FAQ

VDR Compliance FAQ: SOC 2, ISO 27001, GDPR & More

The most comprehensive FAQ on virtual data room compliance — 26 questions covering SOC 2, ISO 27001, GDPR, HIPAA, SEC 17a-4, FINRA, and more.

26 questions answered6 frameworksUpdated June 2026

SOC 2 Type II Compliance

The gold standard for SaaS security — what SOC 2 means and why it matters.

What is SOC 2 Type II?

SOC 2 (Service Organization Control 2) is an independent audit framework developed by the AICPA that evaluates a service organization's controls across five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A Type II report evaluates controls over a 6-12 month period, providing strong assurance that security practices are consistently maintained — not just designed on paper.

What's the difference between SOC 2 Type I and Type II?

SOC 2 Type I evaluates controls at a single point in time — it tells you the controls are designed correctly. SOC 2 Type II evaluates controls over an extended period (typically 6-12 months) and tells you the controls actually work consistently. Type II is significantly stronger and is what enterprise customers should require. Always ask for the Type II report, not just a Type I or a SOC 2 logo.

What does the SOC 2 audit cover?

A SOC 2 Type II audit covers the operating effectiveness of controls across five Trust Services Criteria: (1) Security — protection against unauthorized access; (2) Availability — system uptime and disaster recovery; (3) Processing Integrity — accurate and complete data processing; (4) Confidentiality — protection of confidential information; (5) Privacy — collection, use, and disposal of personal information. The audit also reviews logical access, change management, system operations, and risk mitigation.

How often does a VDR get SOC 2 audited?

SOC 2 Type II audits are conducted annually. The audit covers a 6-12 month period, and the resulting report is typically refreshed each year. Leading VDRs also undergo continuous monitoring and quarterly reviews by their auditor between annual audits. Always ask for the most recent SOC 2 Type II report, and check the report period covers the last 12 months.

How can I review a VDR provider's SOC 2 report?

Enterprise VDR providers share their SOC 2 Type II report under NDA. The report includes the auditor's opinion, scope of the audit, control descriptions, test procedures and results, and any noted exceptions. Review the auditor's opinion (it should be unqualified/clean), check for any noted exceptions, and confirm the report period covers recent months. Treat the report as confidential — it is for your security review only.

ISO 27001 Compliance

The international standard for information security management.

What is ISO 27001?

ISO 27001 is the international standard for Information Security Management Systems (ISMS), published by the International Organization for Standardization. It specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system. ISO 27001 certification is awarded by accredited certification bodies after a multi-stage audit process.

How is ISO 27001 different from SOC 2?

SOC 2 is a US-centric framework focused on Trust Services Criteria, primarily used by SaaS companies serving US customers. ISO 27001 is an international standard with a risk-based, process-oriented approach used globally. Many VDRs hold both — SOC 2 for US enterprise customers, ISO 27001 for global and EU customers. Both are strong certifications; ISO 27001 is often required for European and APAC enterprise deals.

What does ISO 27001 require?

ISO 27001 requires: (1) a systematic approach to managing sensitive information; (2) risk assessment and treatment processes; (3) security controls across 14 domains (Annex A) including access control, cryptography, physical security, operations security, and communications security; (4) regular internal audits and management reviews; (5) continuous improvement through corrective actions; and (6) top management commitment and accountability.

How long does ISO 27001 certification take?

A typical ISO 27001 implementation takes 6-12 months for a mature organization, including risk assessment, control implementation, internal audits, and the certification audit. Annual surveillance audits maintain the certification, with a full re-certification audit every 3 years. Once certified, the VDR provider's ISMS is continuously monitored and improved.

GDPR Compliance

The EU's General Data Protection Regulation and what it means for VDR use.

Is a VDR GDPR compliant?

