes | Yes | Yes | No |
| Time and IP restrictions | Yes | No | No | No | Yes |
| Built-in redaction | Yes | Yes | Yes | Yes | Yes |
| Customizable dynamic watermarking | Yes | No | No | No | Yes |
| 256-bit data encryption | Yes | Yes | Yes | Yes | Yes |
| Customer-managed encryption keys | Yes | No | Yes | Yes | No |
| Customizable terms of use | Yes | Yes | Yes | Yes | Yes |
| Full audit logs | Yes | Yes | Yes | Yes | Yes |

How do you set the security features of a data room?

A secure virtual data room enables 256-bit data encryption at rest and in transit by default so users do not need to configure it manually. Data rooms may also store documents in several locations for emergency and disaster protection. You can also contact a customer support team to choose a particular server location aligning with your security policies.

Two-factor authentication, SSO, granular permissions, and other features have to be configured manually. The sections below describe VDR security features in three categories: access security, document management, and reporting.

Access security

  • IP restriction. It allows admins to restrict access to selected IP addresses so that confidential documents cannot be reached from unauthorized devices. You can apply IP restrictions under the security section of the user management menu.
  • Two-factor authentication. It lets you log into a data room with a password plus an SMS code or a passcode generated by Google Authenticator or a similar app. You can toggle 2FA in the security settings of user profiles, and you can make 2FA mandatory at the data room level by contacting the customer support team.
  • Single sign-on (SSO). It allows users to log into the system once a day using one set of credentials. Virtual data room services usually offer several SSO integrations, including Okta, OneLogin, Azure AD, Ping Identity, and others. Because the setup procedure differs for each SSO app, contact your dedicated data room manager to enable it.

Document management security

  • Granular permissions. Reliable virtual data rooms offer the following permissions: uploading, downloading, printing, view-only access, restricted viewing, and no access. You can apply them to multiple parties upon initial and additional user invitation or in the folder and document settings.
  • Information rights management (IRM) security. It allows you to manage permissions and advanced security settings for downloaded files on local devices. IRM security ensures complete control over files and is available under the encrypted download option in the document settings.

Reporting

  • Document activity tracking. The analytics section offers details on the most viewed documents and the most active users at a specific time. You can track document engagement by author, date, and time.
  • Custom audit trail reports. The analytics section also provides configurable data room activity reports with heat maps and color-coded graphs. You can download custom reports in Excel format.
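The reporting features above (most viewed documents, most active users, downloadable activity reports) and the logging feature listed later in this guide are easiest to understand with a concrete audit trail. The following is an added example, not code from the original article or from any VDR vendor: it parses a constructed audit log in a hypothetical `key=value` line format, produces the two summaries the article mentions, and adds the check a reviewer of such reports usually wants, a flag for users who download many documents in a short window.

```python
"""Added example: summarising a data room audit trail.

The line format and the sample lines are constructed for this example; they do
not reproduce any vendor's export format.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample audit trail (hypothetical format: timestamp, then key=value pairs).
SAMPLE_AUDIT_LOG = """\
2023-03-01T09:15:02Z user=alice action=view doc=term-sheet.pdf ip=203.0.113.5
2023-03-01T09:16:40Z user=alice action=view doc=cap-table.xlsx ip=203.0.113.5
2023-03-01T09:20:11Z user=bob action=view doc=term-sheet.pdf ip=198.51.100.7
2023-03-01T09:21:03Z user=bob action=download doc=term-sheet.pdf ip=198.51.100.7
2023-03-01T09:21:09Z user=bob action=download doc=cap-table.xlsx ip=198.51.100.7
2023-03-01T09:21:15Z user=bob action=download doc=board-deck.pdf ip=198.51.100.7
2023-03-01T09:21:20Z user=bob action=download doc=nda.docx ip=198.51.100.7
2023-03-01T11:02:55Z user=carol action=view doc=term-sheet.pdf ip=192.0.2.44
2023-03-01T11:05:00Z user=carol action=print doc=board-deck.pdf ip=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) doc=(?P<doc>\S+) ip=(?P<ip>\S+)$"
)


def parse_audit_log(text: str) -> List[dict]:
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def most_viewed_documents(events: List[dict], n: int = 3) -> List[Tuple[str, int]]:
    """Documents ranked by number of 'view' events."""
    return Counter(e["doc"] for e in events if e["action"] == "view").most_common(n)


def most_active_users(events: List[dict], n: int = 3) -> List[Tuple[str, int]]:
    """Users ranked by total number of events of any kind."""
    return Counter(e["user"] for e in events).most_common(n)


def flag_bulk_downloads(events: List[dict], threshold: int = 3,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Return {user: max downloads seen in any sliding window of length `window`}
    for users who reach `threshold`; a quick indicator of mass exfiltration."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "download":
            per_user[e["user"]].append(e["ts"])
    flagged: Dict[str, int] = {}
    for user, times in per_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("most viewed:", most_viewed_documents(evs))
    print("most active:", most_active_users(evs))
    print("bulk downloads:", flag_bulk_downloads(evs))
```

The sliding-window check is deliberately simple: it counts downloads per user rather than bytes, so a threshold tuned for one data room (say, three downloads in five minutes for a reviewer who normally reads online) will need adjusting for rooms where bulk download is routine.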

What makes a virtual data room secure?

A survey by Forescout, a cybersecurity firm, indicates that 62% of businesses face significant cybersecurity risks during M&A deals. Potential security issues force companies to seek virtual data room software capable of proving its credibility.

The best data rooms prove their reliability with security certifications for the cloud storage systems they run on.


Such security assurances are given by the world’s best standardization authorities, including but not limited to:

  • The International Organization for Standardization (ISO).
  • The Association of International Certified Professional Accountants (AICPA).
  • The U.S. Department of Health and Human Services (HHS).
  • The U.S. Department of State through the Directorate of Defense Trade Controls (DDTC).
  • The U.S. Department of Commerce (DOC).
  • The European Commission (EC).

Security certification requirements

The best virtual data rooms apply over 100 sensitive-information controls, covering the entire company, that are defined in ISO and other standards. For instance, ISO 27001 and other ISO standards indirectly related to security define the following requirements.

| Security areas | Requirements |
|---|---|
| Information security systems | Indicate the security requirements of customers. Define information assets under protection. Specify secure online repository specifics, storage size, and data server locations. |
| Online security measures | Define security practices, such as SSO, encryption, corporate firewall, and file sync across all systems. Apply security measures to all internal systems. Apply data protection to mobile applications and devices, and to external systems such as Google Drive. |
| Product usability and secure collaboration | Ensure security options are easy for the end user and minimize misconfiguration risks. Provide user-friendly interface and user experience features such as full-text search and communication tools. Ensure clients can manage security risks quickly and keep the data safe. |
| Risk assessment and treatment | Establish risk assessment frameworks. Identify and evaluate cybersecurity risks. Develop risk treatment methodology. Develop data recovery plans and scale them to unlimited documents across all systems. |
| Security roles and responsibilities | Define and establish security roles in the company. Establish employee security frameworks and customer interaction methodology. Train employees for security. |
| Physical and environmental security | Establish security methodology across physical data rooms and systems. Apply anti-disaster measures, physical access controls, and equipment protection. Define equipment assessment methodology. |

Certified data rooms provide features so robust that it is safer to upload files in the cloud and store documents in a data room than on a computer or a company server.

Compliance and security assurances

Check the most common security certifications and their meaning for virtual data rooms.

SOC (System and Organization Controls) 1/2/3 by AICPA

SOC reports confirm that online data rooms adhere to AICPA internal control standards. SOC 1/2/3 reports examine whether a data room can effectively protect its own financial information and the financial documents of its customers.

HIPAA (the U.S. Health Insurance Portability and Accountability Act of 1996) by HHS

HIPAA-compliant online data room providers adopt national standards for electronic healthcare transactions, healthcare employee information, health plans, and patient data. 

ITAR (United States International Traffic in Arms Regulations) by DDTC

ITAR controls the import and export of the US military and military-related documentation. An ITAR-compliant VDR provider applies appropriate security measures to store and manage defense-related sensitive information.

ISO 9001 / ISO 27001 by ISO

This certification demonstrates the VDR provider’s ability to consistently improve its secure file-sharing procedures, tools, systems, and infrastructures.

GDPR (General Data Protection Regulation) by the European Parliament

A GDPR-compliant VDR company meets the EU security standards and operates its systems according to European laws. It’s also important for data exchange between the US and European Union.

Privacy Shield

Privacy Shield is a mechanism that enables the US VDR companies to meet the EU requirements for transferring personal data to third countries, which is mentioned in Chapter V of the GDPR.

Virtual data room security functions

Here are the main categories of security functions.

Functions that guarantee online storage safety

Online document safety and infrastructure security are critical, which is why many VDR providers offer the following functions:

  1. Physical data protection with strict access policies.
  2. 99.95% uptime, so sensitive data is shared in a highly resilient, fail-safe environment built on redundant infrastructure.
  3. Real-time data backup, so no document is lost.
  4. Disaster recovery to prevent data loss when data centers are hit by natural disasters.
  5. Multi-layered data encryption with 256-bit AES keys. Encryption keys and key vaults are stored separately from the encrypted data.

Functions that guarantee access security

The access security functions are:

  1. Logging and reporting, so all user activity can be tracked and reviewed.
  2. User impersonation, which lets administrators see document access from any user’s perspective.
  3. Two-step verification, which requires a password and a single-use code sent to the authorized user’s phone.
  4. Time and IP-address restrictions, which let the administrator restrict logins by IP address, set session duration policies, and define file access expiration dates.
  5. Different levels of document access rights, such as granular or role-based access to the data.
  6. Granular permission settings, meaning access can be defined by user role and by rights to particular sections of the room, separately for each user or group.
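The access controls described in this list and in the earlier "Access security" section (IP restriction, two-factor authentication, time restrictions, session duration, file access expiry) are all policy checks an application evaluates on every request. The following is an added example, not code from the original article or from any VDR vendor: a small policy evaluator with hypothetical `AccessPolicy` and `SessionState` types that applies each restriction in turn and returns a reason code, so that every denial can be written to the audit log.

```python
"""Added example: evaluating data room access restrictions.

AccessPolicy, SessionState and the reason codes are assumptions made for this
example; they are not any vendor's API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class AccessPolicy:
    allowed_networks: List[str]        # CIDR allowlist; an empty list means no IP restriction
    login_window_utc: Tuple[int, int]  # (start_hour, end_hour) in UTC during which access is allowed
    max_session: timedelta             # hard session lifetime
    require_2fa: bool


@dataclass
class SessionState:
    user: str
    client_ip: str
    started_at: datetime
    mfa_verified: bool


def ip_allowed(client_ip: str, networks: List[str]) -> bool:
    """IP restriction: the client must fall inside at least one allowlisted network."""
    if not networks:
        return True
    addr = ip_address(client_ip)
    return any(addr in ip_network(n, strict=False) for n in networks)


def in_login_window(now: datetime, window: Tuple[int, int]) -> bool:
    """Time restriction by hour of day (UTC); windows that cross midnight are supported."""
    start, end = window
    hour = now.astimezone(timezone.utc).hour
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def evaluate_access(policy: AccessPolicy, session: SessionState, now: datetime,
                    document_expires_at: Optional[datetime] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks are ordered so the cheapest, most decisive
    ones run first; every outcome carries a reason code for the audit trail."""
    if policy.require_2fa and not session.mfa_verified:
        return False, "2fa_required"
    if not ip_allowed(session.client_ip, policy.allowed_networks):
        return False, "ip_not_allowlisted"
    if not in_login_window(now, policy.login_window_utc):
        return False, "outside_login_window"
    if now - session.started_at > policy.max_session:
        return False, "session_expired"
    if document_expires_at is not None and now >= document_expires_at:
        return False, "document_access_expired"
    return True, "ok"


def sample_decisions() -> Dict[str, str]:
    """Run the evaluator over constructed scenarios (documentation-range IPs)."""
    policy = AccessPolicy(["203.0.113.0/24"], (8, 18), timedelta(hours=8), True)
    now = datetime(2023, 3, 1, 10, 0, tzinfo=timezone.utc)
    base = dict(started_at=now - timedelta(hours=1), mfa_verified=True)
    cases = {
        "ok": (SessionState("alice", "203.0.113.5", **base), now, None),
        "no_mfa": (SessionState("alice", "203.0.113.5", now, False), now, None),
        "foreign_ip": (SessionState("bob", "198.51.100.7", **base), now, None),
        "after_hours": (SessionState("alice", "203.0.113.5", **base), now.replace(hour=20), None),
        "stale_session": (SessionState("alice", "203.0.113.5", now - timedelta(hours=9), True), now, None),
        "expired_document": (SessionState("alice", "203.0.113.5", **base), now, now - timedelta(days=1)),
    }
    return {name: evaluate_access(policy, s, t, exp)[1] for name, (s, t, exp) in cases.items()}


if __name__ == "__main__":
    for name, reason in sample_decisions().items():
        print(f"{name:18s} -> {reason}")
```

Two design points worth noting: the IP check uses network ranges rather than exact addresses, because corporate egress usually comes from a block, and the time window is evaluated in UTC so a policy does not silently shift with the server's local timezone.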

Functions that guarantee data/document security

Data security is the top priority for VDR providers, since it is what keeps documents safe. Top VDR providers should offer the following digital rights management functions:

  1. Digital watermarks carrying the user’s name, IP address, and the date and time of access. These are very helpful when you need to identify the source of a leak after a security breach.
  2. Fence view, which bars part of the screen to prevent leaks through screenshots or unauthorized viewing.
  3. Secure spreadsheet viewer, so you can work with Excel spreadsheets online securely. You can also protect Excel spreadsheets by setting different access levels.
  4. Remote wipe, which allows the administrator to remotely lock and wipe encrypted data from a lost or stolen device.
  5. Remote shred, which sets the period for which each document is available for download.

Examples of VDR’s security breaches

While virtual deal rooms are by far the most secure way to share confidential documents, attackers sometimes gain the upper hand in this arms race. Below are the most impactful data breaches related to data rooms.

Citrix Systems data breaches

Citrix Systems is one of the data room industry leaders, serving over 100 million users in 100 countries in due diligence, fundraising, and other deals. Seemingly unhackable, this tech giant has nevertheless experienced several security incidents.

Attackers had access to Citrix employee and client information for five months in 2018-2019. The breach resulted in 6 TB of stolen confidential data and a $2.275 million settlement that the company paid in 2021.

In November and December 2022, attackers disrupted Citrix authentication measures and deployed ransomware across its devices. The consequences are yet to unfold, as thousands of Citrix servers remain vulnerable.

Box data leak

Box is a cloud storage service with virtual data room capabilities for corporate transactions, investment banking, contract negotiations, and more. It powers over 100,000 organizations with over 40 million users worldwide. 

Box users can share files and folders with coworkers inside and outside the company through secure links, which makes file sharing both convenient and … vulnerable.

For example, Adversis, a cybersecurity firm, discovered that over 90 companies (and even Box staff) had left terabytes of data publicly accessible by misconfiguring shared links. Worse yet, files and folders shared this way appeared in search engine results, because search engine crawlers could easily index them.

Fortunately, Box acknowledged the issue and updated its file-sharing tools, and customers reported positive outcomes after the incident.
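The Box incident above was a configuration problem, not a software flaw: links set to "anyone with the link" with no password and no expiry are reachable, and indexable, by anyone who obtains the URL. The kind of check a data room administrator can run against a shared-link inventory is shown below as an added example. It is not code from the original article, from Box, or from any VDR vendor: the inventory format, the three access levels and the severity rules are assumptions made for this example, and the sample inventory is constructed.

```python
"""Added example: auditing shared links for public exposure.

The inventory format, access level names and severity rules are assumptions
made for this example; they are not the Box API or any vendor's export.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed inventory. "access" mirrors the three common sharing levels:
#   "open"          anyone with the link (and any crawler that finds it)
#   "company"       any account in the organisation's tenant
#   "collaborators" only users explicitly invited to the item
SAMPLE_SHARED_LINKS = [
    {"item": "Q3-board-deck.pdf", "access": "open", "password": False, "unshared_at": None},
    {"item": "NDA-template.docx", "access": "open", "password": True, "unshared_at": "2023-04-01T00:00:00Z"},
    {"item": "cap-table.xlsx", "access": "company", "password": False, "unshared_at": None},
    {"item": "term-sheet.pdf", "access": "collaborators", "password": False, "unshared_at": None},
    {"item": "press-release.pdf", "access": "open", "password": False, "unshared_at": "2023-02-01T00:00:00Z"},
]


def _parse_ts(value: Optional[str]) -> Optional[datetime]:
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_shared_links(links: List[dict], now: datetime) -> List[dict]:
    """Return one finding per link that exposes data beyond explicit collaborators."""
    findings = []
    for link in links:
        expires = _parse_ts(link.get("unshared_at"))
        if expires is not None and expires <= now:
            continue  # link already switched off; nothing is exposed any more
        access = link.get("access")
        if access == "collaborators":
            continue
        if access == "company":
            findings.append({"item": link["item"], "severity": "low", "reasons": ["company_wide_link"]})
            continue
        if access != "open":
            # Unknown level: treat as exposed until someone confirms otherwise.
            findings.append({"item": link["item"], "severity": "high", "reasons": ["unknown_access_level"]})
            continue
        reasons = ["public_link"]
        if not link.get("password"):
            reasons.append("no_password")
        if expires is None:
            reasons.append("no_expiry")
        # Public, unprotected and permanent is the Box-incident pattern: highest severity.
        severity = "high" if len(reasons) == 3 else "medium"
        findings.append({"item": link["item"], "severity": severity, "reasons": reasons})
    return findings


def severity_counts(findings: List[dict]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def audit_sample() -> List[dict]:
    """Run the audit over the constructed inventory at a fixed reference time."""
    return audit_shared_links(SAMPLE_SHARED_LINKS, datetime(2023, 3, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    results = audit_sample()
    for f in results:
        print(f"{f['severity']:6s} {f['item']:22s} {', '.join(f['reasons'])}")
    print(severity_counts(results))
```

Running such an audit on a schedule, and treating any "high" finding on deal documents as an incident to investigate rather than a ticket to close, is the control the Box customers in the story lacked.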

Where can I learn about the security features and certifications of virtual data room providers?

You can find all the necessary information about security options, file-sharing features, and certifications on the provider’s website, in particular on its security page.

You can also contact technical support directly to learn which features a VDR company uses to keep data safe.

A successful outcome depends heavily on how documents are shared throughout the deal process, so do not entrust this data to ill-equipped, insecure providers. Always check the security details on the provider’s website to be sure you are choosing a trusted online data room.

