What Documents Go in a Data Room? (9-Folder Framework) in 2026

Last updated: May 2026

I run Peony, a data room platform, and over the last few years I have helped set up thousands of these — for M&A sales, fundraising rounds, VC fund LP diligence, oil-and-gas farm-outs, and real estate acquisitions. The most common question I get from first-time founders, sponsors, and even some experienced advisors is the wrong question. The wrong question is "what documents go in a data room?" The right question is "what documents go in my data room — and which checklist actually applies to me?"

The two are not the same. A seed-stage startup raising $2M from a syndicate of angels needs roughly 30 documents. A mid-market M&A sale at $200M needs 174 documents across 10 categories per Bloomberg Law's standard request list. A GP raising a $500M fund from institutional LPs needs 60-90 documents organized to the ILPA DDQ. An oil-and-gas operator running a farm-out at FEED needs about 42 documents anchored to PSC, JOA, and AFE artifacts. These are five different rooms. The generic answer "you need a data room with corporate, financial, and legal documents" is technically true and operationally useless.

This post is the decision-frame answer. You get (1) the 9-Folder Ladder Framework mapping every deal type, (2) the Document Mass Curve showing how doc count compounds by stage, (3) doc-by-doc engagement order from Peony's page-level analytics across 4,300+ customers, (4) a Deal-Type Document Delta matrix, (5) an Anti-Pattern Matrix of the five organization mistakes that delay closings, and (6) the routing layer — for each deal type, a short summary plus a link to the deep canonical checklist.

This is a routing pillar, not a 174-document listicle. If you want the listicle, the Due Diligence Data Room Checklist is where to go. If you want to know which checklist applies to you, stay here.

Quick answer: A data room contains the documents a buyer, investor, or partner needs to evaluate your company before closing a deal. Every data room — for M&A, fundraising, VC fund, real estate, or oil and gas — maps to the same 9-Folder Ladder Framework: (1) Company Overview, (2) Corporate & Governance, (3) Financial, (4) Legal & Contracts, (5) IP & Technology, (6) Team & HR, (7) Tax & Regulatory, (8) Commercial / Customer, (9) Deal-Specific Overlay. The document count ranges from ~30 (seed startup) to ~200+ (mid-market M&A) to 300+ (cross-border mega-deal). The 9 folders stay constant; what changes is what fills each folder.

TL;DR for the cluster — One universal 9-folder schema covers every deal type. 70% of the documents are the same across M&A, fundraising, VC fund, real estate, and oil-and-gas rooms (corporate + financial + legal foundation). The remaining 30% is the deal-specific overlay (Folder 9) that makes a Series A room different from an oil-and-gas farm-out. Picking the wrong checklist for your deal type adds 3-4 weeks to your timeline. Pick the right one here and route DOWN to the deep checklist that fits.

What documents go in a data room?

A data room contains the documents a buyer, investor, lender, regulator, or partner needs to verify before closing a transaction with you. That definition sounds simple, and the 9-folder ladder it produces is also simple — but the implication that follows is the source of every mistake I see.

The implication is this: the documents a buyer needs to verify are not the same as the documents your team uses to operate. A data room is not "everything we have." It is the curated, organized, controlled-disclosure subset of your operating documents that an outside party needs to evaluate a specific deal in front of them. Sellers who skip this curation step — the founder who hands over a Google Drive folder containing 4,000 files including their personal tax returns and a draft pitch deck from 2023 — fail buyers' diligence not because they are unprepared, but because they confused operating documents with deal documents.

The 9 folders I will walk through next solve that confusion. Every document either belongs in one of the 9 folders (and is a deal document) or it does not (and stays in your operating drive). The framework was built across 4,300+ customer deal rooms on Peony and matches how our AI auto-indexing categorizes uploads automatically — but the structure works whether you use Peony, Firmex, Datasite, or a manual folder tree.

The point of the 9-folder ladder is disciplined exclusion as much as disciplined inclusion. Most data room failures I see are not "the seller forgot a document." They are "the seller put 400 documents in the room and the buyer cannot find the 12 that matter." The 9-folder ladder fixes that.

