Modern Virtual Data Rooms Explained: How To Pick The Best VDR Provider

A virtual data room (VDR) is a secure cloud platform that enables managing and sharing of sensitive company documents. Most traditional VDR platforms focus on financial transactions such as merger and acquisitions (M&A). But modern VDRs are often much broader, more user-friendly and have more security and compliance certifications.  They are designed to meet the needs for any industry, line of business or use-case. Employees often share sensitive documents, intellectual property, contracts or confidential information. It's important to have a secure and modern platform to manage this content. 

In this article we'll cover the difference between traditional and modern VDRs. This comprehensive guide describes how to select a modern VDR that fits your business's needs.

What Is A Virtual Data Room?

A VDR offers a secure platform to store and share confidential materials, while maintaining strict security and traceability. Most companies need a secure platform to share data and files with external third-parties. This can include customers, vendors, auditors, contractors and advisors. Strong security controls ensure that critical business information is private and accessible only to authorized users. Owners can manage document viewing, printing and downloading permissions for individual users. They can grant and restrict access, track statistics and download reports.

What is The Difference Between a Traditional and Modern Virtual Data Room?

Traditional VDRs have features focused on addressing specific needs for M&A transactions. For example, some traditional providers have features that need users to download and install plugins or desktop software to enable certain security features. That can impede the user experience or wholly prevent prospective buyers or partners from accessing the data room. The software can be slow, need companion software (such as Java) and be incompatible with certain systems. Furthermore, many companies restrict employees from self-installing software due to security risks. Slowing a transaction or contract creates a lot of risk and frustration. 

Modern Virtual Data Rooms weren't born as VDRs serving M&A deals. They are cloud-based content platforms that focus on a best-in-class user experience and extended product features. These platforms address many uses-cases and have very high levels of security. Modern VDRs have the vast majority of features that traditional VDRs have. For example, one can use Box as a Virtual Data Room to securely share any files through desktop or mobile, enable granular user permissions, watermark documents, store unlimited file versions, and much more. Box is also FedRAMP Certified, where federal agencies certify Box with 325+ security controls to manage some of the country's most sensitive information. The platform also has advanced malware and ransomware protection. Most traditional VDRs do not have these certifications or protections. It may seem these enhanced security features mean more costs for customers. But it many cases, Box is cheaper than a traditional VDR as it uses a favorable price per seat model. Most companies are better off choosing Box. They get world-class security at an attractive price point.

Who Should Use A Modern Virtual Data Room? 

Any company, team or individual that needs to have a high level of security, sharing, and privacy controls would benefit from a modern VDR. Traditional VDRs focus on bankers and lawyers who work on financial M&A transactions. But most employees who need to collaborate on sensitive documents aren't bankers. Whether it’s a project with proprietary intellectual property, sensitive marketing materials for a new product launch or private contracts, a modern VDR provides the security, accessibility and peace of mind to all parties involved.

What Are The Benefits of a Modern VDR?

Modern VDRs provide many benefits that go beyond traditional VDRs. They have robust features for collaborative work and privacy controls for sharing data. 

1. High Security and Compliance Certifications

Modern VDRs must address use cases across many industries. So they often have many more security and compliance certifications. This can include FedRAMP, FINRA, HIPAA, GDPR and others that many traditional VDRs do not have. 

2. Modern Security Controls

All have basic security controls to manage and track access to the data rooms. Admins can grant different levels of access permissions to specific file and folders, such as view-only, download or editing access. Modern VDRs can apply real-time vector watermarking to documents or classification labels. They also detect and restrict abnormal behavior (employee downloading entire company's files) or malware detection.

3. Reporting, Auditing & Analytics

Modern VDRs also provide reports and analytics for administrators to track data room activity. This can include file views, downloads and edits by each user and time of action. Admins can use such features to monitor user behavior and ensure that data rooms use is appropriate. 

4. Collaboration and Ease of Use

Modern VDRs are a lot easier to use. They provide a modern user experience and strong collaboration tools. These advanced features include robust search, editing, commenting, annotating and sharing across platforms, third-party integrations, unlimited storage and unlimited file versions. 

5. Integrated e-Signature Solution

Contracts and data rooms go hand in hand. NDAs, supplier contracts, merger agreements and legal documents all need signatures. The best VDRs offer e-Signature natively within the platform. Parties can negotiate, edit and sign contracts within the data room itself, either through desktop or mobile. Everything remains confidential and secure. Emailing drafts back and forth and signing through fax or a third-party eSign provider introduce more security risks. 

