FAQ

VDR Security FAQ: Encryption, Permissions, Watermarking & Audit Trails

The most comprehensive FAQ on virtual data room security — 33 questions covering encryption, access controls, watermarking, audit logs, MFA, SSO, data residency, and more.

33 questions answered6 categoriesUpdated June 2026

Encryption & Data Protection

How VDRs encrypt data at rest and in transit, and protect against breaches.

How is data encrypted in a virtual data room?

A modern VDR encrypts data at two layers: at rest using AES-256 encryption (the same standard used by governments and financial institutions for classified data) and in transit using TLS 1.3 (the latest transport layer security protocol with forward secrecy). Encryption keys are managed through a dedicated KMS (Key Management Service) with role-based access controls and automatic key rotation.

What is AES-256 encryption and why does it matter?

AES-256 is the Advanced Encryption Standard with a 256-bit key length. It is the encryption standard used by the U.S. government for top-secret classified data, by financial institutions, and by major cloud providers. A 256-bit key is mathematically infeasible to brute-force with current computing technology — there are more possible keys than atoms in the observable universe.

What is TLS 1.3 and how is it different from older versions?

TLS 1.3 is the latest version of the Transport Layer Security protocol used to encrypt data in transit between your browser and the VDR server. Compared to TLS 1.2, it offers faster handshakes, removes support for outdated cryptographic algorithms, and provides forward secrecy by default — meaning a compromised key cannot be used to decrypt past sessions.

Can the VDR provider decrypt my documents?

With standard encryption, the VDR provider technically holds the encryption keys and could access data. For maximum control, enterprise VDR tiers offer customer-managed encryption keys (CMEK), where the customer controls the keys in their own KMS and the provider cannot decrypt data without the customer's key. This is critical for highly regulated industries and zero-trust architectures.

Are backups encrypted?

Yes. Enterprise VDRs encrypt backups with AES-256 using separate key sets from the primary data. This means a backup tape or snapshot cannot be read without the backup encryption keys, even if it is physically exfiltrated. Backup encryption is a SOC 2 Type II and ISO 27001 control requirement.

What happens to my data if the VDR provider is breached?

A well-architected VDR protects against provider breaches through: AES-256 encryption at rest (data is unreadable without keys), customer-managed keys (provider cannot decrypt even if breached), immutable audit logs (tamper-evident), and geographic redundancy (data replicated across multiple secure data centers). A breach of the provider should not result in a breach of your documents.

Access Controls & Authentication

How VDRs control who can access what, and verify user identity.

What is multi-factor authentication (MFA) and is it required?

Multi-factor authentication requires users to provide two or more verification factors (something they know, something they have, something they are) before gaining access. Enterprise VDRs require MFA on all accounts, supporting TOTP authenticator apps (Google Authenticator, Authy), hardware security keys (YubiKey), and SMS as a fallback. MFA should never be optional for a VDR handling confidential deal data.

What is SSO and does my VDR support it?

Single Sign-On (SSO) allows users to log in to the VDR using their existing corporate identity (Okta, Azure AD, Google Workspace, OneLogin) via SAML 2.0 or OpenID Connect. Enterprise VDRs support SSO with SCIM provisioning, which automatically creates, updates, and deactivates user accounts based on HR systems. This eliminates password reuse and ensures terminated employees lose access immediately.

How granular can VDR access permissions be?

Enterprise VDRs support permissions at the user, group, folder, document, and even page level. You can set view-only access, no-download, no-print, watermarked download, time-limited access, IP-restricted access, and per-document expiration. The principle of least privilege is foundational — give each user or group only the access they need to do their job.

Can I restrict access to specific IP addresses?

Yes. Enterprise VDRs support IP whitelisting, which restricts access to specific IP addresses or CIDR ranges (e.g., your office network, your VPN, your home IP). Combined with device binding, this means even a compromised password cannot be used to log in from an unauthorized network or device. IP whitelisting is a common requirement for transactions involving classified or highly sensitive data.

What is just-in-time access provisioning?

Just-in-time (JIT) access provisioning automatically grants temporary access to specific documents or folders for a defined period (e.g., 24 hours, 7 days). After the period expires, access is automatically revoked. JIT is used for highly sensitive documents where even long-term authorized users should only have access for the time they need to complete their review.

