Data Room Security Questionnaire: How to Evaluate Any VDR Vendor (2026)
Co-founder at Peony. Former M&A at Nomura, early-stage VC at Backed VC, and growth-equity / secondaries investor at Target Global. I write about investors, fundraising, and deal advisors from the deal-side perspective I spent years in.
Data Room Security Questionnaire: How to Evaluate Any VDR Vendor (2026)
Last verified: July 2026
I'm Sean Yu, co-founder of Peony, a data room company. I am also co-founder of GingerControl, a trade-compliance company — which means I sit on both sides of the security questionnaire: answering them as a vendor, and issuing them as a buyer evaluating other people's software. That vantage point is the reason for this post. Most questionnaires I receive, and most I have watched buyers send, ask the wrong half of the question.
Here is the thesis, stated plainly. Certifications verify the vendor's operating discipline; document-level controls protect your deal. A serious evaluation demands both — most questionnaires only ask about the first. A SOC 2 report tells you the company runs a disciplined shop. It tells you nothing about whether the product can stop a leaked bid book. You need to interrogate both, and you need to verify every claim against an artifact rather than a marketing page.
This guide is written for the person who has been handed the security review: often an investment director or operations lead at a lean firm — 10 to 40 people, deals in the tens to low hundreds of millions — who is shortlisting a virtual data room for investor due diligence and has to clear an internal or LP security check. You do not have a 12-person IT security team. You have a two-week window, three vendors, and a stack of "bank-grade security" claims to see through.
Quick answer: Run the evaluation by requesting five artifacts and verifying each against the document, not the marketing page. (1) The SOC 2 Type II report, under NDA — check the observation period, the scope, and the exceptions section. (2) The ISO 27001 certificate, plus the Statement of Applicability if the vendor claims it. (3) A penetration-test attestation letter (the full report stays under NDA). (4) The Article 28 DPA and a public sub-processor list. (5) Uptime history / SLA. Then verify claims against the artifacts, not the sales deck: a real SOC 2 report is shared under NDA, a real ISO 27001 certificate names an accredited body, and "SOC 2-certified AWS" is the cloud provider's attestation, not the vendor's. Certifications prove the vendor's discipline; document-level controls — page permissions, watermarks, revocation, audit logs — protect the deal. Ask for both.
Where this post sits. This is the how-to for running the vendor security evaluation itself — the mechanics of reading a SOC 2 report, checking an ISO certificate, and sending the questionnaire. It is deliberately not the framework-selection post: if your first question is which regulatory regime applies to your documents — SOC 2 versus GDPR versus HIPAA versus CCPA — read which frameworks apply to you first, then come back here to evaluate the vendors against them. For provider shortlists see the top 10 virtual data room providers and, for UK buyers, the best data room providers in the UK; for what all this costs, the virtual data room cost guide.

What is a data room security questionnaire — and what should it actually ask?
A data room security questionnaire is the structured set of questions and evidence requests a buyer sends a VDR vendor to establish that the platform is safe enough to hold the deal — and a good one asks for artifacts, not assurances.
The weak version is a list of yes/no boxes the vendor ticks in a sales deck: "Do you encrypt data? Yes. Are you GDPR compliant? Yes." That proves nothing, because every vendor ticks every box. The strong version asks the vendor to produce the evidence — the SOC 2 report, the certificate, the pen-test letter, the DPA — and then reads it critically. The shift from "do you have X" to "show me X and let me check it" is the whole difference between a security review and security theater.
If you would rather not build the form from scratch, two industry-standard questionnaires exist. The CAIQ — the Consensus Assessments Initiative Questionnaire from the Cloud Security Alliance — is a free, cloud-specific form mapped to the Cloud Controls Matrix (CCM v4 covers 197 control objectives across 17 domains); CAIQ-Lite is a condensed version of roughly 124 questions. The SIG — Standardized Information Gathering, from Shared Assessments — is broader and multi-framework: SIG Core runs to around 855 questions, and SIG Lite trims that to about 126. CAIQ is the pragmatic default for evaluating a cloud VDR; SIG Lite suits a firm that already runs a formal third-party-risk program. Either way, the 20-question template later in this post is the fast path for a lean team on a two-week clock.
SOC 2 Type I vs Type II: what's the difference and which should you require?
