How to Balance Security Needs and Usability When Assessing a Virtual Data Room

Virtual data room

All virtual data room providers promise a high level of security in their VDR. Most software delivers on this promise when compared to common alternatives like Google Drive or Dropbox. When compared to a business’s actual security needs, however, some options fall short.

A virtual data room should provide security equal to or greater than that exercised in a physical deal room space. The best VDRs balance cutting-edge security options with usability, making information simple to protect and difficult to compromise.

What Security Does Your Virtual Data Room Need?

To know which security features you require, first seek to understand the parties involved and the work to be done. “The heart of risk management is to understand the risks you are managing,” says Kip Peters, a leadership partner in Gartner’s enterprise information technology leadership service.

Virtual data rooms are commonly used during business transactions like mergers and acquisitions, in which large volumes of sensitive data must be organized, tracked and made available only to certain vetted individuals. When a VDR purchaser understands the security requirements of their data, they can more easily compare a VDR provider’s offerings to their own needs, Peters says.

Certain data security features should be standard in all software as a service (SaaS) systems, Kim Crawley writes at AT&T. In a virtual data room, these features should form the foundation of the system’s additional security measures.

For instance, a VDR should offer a robust data encryption system. “The encryption keys should be managed and stored securely within a key management system,” Crawley says. Various key management system options exist; the right VDR provider for your business will be able to offer an option that fits your needs.

Similarly, the VDR should have data loss prevention (DLP) mechanisms built in. These tools and processes help protect data from loss, misuse or unauthorized access. DLP tools typically come in two forms: those that detect imminent threats to data security and those that address the threats.

All VDRs need robust data loss prevention mechanisms. When researching DLP options in particular virtual data room offerings, look at the following:

  • Whether the tools are compatible with systems that need to communicate with the VDR.
  • What types of threats the tools address best.
  • Which regulations you must comply with.

Some VDRs and their embedded data loss prevention mechanisms also allow your organization to see how data is accessed or altered and by whom, which can provide an added layer of transparency and oversight, Ellen Zhang writes at Digital Guardian.

When foundational security measures are in place, companies can begin to look for tools and features that help them tailor their data security and privacy needs to the particular deal or business they intend to transact within the virtual data room space. The best choice will be based on an informed comparison of VDR companies’ offerings.

Comparing VDR Providers’ Security Offerings

All VDR software options are created with the same goal in mind: to protect information used in sensitive negotiations or projects like M&A due diligence, audits or lawsuits. How each VDR provider chooses to reach that goal varies, however, which means that not every VDR will be ideal for your particular needs.

With a clear understanding of what types of data it needs to protect, and what interactions with that data could carry risk, a company can compare VDR offerings on several different points.

Document Viewing and Redaction

VDR software often offers tools for performing many data room-related tasks within the software itself. For instance, the software not only protects the information, but it also allows users to view, redact or edit information in the same ways they’d be able to in a physical deal room space.

For instance, a VDR with high usability will allow administrators not only to control who views which documents, but also to control which portions of each document are available to each user or class of users.

Documents in a usable VDR do not need to be redacted by hand before they are uploaded. Instead, redaction can be performed within the VDR itself. This feature allows documents to be uploaded once and viewed in their relevant or permissible portions by all authorized users rather than uploading a custom-redacted document for each party.


A usable VDR also balances security with transparency through the use of tools like role-based access control (RBAC).

This gives VDR users access based on their role in the deal or organization. This form of control allows VDR administrators to set permissions for specific groups and redact documents in ways tailored to each group’s assigned tasks. Look for a VDR that offers robust role-based access control that is simple for administrators to navigate.

Role-based access control offers transparency as well as security, says Anne Dorthe Gyldenkærne, vice president of marketing at Omada. For instance, RBAC can immediately attach a name to any activity that occurs within the VDR. Whenever a document is opened, the system will log who opened it. Requests for assistance, attempts to make edits or attempts to access unauthorized materials are also logged with information about who took those steps.

Integrating the Software With In-House Options

Finally, ask whether a VDR provider’s software integrates easily with existing in-house cybersecurity measures.

For a September 2019 McKinsey study, Rich Cracknell and fellow researchers surveyed chief information officers and other cybersecurity professionals. The researchers found that most businesses prefer not to leave cybersecurity measures entirely in the hands of third-party software vendors, even when the software offered customer-friendly, cutting-edge security technologies.

Instead, begin with a clear overview of your company’s own data protection measures. Then, seek a VDR that offers the additional protections your situation requires.

Do You Have to Compromise Security for Usability’s Sake?

The most robustly secure VDR in existence is of limited help unless it is also usable. Balancing usability with data protection is a must for an effective virtual data room.

The term “usability” covers a broader range of considerations than the term “ease of use,” says Whitney Quesenbery, cofounder of the Center for Civic Design. Usable design offers ease of use, but it is also user-centered and improves through feedback from real-world applications.

In a VDR, one of the largest usability concerns focuses on applying security controls to the documents controlled by the VDR. Look for VDR software that provides robust security via controls that are simple and satisfying to navigate.

Also, look for a system that is easy to learn. Some or all of those involved in a particular deal may be new to using a particular virtual data room. As a result, the entire team faces a learning curve when it comes to navigating the software.

“The best way to support ease of learning is to design systems that match a user’s existing mental models,” says Andreas Komninos at the Interactive Design Foundation. A mental model is a pre-existing map or idea our minds have of how the world works and how to navigate it.

For instance, a VDR that uses redaction methods that look like real-world redaction done on paper, or that organizes files and folders in a way similar to existing file managers or filing cabinets, matches our mental models of what redacted documents, files and folders look like. This makes it easier for our brains to navigate the new environment because we already have a sense of what should happen when we take certain actions, like clicking on a folder.

When a VDR balances security demands with usability, its full range of protections is available for business teams to use in their transactions. Greater confidence in the available tools can lead to better peace of mind and an improved ability to focus on the business at hand.

Recommended for you