The 9 folders are universal because every deal needs (a) someone to identify the company (Folders 1-2), (b) someone to verify the money (Folder 3), (c) someone to verify the obligations and assets (Folders 4-5), (d) someone to verify the people (Folder 6), (e) someone to verify the regulatory posture (Folder 7), (f) someone to verify the revenue (Folder 8), and (g) someone to verify the deal-specific facts that distinguish this deal type from every other (Folder 9). Strip any of these and the deal stalls. Add anything outside them and the buyer wastes time. We use the universal 9 — not the 8 Ellty uses or the 10 Bloomberg uses — because the deal-specific overlay (Folder 9) is precisely what makes this framework portable across M&A, fundraising, VC fund, real estate, and oil-and-gas rooms without conflating them into one bloated checklist.

How does the 9-folder ladder framework work?

Each folder has a job. Each folder is asked about by a specific reader in your deal. Each folder has a depth that scales with stage. Let me walk you through what goes in each.

Folder 01 — Company Overview. The "land here first" folder. One-pager, pitch deck (current version, not last quarter's), and a 1-2 paragraph business model summary written in plain English. Buyers and investors open this folder before any other; if it is empty or stale, they decide the rest of the room is too. For an M&A deal this folder is often called the "Confidential Information Memorandum" (CIM) folder. For a VC fundraising it is the deck + product demo. For a VC fund it is the pitch deck for LPs.

Folder 02 — Corporate & Governance. Articles of incorporation, bylaws, all board consents and minutes since formation, the full cap table (post-money, including options pool and convertibles), the subsidiary org chart, the stock ledger, and good-standing certificates for every state of operation. This is the "who exactly is this entity" folder. Buyer counsel reads it first. A founder showing up without a clean cap table is the single most common dealkiller in early-stage diligence.

Folder 03 — Financial. The folder buyers and investors spend the most time in. Three years of GAAP financials (income statement, balance sheet, cash flow), 36 months of monthly trial balance, the operating financial model with assumptions visible, AR aging and AR-by-customer, working capital schedule, and (for M&A) the Quality of Earnings report. Peony's page-level analytics consistently show this folder gets 15-18 minutes of engagement per investor session — more than any other folder.

Folder 04 — Legal & Contracts. All material contracts (customer master agreements, vendor agreements over a threshold, real estate leases), all contracts with change-of-control or assignment provisions flagged, full litigation history, insurance binders and policies, and (for M&A) the disclosure schedules. The change-of-control flagging is the part most sellers skip — and it is the part buyers' deal counsel checks first.

Folder 05 — IP & Technology. Patents, trademarks, copyright registrations, trade-secret summaries (redacted), source code escrow records, open-source license audit, founder and contractor IP assignment agreements, and any software architecture diagrams (for tech-heavy deals). Missing founder IP assignments — meaning the founder built the early product and never formally assigned the IP to the company — is the second most common dealkiller after cap table chaos. Both are corrected before the room opens.

Folder 06 — Team & HR. Org chart, all employment agreements (signed PDFs), comp plans for executives and engineering leads, equity grant agreements, 401(k) plan documents, employee handbook, and key-person life insurance policies if any. Employee-level salary data sits in stage-3 (last-bidder-only) disclosure, not stage 1.

Folder 07 — Tax & Regulatory. Three to five years of federal and state tax returns, sales tax nexus analysis (the most-forgotten tax document in SaaS deals — Wayfair fallout still bites), transfer pricing documentation if cross-border, regulatory licenses (FCC, FDA, state professional licenses, MTLs for fintechs), FCPA / OFAC policy posture, and export control classifications. In 2026 this folder now also includes AI governance documentation per Morgan Lewis's March 2026 analysis: model cards, training data lineage, and risk assessment artifacts have shifted from "competitive advantage" to "governance imperative" in DD.

Folder 08 — Commercial / Customer Data. Top-customer concentration analysis, retention cohorts, net revenue retention build (for SaaS), pipeline snapshot, top 10 active contracts (with renewal dates flagged), and any channel partner agreements. Customer NDAs sometimes require redaction here — the top-customer list itself can be stage-3.

Folder 09 — Deal-Specific Overlay. The folder that makes the 9-folder ladder portable across deal types. This is where the documents that distinguish your deal from the universal baseline live. For oil-and-gas: reserves reports (SPE-PRMS), PSC, JOA, AFEs, AIEN forms. For a VC fund: ILPA DDQ, Form ADV Parts 1 and 2A, side letter MFN summary, LP advisory committee charter. For real estate: ALTA survey, Phase I ESA, rent roll, tenant estoppels, climate risk and insurance binders. For independent sponsors: SBIC documents, capital partner credentialing memos, sponsor track record. For IPO: S-1 backup, comfort letters, MD&A drafts. The 9th folder is what most generic "data room documents" checklists conflate into the universal categories — and the conflation is why those checklists feel disorganized.