Require Type II. Type I reports on whether controls are suitably designed at a single point in time — an "as of" snapshot of the design. Type II reports on whether those controls were suitably designed and operated effectively over a period of time — the "observation window" or look-back, typically 3 to 12 months (commonly 6 to 12). Type II carries far more weight with enterprise and institutional buyers precisely because it tests whether the controls actually ran, not just whether they looked good on paper on one day.
A complete SOC 2 report is not a certificate — it is a document, and the parts matter:
- The Independent Service Auditor's Report (Section 1) — the CPA's opinion letter, the single most important part. It states whether controls were suitably designed and (for Type II) operated effectively, and it sets out scope and limitations.
- Management's Assertion — the vendor's own written statement describing its system and asserting its controls.
- The System Description — scope, boundaries, and control environment.
- The Trust Services Criteria, controls, tests, and results — for Type II, the auditor's actual test procedures and their outcomes.
- The exceptions / deviations section — noted issues. Read this one closely (more below).
Every SOC 2 covers Security — the mandatory "Common Criteria." The other four Trust Services Categories — Availability, Processing Integrity, Confidentiality, and Privacy — are optional and included only if the vendor commits to them. For a data room, Confidentiality and Availability are the ones worth confirming are in scope.
Now the pedantic truth, because it changes how you read vendor wording. SOC 2 is an AICPA attestation, not a certification. A licensed CPA firm examines the controls and issues a professional opinion; there is no pass/fail badge, no certificate, and the AICPA does not "certify" anyone. Strictly, a vendor is "SOC 2 attested" or "has a SOC 2 report." In loose common usage — including by some vendors — "SOC 2 certified" is used as shorthand for "has a SOC 2 report," and you can let that slide colloquially. But it tells you something when a vendor is precise about it, and the distinction matters against ISO 27001, which genuinely is a certification.
How to verify a vendor's SOC 2 Type II report is real and current
Ask for the report under NDA, then verify five things in order. A SOC 2 report is a restricted-use document — it contains detailed system descriptions and test results the vendor will not post publicly, so sharing it under NDA is exactly how it is meant to circulate. A vendor who will not share it even under NDA has answered your question for you.
Once you have the PDF in front of you:
- Check the auditor. It must be a licensed CPA firm. The opinion letter in Section 1 is what you are reading — confirm it is an actual auditor's opinion, not a vendor-written summary.
- Check the observation window end date. Type II covers a period. If that period ended more than about 12 months ago and there is no bridge letter to cover the gap since, treat the report as stale — it no longer describes the vendor as they are today.
- Check the scope. Confirm the System Description covers the product you are actually buying. Vendors sometimes hold a SOC 2 for one service and imply it covers everything; make sure the data room itself is in scope, not just a sibling product or the corporate entity.
- Read the exceptions section. This is the one people skip. An unqualified (clean) opinion can still contain exceptions — deviations the auditor noted but judged mitigated or not fatal to the overall conclusion. Count them, and assess severity. A clean opinion with three minor, remediated exceptions is normal; a pattern of access-control exceptions is a conversation.
- Confirm the Type. Make sure it is Type II, not Type I relabeled. The opinion language will say whether controls "operated effectively" over a period (Type II) or were "suitably designed" as of a date (Type I).
One aside on a substitution trick: if a vendor hands you a SOC 3 instead, know what you are getting. SOC 3 comes from the same examination against the same criteria but is stripped of the control listings, test procedures, and results — it is a short, general-use document a vendor can post publicly. It confirms a SOC 2 examination happened; it does not let you check scope or exceptions. Accept it as a public trust signal, then still ask for the SOC 2 Type II under NDA.
What does "SOC 2-ready" or "SOC 2 certified infrastructure" really mean?
"SOC 2-ready" means the vendor has implemented controls but does not yet hold a completed Type II report; "SOC 2 certified infrastructure" means the cloud layer underneath was audited, not the vendor itself. Both phrases sound reassuring and mean much less than they suggest — both are places vendors hide a gap.