6. Advanced Search and Document Processing

It can be difficult to find information in a data room filled with thousands of pages of documents. Some providers can only search file names or basic text documents. A modern VDR has advanced document processing features. So it can detect text many file types such as PDF and Excel. Furthermore, it can scan and convert documents into searchable PDFs. 

7. Automated Workflow & Processes

These features allow VDRs to be a central hub for any automation of in-process workflows, process approvals, and decisions. Examples could be creating a workflow for signing an NDA, managing invoice approvals, or authorizing files for upload into a data room.

8. File Request

A modern VDR can generate custom links where third-parties can submit their files on a customized drag-and-drop page without the need to login or create an account. This file request feature is a perfect solution for RFPs and RFQs given it involves multiple parties. It is also very suitable for application or document submissions. Examples include a lender requesting financial information or an insurance company requesting evidence of damage.

9. Third-Party App & API Integration

Most modern VDRs offer data integration with third-party applications. Examples of such integrations include Office 365, G Suite, and Salesforce.  This allows users to open, update and share data within the third-party app while storing it on a secure platform. 

10. Full-Featured Mobile App

Traditional VDRs often do not have mobile applications. But a Modern VDR such as Box has a mobile app natively designed for file viewing, annotating, editing and sharing. The app can also play multimedia such as video and audio. It can also scan documents into searchable PDFs using the phone's camera or record audio through the microphone.

What is the Most Secure Virtual Data Room?

All VDRs deploy a base level of security and encryption. But how does one know which VDR has the most security? 

There's no way to directly audit each platform. Instead, the best way is to rely on the rigorous compliance certifications that the platform has obtained. The most secure VDRs will heavily invest in resources to ensure they meet all security and compliance requirements of the most stringent certifications. 

Here are the security and regulatory compliance certifications to look for:

1. FedRAMP Authorized

This certification has some of the most rigorous security requirements in the world. US Federal Agencies require providers to meet stringent security measures due to the sensitive data they work with. Providers must undergo continuous monitoring in perpetuity to maintain its certification. 

2. ISO 27017 and 27108 (Not only ISO 27001)

These two certifications are a new and updated version of 27001, which is very important to have in a modern VDR.  ISO 27017 is a cloud security standard, and ISO 27108 provides specific guidance on the protection of Personally Identifiable Information (PII). If any of your documents have PII, such as personal data relating to employees or customers, it is crucial to have this certification. There can be significant fines for any personal data leaks.

3. SOC 2

SOC 2 is an industry standard for operational security controls. SOC 2 requires an organization to have a documented security program and internal knowledge of information security risks. SOC 2 certification is good way to showcase strong security and has established certification process.

4. FINRA SEC 17a-4

This is a regulation enforced by FINRA, for the retention and storage of electronic broker-dealer records. Any financial services firm should look for a platform that enables companies to comply with retention requirements.

5. HIPAA/HITech Compliance

Any health or life sciences entity should ensure that they can configure their VDR in a HIPAA-compliant manner due to the sensitivity of patient data.


If you have any data on EU Citizens (common if you have any customers, employees, or offices based in the EU), it's important that the platform be GDPR-ready to comply.

7. Ransomware/Malware Protection

Whether having dozens of parties access thousands of files or receiving contracts from vendors, companies are facing increasing risk from infected content. A modern VDR that can provide protection to your most sensitive files adds another level of security against these cyber threats. It can scan malware threats across all files and automatically classify and restrict sensitive files. Most traditional VDRs do not offer such protection

8. Abnormal User Detection

Some modern VDRs apply algorithms to detect abnormal activity. This could be an employee who downloads confidential information before leaving a company. Or a hacker could use compromised credentials to steal information. The platform can alert security of abnormal activity.

How Much Does A Virtual Data Room Cost? What Are The Virtual Data Room Pricing Options?

Many of traditional VDRs have an opaque pricing model that requires you to speak to a sales rep before revealing the cost. Costs can range from a few dollars to tens of thousands. Payment terms can also vary from a monthly to an annual commitment. It's important to fully understand costs before signing any contract. In fact, it's often better to first use VDRs that provide transparent pricing to evaluate if the platform fits your needs.  

Here are the most common pricing options

1. Per user (Charge For Employees Only)

This option is often the most cost effective and appropriate for most. A solution like Box costs as low as $15/user/month for unlimited data rooms, unlimited storage and unlimited guest viewers. Note that a user is an employee who manages the data rooms. So you can buy seats for only those that are involved with the data room. There is no additional charge for external viewers that you invite. For example, you could invite fifty bidders and their advisors to view your data rooms for free. There is also unlimited data rooms and storage. So there is no extra fee based on number of projects or size of files. 

If you need more security features or need external collaborators to work your data room files, a bundle with Box Shield is a very cost effective option. This option has more compliance and security features, and yet is still often a cheaper solution.