Peony's AI auto-indexing classifies uploaded documents into these 9 folders in under 3 minutes. We built the taxonomy specifically because the alternative — buyers opening an unorganized Google Drive and abandoning it — was the failure mode our customers were running into. For more on folder hierarchy decisions, see our Data Room Folder Structure Guide.

How does the document set evolve by stage?

The 9 folders stay constant. What does not stay constant is the document count inside them. I call this the Document Mass Curve.

A seed-stage startup raising $1-3M has roughly 30-40 documents in the room. A pitch deck, a one-pager, founders' IP assignments, the cap table, 12 months of bank statements, a basic financial model, the certificate of incorporation, and a handful of customer agreements if any. The Legal & Contracts folder might have four documents. The Commercial folder might have two. The Tax folder is usually three returns and a sales-tax-not-yet-required memo.

A Series A round runs 50-70 documents. The additions over seed are cohort retention data, a credible net revenue retention build, SOC 2 progress (Type I or Type II in progress), the top 5 customer master agreements, and the first formal board minutes. Folders 3 (Financial) and 8 (Commercial) gain the most density.

A Series B is 80-120 documents. Additions: cohort attribution modeling, security pentest results, audited financials (often the first audit), a real cap table with multiple convertibles and SAFEs reconciled, and 10-15 material contracts. Folder 6 (HR) now has comp band data and a real org chart.

A small-cap M&A sale ($5-50M enterprise value) runs 100-150 documents. The Bloomberg Law standard adds change-of-control flagging across all material contracts, the working capital schedule, a Quality of Earnings report from a buy-side or sell-side accounting firm, full IP portfolio audit, and the disclosure schedules. Per the SRS Acquiom 2025 Deal Terms Study covering 2,200+ deals at $505B in aggregate value, more than 75% of these deals include a special-purpose escrow for the purchase price adjustment — and the back-up documentation for the working capital target is now mandatory in the room from day one.

A mid-market M&A sale ($50-500M) runs 174+ documents — the Bloomberg Law baseline. Schedules expand. The disclosure schedule alone runs 20-40 pages. RWI back-up is now standard. Per the Fasken analysis of SRS Acquiom's 2026 study, sellers are giving cybersecurity reps materially less often year-over-year, which means buyers are pushing more cyber DD into the room itself — adding SOC 2 Type II, penetration test results, and incident-response policy documents to the standard set. The 2026 SOC 2 Trust Services Criteria updates (Konfirmity 2026 update) added AI controls and revised points of focus, which is now showing up as additional documentation in the cyber section.

A mega-deal or cross-border M&A runs 300+ documents. Antitrust filings (HSR, CMA, EU merger control), foreign investment review (CFIUS, FIRB, EU FDI), the EU AI Act high-risk requirements effective August 2026 (Korix AI Compliance Checklist 2026) add model cards, training data lineage, and risk assessments to the IP & Technology folder. The BIOSECURE Act, signed into law December 18 2025 as part of the FY2026 NDAA (Sidley Austin, December 2025; Baker McKenzie, January 2026), adds supplier disclosure, Section 1260H designation tracking, and multiomic data practices to bio M&A diligence — a new doc category that did not exist 18 months ago.

The takeaway: the 9 folders are universal but folder mass scales aggressively with stage. Routing yourself to the right deep checklist before you start building the room saves three to four weeks of misalignment. The next section is the routing layer.

What is the document checklist by use case?

This is the routing H2. Each deal type below gets a 150-200 word summary plus a link DOWN to the canonical deep checklist Peony has already published. If you have read this far and you know your deal type, jump to the right sub-section and click through.

M&A due diligence data room (sell-side, buy-side)

The M&A baseline is Bloomberg Law's 174-document standard across 10 categories. In practice a mid-market sale fills 5,000 to 50,000+ pages across those 174 document types. The 2026 changes worth flagging: the SRS Acquiom 2025 Deal Terms Study (2,200+ deals at $505B) shows more than 75% of deals now include a special-purpose escrow for purchase price adjustments — meaning the working capital target methodology and its back-up belong in the room from day one. Average due diligence time is now 203 days per the Bayes Business School study, up 64% from a decade earlier. RWI's reshaping of rep survival periods, materiality scrapes, and indemnification mechanics (SRS Acquiom RWI findings) changes which documents matter and when. What distinguishes an M&A room from a fundraising room is the disclosure schedule, the RWI back-up, the QofE, and change-of-control flagging across material contracts.