How do I revoke access when someone leaves the deal?

VDRs allow instant access revocation through the user management console. You can deactivate individual users (their login stops working immediately) or remove them from specific groups (losing access to group-restricted documents). For maximum security, enterprise VDRs also support automatic deprovisioning via SCIM when an employee leaves your identity provider.

Document Protection

How VDRs protect individual documents from copying, printing, and redistribution.

What is dynamic watermarking?

Dynamic watermarking renders a visible overlay on every page of every document viewed or downloaded in the VDR. The watermark typically includes the viewer's name, email address, IP address, and a timestamp. Dynamic watermarks are a powerful forensic deterrent — if a document leaks, the watermark identifies exactly which user leaked it. The watermark is rendered server-side and cannot be removed by the viewer.

What is view-only mode with screenshot protection?

View-only mode (also called screen shield) prevents users from downloading, printing, or copying text from documents. The document is rendered as an image in the browser, and additional protections block common screenshot tools, right-click, copy/paste, and screen recording attempts. View-only mode is used for highly sensitive materials like unreleased financial statements, M&A targets, and pre-IPO information.

Can I disable printing and downloading?

Yes. VDRs allow you to set per-document or per-folder policies: allow download, allow watermarked download only, view-only with no download, or no access. You can also disable printing entirely or allow printing only with watermarks. These controls can be set at the deal level, document level, or user level.

What is screen capture prevention?

Screen capture prevention (also called screenshot blocking) uses browser-based protections to block the most common screenshot and screen recording tools (Snipping Tool, Snagit, OBS, etc.) when view-only mode is enabled. The protection renders documents on top of an overlay that makes screenshots show as black or blurred. While no client-side protection is 100% effective, screen capture prevention deters the vast majority of casual and opportunistic leakage.

Can documents be revoked after being downloaded?

Once a document is downloaded to a user's device, the VDR cannot technically reach into the device to delete it. However, dynamic watermarks identify who downloaded what, and the legal framework (NDAs, watermarks serving as forensic evidence) provides strong recourse. For maximum control, view-only mode keeps documents in the VDR browser viewer and prevents any local copy.

Audit & Monitoring

How VDRs track, log, and report on every action in the data room.

What is an immutable audit trail?

An immutable audit trail is a tamper-proof log of every action taken in the VDR — logins, document views, downloads, prints, permission changes, Q&A exchanges, watermarks applied. The log is append-only (entries cannot be modified or deleted by any user, including administrators) and cryptographically signed so any tampering is detectable. Immutable audit trails are court-admissible and regulator-ready.

What is recorded in a VDR audit log?

VDR audit logs typically record: who accessed what document, when, for how long, from which IP address and device, what they did (view, download, print, share), and any Q&A activity. Enterprise logs also capture permission changes, user invitations, failed login attempts, and administrative actions. Logs are exportable as CSV, PDF, or via API for compliance and regulatory reporting.

Can audit logs be deleted or modified?

No. Immutable audit logs cannot be modified or deleted by any user, including administrators. Each entry is timestamped and cryptographically chained to the previous entry, so any tampering is detectable. This is a SOC 2 Type II control requirement and is essential for court-admissible evidence in litigation or regulatory investigations.

How long are audit logs retained?

Audit log retention varies by plan: standard plans typically retain logs for the life of the data room plus 1-2 years; enterprise plans can retain logs for 7-10 years or longer to meet regulatory requirements (SEC Rule 17a-4 requires 6 years, HIPAA requires 6 years, some financial regulations require 7+ years). Logs are typically exportable for archival in your own records management system.

Can I get real-time alerts on suspicious activity?

Yes. Enterprise VDRs support real-time alerts on suspicious activity: unusual login locations, bulk downloads, access from a new device, failed login attempts exceeding a threshold, downloads outside business hours, and other anomaly patterns. Alerts are sent via email, SMS, or webhook to deal administrators, security teams, or SIEM systems.

Security Infrastructure

How VDRs are hosted, replicated, and protected at the infrastructure level.

Where is VDR data physically stored?