2. Per user (Each Visitor)

Some traditional VDRs bill on each user that requires access to the data room. This would include charges for each invitee, including potential bidders, bankers, lawyers, auditors, vendors, and suppliers. This can become cost prohibitive if your project requires a large number of collaborators. 

3. Per page

Some providers charge on a per-page basis for documents uploaded to the data room. These fees can be as high as $1.00 per page. This works best for small projects with a defined set of documents. However, this pricing can add up rapidly if a company has a lot of documents to share. Intense employee labor is needed to optimize documents for uploads to avoid costs. There have been cases where a poorly formatted excel file with a few tables can print into hundreds of pages. This can lead to very high surcharges in favor of the provider. Avoid this option unless the project is very small and well-defined.

4. Per Project/Data Room

Some providers bill on a per data room or project basis. This option is the simplest if you have only one data room and only need to share material for one finite project. There are additional limitations for each data room, including limits on storage size or number of users. Surcharges will incur for any overages. Fees typically start in the several hundreds of dollars per project per month. So this can still be much more expensive than a per user solution like Box.

5. Storage Size

Another pricing structure is to bill based on storage size. This is based on purchasing a committed amount of storage upfront (i.e. 5GB) per data room. There are often overage fees if the storage exceeds the limit, but no refunds if there is unused storage. This option is viable if most documents are text-based (word, pdf, excel). If there are multimedia files (video, powerpoint, CAD, audio, images) or databases (exome, clinical trial data), then it may be better to use an unlimited storage option.

There are a lot of options available. Always consider exploring providers with transparent and cost-effective pricing first. Then you can budget costs based on the project.

How Do I Choose A Virtual Data Room Provider?

There are many VDR options available. The most commonly evaluated features are security & compliance, cost, usability, and reliability.

1. Security & Compliance

All VDRs have a base level of security and user access controls. So it can be hard to differentiate. Look for those that have some of the highest levels of security certifications in the world such as FedRAMP, FINRA. These platforms should also enable companies to obtain certain compliance certifications such as HIPAA and GDPR.

2. Cost

Expensive doesn't mean better! Avoid VDRs that place limits on # of pages, # of projects, storage or guest users. Some modern VDRs have no limits and very high security measures. Modern VDRs are also often the least expensive solution available. Don't spend time thinking about risks of hitting limits and receiving overage bills. Focus on the project itself. 

3. Usability

It's important to have a modern easy-to-use platform. Traditional platforms can be clunky and challenging to navigate for users. Users can get frustrated if they have to install plugins, can't drag and drop files, no mobile app access or poor good viewing/editing capabilities. The experience should be frictionless, not frustrating.

4. Reliability

A VDR is only as good as the company that is hosting it. Look for those who have excellent up-time and customer support. For example, large established public companies have invested billions of dollars in infrastructure and R&D to ensure that customers have great reliability and access to documents. 

How to Setup a Virtual Data Room

Creating a virtual data room is a very easy process. Here are some steps to follow to get started:

1. Select a provider either through self-service or contacting sales

2. Add colleagues and co-workers as users

3. Create a project folder and sub-folders

4. Invite colleagues to project folder to upload and manage documents

5. Select files and folders for watermarking, if desired

6. Choose appropriate user access levels and invite third-parties to the data room

7. Track user activity during your project

8. Adjust or revoke user access as needed

Top Use Cases For Modern Virtual Data Rooms

Many people think the data rooms are only for M&A transactions, but there are actually dozens of use cases across many industries. Here are a few of the most common use cases:

1. M&A

Merger and acquisitions (M&A) is one of the most used instances for VDRs. Investment banks, law firms, accounting firms and corporate executives use them to discuss, manage and evaluate sensitive information about a seller and its business. They can track all activities and comments on these documents, download and print them for their own records, and enforce protections on who can view the documents. 

Deals can be small with a single seller and buyer. Or deals can be large and complex, with transaction sizes in the billions of dollars with dozens of parties involved. Regardless of deal size, the stakes are high. These confidential documents need the highest level of protection. Any information leak could disrupt a transaction and affect the seller's business. So, businesses must always carefully track and manage the M&A process to ensure success.

2. Capital Fundraising (Venture Capital, Crowd Funding, Private Equity, IPO, Debt)

Fundraising is a frequent use case for virtual data rooms. Companies looking to raise capital, through issuing equity or debt, have a strong need to control and share sensitive information. A startup could reach out to dozens of investors. A large company could host roadshows or conferences speaking up to fifty investors in a week. 