→ See the Due Diligence Data Room Checklist (174 Documents) for the complete list, or Best M&A Data Rooms for platform-level comparison.

VC fund data room (GP raising from LPs)

A VC fund data room is built for institutional LP diligence — pension funds, endowments, family offices, fund-of-funds. The standard is 60-90 documents across 12-14 ILPA-aligned folders. The anchor artifact is the ILPA Due Diligence Questionnaire, and the supporting documents include Form ADV Parts 1 and 2A, side letter MFN summaries, LP advisory committee charter, valuation methodology memo, ESG policy, and prior fund performance attribution. ILPA's own data shows 73% of institutional LPs start their evaluation by reviewing the data room before any direct conversation with the GP. The Form ADV Part 2A — the plain-English brochure — is the most-read document in the fund room, not the LPA itself. The deal-specific overlay (Folder 9) here is the entire ILPA artifact set; the rest of the 9-folder ladder (corporate, financial, team) carries the GP entity and its principals.

→ See the VC Fund Data Room Checklist (LP DDQ) for the ILPA-aligned breakdown, or Early-Stage European VC Funds for the geography-specific overlay.

Startup fundraising data room (founder raising from VCs)

A startup fundraising room runs 50-70 documents across 8 categories — lighter than the M&A baseline because the institutional friction is lower and the evaluation is forward-looking, not historical-verification. The dominant documents in the room are the cap table (including SAFE schedule and option pool), the financial model with monthly projections, founder and contractor IP assignments, the top customer contracts if any, and the pitch deck itself. CB Insights' analysis of why startups fail ranks "ran out of cash" as the top reason — and 68% of failed early-stage rounds cite incomplete data room documentation as a contributing factor in slowed close cycles. Series A versus seed adds cohort retention, NRR, and SOC 2 progress; Series B adds audited financials and a security pentest. The founder-most-likely-failure-mode I see is putting personal financial information (founder tax returns) in the room — those belong in an e-sign flow with the lead investor, not the data room.

→ See the Startup Data Room Checklist (60-document standard) for the seed-through-Series-A list, or How to Convert a Pitch Deck to a Data Room for the migration path.

Real estate due diligence (acquisition, portfolio)

A real estate data room runs 80+ documents across 7 categories. The deal-specific overlay (Folder 9) is the largest of any deal type — it includes the ALTA survey, Phase I Environmental Site Assessment (and Phase II if any findings), rent roll, tenant estoppels, lease abstracts, title commitment, property tax records, and (since 2020) climate risk and insurance documentation. Florida and California insurance premiums on commercial real estate have risen 200-400% since 2020, which means the insurance binder section now requires multi-carrier quotes and a forward-looking premium projection — a documentation category that did not exist in 2019. The Phase I ESA is often the gating document: a finding here can block the deal or trigger a Phase II, and buyer counsel reads it before anything else. Climate risk overlays (transition risk, physical risk, FEMA flood zone) are increasingly mandatory at institutional scale.

→ See the Real Estate Due Diligence Checklist for the property-specific list.

Oil and gas / energy data room (upstream, midstream, LNG)

An oil-and-gas data room runs 42 documents across 12 canonical folders, anchored to the SPE-PRMS reserves classification, NI 51-101 (in Canada) or SEC Industry Guide 7 (in the US), and the joint operating agreements: PSC (Production Sharing Contract), JOA (Joint Operating Agreement), AFEs (Authorization for Expenditure), and AIEN forms. The file mass scales from about 5GB at FEED to 80-200GB at FID — most of it 2D/3D seismic data, log files, and core analysis. Access tiering matters here more than any other deal type: the 4-tier farm-out access model (Tier 1 teaser, Tier 2 CA-gated technical, Tier 3 priced bidders, Tier 4 winner-only datasets) is how operators control disclosure on deals worth $50M-$2B. Generic data rooms cannot do this; the deal-specific overlay (Folder 9) plus tiered access (Peony's NDA gates) is the operational stack.

