Encryption in transit
Protecting data with TLS while it moves between the user’s browser and the data room servers.
Encryption in transit is the protection applied to your data while it is moving across a network, in a virtual data room that means every byte travelling between a user’s browser and the provider’s servers. It is delivered with Transport Layer Security, the modern successor to SSL and the same technology behind the padlock in your address bar. Without it, the pages you view, the files you download, the passwords you type, and the session cookie that keeps you logged in would cross the public internet as readable text that anyone on the path could capture. TLS wraps that traffic in an encrypted tunnel and verifies you are actually talking to the real data room and not an impostor, so a login on hotel Wi-Fi, a document opened from a client office, or an upload over a shared corporate link stays confidential end to end.
How does encryption in transit work in a data room?
Every request your browser makes to the data room begins with a TLS handshake. The server presents a certificate that proves its identity, the two sides agree on cipher keys, and from that point on all traffic is encrypted with those short-lived keys. A capable room enforces this everywhere: it redirects plain HTTP to HTTPS, sets HSTS so the browser refuses to downgrade, uses TLS 1.2 or 1.3 with modern cipher suites, and applies the same tunnel to its API and any file-download endpoints, not just the login page.
Encryption in transit guards data while it moves; its partner, encryption at rest, guards the same data once it lands and sits idle on disk. The two protect different moments in a file’s life, and a serious room needs both. Transit closes the network gap; rest closes the storage gap.
Why does it matter for M&A and due diligence?
In a deal, sensitive documents cross the network constantly: a buyer’s analyst in one country downloads a financial model, a lawyer in another opens a contract, an advisor uploads a revised cap table over an airport connection. Each of those trips is exactly where a network attacker would try to intercept confidential data. Encryption in transit is the control that makes those trips safe, and it is why buyers probing your setup during due diligence expect TLS as a non-negotiable baseline. It is also woven into the compliance frameworks that govern deal data. SOC 2 and ISO 27001 both treat encrypting data in motion as a core control, and GDPR-aligned practice assumes it, so an audited certification is your evidence that the TLS claim holds under scrutiny rather than living only on a marketing page.
A concrete example
An acquirer’s advisory team reviews a target company from a hotel conference room over shared Wi-Fi. An attacker on the same network runs a tool that captures every packet passing through the access point. Because the data room enforces TLS 1.3 with HSTS, every request, the login, the document views, the downloads, appears to that attacker as encrypted noise with no readable filenames or contents. The session cookie cannot be replayed and no document is exposed. Had the room allowed a plain HTTP fallback, the same capture would have handed over credentials and a stack of confidential deal files.
How should you evaluate encryption in transit?
“Encrypted connection” on a feature page is not enough. Look for specifics.
- Protocol version: TLS 1.2 as a floor, TLS 1.3 preferred; older SSL or TLS 1.0 or 1.1 should be disabled.
- No downgrade: HTTP redirects to HTTPS, HSTS is set, and there is no plain-text fallback.
- Everywhere, not just login: the same tunnel covers the app, the API, and every file-download and upload path.
- Independent proof: the TLS posture holds up in third-party penetration testing and is covered by a current SOC 2 or ISO 27001 audit.
The common mistakes are assuming a padlock icon means the whole system is protected, confusing transit with rest and buying only one, and never checking whether downloads and the API use the same encryption as the login screen. For the wider picture, read our guide to virtual data room security and the practical VDR security features checklist. When encryption details decide your shortlist, our side-by-side comparisons and hands-on provider reviews record what each vendor actually enforces.
FAQ
Is encryption in transit the same as HTTPS? Effectively yes for a web-based data room. HTTPS is HTTP carried inside a TLS tunnel, and that tunnel is what encrypts your data in transit. The nuance is coverage: a room should apply TLS to its API and file-transfer endpoints, not only to the pages that show the padlock, and it should refuse any unencrypted fallback.
Does encryption in transit protect my stored files too? No. It protects data only while it moves across the network. Once a file is written to the provider’s disks it is idle, and protecting it there is the job of encryption at rest. A secure data room combines both so the file is covered in motion and at rest, and pairs them with strong secure file sharing controls.
What TLS version should a data room use? TLS 1.2 is the acceptable minimum and TLS 1.3 is the current best practice, with legacy SSL and TLS 1.0 and 1.1 switched off. If a provider will not state its supported versions and confirm that downgrades are blocked, treat that vagueness as a red flag rather than a reassurance.