A VDR itself is not 'compliant' — it is a tool that supports GDPR compliance when used correctly. A GDPR-compliant VDR deployment requires: (1) Data Processing Agreement (DPA) with the provider; (2) data residency in the EU for EU data subjects; (3) encryption at rest and in transit; (4) granular access controls; (5) immutable audit logs; (6) breach notification infrastructure (72-hour notification); (7) support for data subject rights (access, erasure, portability). SpaceNexus supports all of these requirements.

Where should EU data be stored under GDPR?

GDPR does not require EU data to stay in the EU, but transfers outside the EEA require appropriate safeguards: (1) adequacy decision (e.g., EU-US Data Privacy Framework for certified US organizations); (2) Standard Contractual Clauses (SCCs); (3) Binding Corporate Rules. For maximum simplicity, choose a VDR provider with EU data centers (Ireland, Germany, Netherlands) so data stays in the EEA by default. SpaceNexus offers EU data residency options.

Does the VDR provider need to sign a DPA?

Yes. Under GDPR, when a VDR provider processes personal data on behalf of a controller, the provider is a 'processor' and must sign a Data Processing Agreement (DPA). The DPA specifies the scope, purpose, and duration of processing, the types of personal data processed, the security measures in place, and the provider's obligations. SpaceNexus offers GDPR-compliant DPAs for all enterprise customers.

What is a Records of Processing Activities (ROPA)?

A ROPA (Article 30 of GDPR) is a record of all processing activities carried out by an organization, including the categories of data, purposes of processing, recipients, transfers outside the EEA, and retention periods. When using a VDR, the controller's ROPA should document the VDR as a processing tool, the categories of personal data in the data room, and the VDR provider as a sub-processor. SpaceNexus supports ROPA documentation with detailed processor information.

What is the 72-hour breach notification under GDPR?

GDPR Article 33 requires organizations to notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. The VDR must support this with real-time monitoring, anomaly detection, and incident response infrastructure. SpaceNexus provides 24/7 security monitoring and a documented incident response plan with breach notification SLAs that meet the 72-hour requirement.

HIPAA Compliance

Healthcare data protection requirements for VDRs handling PHI.

Can a VDR be used for HIPAA-protected health information (PHI)?

Yes, but only with proper configuration: (1) Business Associate Agreement (BAA) with the VDR provider; (2) HIPAA-compliant configuration (audit logs with 6-year retention, access controls, encryption); (3) minimum-necessary access controls; (4) breach notification infrastructure. SpaceNexus offers HIPAA-ready configurations and BAA execution for healthcare customers, supporting pharmaceutical licensing, biotech M&A, and clinical trial data sharing.

What is a Business Associate Agreement (BAA) for VDR?

A BAA is a written contract required by HIPAA between a covered entity (or business associate) and a vendor that processes PHI on their behalf. The BAA specifies the permitted uses of PHI, requires the vendor to implement HIPAA security safeguards, mandates breach notification, and allocates liability. Without a signed BAA, the VDR provider cannot legally process PHI for your organization.

What is the minimum necessary standard under HIPAA?

HIPAA's minimum necessary standard requires that PHI shared during due diligence or any other activity be limited to the minimum necessary to accomplish the purpose. In a VDR context, this means: (1) redacting PHI not needed for the diligence objective; (2) de-identifying patient data where possible; (3) limiting access to individuals with a legitimate need; (4) tiered access for different user groups. SpaceNexus provides granular access controls and redaction tools to support this.

How long must HIPAA audit logs be retained?

HIPAA requires audit logs and documentation to be retained for 6 years from the date of creation or the date when the document was last in effect, whichever is later. VDRs handling PHI must support audit log retention for at least 6 years, with secure export and archival capabilities. SpaceNexus offers configurable retention policies with cryptographic deletion verification after the retention period expires.

SEC & FINRA Compliance

Financial services regulations and VDR requirements for broker-dealers and investment advisors.

What is SEC Rule 17a-4 and how does it affect VDRs?