→ See the Oil and Gas Data Room Checklist for the upstream stack, or Best Data Room for Oil & Gas Companies for platform comparison.

Independent sponsor / capital partner data room

An independent sponsor (IS) data room is unusual — capital partners evaluate both the deal and the sponsor at the same time. The structure is 42 documents across 3 categories: sponsor credibility (track record, references, prior deal docs), deal foundation (standard M&A diligence subset on the target), and structure and economics (proposed equity check, GP/LP economics, carry waterfall, working capital reserve, control rights). About 12 of those 42 documents are absent from standard M&A checklists — and missing them is the single most common reason capital partners pass on an IS deal at the indication-of-interest stage. The deal-specific overlay (Folder 9) here is the sponsor track record file plus the proposed deal economics memo. SBIC-funded deals add a separate SBIC documentation set including SBA Form 2181 financial information.

→ See the Independent Sponsor Data Room Checklist for the 3-stage breakdown.

IPO / S-1 data room

We do not yet have a deep IPO checklist on Peony, but the structure is well-defined: 3 years of audited financials, comfort letters from the auditor, S-1 backup including all underlying source documents for every numeric and narrative claim in the prospectus, MD&A drafts, lawyer-tracked disclosures, peer comp analysis, the FAST Act confidential submission package, and (since the SEC's 2024 AI disclosure guidance) AI use disclosures and model card documentation for any AI products. For now, the M&A DD checklist is the closest baseline, plus the S-1-specific overlay above.

What documents change by deal type?

This is the Deal-Type Document Delta frame. About 70% of the documents in any data room are the same across deal types — the universal foundation. The remaining 30% is what makes the rooms different.

The universal 70% lives in Folders 1-8: Company Overview, Corporate & Governance, Financial, Legal & Contracts, IP & Technology, Team & HR, Tax & Regulatory, Commercial / Customer. Every deal type needs these. Every deal type asks the same questions of them — who is this entity, how do the numbers work, what are the obligations and assets, who are the people, what is the regulatory posture, what is the revenue picture.

The deal-specific 30% lives in Folder 9 and in which folders dominate in mass. Here is the matrix:

The pattern reveals itself: each deal type has two or three dominant folders and one deal-specific overlay. Confusing this dominance pattern is the structural reason public checklists like Ellty's stitch together seven deal types into one bloated post that fails any single deal. Each deal type needs its own room with its own dominance pattern and its own Folder 9. The 9-folder ladder is the universal structure; the dominance pattern is what makes one room different from another.

The implication for organization: when you set up the room, populate the dominant folders first (financial + commercial for fundraising; legal + financial for M&A; legal + tax for real estate). Buyers and investors land in those folders first. The other folders need to be complete, but they will not get read with the same depth.

What investors actually read first (Peony page-level analytics)?

This is the What Investors Actually Read First frame, built from Peony's page-level analytics across 4,300+ customer rooms. Every page open is logged, every dwell duration is measured, every return visit is counted. The aggregate pattern across thousands of investor sessions is consistent enough to plan against.

The order, by average time-on-document per investor session in fundraising rooms:

1. Financial model — 15-18 minutes average. The single highest-engagement document in any fundraising room. Investors open the model, scroll the assumptions tab, then jump to the cohort sheet, then jump back to the summary P&L. They build their own version in parallel. If the model is hidden three folders deep, they will not find it on first open and you will lose the early-stage engagement signal.
2. Cap table — 8-12 minutes average. The second-most-read document. Investors check pre-money, post-money, option pool, all convertibles and SAFEs reconciled. A cap table inconsistency (where the SAFE schedule does not reconcile to the post-money) ends conversations.
3. SAFE / convertible schedule — 4-6 minutes. The reconciliation document. Goes hand-in-hand with the cap table.
4. Top customer contracts — 3-5 minutes per contract. Investors read the top 3-5 contracts in full. They check renewal dates, termination provisions, MFN clauses, exclusivity.
5. IP assignments — 1-2 minutes. Investors look for the founder IP assignment in particular. A missing founder IP assignment is a five-second "no."

Everything else gets skimmed. The pitch deck is read selectively. The team page typically gets 2-30 seconds. The legal folder gets opened to confirm contents and then closed.

The implication is direct: front-load the financial model and cap table in Folder 1 or Folder 3, with clear naming. Do not bury them. Do not ship them as 14-tab Excel files without a "READ THIS FIRST" tab. Investors are scanning for the signal you want them to see; make it findable in the first 30 seconds.