"SOC 2-ready" (or "compliant, report in progress") legitimately means the vendor has designed and implemented controls but does not yet hold a completed report — either the Type II observation window is still running, or a readiness assessment is done but the formal audit has not concluded. That can be perfectly honest for a young vendor. So make it concrete: ask for the target report date, which Type they are pursuing, the observation-window dates, and the readiness assessment output and who performed it. A readiness assessment is a pre-audit gap analysis — it produces a gap register, not an opinion, so it is not a substitute for the report.
Watch the bridge letter here too. A bridge letter covers the gap between the end of a prior report's period and your review date — but it is a management-signed self-attestation, not the auditor's, stating no material control changes have occurred. Most buyers and auditors cap its useful coverage at roughly 3 months (90 days). It is a stopgap pending the next Type II, and it carries less weight than the audited report because it is the vendor vouching for itself.
"SOC 2 certified infrastructure" — or "we run on SOC 2 / ISO 27001-certified AWS" — is the one to watch hardest, because it quietly swaps one entity for another. Under the shared responsibility model, the cloud provider's certification covers the infrastructure, not the vendor's application, configuration, access management, or data handling. AWS frames it exactly: AWS is responsible for "security of the cloud" (the hardware, software, networking, and facilities that run its services), while the customer — here, the VDR vendor — is responsible for "security in the cloud": managing their data and encryption, classifying assets, and using IAM to set the right permissions. GCP operates the same split.
The takeaway is blunt: a vendor inheriting AWS's SOC 2 has not been audited itself. AWS secures the cloud; the vendor secures what is in it — and only the vendor's own SOC 2 report tells you whether they do that well. When a claim is about the hyperscaler, ask for the vendor's own attestation.
ISO 27001 vs SOC 2: do you need both?
Not necessarily both — but you need to know which one your counterparty expects, because they are different instruments for different markets.
ISO/IEC 27001 is the international standard for an Information Security Management System — a risk-based management program, not a checklist — and, unlike SOC 2, it produces an actual certificate. That certificate only means something if it comes from an accredited certification body (in the UK, one accredited by UKAS). The certification runs on a 3-year cycle: initial certification via Stage 1 and Stage 2 audits, then annual surveillance audits in years one and two, and a recertification audit at year three. The 2022 revision defines 93 Annex A controls (down from 114 in 2013), reorganized into four themes. And every certified vendor maintains a Statement of Applicability (SoA) — a mandatory document listing every Annex A control, whether it applies, and why. If a vendor claims ISO 27001, ask for the certificate and the SoA; the SoA is where you see what they actually scoped in.
SOC 2, by contrast, is a US-market attestation — a CPA's opinion and report against the Trust Services Criteria, re-run (usually annually) rather than certified on a fixed cycle.
Here is the honest way to choose. The two overlap heavily on the underlying controls, so a vendor with a strong program often maps to both. The difference is recognition: for a UK or EU counterparty, ISO 27001 reads as the familiar, expected credential; for US counterparties, SOC 2 is the default they will ask for first (though ISO is increasingly recognized globally). So "do you need both" is really "who is judging you?" If your LPs and their auditors are UK/EU institutions, an ISO 27001 certificate lands cleanly; if they are US funds, a current SOC 2 Type II is what unblocks the review. A vendor that holds both removes the question entirely — which is why the enterprise incumbents tend to carry the pair.
How do you verify an ISO 27001 certificate is valid and in scope?
Ask for three things. The certificate itself — check the expiry date and the accredited certification body (UKAS-accredited in the UK). The Statement of Applicability — the SoA tells you which of the 93 Annex A controls were scoped in, and a certificate without its SoA is hiding its scope. And confirmation the certified entity and system are the ones selling to you — a certificate naming a parent company or a different product line is the ISO version of the inherited-infrastructure trick.
Which VDR providers are UK GDPR compliant with EU/UK data residency options?
Start by refusing to let the vendor collapse three separate questions into one flag on a map. Residency is where data is physically stored. Access is who can technically reach it — vendor staff, sub-processors, support engineers — regardless of where it sits. Sovereignty is whose law applies: a US-owned provider can be reachable under US law even when the data is hosted in the EU. A vendor that leads with "EU data residency" has answered only the first of the three, and you should still ask the other two.
