
Reg D Data Room: 506(b) vs 506(c) Implications (2026)

Co-founder and CEO at Peony. I built the data room platform with a background in document security, file systems, and AI. Founded Peony in 2021 in San Francisco.

Reg D Data Room: How 506(b) vs 506(c) Changes Your Setup

Last updated: June 2026

Quick answer: The Reg D exemption you pick rewires your data room. Under Rule 506(b) you cannot advertise and can only sell to pre-existing relationships, so your room's access scoping is compliance-load-bearing — over-exposing materials (a public link, a forwardable share) can be argued as general solicitation and break the exemption — and because 506(b) allows up to 35 non-accredited but sophisticated purchasers who require near-registered-offering disclosure, you need at least two permission tiers. Under Rule 506(c) you may advertise freely, but every purchaser must be accredited and you must take "reasonable steps to verify" (self-certification is not enough), so your room becomes a secure verification-evidence vault for sensitive PII — and the March 12, 2025 SEC no-action letter added a high-minimum-investment + written-representation path that changes what you collect. File Form D on EDGAR within 15 days of first sale either way. The cluster principle: a PPM discloses; the data room proves.

Reg D Rule 506(b) vs 506(c) compared: general solicitation, who can invest, verification standard, and the data-room implication of each path

I run Peony, a data room platform used by thousands of issuers, fund managers, and their counsel to run private capital raises. Over the past two years I've watched a specific mistake repeat: a founder or GP picks a Reg D exemption based purely on whether they want to advertise — and then builds the data room as if the exemption choice doesn't touch it. It does. The exemption you claim under Regulation D quietly dictates how your room must be permissioned, who can be let in, what evidence you have to collect, and how exposed your materials can be before you've created a securities problem.

This is a general-issuer guide — for any company, real-asset sponsor, or fund running a Reg D raise. If you are specifically an independent sponsor raising deal-by-deal from capital partners, the 506(b)/506(c) mechanics are the same but the workflow around them is different; our Independent Sponsor Guide covers that persona end to end (including the same March 2025 verification change in its regulatory section). Here I stay on the general issuer and, more importantly, on the data-room implications of the choice — the part most explainers skip.

A quick but necessary disclaimer: this is educational, not legal advice. Reg D is technical and state law adds wrinkles. Confirm everything below with your securities counsel.

This post is a spoke in our private-placement cluster. For the full room build, see Private Placement Data Room (the hub) and How to Set Up a Private Placement Data Room; for the offering document itself, see Private Placement Memorandum.


What is the difference between Reg D 506(b) and 506(c) for a general issuer?

Regulation D is a set of safe harbors under Section 4(a)(2) of the Securities Act — the statutory exemption for transactions "not involving any public offering." Claiming Rule 506(b) or 506(c) lets you raise an unlimited amount of capital privately without registering the securities with the SEC. The two rules differ on one axis with cascading consequences: advertising versus verification.

| Dimension | Rule 506(b) | Rule 506(c) |
| --- | --- | --- |
| General solicitation | Prohibited — no advertising; pre-existing, substantive relationships only | Permitted — advertise the offering openly |
| Investor eligibility | Accredited + up to 35 non-accredited but sophisticated purchasers | All purchasers must be accredited |
| Verification standard | Issuer may rely on investor self-certification | Issuer must take "reasonable steps to verify" (self-cert not enough) |
| Disclosure floor | Heightened (near-registered) if any non-accredited investor participates | Lighter — accredited audience only |
| Form D | EDGAR, within 15 days of first sale | EDGAR, within 15 days of first sale |

A note on who counts as accredited: for individuals, that generally means income over $200,000 (or $300,000 jointly) in each of the last two years with a reasonable expectation of the same this year, or net worth over $1 million excluding the primary residence, or holding an active Series 7, 65, or 82 license. Entities have their own tests.

The practical read: 506(b) is the lighter operational path for issuers who already have an investor network, which is why the SEC's data shows it dominates — roughly $259B raised under 506(b) versus about $16B under 506(c) in the SEC's July 2022–June 2023 reporting window, about 16 to 1. 506(c) is the path for issuers who want to market publicly and are willing to take on verification. Now to the part that actually changes your room.

Why does the 506(b) general-solicitation ban change how you set up your data room?

This is the non-obvious one, and it's where issuers get hurt. Under 506(b), the ban on general solicitation isn't just about not buying ads — how you expose your offering materials is itself part of staying inside the exemption.