Enterprise VDRs offer data residency options across major regions: US, EU (Ireland, Germany, Netherlands), UK, Canada, Australia, Singapore, Japan, UAE, and more. For GDPR compliance, EU data should be stored in EU data centers. For HIPAA, US data centers with BAA support are required. For other regulations, choose a data center location that meets your jurisdictional requirements.

What is the VDR's uptime SLA?

Enterprise VDRs commit to 99.9% uptime SLAs (about 9 hours of allowed downtime per year), with contractual penalties for missing the SLA. Leading providers offer 99.99% (about 53 minutes of allowed downtime per year) for mission-critical transactions. SLA guarantees are backed by multi-region redundancy, automatic failover, and 24/7 monitoring.

What happens if a VDR data center goes down?

Enterprise VDRs use multi-region replication and automatic failover. If a primary data center becomes unavailable, traffic is automatically routed to a secondary region with no data loss. Users experience no disruption, and the data room remains accessible. Multi-region replication is a SOC 2 Type II and ISO 27001 control requirement.

Does the VDR undergo penetration testing?

Yes. Enterprise VDRs undergo independent third-party penetration testing at least annually, with the results used to remediate findings and improve security posture. SOC 2 Type II audits include review of penetration testing, and the VDR provider should share executive summaries of pen test reports with enterprise customers under NDA. Continuous vulnerability scanning runs in production to detect new issues.

Is the VDR provider SOC 2 Type II certified?

Yes. Enterprise VDRs hold SOC 2 Type II certification, which is an independent audit of the provider's security controls over a 6-12 month period. SOC 2 Type II is significantly stronger than Type I (which only audits controls at a point in time). Request the actual SOC 2 Type II report and review the auditor's opinion and any noted exceptions before selecting a VDR.

Common VDR Security Questions

The questions deal teams, legal teams, and security teams ask most often.

Is a VDR more secure than email for sharing deal documents?

Yes, dramatically. Email is not encrypted end-to-end, has no access controls (once sent, you lose control), no audit trail, and is the #1 vector for data breaches. A VDR encrypts at rest and in transit, provides granular access controls, logs every action, prevents forwarding, supports dynamic watermarking, and meets regulatory requirements that email never will.

Is a VDR more secure than Dropbox, Google Drive, or SharePoint?

Yes, for sensitive deal data. Consumer and general-purpose cloud storage tools were designed for collaboration, not for controlled, auditable information exchange. They lack per-document permissions, dynamic watermarking, immutable audit trails, ethical wall enforcement, NDA workflows, and the regulatory certifications (SOC 2 Type II, ISO 27001, HIPAA, SEC 17a-4) that deal teams require.

Can I use a VDR for classified or top-secret data?

Standard VDRs are not designed for government-classified data (which has specific physical and personnel security requirements). For top-secret or classified government data, you need a VDR deployed in a classified environment with appropriate facility clearance and personnel clearances. For most commercial M&A, fundraising, legal, and healthcare transactions, a SOC 2 Type II certified VDR is more than sufficient.

What happens if a VDR user shares their password?

VDRs detect and prevent password sharing through: mandatory MFA (a shared password still requires the second factor from the original user), IP whitelisting (shared password from a new IP is blocked), device binding (shared password from a new device is blocked), concurrent session limits, and anomaly detection (impossible travel, unusual hours, bulk activity). All of these are logged and alert deal administrators.

Can I tell if a document has been leaked?

Dynamic watermarks make it possible to identify the source of any leaked document. Each downloaded or printed document is stamped with the viewer's identity, and any leaked copy can be traced back to the specific user. Combined with NDA enforcement, this creates a strong deterrent — most leaks never happen because the leaker knows they can be identified.

What questions should I ask a VDR provider about security?

Ask for: (1) their SOC 2 Type II report and ISO 27001 certificate; (2) the location of their data centers and data residency options; (3) their encryption standards and key management approach; (4) their MFA and SSO support; (5) their audit log retention period and immutability; (6) their incident response plan and breach notification process; (7) their pen testing history; (8) their uptime SLA and disaster recovery approach; (9) references from financial services or healthcare customers; (10) their vulnerability disclosure program.

See the SpaceNexus security stack in action

SOC 2 Type II certified, ISO 27001 accredited, GDPR compliant. Get a security overview, our SOC 2 report under NDA, and a personalized demo.