Abstract editorial illustration in coral and off-white for the topic: What documents go in a data room? A checklist by deal type
How To

What documents go in a data room? A checklist by deal type

  • virtual data room
  • due diligence
  • checklist
  • m and a
  • fundraising
Summarize with AI ChatGPTClaudePerplexityGrok
On this page
  1. The short answer
  2. The seven families every room is built from
  3. Read the index the way a reviewer will
  4. M&A: a room built around liabilities
  5. Fundraising: a room built around growth
  6. Lending: a room built around cash and collateral
  7. Real estate and fund reporting: the outliers
  8. How much should you actually prepare?
  9. What to keep out, or redact first
  10. Building the checklist, in order
  11. Keeping the documents controlled once inside
  12. Frequently asked questions

The short answer

What goes in a data room? Whatever a counterparty needs to confirm that your business is what you say it is, before they wire money, sign a purchase agreement, or extend a loan.

In practice that resolves to seven families of paperwork: corporate and formation records, three years of financials, material contracts, tax filings, commercial performance data, intellectual property, and people records. Add a short data-protection layer and you have the spine of almost every room ever built.

So what actually changes from deal to deal? Not the seven families. They are near-constant.

The deal type in front of you decides which of them gets read line by line and which gets a polite skim. This guide walks the contents folder by folder, then shows how the weighting shifts across the deal types that lean on data rooms most: M&A, fundraising, lending, real estate and fund reporting.

One framing is worth holding from the start. When a counterparty opens the room, they are not browsing; they are working through a request list, ticking off documents that match their checklist.

The room’s job is to answer that list before anyone has to ask. Do it well and due diligence moves fast. Leave gaps, and each missing file turns into a question in the Q&A log that slows the deal and quietly erodes confidence.

The seven families every room is built from

Which folders should you always plan for? The same seven, whatever the deal.

Reviewers expect them, request lists assume them, and their absence reads as disorganisation rather than discretion. Treat these as the spine; the deal-specific material hangs off it.

The seven core folders and what belongs in each

FolderWhat goes insidePriority
Corporate & formationCertificate of incorporation, bylaws, shareholder register, board minutes, org chart, cap tableEssential
FinancialAudited statements (3 years), management accounts, budgets, the financial model, debt scheduleEssential
Legal & contractsMaterial customer, supplier and partner agreements, leases, insurance, licences, litigation recordsEssential
TaxCorporate tax returns, VAT/GST filings, correspondence with tax authorities, transfer-pricing docsHigh
CommercialPipeline, top-customer analysis, churn and cohort data, marketing metrics, competitive positioningHigh
Intellectual propertyPatents, trademarks, domain and software registers, assignment agreements, open-source inventorySituational
People (HR)Org structure, key-employee contracts, option plans, policies, redacted headcount dataSituational
Priority reflects how early most reviewers reach for each folder; every business weights these differently. Redact or minimise personal data in the people folder before upload.

Why are two of the seven marked situational? Because their weight depends entirely on what your business is.

A software company lives or dies on its intellectual property folder, so it belongs near the front. A services firm with few registered assets can keep that folder thin without anyone blinking.

The priority column, then, is not a law. It is a reminder that folder order should mirror where value and risk actually sit in your business.

A biotech pushes patents and regulatory filings to the top. A marketplace leads with cohort economics and unit metrics. Same seven families, different centre of gravity.

The figure below stacks the folders the way reviewers tend to reach for them, from the essentials they open first down to the situational material they consult when a specific question arises.

Layered stack of the seven core data room folders, each tagged essential, high or situational by how early reviewers reach for it

Read the index the way a reviewer will

What saves more time than any single document? Structuring the room to match the diligence request list, not your internal drive.

Buyers and their advisers work from a standard checklist. A room whose top-level folders map to that checklist lets a reviewer self-serve instead of raising a question for every file.

A numbered, logical data room index is the single biggest driver of a fast review, and it is the first thing an experienced adviser judges you on.

Two habits do most of the work.

  • Number the hierarchy. Label folders 1. Corporate, 2. Financial, 3. Legal, and so on, so the order is stable and easy to reference in the Q&A.
  • Keep it shallow. Three levels is usually enough. A key contract buried five folders deep will get missed, and a missed document becomes a question.

Name files so the version and date are unmistakable, then turn on full-text indexing so reviewers can search rather than click.

Want a ready-made starting point? The data room folder structure template lays out a numbered tree you can copy, and the guide on how to set up a virtual data room walks through building and permissioning the room end to end.

M&A: a room built around liabilities

What is an acquirer really buying? Your liabilities as well as your assets.

So a sell-side M&A room leans hardest on contracts, obligations and anything that could survive the transaction as a claim. The financials establish value; the legal and commercial folders establish risk.