UK GDPR compliance itself is a contract-and-transparency question, not a hosting one. The core instrument is the Article 28 Data Processing Agreement — because a SaaS VDR is typically a processor, the processing must be governed by a binding written contract that sets out, among other things: processing only on your documented instructions, a duty of confidence, appropriate Article 32 security measures, rules on sub-processors (only with your authorization), assistance with data-subject rights and with your own compliance, deletion or return of data at the end, and submission to audits. Alongside it you want sub-processor transparency — a published, current sub-processor list and a mechanism to notify you of changes so you can object. And where data leaves the UK, you want a valid transfer tool: the standalone UK IDTA, or EU SCCs paired with the UK Addendum.
On residency options specifically, the market does vary. Per their trust pages, Firmex documents a residency choice of EU (Germany), Canada, or US; Drooms processes exclusively in Germany or Switzerland, with relocation requiring customer consent — the UK provider shortlist walks the residency column vendor by vendor. On the transfer backdrop: EU-UK adequacy was renewed on 19 December 2025 and runs until 27 December 2031, with a review after four years. Adequacy decisions are time-limited by design — check the ICO's international-transfers guidance for the current position before you rely on one.
Now the honest point a lot of residency marketing obscures. Deal documents in a data room are corporate confidential data — financial models, IP, deal strategy — not consumer personal data. The DPA and transfer posture still matter, but mostly as a signal of vendor discipline rather than as the thing standing between you and a leak. Residency is a legal-preference question, not a security guarantee: an EU-hosted room with weak access controls is less safe than a US-hosted room with strong ones. So weigh residency where your LPs or counsel require it — and then judge the access controls and document controls just as hard.
What does a penetration test summary prove?
It proves an independent tester actually attacked the system, found what they found, and that the vendor fixed it — which is a different and more current signal than a point-in-time audit.
The norm for SaaS is a penetration test at least annually and after any material change — a major release, an infrastructure shift, a significant architecture change. In the UK, the quality benchmark is CREST accreditation: a "CREST penetration test" is delivered by a CREST-accredited firm assessed against CREST's standards for methodology and quality, which buyers use as an external signal that the test was done properly rather than rubber-stamped.
You will not get the full report without an NDA — and you should not expect to, because the full report contains exploitable detail. What you can request freely is the attestation letter / pen-test summary: a short, shareable document confirming that an accredited third party performed a test, with the scope, date, methodology, and confirmation that findings were remediated — but without the exploitable specifics. That letter is the public-facing artifact; the full report stays under NDA. A bug bounty or coordinated-disclosure program is a good complement — continuous crowd-sourced testing alongside scheduled tests — but it is not a substitute for the annual pen test.
The red flag is simple: a vendor who will not share even a letter. The letter exists precisely so it can be handed out safely, so a refusal means either there was no independent test or they would rather you not know the scope.
The questionnaire template: 20 questions to send any data room vendor
Send this to all three shortlisted vendors on day one, unchanged, so you can compare answers side by side. It is grouped into certifications, data handling, product controls, and operations. Copy it as-is.
Certifications (5)
- Please share your SOC 2 Type II report under NDA. What is the observation-window start and end date, and does the scope cover the data room product specifically?
- If you claim ISO 27001, please provide the certificate and the Statement of Applicability, and name the accredited certification body and the certificate expiry date.
- Please provide a penetration-test attestation letter — tester, date, scope, methodology, and confirmation that findings were remediated. Was the tester CREST-accredited (or equivalent)?
- Do you hold any privacy or cloud extensions (ISO 27701, 27017, 27018) or an AI-governance certification (ISO 42001)? Certificate or attestation, please — not "aligned."
- Where do you publish your certifications and reports (trust center, on request), and what is behind an NDA versus public?
Data handling (5)
- Which region processes and stores our data? Name the cloud provider and region.
- Which sub-processors touch our data, and where is your sub-processor list published? How will you notify us of changes?
- Please provide your Article 28 DPA. Does it cover deletion/return on termination, breach-notification timelines, and audit rights?
- If data may leave the UK/EU, which transfer mechanism applies — UK IDTA, or EU SCCs plus the UK Addendum?
- How and when is our data deleted after we close the room, and can you confirm deletion with a timestamp?
Product controls (6)
- What encryption do you apply at rest and in transit? (Expect AES-256 at rest; TLS 1.2 minimum, 1.3 preferred, in transit.)
- How granular are permissions — can we set access at the folder, file, and page level, and separate view-only from download?