Here's the trap. 506(b) requires that you offer only to people with whom you (or your placement agent) have a pre-existing, substantive relationship. If your data room sits behind a publicly guessable or indexed link, or you send one "forward this to anyone interested" link, or your deck ends up somewhere strangers can find it, the SEC (or a plaintiff) can argue you offered securities to the general public — which is exactly what 506(b) forbids. Lose that argument and you can lose the exemption for the whole offering. The over-exposure, not the content, is the violation.

So in a 506(b) raise, access scoping is compliance-load-bearing, not a convenience. Concretely:

  • Gate the room behind an NDA with built-in e-signature so nobody sees materials before signing and identifying themselves.
  • Issue per-recipient links, not one public link: personalised links tie each invitation to a known, pre-existing relationship.
  • Kill forwarding and casual sharing: link expiry, password protection, and disabled downloads keep materials from leaking to people you never invited.
  • Keep an access log — a page-level analytics and audit-trail record of who you invited, when, and what they saw is your evidence that distribution stayed inside your relationship network.
  • Revoke instantly if a link escapes its intended recipient (revoke access).

On Peony all of that is native, and the audit trail is the part counsel cares about: if anyone later questions whether your 506(b) offering was improperly solicited, you can show that access was scoped to named, pre-existing relationships from day one. (Confirm your distribution plan with counsel — they may want a documented relationship-vetting step before invitations go out.)

How do you handle non-accredited but sophisticated purchasers in a 506(b) data room?

506(b) is the only Rule 506 path that lets in non-accredited investors — up to 35 of them — and that permission comes with a string that reshapes your room.

Each non-accredited purchaser must be sophisticated: capable of evaluating the merits and risks of the investment, alone or with a purchaser representative. And here's the consequence most issuers miss — if even one non-accredited investor participates, the issuer must furnish substantial disclosure approaching a registered offering (audited financials and detailed offering information), not the lighter package accredited investors will accept. Accredited-only 506(b) deals don't trigger that floor.

That means your data room needs at least two permission tiers:

  1. Accredited-investor view — the standard offering set (PPM, subscription documents, financials, cap table, key contracts).
  2. Non-accredited-sophisticated view — everything above plus the heightened, registered-offering-level disclosure set.

On Peony you build this with granular per-file and per-folder permissions and saved permission groups, so the right tier automatically sees the right documents — and, just as important, you can prove per investor exactly what disclosure was made available to whom. That per-investor record is the defensible artifact if anyone later asks whether a non-accredited purchaser got the disclosure they were owed.

One honest planning note: many issuers simply restrict a 506(b) round to accredited investors only precisely to avoid the heightened-disclosure obligation. That's a legitimate choice — make it deliberately with counsel rather than discovering the disclosure floor after you've already let a non-accredited investor in.

What does the 506(c) verification-evidence vault need to hold?

Switch to 506(c) and the room's job changes entirely. You may now advertise — but every purchaser must be accredited, and you must take "reasonable steps to verify" it. The SEC has been explicit: a checked box on a questionnaire (self-certification) does not satisfy 506(c). That single requirement turns your data room into a secure verification-evidence vault.

The principal verification methods are documentary:

  • Income test: the investor's tax forms (e.g., IRS forms reporting income) for the two most recent years, plus a written representation that they reasonably expect to meet the threshold in the current year.
  • Net-worth test: bank and brokerage statements plus a credit report, dated within the prior three months, supporting net worth over $1M excluding the primary residence.
  • Third-party confirmation: a written letter from a registered broker-dealer, SEC-registered investment adviser, licensed attorney, or CPA confirming accredited status, typically dated within the prior three months.

Every one of those is sensitive personal financial information. Handling it over email is a liability you don't want. The room becomes the controlled intake and evidence log: each investor's documents land in a per-investor folder only you and that investor can see, wrapped in access controls, with every open recorded. On Peony that means dynamic watermarks and screenshot protection (Data Room tier) on anything displayed, per-investor isolation so no one sees another's financials, and a complete audit trail.

The boundary to be precise about: Peony stores, isolates, and logs this evidence and gates access to it — it does not itself verify accreditation. The verification determination is the issuer's (or its verification provider's, broker-dealer's, or counsel's). The room makes that determination defensible by preserving exactly what was collected and controlled; it doesn't make the call for you. More on that boundary below.