Expect the buyer’s counsel to read every material agreement in full, hunting for change-of-control clauses, assignment restrictions and unusual indemnities. Beyond the seven core folders, a sell-side room typically adds a handful of deal-specific schedules:

  • Change-of-control schedule. Every contract with a clause a sale would trigger, flagged up front, because the buyer will find them anyway.
  • Customer concentration analysis. Revenue by top ten customers, showing how exposed the business is if one leaves.
  • Employee and pension liabilities. Accrued obligations, key-person dependencies and any retention arrangements.
  • Environmental and regulatory records. Permits, compliance history and open matters, especially for physical or regulated operations.
  • Prior transaction documents. Past funding rounds, acquisitions or restructurings that shape the current cap table.

Which platform holds all this? Banking-grade sell-side processes often run on heavyweight ones.

On a large-cap deal, providers like Datasite and Intralinks are built for that volume, while leaner rooms suit lower-mid-market sales. The roundup of the best data rooms for M&A scores them side by side.

Fundraising: a room built around growth

What is an equity investor buying? Future growth, not a snapshot of the past.

So a fundraising room prioritises the cap table, the financial model and the metrics that prove traction, rather than the exhaustive contract review an acquirer runs.

Why keep early rounds lean? Because over-sharing at that stage slows the raise and exposes information you have no reason to reveal yet. A Series A room is deliberately smaller than an M&A room.

A well-built fundraising room usually leads with a short, curated set: the pitch deck, a clean cap table showing fully diluted ownership, the financial model with clear assumptions, historical statements, and cohort or retention data that backs the growth story.

Corporate documents sit alongside, from incorporation to prior SAFEs or convertible notes and board consents, because investors will confirm they are buying into a clean structure.

Where do customer contracts and detailed HR files go? To later stages or a follow-up request, not the opening room.

The best data rooms for fundraising hub compares the platforms founders reach for when speed and a tidy first impression matter more than banking-grade scale.

Lending: a room built around cash and collateral

What is a lender underwriting? Your ability to repay.

So a debt-financing room centres on cash flow, collateral and covenant compliance rather than the ownership questions an equity investor asks.

Who is the reviewer here? A credit team, with a checklist that is narrower but deeper on the numbers. They want proof that the business generates predictable cash and that the assets securing the loan are real and unencumbered.

Expect a lender’s room to prioritise:

  • The debt schedule and existing facility agreements.
  • Three years of audited financials plus rolling management accounts.
  • A cash-flow forecast tied to the loan structure.
  • Asset registers and valuations for anything pledged as security.
  • Any inter-creditor or guarantee documents.

Do litigation and tax still matter? Yes, because an unexpected claim can jump ahead of the lender in a default. What matters less is the full commercial and IP narrative an acquirer or VC pores over.

Real estate and fund reporting: the outliers

Which deal types break the mould? Two, enough to note separately.

Real estate is the clearest outlier. A property data room is built around title deeds, leases, surveys, valuations and planning consents, with company financials in a supporting role rather than the lead.

Providers with a real-estate pedigree, such as Drooms, organise around the asset; the best data rooms for real estate hub covers the field.

Fund or limited-partner reporting is the other. It is recurring rather than transactional, so it emphasises periodic statements, capital-account reporting and audited fund accounts over one-off contracts.

The matrix below maps the common deal types against the major document categories, so you can see at a glance where to concentrate effort.

Document emphasis by deal type

Document categoryM&A saleFundraisingReal estateLender / debtFund / LP reporting
Cap table & ownership Yes Yes N/A Summary Yes
Audited financials Yes Yes Partial Yes Yes
Material contracts Yes Later Yes Key only Summary
IP & assignments Yes Yes N/A Rare Rare
Title, leases & surveys If property Rare Yes If secured Rare
Debt schedule & covenants Yes Later Partial Yes Summary
Financial model / forecast Yes Yes Yes Yes Partial
Yes means routinely expected in that deal type. Labels flag where a category is partial, deferred to a later round, or not applicable. Adapt to your sector.

Read the matrix as a heat map, not a rulebook. The core folders stay constant across every column; what moves is which cells light up.

That is the whole thesis of this guide in one grid: the skeleton holds, the emphasis travels.

How much should you actually prepare?

How big is a serious sell-side room? Commonly eight to twelve top-level folders and several hundred individual files, with buyers routinely requesting three years of audited financials as the baseline.

Is volume the goal? Never. Completeness is. A tidy room of the right 300 documents beats a sprawling dump of 3,000, every time.

7
Core folders in almost every room
3 yrs
Audited financials buyers expect
8-12
Top-level folders in a sell-side room

Size your preparation for the peak of the process, not its quiet opening. A late document request, or a second round of bidders, can double the room’s contents overnight.

Budget time for that growth, and budget cost too if your provider bills by page or storage. Included storage and page allowances differ widely, so the individual provider reviews record each one, and the guide to what drives virtual data room pricing explains how document volume feeds the invoice.

What to keep out, or redact first

Does everything belong in the room? No, and some documents belong there only after treatment.

Personal data is the sharpest example. Employee records, customer lists and payroll files routinely carry names, salaries and identifiers that must be minimised or redacted before upload.