SEC Rule 17a-4 (17 CFR 240.17a-4) requires broker-dealers to retain certain records in a non-rewritable, non-erasable format (WORM — write once, read many) for specified periods (typically 6 years). For VDRs handling regulated financial data, this means audit trails and key documents must be stored in tamper-evident WORM format. SpaceNexus supports SEC 17a-4 retention with immutable audit logs and configurable retention periods.

What is the Sarbanes-Oxley (SOX) Section 802 requirement?

SOX Section 802 imposes criminal penalties for altering, destroying, or concealing documents relevant to federal investigations. For VDRs, this means data rooms involved in SEC-regulated transactions must maintain tamper-evident records for the duration of the investigation and any subsequent retention period. SpaceNexus's immutable audit logs and cryptographic record protection support SOX 802 compliance.

What is FINRA Rule 3110 and how does it apply to VDRs?

FINRA Rule 3110 requires member firms to establish and maintain a supervisory system for the activities of their business, including electronic communications. VDRs used by broker-dealers and investment advisors must support retention of all deal communications and document exchanges for FINRA-mandated periods. SpaceNexus provides the audit trail, retention controls, and supervisory workflows required for FINRA compliance.

What is Regulation FD and how does it relate to VDRs?

Regulation FD (Fair Disclosure) prohibits selective disclosure of material non-public information (MNPI) by public companies. VDRs used for due diligence must have strict access controls to prevent unauthorized disclosure of MNPI, and audit trails to demonstrate compliance. SpaceNexus provides per-user, per-document access controls with full audit trails that support Regulation FD compliance for public company transactions.

Industry-Specific Compliance

Compliance requirements specific to financial services, legal, healthcare, and other regulated industries.

What compliance certifications do VDRs need for financial services?

For financial services (investment banking, PE, broker-dealers), VDRs need: (1) SOC 2 Type II; (2) ISO 27001; (3) SEC Rule 17a-4 compliance; (4) FINRA-compliant retention; (5) SOX 802-compliant record protection; (6) Regulation FD-compliant access controls; (7) information barrier (Chinese wall) enforcement; (8) MNPI handling controls. SpaceNexus supports all financial services compliance requirements.

What compliance certifications do VDRs need for legal use?

For law firm and corporate counsel use, VDRs need: (1) SOC 2 Type II; (2) ISO 27001; (3) court-admissible audit logs (immutable, tamper-evident); (4) privilege protection with granular access controls; (5) ethical wall enforcement; (6) state bar data security compliance; (7) GDPR for cross-border matters; (8) HIPAA BAA for healthcare matters. SpaceNexus provides legal-grade compliance with privilege hierarchies, ethical walls, and court-admissible audit logs.

What compliance certifications do VDRs need for healthcare?

For healthcare M&A, pharmaceutical licensing, and clinical trial data, VDRs need: (1) SOC 2 Type II; (2) HIPAA BAA availability; (3) HITRUST certification (for some healthcare systems); (4) FDA 21 CFR Part 11 compliance (for electronic records and signatures); (5) GDPR for European clinical trials; (6) minimum necessary access controls; (7) 6-year audit log retention. SpaceNexus supports HIPAA-ready configurations and FDA 21 CFR Part 11 compliance.

What is FDA 21 CFR Part 11 and why does it matter for VDRs?

FDA 21 CFR Part 11 governs the use of electronic records and electronic signatures in FDA-regulated industries (pharmaceutical, biotech, medical device). For VDRs handling clinical trial data, regulatory submissions, or pharmaceutical M&A, Part 11 requires: (1) electronic records with tamper-evident audit trails; (2) electronic signature controls; (3) role-based access controls; (4) time-stamped records; (5) data integrity controls. SpaceNexus supports Part 11 compliance with immutable audit logs and configurable e-signature workflows.

Get the SpaceNexus compliance pack

SOC 2 Type II report, ISO 27001 certificate, GDPR DPA, HIPAA BAA, and penetration test summary — all under NDA.