Virtual Data Room Security: The Ultimate Guide

Using virtual data rooms (VDR) is a matter of operational agility for a business. They allow working with international partners, simplify paperwork, and provide the necessary mobility for users. However, in the modern digital world, that’s not enough.

First and foremost, a VDR has to be secure. To process tons of sensitive, confidential, or even classified information, VDRs should be protected from data leaks and hacking attacks. But how can you tell if the VDR you’re about to use is secure? Well, there are several factors that can demonstrate if it’s protected, and we’ve gathered them here.

What makes a virtual data room secure?

A safe data room creates a secure environment for processing files. It allows authorized access only and has anti-fraud and anti-hacking mechanisms that keep the data out of third parties' hands.

VDRs guarantee this thanks to:

  1. Compliance with legal/industry requirements and standards attested by the audit certificate
  2. Infrastructure security and availability features
  3. Robust access security features
  4. Integral document security features

Here’s what each of these criteria means in detail.

Physical security features

Though virtual, VDRs also need to comply with a set of physical regulations to be secure. Taking care of on-site security is as important as deploying mechanisms to ensure online data security. These include:

  • Physical data protection. All data centers and power vaults are guarded and monitored 24/7 to ensure uninterrupted workflow.
  • Reliable infrastructure components. Quality hardware allows for 99.95% uptime in a fail-safe environment.
  • Real-time data backup. An effective backup option creates a copy of any uploaded document through an encrypted VPN tunnel.
  • Disaster recovery. Saving copies in remote data centers makes documents all but disaster-proof. 
  • Multi-layered data encryption. Using high-grade encryption while transferring (TLS protocol) and storing (256-bit AES keys) data keeps it protected both in transit and at rest.
  • Several server locations. Having data centers at various locations increases their disaster resilience.

Access security features

Since most VDRs are used for transmitting sensitive personal, financial, or classified information, they should grant access to a limited number of users to prevent breaches and leaks. These are the features most commonly used in reliable data rooms.

  • Selective permission settings. Depending on the user’s role in the process, the data room administrator can select the parts of documents visible to a particular user/group.
  • Custom document permissions. For each document, the administrator defines the users who can access it and the changes they can make.
  • Single sign-on. Users access their accounts with the same sign-in credentials, even if they participate in various projects.
  • Two-step verification. A password and a single-use code are required for logging in.
  • Time and IP address restriction. To prevent breaches, the VDR can restrict certain IP addresses and limit access time.
  • Usage logging and reporting. Internal audits and second-by-second session records keep track of any changes made by the users.
  • User security impersonation. Viewing the data room as a designated user lets the administrator verify that the user's access extends only as far as necessary.
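As an added example, not code from the article or any VDR vendor, the following Python script models how these access-security layers combine on a single document request: role permissions with per-user overrides, an IP-address allowlist, a time-of-day window, and a usage log that records every decision. All user names, document ids, networks and the policy schema are constructed for the illustration.

```python
"""Added example (not from the original article): a minimal model of the
access-security features a VDR enforces on every document request: role and
per-document permissions, IP-address and time-window restrictions, and an
append-only usage log. All users, documents and addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Policy:
    """Access policy for one document (hypothetical schema)."""
    role_actions: Dict[str, Set[str]]                                # role -> allowed actions
    user_actions: Dict[str, Set[str]] = field(default_factory=dict)  # per-user overrides
    allowed_networks: List[str] = field(default_factory=list)        # CIDRs; empty = no restriction
    window: Optional[Tuple[time, time]] = None                       # UTC access window; None = always


@dataclass
class Request:
    user: str
    role: str
    action: str        # "view", "download" or "edit"
    source_ip: str
    at: datetime       # timezone-aware


AUDIT_LOG: List[dict] = []   # a real VDR writes this to append-only storage


def _log(req: Request, doc_id: str, decision: str, reason: str) -> None:
    """Record every decision, allowed or denied, for later audit and reporting."""
    AUDIT_LOG.append({
        "ts": req.at.astimezone(timezone.utc).isoformat(),
        "user": req.user, "doc": doc_id, "action": req.action,
        "ip": req.source_ip, "decision": decision, "reason": reason,
    })


def authorize(doc_id: str, policy: Policy, req: Request) -> bool:
    """Deny by default: every layer must allow the request."""
    # 1. IP-address restriction
    if policy.allowed_networks:
        ip = ipaddress.ip_address(req.source_ip)
        if not any(ip in ipaddress.ip_network(n) for n in policy.allowed_networks):
            _log(req, doc_id, "deny", "ip-not-allowed")
            return False
    # 2. Time-window restriction, evaluated on the UTC wall clock
    if policy.window is not None:
        start, end = policy.window
        if not start <= req.at.astimezone(timezone.utc).time() <= end:
            _log(req, doc_id, "deny", "outside-access-window")
            return False
    # 3. Permission: an explicit per-user grant overrides the role's default
    allowed = policy.user_actions.get(req.user, policy.role_actions.get(req.role, set()))
    if req.action not in allowed:
        _log(req, doc_id, "deny", "action-not-permitted")
        return False
    _log(req, doc_id, "allow", "ok")
    return True


def demo() -> List[bool]:
    """Run five constructed requests against one document policy."""
    policy = Policy(
        role_actions={"bidder": {"view"}, "admin": {"view", "download", "edit"}},
        user_actions={"alice@buyer.example": {"view", "download"}},
        allowed_networks=["203.0.113.0/24"],
        window=(time(8, 0), time(18, 0)),
    )
    noon = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    night = datetime(2024, 3, 1, 23, 0, tzinfo=timezone.utc)
    requests = [
        Request("bob@buyer.example", "bidder", "view", "203.0.113.7", noon),        # allowed
        Request("bob@buyer.example", "bidder", "download", "203.0.113.7", noon),    # role lacks download
        Request("alice@buyer.example", "bidder", "download", "203.0.113.9", noon),  # per-user grant
        Request("alice@buyer.example", "bidder", "view", "198.51.100.1", noon),     # wrong network
        Request("admin@seller.example", "admin", "edit", "203.0.113.2", night),     # outside window
    ]
    return [authorize("doc-42", policy, r) for r in requests]


if __name__ == "__main__":
    print(demo())          # [True, False, True, False, False]
    for entry in AUDIT_LOG:
        print(entry)
```

The design point is that denials are logged with the layer that produced them, so the usage report can distinguish a user probing outside their permissions from a legitimate user connecting from an unexpected network, and that the checks run in a fixed order with a deny-by-default fallthrough.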

Document security features

Documents that end up in electronic data rooms aren’t meant to be seen by everyone. The following settings are VDR must-haves. 

  • Various document access rights. The user’s role will define the actions they can perform with certain documents (download as a PDF file or encrypted copy, have editing rights, or restricted view, etc.)
  • Dynamic watermarking. Designed to trace data leaks, this feature embeds encrypted access session information, including the user's IP address and the access date and time, into every document view.
  • Fence view. A barred (partially masked) screen view protects against shoulder surfing, unauthorized scanning, and photography.
  • Secure spreadsheet viewer. This enables a safe view of the data in Excel sheets and allows for customized access settings. 
  • No footprints. While a document is being viewed, it should be impossible to copy it, and it should leave no trace in the device's browsing history or memory.
  • Remote wipe. In case of device theft, the administrator should be able to remove files from the device to protect confidentiality.
  • Remote shred. This function retains full control over the document even after the user has downloaded it. 
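To show how a dynamic watermark supports leak tracing, here is an added Python example (not the article's or any vendor's code). It stamps each document view with the user, source IP, document id and UTC time, and appends an HMAC tag keyed with a server-side secret so that a watermark recovered from a leaked page can be confirmed as genuine rather than forged or edited. The HMAC tag is this example's own choice of authenticity mechanism, and the key, user, address and document id are constructed values.

```python
"""Added example (not from the original article): a tamper-evident dynamic
watermark. The visible fields record who viewed a document, from where and
when; a truncated HMAC tag lets the provider confirm that a watermark found
on a leaked page is genuine. Key and session values are constructed."""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional

WATERMARK_KEY = b"constructed-server-secret-rotate-in-production"  # assumption
TAG_LEN = 12  # hex characters of the HMAC shown on the page (48 bits)


def _tag(payload: str, key: bytes) -> str:
    """Truncated HMAC-SHA256 over the visible payload."""
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()[:TAG_LEN]


def make_watermark(user: str, ip: str, doc_id: str, at: datetime,
                   key: bytes = WATERMARK_KEY) -> str:
    """Build the string stamped across every page of one document view."""
    stamp = at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%MZ")
    payload = "|".join([user, ip, doc_id, stamp])
    return f"{payload}|{_tag(payload, key)}"


def verify_watermark(mark: str, key: bytes = WATERMARK_KEY) -> Optional[dict]:
    """Return the parsed session fields if the tag is genuine, else None."""
    payload, sep, tag = mark.rpartition("|")
    if not sep or not hmac.compare_digest(tag, _tag(payload, key)):
        return None                      # forged, edited or wrong key
    parts = payload.split("|")
    if len(parts) != 4:
        return None
    user, ip, doc_id, stamp = parts
    return {"user": user, "ip": ip, "doc": doc_id, "at": stamp}


def demo() -> Optional[dict]:
    """Stamp a view, then check that an edited copy of the stamp is rejected."""
    viewed_at = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    mark = make_watermark("bob@buyer.example", "203.0.113.7", "doc-42", viewed_at)
    # Someone who leaked the page tries to shift blame by editing the user field
    forged = mark.replace("bob@buyer.example", "eve@other.example")
    assert verify_watermark(forged) is None
    return verify_watermark(mark)


if __name__ == "__main__":
    print(demo())
```

Because the tag is computed over the visible fields, any attempt to alter the user, IP or timestamp on a leaked page invalidates it, and the provider can attribute the leak to the session that actually rendered the document. The key should be held server-side and rotated; a longer tag can be used where page space permits.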

The features mentioned above ensure the VDR’s safety when using it for processing sensitive or classified information. But even with them in place, there are several things to consider before choosing a VDR provider. 

International certificates and standards for VDR software

Independent certification, compliance with an industry’s best practices, and legal requirements are essential for the safety and security of your stored files. So, when choosing a VDR, look for the one that has the following certificates.

Basic certificates

AICPA – SOC 1/SSAE 16/ISAE 3402 (former SAS 70)

Developed by the American Institute of Certified Public Accountants (AICPA), the System and Organization Controls (SOC 1) certification assesses two major issues:

  • How well the control mechanisms perform during financial reporting
  • If their design and activities correspond to the control objectives

The SOC 1 certification combines all the performance, design, and security requirements of the previously used SSAE 16 and ISAE 3402.

AICPA – SOC 2 Type II (former SAS 70 Type II)

AICPA’s SOC 2 Type II certification program assesses the operational effectiveness of the vendor’s data management systems. This effectiveness is evaluated based on several core principles:

  • Security. It refers to the mechanisms that prevent unauthorized access, including access controls, network and web application firewalls, two-factor authentication, and intrusion detection.
  • Availability. It assesses whether the system and its features are accessible to the users as defined in the service level agreement. This includes network availability and performance, site failover, and security incident handling.
  • Processing integrity. It checks whether the right data is delivered to the intended user, in full and on time.
  • Confidentiality. It refers to the tools that restrict documents from other users. These include encryption, network and application firewalls, and access control.
  • Privacy. It evaluates if the system processes the information according to the AICPA policies and the organization’s privacy policies.

HIPAA

If a data room is used by a healthcare organization for processing protected health information (PHI) or personally identifiable information (PII), its providers become business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This certification evaluates the administrative, technical, and physical aspects of data handling.

Data room providers should report full compliance with the norms and policies set out in the following HIPAA rules:

  • Privacy
  • Security
  • Breach notification
  • Enforcement
  • Patient safety, etc. 

United States International Traffic in Arms Regulations (ITAR)

According to the International Traffic in Arms Regulations (ITAR), manufacturers, exporters, and brokers of defense goods, services, or technical data must be ITAR-compliant. The United States Munitions List (USML) enumerates such services and products. The same rule applies to the entities forming their supply chain.

Complying with ITAR means safeguarding all production and data handling processes against attacks that could sabotage national security. So, if data rooms process USML-classified data, their providers should create mechanisms to ensure its security, confidentiality, and safety.

ISO 9001 / ISO 27001

While ISO 9001 reviews the quality of the services and products according to the company’s objectives, ISO 27001 focuses on information security while delivering these services or products. They define and evaluate:

  • Use context 
  • Interested parties
  • Authority and responsibilities
  • Competence, awareness, communication, and documented information
  • Internal audits
  • Management reviews
  • Handling nonconformity and providing corrective actions

To become ISO 27001-certified, the company must develop an information security risk identification method and apply controls to mitigate the risks.

Privacy Shield 

The Privacy Shield Frameworks (known as Privacy Shield) define the policies and mechanisms for transferring personal data from the EU and Switzerland to the USA for business purposes. Those who want to join the Privacy Shield Framework need to self-certify and publicly commit to complying with the program requirements.

Below are the seven principles against which the 'adequacy' of a joining organization's protection level is evaluated:

  • Notice
  • Choice 
  • Accountability for onward transfer
  • Security
  • Data integrity and purpose limitations
  • Access
  • Recourse, enforcement, and liability

GDPR

The General Data Protection Regulation (GDPR) is the main data processing regulation in the EU; it defines the policies and requirements for how businesses should collect and handle EU citizens' data. For VDRs that are designed for EU companies or that will be used by EU citizens, complying with GDPR is a must.

The regulation defines the legal basis for consumers' and businesses' rights, obligations, and responsibilities that arise when data is collected or processed in any sphere. The technology used in the process should guarantee the following principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Advanced and industry-specific certificates

DoD CSM Levels 1-5

The Department of Defense has defined impact levels for the information that may be processed in cloud environments. Each level has requirements and mechanisms for data management and defines the data that can be used for processing. 

Impact Level Comparison. Source: Department of Defense 

FIPS 140-3

The Federal Information Processing Standard (FIPS 140-3) defines the security requirements for cryptographic modules. Countries like the USA, Canada, and the EU member states mandate incorporating only FIPS 140-3 certified modules into business solutions that deal with payment processing.

FISMA, FedRAMP, and DoD RMF 

Each of these programs evaluates the software products to be used by government agencies:

  • The Federal Information Security Management Act (FISMA) defines the requirements and security control policies for government and private-sector organizations that provide services to governments or process government data.
  • The Federal Risk and Authorization Management Program (FedRAMP) evaluates the suitability of the cloud-based service providers to be used by government agencies.
  • The Risk Management Framework for DoD Information Technology (formerly DIACAP) is a process aimed at evaluating the quality of risk management practices for the information systems used within the DoD IT environment.

Designing a data room for a government agency requires developers to become RMF-compliant and FISMA- or FedRAMP-certified.

MTCS Level 3

Multi-Tier Cloud Security (MTCS) is an operational security management standard used in Singapore. It’s based on ISO 27001/02 Information Security Management System (ISMS) standards to ensure effective risk management and security practices for cloud computing. 

If a cloud solution is Level 3 certified, it means it’s suitable for processing high-risk information like confidential business data, financial and medical records, etc. The virtual data rooms that deal with such information should comply with the requirements developed for Level 3 cloud services when operating in Singapore. 

PCI DSS Level 1

Since VDRs are mostly subscription-based services, their providers need to make sure the payment methods safeguard the client’s financial data. The most popular industry standard for this is the Payment Card Industry Data Security Standard (PCI DSS). It defines the requirements and policies aimed at preventing fraudulent financial actions when using credit cards to pay online. 

Depending on the merchant account type, financial activities, and products/services offered, a provider must comply with the level requirements defined by the card issuer (Visa, MasterCard, American Express, Discover). VDR providers are classified as Level 1 merchants.

Tips for choosing a secure virtual data room provider

1. Check the government’s requirements for using cloud software regarding your specific industry

Depending on why you need the VDR and your industry, the government may have specific guidelines you have to comply with. Cloud solutions and those designed for government use have the most stringent regulations. 

For instance, if you're a healthcare organization and you need to transfer patient data as part of an M&A process, you should use software that complies with HIPAA requirements and FDA regulations. If the documents you deal with are classified as protected health information and aren't handled lawfully, you may face charges.

2. Check if the provider is certified

Again, it will depend on your industry. The provider should have the basic safety certifications (GDPR, ISO 9001/ISO 27001, etc.) and also industry-specific ones, if applicable. Plus, certificates have an expiration date, so when choosing a provider, pay attention to the issue date.

3. Choose safety functions

The set of security and accessibility options will define the final price, so it’s better to know which ones you need and which you don’t. Understanding the purpose and context of use will help to determine the necessary features and save you money. 

4. Check data breaches history

Some governments make data breaches public (the UK, for instance), so it becomes easier to check whether the VDR provider you're considering has any compromising history. If you can't find any, pay attention to the mechanisms they use for ensuring data safety.

5. Compare several providers

Choosing the first VDR you’ve found is risky, so it’s always better to shop around and compare a few options based on the criteria above.

6. Talk to the representatives

These people can help with any issue, so why not test all the features before committing to a subscription?

Finding a secure virtual data room is key to handling your company’s paperwork quickly, efficiently, and safely. By checking the chosen VDR providers against the criteria outlined here, you’ll weed out the ones that can compromise your business.