- Do you support dynamic, per-viewer watermarks applied on view and download?
- Do you offer screenshot protection / view-only rendering to deter screen capture?
- Can we instantly revoke a viewer's or a document's access after sharing?
- Can we export a complete audit log — every view, download, print, and permission change, timestamped per viewer?
Operations (4)
- What is your uptime history and SLA, and where is uptime published?
- What is your business-continuity / disaster-recovery posture and your recovery objectives?
- What is your breach-notification commitment to us as a customer, and on what timeline?
- Do you enforce 2FA/MFA, and do you support SSO/SAML and IP or time-based access restrictions?
The other half: document controls the questionnaire forgets
Here is the half most questionnaires skip entirely. Certifications say the vendor runs a disciplined shop. Document-level controls are what actually stop a leaked bid book — and for M&A or investor due diligence, where the files are among the most sensitive information a company owns, they are as decision-relevant as any certificate.
The controls to insist on, and what each one does:
- Granular permissions — role, folder, file, and page-level access, and view-only versus download rights, so a viewer sees exactly what they should and nothing more.
- Dynamic watermarks — per-viewer identifying marks (user, timestamp) burned onto each rendered page, so a screenshot or forwarded PDF carries the identity of whoever leaked it.
- NDA gates — access to the room or a document conditional on accepting a confidentiality agreement first.
- Screenshot protection — view-only rendering that obscures the page against screen capture.
- Instant revocation — the ability to pull a viewer's or a document's access the moment a talk stalls, even after they have opened it.
- Exportable audit logs — a complete, timestamped record of every view, download, print, and permission change, which is what turns "the link was opened" into evidence you can hand an LP.
A vendor with glossy certificates and weak per-document controls should make you as cautious as the reverse. Insist on both.
iDeals vs Datasite security comparison — and the wider field
Because buyers ask for named comparisons, here is where the major VDRs stand on publicly claimed certifications — with the standing caveat that several of these come from vendor marketing pages and review aggregators, and you should verify each against the vendor's live certificate before relying on it. "Compliant" is self-declared; "certified" implies an accredited-body certificate; do not upgrade one to the other.
| Vendor | Publicly claimed certifications | Notes (per vendor materials — verify before relying) |
|---|---|---|
| Datasite | ISO 27001, 27017, 27018, 27701; SOC 2 Type II; ISO 42001 | ISO 27001 certified since 2007; claims first VDR to earn ISO 42001 (AI governance), Oct 2025 |
| Intralinks | ISO 27001, 27701, 27017; SOC 1/2/3 | Claims first VDR to achieve ISO 27701 (2021) |
| iDeals | ISO 27001; SOC 1/2/3; ISO 27018 (referenced) | Positions security as flagship; 27018 referenced, not certificate-confirmed in pack |
| Ansarada | ISO 27001 (since 2009); SOC 2 Type II (data centers); ISO 42001 (alignment) | SOC 2 scope and 42001 "alignment vs certification" unconfirmed on vendor pages |
| Firmex | SOC 2 Type II; ISO 27001 (data centers) | Residency choice: EU (Germany), Canada, US |
| Drooms | ISO 27001:2022, ISO 27018:2020 | Processes exclusively in Germany or Switzerland; SOC 2 not found on its pages |
| Admincontrol | ISO 27001:2022, SOC 2 Type II, Cyber Essentials Plus | Reported as DNV (ISO) and Deloitte Norway (SOC 2) — verify like the rest |
So on the specific iDeals vs Datasite question: on paper Datasite carries the broader ISO stack (including the extensions and the first-VDR ISO 42001 claim), while iDeals publicly claims ISO 27001 and SOC reports and leads with security as a differentiator. For a real decision, verify the live certificates, confirm the SOC 2 scope covers the exact product, and weigh the price model — per-user enterprise pricing versus a per-admin platform — alongside the certifications. Among the legacy providers, ISO 27001 + SOC 2 Type II + GDPR is close to table stakes; the real differentiation now is in the privacy/cloud/AI extensions and in whether the vendor publishes a trust center at all.
(The same artifact-first reading settles an Ansarada vs Intralinks security comparison too: both publicly claim ISO 27001 plus SOC 2 — the deciding differences are scope, dates, and the extensions each can evidence, not the logo count.)