They must manage who has access to information, documents, data and financial statements. Often, this information deals with current and future investors. If any confidential information is mismanaged, it can lead to delays and limitations on future financings. Virtual data rooms give owners full control over access to documentation or data, and allows them to communicate and collaborate on all aspects of the financing process.

3.  Product Launch and Marketing Assets

A commercial product launch, such as a new phone or shoe, requires a company to share marketing plans and strategies with vendors, partners and distributors. They could share confidential branding strategies, ad campaigns and product sales forecasts. This is to best prepare for and execute the product launch. A leak of product specs could ruin a launch or give competitors a head start. Using a VDR is the most secure and organized way for all business partners to collaboratively discuss marketing materials, pricing schemes and product availability. 

4. Partnerships and Strategic Alliances

A partnership or alliance involves two or more organizations that come together to share business interests. They may specialize in different areas, such as marketing, sales, research and development and manufacturing. Businesses that are part of a partnership often have a high level of cohesion, including sharing confidential information, strategies and product roadmap. 

This type of collaboration is an important aspect to any successful business venture. Types of companies that form partnerships can be large corporations or startups looking to enter into multi-million dollar relationships with each other. Using a virtual data room is the most effective way for businesses to collaborate, communicate and share information with one another.

5. Commercial Contracts: MSA (Master Service Agreement), RFP (Request For Proposal), RFQ (Request For Quote)

Commercial contracts are also used in a variety of situations. Businesses must deal with vendors and suppliers contracts on a daily basis. Agreements can often come in the form of a MSA. These deals can be quite complex with both parties sharing sensitive information about the contract and its terms. In these cases, the documents contain sensitive and confidential information that must be carefully handled. 

A RFP (request for proposal) or RFQ (request for quote) is a formal document that a company requests from vendors or suppliers to solicit offers for goods and/or services. An RFP outlines what the requirements are and terms of such a transaction. It contains instructions on how to respond to it by submitting an offer. An RFQ can be very concise or can be combined with a detailed RFQ. For either situation, the data room is used to receive responses. Having a modern VDR enables user-friendly, secure features that allow companies to collaborate collect and manage these documents. A modern VDR can create a custom link for each party to submit their responses without risk of interfering with other competitors.

6. NDAs (Non-Disclosure Agreements)

Non-Disclosure Agreements are often the standard contract signed between two parties before disclosure of confidential information. They can be cumbersome to manage as it can often take time to edit and negotiate the agreement between two parties. A traditional VDR acts as simple storage for completed agreements. But, a modern VDR can create automated workflows for NDAs including eSignatures with a few simple clicks, streamlining the process. 

7. Intellectual Property Management

When companies invent or develop intellectual property, they have to protect it from theft. Trademarks, trade secrets, patents, licenses and designs are some of the most sensitive documents that need great protection and security. In 2013, The Commission on the Theft of American Intellectual Property estimates that annual costs from IP losses range from $225 billion to $600 billion. Yet, sharing confidential materials may be necessary to strike lucrative contracts. So, intellectual property owners should take a proactive approach to safeguard their content and information. 

8. eDiscovery, Litigation, Legal Holds

When a company faces litigation it must investigate and collect data relating to the case. Conducting any search can be time consuming and costly, and the staff involved in the process must be absolutely sure that all documents and data are protected. A legal hold is a process where companies are legally required to preserve data, e.g. eDiscovery. A modern VDR can act as a safe and secure system to store and share data with legal counsel on any pending litigation.

9. Financial Audit

A financial audit is a review of an organization's or individual's financial statements, often done on quarterly or annual basis. The auditor verifies financial statements to see if they are accurate. Audits provide information on everything from revenue generated to expenses incurred. So, it's important to secure confidential documents and sensitive information as auditors will need access to these materials to perform the audit. 

10. Talent Acquisition, Employee Onboarding and Offboarding

Talent acquisition focuses with recruiting and hiring workforce. Onboarding is a process for introducing new employees to the company and offboarding refers to handling the termination of employees. All three processes come with their own paperwork. Managing all documents and contracts for a specific employee in one folder is crucial for HR management. A VDR can collect and store all these important documents for an indefinite period of time.


There have been significant advancements with modern virtual data room providers. Traditional VDRs were designed for a narrow set of customers in the investment banking industry. But the new generation of VDRs are designed for a very broad range of companies and industries. They are not limited to just those working on M&A and fundraising transactions. Any business that shares confidential information would benefit from a modern VDR. A modern virtual data room is an essential tool for any company or organization to succeed. Businesses can easily collaborate and protect their content in a cost effective manner with a modern VDR. 

Still have questions? Reach out to us and we'd love to help.

Learn more about what Box has to offer

**While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blogpost is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.