This is also what our AI auto-indexing and surface-order recommendations are optimized for. When Peony classifies your uploads into the 9-folder ladder, it also surfaces the documents most likely to be opened first — the financial model gets a "recommended at top" treatment even if you uploaded it last. For more on what investors are looking for in the room itself, see Data Room for Investors.

What should NOT go in a data room?

Direct answer: the documents your buyer or investor does not need to see, OR cannot legally see, OR should not see at this stage of disclosure.

The specific anti-list:

• Personal financial information of investors, lenders, or counterparties. This includes K-1s, individual tax returns, personal balance sheets. These belong in an e-sign workflow (Adobe Sign, DocuSign) tied to the investment subscription, not in the open data room. Mixing them creates a privacy mess and contaminates the room's audit trail.
• Working drafts of board minutes or agreements. Ship only clean, executed final versions. The version-chaos folder (final_v3_FINAL_USE_THIS.pdf) damages credibility. If a draft is the only thing you have, mark it "Draft — for indicative review only" in a header and timestamp it.
• Confidential employee comp / individual salary data. Move to stage 3 (last-bidder-only) disclosure. Aggregate comp band data can go in stage 2; individual line items wait until exclusivity.
• Personal email threads between founders, partners, or counsel. These are operating documents, not deal documents. Mixing them into the room turns the room into discoverable material in a future dispute. Keep them in your operating drive.
• HR investigation files and litigation hold materials. Litigation hold is a separate evidence preservation system with its own retention requirements. Mixing these into the room creates legal hold contamination and discovery problems.
• Pre-LOI buyer NDAs from competitors. If a competitor signed an NDA earlier in the process, do not let the active bidder see who signed. This belongs in your CRM or in a separate access-controlled folder.
• API keys, credentials, or production access tokens. Ever. Even in stage 3. Even with the winner. Production credentials transfer at close via secret rotation, not in the data room.
• Trade secrets you would not patent. If something is a true trade secret (the Coca-Cola recipe class of confidential), it does not go in the room as a document. A redacted summary memo and a description of access controls go in. The actual artifact stays behind a separate clean-team confidentiality wall.

For each item the rule is: ask "does the buyer need this document, or do they need the information in this document?" If they need the document itself, it goes in the room. If they need the information, give them the information through a different channel (memo, e-sign, clean team review). For more on staging disclosure correctly, see How to Set Up a Data Room.

What are the most common organization mistakes?

This is the Anti-Pattern Matrix — five structural organization mistakes (not document-content mistakes) that delay closings. The deep DD post already covers document-content mistakes (missing IP assignments, sales tax nexus oversights). The five below are about how the room is structured, not what is inside it.

Mistake 1: One mega-folder called "All Documents" (or worse, no folders at all). A flat dump of 200+ files in one root folder is unnavigable. Buyer counsel cannot find what they were sent to verify, asks the seller to "send the cap table separately," and the room loses its purpose. Fix: enforce the 9-folder ladder from day one. Even if a folder has only one document, the folder structure tells the buyer what is in the room and what is not. Peony's AI auto-indexing builds the 9-folder structure automatically from your uploads.

Mistake 2: Version chaos (final_v3_FINAL_USE_THIS.pdf). Multiple versions of the same document with no clear authority kills credibility on first open. The buyer's counsel reads "FINAL_USE_THIS_v4" and asks which one is actually final. Fix: ISO date naming (2026-05-financial-model.xlsx) and a strict "replace, do not append" workflow. When you update a document, you replace it. The audit log retains version history; the visible filename does not show it.

Mistake 3: Single access tier for all viewers. Everyone — Tier 1 unqualified prospect, Tier 2 NDA-signed bidder, Tier 3 final negotiating party — sees the same room. This is a leak waiting to happen and a competitive intelligence gift to the wrong bidder. Fix: 3-stage disclosure with hard gating. Phase 1: company overview, high-level financials, corporate structure (qualified parties). Phase 2: full financials, material contracts, customer data, IP documentation (post-NDA shortlist). Phase 3: employee-level data, sensitive comp, disclosure schedules (final bidder only). Peony's NDA gates, dynamic watermarking, and per-folder permissions enforce this natively.