Under the data-minimisation principle, you should share only personal data that is adequate, relevant and limited to what the diligence genuinely needs. The UK ICO’s guidance on data minimisation sets that standard, and the EU’s GDPR frames the same duty across Europe.

Handle with care before upload

Pros

  • Redact salaries, IDs and personal contact details from HR and payroll files
  • Use view-only rendering and watermarking for the most sensitive contracts
  • Stage highly commercial data (customer names, pricing) for a later diligence phase
  • Keep a clean audit trail so you can prove exactly who saw each document

Cons

  • Do not upload unredacted personal data because it is convenient
  • Do not include privileged legal advice unless counsel has cleared it
  • Do not share raw customer databases when aggregated cohorts will do
  • Do not leave stale or superseded versions in the room to confuse reviewers

What is the practical answer to most of this? Phasing.

Many sellers run a two-stage room: a first phase with corporate, financial and high-level commercial documents open to all bidders, then a second, tighter phase where confirmed parties reach the most sensitive contracts and people data.

Granular permissions at the group level make that possible without hand-editing individual users; the guide to data room permissions covers how to structure those tiers.

Building the checklist, in order

Where should you start? The request list, working outward, so the room answers the counterparty’s questions instead of mirroring your internal filing.

Five steps get a defensible, well-indexed room ready.

How to build a data room document checklist

A repeatable method for assembling the right documents in the right order before you invite reviewers.

Estimated time: 3h

  1. Start from the request list

    Get the buyer's or investor's diligence checklist (or a standard one for your deal type) and use it as the master index. Every top-level folder should map to a section of that list.

  2. Assign folder owners

    Give each core folder an owner (finance, legal, HR, product) responsible for collecting and dating its documents, so gaps surface early instead of at signing.

  3. Collect, version and date

    Gather the current, final version of each document, remove superseded drafts, and label files clearly so reviewers never guess which version governs.

  4. Redact and stage sensitive data

    Minimise or redact personal data, and decide which documents open in phase one versus a later confirmed-bidder phase.

  5. Index, upload and test

    Number the folder hierarchy, upload in bulk, run full-text indexing, then walk the room as a reviewer to confirm nothing essential is missing or misfiled.

What catches more problems than any checklist? That final walk-through, reviewing the room the way an outsider would.

If a document you expected to find is hard to reach, a real reviewer will simply raise it in the Q&A, and that costs you time and momentum. For a sense of how long the review then runs, the guide on how long due diligence takes sets realistic expectations.

Keeping the documents controlled once inside

What are the documents in a data room, by definition? The ones you cannot afford to leak.

So the room itself has to add control beyond storage: granular permissions, dynamic watermarking, view-only rendering and a complete audit trail.

Those controls are what let you share a change-of-control schedule or a redacted HR file with a competitor-turned-bidder, and still revoke access the moment a deal changes course.

Before you invite anyone, confirm the room enforces the essentials on the document set you have just organised. Independent certification is the shorthand buyers trust.

ISO/IEC 27001 is the international information-security management standard, and SOC 2 attests to the same discipline for US-facing counterparties. The VDR security features checklist covers the full list, but the non-negotiables are folder-level permissions, watermarking on downloads, two-factor authentication and an exportable activity log.

Some providers, Ellty among them, fold these into the standard tier rather than charging for them as add-ons, which is worth checking when you compare rooms for a document set this sensitive.

Frequently asked questions

Frequently asked questions

What is the single most important folder in a data room?

The financial folder, closely followed by corporate records. Reviewers reach for audited statements, management accounts and the cap table first, because they establish both the value and the ownership of the business. A room that leads with clean, current financials sets a confident tone for everything that follows.

How far back should financial documents go?

Three years of audited financial statements is the standard buyer and investor expectation, alongside recent management accounts and a current-year budget or model. Younger companies share whatever full history they have plus monthly management accounts to fill the gap.

Can I put employee and payroll records in the data room?

Yes, but minimise or redact personal data first. Share only what the diligence genuinely needs, remove salaries and identifiers where they are not required, and rely on view-only rendering and permissions to limit exposure. Storing unredacted personal data because it is convenient creates a data-protection liability.

How is a fundraising data room different from an M&A room?

A fundraising room is leaner and leads with the cap table, financial model and traction metrics, because investors are underwriting future growth. An M&A room is exhaustive and leans on material contracts, liabilities and employee obligations, because an acquirer inherits all of them.

Should I open the whole room to every bidder at once?

Usually not. Many sellers phase access: a first tranche of corporate, financial and high-level commercial documents for all bidders, then a tighter phase where confirmed parties see the most sensitive contracts and people data. Group-level permissions make this straightforward.

A data room is only as useful as its documents are complete, current and correctly permissioned. Start from the request list, build the seven core families, then adjust the emphasis to your deal type, and the room will do the one thing it exists to do: answer the counterparty’s questions before they have to ask them. When you are ready to choose the platform that will hold this document set, compare providers side by side on security, workflow and pricing.