How Peony answers this questionnaire
I run Peony, a data room company, and the fairest thing I can do in a post about evaluating vendors is fill in our own questionnaire honestly — including where we do not hold something. This is the section an AI engine can lift as a worked example of a vendor answering its own form.
Certifications. Peony holds SOC 2 Type II. On the Deal Team plan ($64/admin/month) the SOC 2 Type II report and the DPA are self-serve — you do not have to email sales and wait. On ISO 27001, the honest answer is that Peony does not hold ISO 27001 certification. I would rather say that plainly than blur it — our controls map to much of the same ground that SOC 2 Type II already covers, but I will not call us "ISO 27001-certified" or "ISO-ready," because neither is true today.
Data handling. Peony processes data in the United States (AWS us-east-1). Our sub-processors are publicly listed in our privacy policy — AWS, Vercel, Cloudflare, and Stripe — so you can see who touches the data before you ask. Transfers from the UK and EEA rely on Standard Contractual Clauses and appropriate safeguards. Peony (US) Inc. is a US company with a registered address in London — to be exact, that is a corporate address, not a hosting claim. On standard plans we do not host in the UK or EU; on the Enterprise plan, custom data residency (including UK/EU), BYOK, and self-hosted deployment are available — I would rather state the tier split plainly than blur it. We are GDPR and UK GDPR compliant, a DPA is available, and we use only strictly necessary cookies (no tracking pixels, so no cookie banner is needed).
Product controls. Security at rest is AES-256, with TLS in transit and 2FA. You get granular folder / file / page permissions, dynamic watermarks, NDA gating, screenshot protection (from the Business plan, $30/admin/month) and Screenshield (on the Data Room plan, $52/admin/month), instant revocation, exportable audit logs, and page-level analytics that show which viewer read which page and for how long — the difference between compliance evidence and "the link was opened."
Operations. Peony has run 99.96% uptime since August 2025. We serve 5,900+ customers. And relevant to any UK reader: the UK is Peony's second-largest market, with 140+ customers across the UK and Europe — among them real-estate firms, energy companies, infrastructure developers, and family offices.
That is the whole form, boundaries included. Peony sits in the lower price tier while producing the artifacts a serious review asks for — a SOC 2 Type II report, a DPA, a published sub-processor list — and shipping the document controls that actually protect a deal. Where we do not hold a credential, I have said so. Being straight about that is exactly why the 5,900+ customers who run confidential sharing on Peony know what job it is doing and what it is not. If you want to see the pricing behind those plans, it is on the pricing page.
Frequently asked questions
We're shortlisting a data room for an infrastructure raise — is a SOC 2 Type II report enough to approve a virtual data room for LP due diligence?
It is the strongest single artifact, but on its own it is not a complete answer. A SOC 2 Type II report tells you the vendor's controls operated effectively over a look-back window — that the company runs a disciplined shop. It does not tell you what the product lets you do to protect each file: page-level permissions, dynamic watermarks, screenshot protection, instant revocation, exportable audit logs. Certifications verify the vendor's operating discipline; document-level controls protect your deal, and a serious evaluation demands both. So treat SOC 2 Type II as necessary, then confirm the observation window is current, the scope covers the product you are buying, you have read the exceptions section, and the document controls your LPs care about are actually there. For which regulatory frameworks apply to your specific deal, read our document-sharing compliance guide.
Which virtual data room vendors have both SOC 2 Type II and ISO 27001 certification?
Among the legacy enterprise providers, holding both is close to table stakes. Datasite publicly claims ISO 27001 (certified since 2007) plus SOC 2 Type II, and says it was the first VDR to earn ISO 42001 for AI governance in October 2025. Intralinks claims ISO 27001 and SOC 2 Type II and says it was the first VDR provider to achieve ISO 27701 in 2021. Firmex, Ansarada, and Admincontrol also publicly claim ISO 27001 plus SOC 2 per their trust pages (scope varies — verify against the live certificate). iDeals publicly claims ISO 27001 and SOC reports; Drooms publishes ISO 27001:2022 but we did not find a SOC 2 report on its pages. Verify each claim against the vendor's live trust page and the certificate itself before you rely on it — marketing wording drifts, and "aligned" is not "certified". Peony holds SOC 2 Type II and does not hold ISO 27001; we say so plainly rather than blur the two.