Mistake 4: No "what's here" README at folder root. A buyer counsel opens Folder 04 (Legal & Contracts) and sees 23 PDFs with cryptic filenames. There is no summary explaining what is in the folder, what is intentionally not in the folder, and where the key documents are. Counsel spends 20 minutes orienting before reading. Fix: a 2-paragraph README at the root of each of the 9 folders, listing what is in scope, what is out of scope (and why), and where the 3-5 most important documents are. The README adds 5 minutes of seller prep and saves 20 minutes per reader per folder.

Mistake 5: Conflating workflow documents with evidence documents. Q&A threads, request logs, redline tracking, and counsel-to-counsel correspondence get dumped into the diligence folders. These are workflow artifacts, not evidence. They contaminate the audit trail and confuse buyers who expect each folder to contain documents the company is attesting to — not negotiation byproducts. Fix: keep Q&A workflow in a separate Q&A surface (Peony has one built in; Datasite and Firmex have one too). Diligence folders contain attested evidence only.

These five mistakes are organization mistakes — they have nothing to do with whether you remembered the IP assignments or the working capital schedule. They have to do with whether the room is usable once the right documents are in it. Get the structure right and the room becomes a closing accelerator. Get the structure wrong and the room becomes a closing tax. For more, see How to Set Up a Data Room and our Data Room Folder Structure Guide.

How does Peony help organize your data room?

This is a soft pitch — not a mid-post hard sell. If you have read this far you have the framework whether or not you use Peony.

That said: I built Peony because the friction of organizing the room manually was the most-cited pain point our early users described. Here is what we ship that addresses that friction.

AI auto-indexing. Upload a folder of mixed documents and our model classifies each file into the 9-folder ladder in under 3 minutes. The taxonomy in this post is the taxonomy our model uses. It is not perfect — about 8% of files need manual reclassification — but it removes the worst of the "where does this go" friction.

Page-level analytics. Every page open, every dwell duration, every return visit logged across 4,300+ customer rooms. You see which bidder spent 14 minutes on the customer-concentration analysis and returned twice. You see who opened the room and stopped at the financial model. The analytics frame in this post (cap table + financial model dominate) is built from this data set.

Staged disclosure. Per-folder permissions, NDA gates that require signature before document access, dynamic watermarks that burn the viewer's identifier into every page, and screenshot protection that blocks and logs capture attempts. The 3-stage disclosure mistake (Anti-Pattern #3) cannot happen on Peony — the gating is enforced by the platform.

Pricing. Free tier ($0) for early-stage rooms with up to 5 visitors per deal. Business plan at $40 per admin per month adds the full analytics stack, NDA gates, screenshot protection, and dynamic watermarks. Compare to legacy enterprise VDRs (Datasite, Intralinks) at $15K-$50K+ per deal. See our Virtual Data Room Cost Guide for the full pricing matrix or visit our pricing page for the current plans.

Honest caveat. If your buyer is a sovereign LP, bulge-bracket counsel on a $5B+ deal, or a regulator with a Datasite mandate, you may not have a choice. Datasite by name is a procurement requirement in some workflows and we will not pretend otherwise. For everyone else — and that is the vast majority of M&A, fundraising, VC fund, real estate, and oil-and-gas rooms — Peony fits.

Frequently asked questions

What is a data room and what documents does it contain?

A data room is a secure online repository where companies share the documents a buyer, investor, lender, or partner needs to evaluate the company before closing a transaction. Every data room — for M&A, fundraising, VC fund, real estate, or oil and gas — maps to the same 9-folder ladder: Company Overview, Corporate & Governance, Financial, Legal & Contracts, IP & Technology, Team & HR, Tax & Regulatory, Commercial / Customer, and a Deal-Specific Overlay. What changes between deal types is what fills each folder, not the structure. The 9 folders are universal; the depth and the deal-specific overlay (Folder 9) are what make any one room different from another.

How many documents go in a data room?

The count ranges from about 30 documents (seed-stage startup) to 300+ (mega-deal cross-border M&A). Peony's internal data and Bloomberg Law's standard M&A diligence checklist put a mid-market M&A data room at 174 document types across 10 categories. A Series A round runs 50-70. A Series B runs 80-120. A VC fund raising from LPs runs 60-90. An oil-and-gas farm-out runs 42 in 12 folders. The 9 folders stay constant; depth scales with stage and deal type.

What is the difference between a data room for M&A vs fundraising?