What did the March 2025 SEC no-action letter change for 506(c) verification?

This is the freshest development, and it's under-covered. On March 12, 2025, the SEC issued a no-action letter (sought by Latham & Watkins) that added a high-minimum-investment path to "reasonable steps to verify" under 506(c).

In substance: if an investor commits at least a high minimum dollar amount and provides written representations that (a) they are accredited and (b) their investment is not financed by a third party for the purpose of making this investment, the issuer may treat that combination as a reasonable step to verify — without collecting the full folder of tax returns, brokerage statements, and third-party letters. The logic is risk-based: an investor able and willing to write a very large check, who represents in writing that they're accredited and self-funded, presents a low risk of actually being non-accredited.

For your data room, this changes what you collect, not whether you verify. For qualifying large-check investors, you can capture a signed written representation (e-signed inside the room) instead of a stack of sensitive financial PII — which both shrinks your intake burden and reduces the amount of sensitive data you're on the hook to secure. It does not eliminate verification, and it changes nothing for 506(b).

Two cautions, because counsel will read this: it's a no-action position, not a rule change, and the specific dollar threshold and exact representation language are details to lock down with your securities counsel before you rely on this path.

When do you file Form D, and what does the data room have to do with it?

Under both 506(b) and 506(c), you must file a Form D with the SEC on EDGAR within 15 days after the first sale of securities in the offering. Form D is a short notice filing — issuer identity, the exemption claimed, offering size, and similar facts — not a disclosure document like a PPM.

Your data room doesn't file Form D for you, but it supports the filing two ways. First, a well-organised room with subscription documents and a timestamped audit trail gives you a clean record of when the first sale actually occurred — the event that starts the 15-day clock. Second, capturing subscription agreement e-signatures inside the room (Peony e-signatures) timestamps execution, so you're not reconstructing dates from email threads months later. Diarize the deadline with counsel: a late or missed Form D can jeopardise your ability to rely on the exemption in some states, even where the federal exemption itself survives.

Which exemption should you choose, and how does it change your room?

Decision shortcut for a general issuer:

  • Choose 506(b) if you already have a network of investors you have pre-existing relationships with and you don't need to market publicly. Your room must then be tightly access-scoped (NDA gate, per-recipient links, no public/forwardable links, full audit trail) and run at least two permission tiers if you'll admit any non-accredited sophisticated purchasers.
  • Choose 506(c) if you want to advertise the raise (website, demo day, broad outreach) and can take on verification. Your room must then function as a verification-evidence vault: per-investor folders, watermarking and screenshot protection on sensitive PII, and a clean evidence log — with the March 2025 written-representation path as a lighter option for large-check investors.

The through-line is the cluster's organizing idea: a PPM discloses; the data room proves. The private placement memorandum makes your disclosures; the room is the system of record that proves access stayed scoped (506(b)) or that verification evidence was collected and controlled (506(c)). Build the room to match the exemption, not the other way around.

How does Peony support a Reg D private placement without verifying accreditation itself?

Be wary of any platform that claims it "verifies accredited investors" — under 506(c) that determination is a legal call, usually made with a verification provider, broker-dealer, RIA, attorney, or CPA. Peony does not verify accreditation. What it does is run the entire room around your offering:

Pricing: Peony Business at $30/admin/month covers NDA gating, e-signatures, analytics, link expiry, password protection, and instant link-level revoke — enough for a tightly scoped 506(b) raise to accredited investors. Peony Data Room at $52/admin/month adds dynamic watermarks, screenshot protection, granular per-file permissions, and single-viewer instant revoke — the controls you want when a 506(c) room is holding tax returns and brokerage statements. Either way, the accreditation determination stays with you and your counsel; the room makes it defensible.

The bottom line

The Reg D exemption you choose is a data-room decision as much as a legal one:

  1. 506(b) — no advertising, pre-existing relationships only, up to 35 non-accredited sophisticated purchasers. The room must be access-scoped (compliance-load-bearing) and run ≥2 permission tiers.
  2. 506(c) — advertise freely, all accredited, "reasonable steps to verify" (self-cert not enough). The room becomes a verification-evidence vault for sensitive PII — with the March 2025 high-minimum + written-representation path as a lighter option.
  3. Both: Form D on EDGAR within 15 days of first sale.

Build the room to fit the exemption, gate and log everything, and remember the platform secures and proves — it doesn't verify. A PPM discloses; the data room proves.