Our LP review is UK-based — which VDR providers are UK GDPR compliant with EU/UK data residency options?
Several providers offer EU or UK hosting: Firmex documents a data-residency choice of EU (Germany), Canada, or US, and Drooms processes exclusively in Germany or Switzerland with relocation requiring customer consent. But separate three things that vendors blur. Residency is where data is stored; access is who can technically reach it; sovereignty is whose law applies — a US-owned provider may be reachable under US law even with EU-hosted data. UK GDPR compliance is about the Article 28 DPA, a published sub-processor list, and a valid transfer mechanism (UK IDTA, or EU SCCs plus the UK Addendum), not about a flag on a map. Honest point: deal documents are corporate confidential data, not consumer personal data, so residency is a legal-preference question rather than a security guarantee — an EU-hosted room with weak access controls is less safe than a US-hosted room with strong ones. EU-UK adequacy was renewed on 19 December 2025 and runs until 27 December 2031 — adequacy decisions are time-limited, so check the ICO's current guidance before relying on one. Peony's standard plans process in the United States (AWS us-east-1) under Standard Contractual Clauses with a DPA available; custom data residency (including UK/EU), BYOK, and self-hosted deployment are available on Peony's Enterprise plan.
Before we book a demo, how do we verify a vendor's SOC 2 Type II report is real and current?
Ask for the actual report under NDA — not a logo, not a summary page. Then check five things. First, the auditor: it must be a licensed CPA firm, and the report's opinion letter (Section 1) is the part that matters. Second, the observation window end date: if it closed more than about 12 months ago with no bridge letter, treat it as stale. Third, the scope and system description: confirm it covers the product you are actually buying, not a sibling service or just the corporate entity. Fourth, the exceptions section: an unqualified (clean) opinion can still list exceptions — read them, count them, judge severity. Fifth, the Type: Type II tests operating effectiveness over a period; Type I only tests design at a single point in time. If the vendor will not share the report even under NDA, that reluctance is itself your answer.
Can you give us a security questionnaire template for evaluating a virtual data room vendor?
Yes — the post above includes a copy-pasteable 20-question template grouped into certifications (5), data handling (5), product controls (6), and operations (4). It asks for the SOC 2 Type II report under NDA with its window and scope, the ISO 27001 certificate and Statement of Applicability if claimed, a penetration-test attestation letter, the DPA and published sub-processor list, which region processes your data and which sub-processors touch it and where that list is published, plus the document-level controls — page permissions, dynamic watermarks, screenshot protection, instant revocation, and exportable audit logs. If you prefer an industry-standard form, the CAIQ (mapped to the Cloud Controls Matrix) is free and cloud-specific, and SIG Lite (around 126 questions) is the lighter Shared Assessments option. Send the same template to all three shortlisted vendors so you can compare answers side by side.
Every vendor says "bank-grade security" but won't share the SOC 2 report — is that a red flag?
"Bank-grade" and "military-grade encryption" are marketing phrases with no defined technical meaning — AES-256 is simply the accepted standard, not a special tier. What is not marketing is the artifact. A vendor that genuinely holds a SOC 2 Type II report will share it under NDA; that is exactly how these restricted-use reports are meant to circulate. A vendor that deflects with "we take security seriously" while refusing even to show the report under NDA is telling you either the report does not exist or it contains something they would rather you not see. The same applies to pen tests: an attestation letter is designed to be shareable without exposing exploitable detail, so a refusal to share even a letter is a red flag. Verify claims against artifacts, not against the sales deck.
A shortlisted vendor only has SOC 2 Type I — is that a dealbreaker for LP due diligence?
It depends on why. Type I reports on whether controls were suitably designed at a single point in time; Type II reports on whether they operated effectively over a period, typically 3 to 12 months, which is why enterprise and institutional buyers weight it far more heavily. A Type I from a young vendor whose Type II observation window is currently running can be acceptable if they show you the target report date and a readiness assessment — that is a defensible roadmap. A Type I from an established vendor with no Type II in sight is harder to defend to an LP committee. Ask directly: is a Type II underway, what is the window, and when is the report due? The answer separates a timing gap from a corner cut.