An M&A data room is built for a controlled-disclosure transaction with a defined closing date — it emphasizes the Legal & Contracts folder (change-of-control flags, disclosure schedules, RWI back-up) and a Quality of Earnings analysis. A fundraising data room is built for ongoing investor evaluation — it emphasizes Financial (model + cap table) and Commercial (customer cohorts, NRR). The 7 universal folders are identical; the M&A overlay adds disclosure schedules and the fundraising overlay adds cohort attribution and pipeline detail. The 9-folder ladder is the same; what changes is which folders dominate in mass and depth.

Which documents do investors read first?

Across Peony's 4,300+ customers, the doc-by-doc engagement order is consistent: financial model first (15-18 minutes average per investor session), then cap table (8-12 minutes), then SAFE / convertible schedule (4-6 minutes), then top customer contracts (3-5 minutes per contract), then IP assignments (1-2 minutes). Investors skim everything else. The pitch deck is read selectively; the team page typically gets under 30 seconds. Front-loading the financial model and cap table in the first folder open is the single highest-ROI organization decision for fundraising rooms.

What documents should I NOT put in a data room?

Three categories never belong in the room. (1) Personal information — investor financial statements, founder personal tax returns, employee individual salary lines — move to an e-sign workflow instead. (2) Working drafts — version chaos (final_v3_FINAL.pdf) kills credibility; ship only clean, signed final versions. (3) Litigation hold and HR investigation files — these belong in a separate evidence preservation system; mixing them into the room creates discoverability risk. Stage 3 disclosure (last-bidder-only) is the right home for sensitive comp data and customer churn analysis. API keys and production credentials never go in the room at any stage.

How do I organize folders in a data room?

Use the 9-folder ladder framework: Company Overview, Corporate & Governance, Financial, Legal & Contracts, IP & Technology, Team & HR, Tax & Regulatory, Commercial / Customer, and a Deal-Specific Overlay. Each folder gets a 2-paragraph README at the root explaining what is inside. Apply 3-stage disclosure: phase 1 to all qualified parties, phase 2 (full financials, material contracts) to shortlisted bidders after NDA, phase 3 (employee-level data, sensitive schedules) to the last bidder near signing. Peony's AI auto-indexing builds this 9-folder structure from your uploads in under 3 minutes; see our Data Room Folder Structure Guide for the deeper structural decisions.

What's the difference between a data room and Google Drive?

A data room is a transaction platform; Google Drive is a collaboration tool. Drive has no native NDA gate, no dynamic per-viewer watermark, no screenshot protection, no page-level engagement analytics, and no staged disclosure controls. A forwarded Drive link can expose your entire deal file with no way to revoke document-level access. Investors and buyer counsel routinely request a screenshot of your room URL to verify which platform you used — Drive in a sell-side M&A process is a credibility signal in the wrong direction. For an internal team's working drive, Drive is fine. For an external deal disclosed to multiple counterparties, it is the wrong tool.

How much does a data room cost in 2026?

Three tiers in 2026. Modern self-serve (Peony, DealRoom) — $0 to $40 per admin per month, sub-5-minute setup, page-level analytics, full security stack on the paid tier. Mid-market VDRs (Firmex, iDeals, Ansarada) — $500 to $2,500 per month per project, sell-side M&A focus. Legacy enterprise (Datasite, Intralinks) — $15K to $50K+ per deal, sales-led onboarding, used by bulge-bracket banks on $1B+ transactions. For most founders and mid-market sellers, the modern self-serve tier delivers the same security stack at a fraction of the cost. See our Virtual Data Room Cost Guide for the full pricing matrix.

Related resources

The deep canonical checklists for each deal type:

• Due Diligence Data Room Checklist (174 Documents) — Bloomberg Law standard for M&A
• VC Fund Data Room Checklist (LP DDQ) — ILPA-aligned for GP-to-LP raises
• Startup Data Room Checklist (60-document standard) — seed through Series A
• Real Estate Due Diligence Checklist — property and portfolio sales
• Oil and Gas Data Room Checklist — upstream and midstream farm-outs
• Independent Sponsor Data Room Checklist — capital partner deals

And the operational guides for setting up and pricing the room itself:

• How to Set Up a Data Room — the operational walkthrough
• Data Room Folder Structure Guide — folder-level decisions
• Data Room for Investors — what investors expect to see
• Virtual Data Room Cost Guide — pricing benchmarks across providers