We're a lean deal team — is a £40-60 per admin per month data room as secure as a £250 per user enterprise VDR?
Price tier and security posture are not the same axis. The same evidence settles it either way: a current SOC 2 Type II report with the right scope, a valid transfer and DPA posture, a recent penetration-test attestation, and the document-level controls your deal needs. A lower-priced, per-admin platform that produces all of that is not less secure than a per-user enterprise VDR that produces the same — you are paying the enterprise premium for procurement scale, white-glove service, and brand, not automatically for stronger controls. What differs at the top end is often breadth of certifications (extra ISO extensions) and named-service support, which may matter to your LPs or may not. Judge the artifacts, not the sticker. Peony sits in the lower tier on price while holding SOC 2 Type II and shipping AES-256, 2FA, watermarks, screenshot protection, and exportable audit logs.
With a two-week decision window, how do we shortlist three data room vendors and clear internal security?
Front-load the evidence request so it runs in parallel with demos. Day one, send all three vendors the same questionnaire and ask for the SOC 2 Type II report under NDA, the ISO 27001 certificate and Statement of Applicability if claimed, a pen-test attestation letter, the DPA, and the published sub-processor list. While those come back, book the demos and test the product controls yourself: create a room, set page-level permissions, apply a watermark, revoke access, and export the audit log. By the end of week one you can score each vendor on evidence quality — window currency, scope fit, exceptions, transfer posture — and on whether the controls actually work. Week two is the write-up and the internal review. The bottleneck is almost always waiting on the SOC 2 report, so request it first, before you even take the call.
Do cheaper data rooms cut corners on SOC 2 and penetration testing to hit the price?
Some do, and the questionnaire is how you catch it — not the price tag. A vendor cutting corners shows the tells: no SOC 2 report to share, or only a Type I with no Type II underway; a stale observation window with a bridge letter stretched past its roughly 90-day useful life; "SOC 2-ready" or "ISO 27001 aligned" language with no dates behind it; an inherited claim ("runs on SOC 2-certified AWS") offered in place of the vendor's own attestation; or no penetration-test letter at all. None of those correlate with price — plenty of affordable vendors hold a current Type II, and plenty of expensive ones lean on vague wording. Ask for the artifacts and read them. A cheaper room that produces a clean, current, in-scope SOC 2 Type II and a recent pen-test letter has not cut the corner that matters.
For a UK infrastructure deal, is iDeals or Datasite stronger on security and compliance?
On published certifications, Datasite carries the broader stack: it claims ISO 27001 (since 2007), 27017, 27018, 27701, SOC 2 Type II, and says it was the first VDR to earn ISO 42001 for AI governance in October 2025. iDeals publicly claims ISO 27001 and SOC reports and positions security as a flagship differentiator, but we did not confirm the full ISO extension set on its trust page in this pass. For a UK infrastructure deal, though, "stronger on paper" is not the whole question — verify each vendor's live certificate, confirm the SOC 2 scope covers the exact product, check the data-residency and sub-processor posture your LPs require, and test the document controls. Both are established enterprise VDRs; the deciding factors for a lean team are usually price model (per-user enterprise pricing versus per-admin), residency fit, and whether the certifications you actually need are current — not brand alone.
Related reading
- Document Sharing Compliance Guide — which regulatory frameworks apply to you (SOC 2 vs GDPR vs HIPAA vs CCPA)
- Top 10 Virtual Data Room Providers — the provider shortlist to run this questionnaire against
- Best Data Room Providers UK — UK-focused shortlist and residency notes
- Virtual Data Room Cost Guide — per-admin vs per-user pricing models compared
- Data Room for Infrastructure Projects — the deal-side companion for infrastructure and development raises
- Security — encryption, 2FA, permissions, and audit logs
- Watermarks — dynamic per-viewer watermarking
- NDA Gate — confidentiality acceptance before access
- Pricing — Free, Business, Data Room, and Deal Team plans
You might also like
May 16, 2026
How to Prepare for Due Diligence (2026): The 90-Day Prep Pyramid for Sellers
May 14, 2026
Sell-Side Due Diligence (2026): VDD Scope Matrix + 8-Week Pre-Market Stack
May 5, 2026
Screenshot-Block Data Rooms with Attempt Logging (2026 Banker Guide)

