Data room playbook (Founder)

Choose a platform that offers robust security features and provides built-in security measures (e.g. encryption/access controls). There are many commercial data room platforms available from which to choose one to suit your stage of Company and budget. There are options from basic low-cost to more expensive, and even bespoke, solutions. Many firms of lawyers now provide use of a data room platform as part of their legal services on an investment round.

Only grant access to individuals who need it, such as potential investors, advisors, and the spin-out’s law firm. Control should be given at the individual user level, with different permission levels for different users. You may even find folder level access sensible. Keep your secrets safe.

Use analytics features of the data room platform to monitor who is accessing what information and when. This can help to identify any unusual activity. At the end of an investment process, keep a copy of the analytics information – it will come in handy if you ever need to defend a warranty claim (especially if you can show that the relevant investor has looked at a document that disclosed the relevant matter).

After a certain date, users should no longer be able to access the Data Room. At the very least, you should be monitoring access and extend or revoke access, where appropriate. Once a transaction is complete, withdraw all access to the Data Room other than for your internal team (if you are keeping the Data Room running).

Watermarking can deter users from sharing documents since the watermark often includes the Company name or email address of a key contact. If your system can enable read-only modes, this prevents Data Room users from downloading, printing and sharing your files. Most systems will not prevent screengrabs, so be aware of the risks of sharing your critical confidential information. Consider carefully whether it is appropriate for all documents to be downloadable or whether some should be read-only.

Ensure the Data Room does not reveal any personal details.

Ask potential investors to sign an NDA before accessing the data room. The data room is generally used at the stage when an outline deal has been agreed, although this can vary. Make sure that you can present the opportunity without sharing confidential information. Once they have conviction that the investment is a strong proposition, most investors will be willing to sign an NDA to access the data room.

All Data Rooms should have a click-through screen which sets out the Data Room rules for users. These should cover matters such as users not sharing passwords and access information with other people, users not accessing confidential data in public places and other appropriate rules for use.

The investors would want to access any relevant agreements regulating the relationship between the Company and its shareholders, including the Articles of Association, shareholders agreement, subscription agreements, capitalisation table (current and projecting, including any vesting schedules). Documents detailing share options and encumbrances over the Company’s issued or unissued share capital should also be included. It is not necessary to replicate Companies House filings in the Data Room (except for the Articles of Association) as investors will check these separately.

Potential investors will be keen to gain insight into the Company’s financial position, performance, growth potential, and liabilities or obligations.

As such, the Data Room should include the key financial statements, i.e., audited and/or unaudited income statements, balance sheets, cash flow statements, and financial projections for at least the next 3 financial years. Additional information can include published accounts (statutory) if appropriate, copies of management accounts, details of any debt securities given to or by the company since incorporation, such as mortgages, debentures and/or loan stocks. Bank statements are not required.

N.B. If you are just starting the Company, haven’t received investment or traded, you may not have information to include here yet.

This should include any material contracts or agreements binding the Company directly or indirectly. Some examples include terms and conditions of sale or purchase currently used by the Company, capital commitments for the supply of goods and services. If the Company has any unusual contracts or arrangements, make sure these are disclosed, even if they don’t specifically relate to a warranty being requested.

N.B. employment and agreements with personnel should be included in Section 9 -Employment (below)

N.B. If you are just starting the Company, haven’t received investment or traded, you may not have information to include here yet.

This is exactly what it sounds like, an opportunity to list all the assets owned by the Company (including acquisition details/any purchase price and outstanding payments) and/or details of any assets used by the Company for its core business but not owned by the Company.

N.B. If you are just starting the Company, haven’t received investment or traded, you may not have information to include here yet.

N.B. Properties will be listed in Section 10 – Real Estate (below).

Include documentation relating to insurance policies held by the Company. Coverage details, certificates, premiums, details of coverage limits, deductibles, and renewal dates are all relevant here, together with details of any claims history and any outstanding claims or disputes with insurers.

N.B. If you are just starting, you should look at getting quotes and uploading here. Also, ensure you have factored in as a cost for your business model financial forecast.

Should document the Company's Intellectual Property (IP) portfolio, covering both registered and unregistered rights. This includes copies of all IP-related documents, such as patents, trade marks, copyrights (including software), brand names, slogans, logos, and goodwill. It should also list documented know-how and trade secrets (without disclosing details of such know-how and trade secrets), and relevant patent details with summaries of their status and next steps. It is also worthwhile ensuring you have verified copies of lab notebooks for any patents, core IP of the Company, as it helps give assurance on origins and inventorship.

Freedom to Operate (FTO) search reports, an IP roadmap, and supporting scientific data should be included to substantiate the technology’s claims and plans following the raise, along with records of any disputes or legal claims. If relevant, Clinical Protocols, Ethics, Publications and Presentations.

N.B. Before uploading any research or other IP agreements your University has entered into related to the creation and development of the IP, liaise with your University Technology Transfer Office, as there may be Third Party confidentiality obligations and documentation may need to be redacted/only extracts included.

This section should include all necessary legal and regulatory approvals relevant to the transaction. This typically involves board and shareholder resolutions, along with third-party consents from lenders, key customers, suppliers, or landlords if required by existing contracts. Regulatory compliance and licences might include the National Security Investment Act, Export Control, Ethics, BSI, MHRA/FDA approvals, Clinical trial or device authorisations, etc (this is a non exhaustive list as it really depends on the business of your Company). You should cover privacy policies, GDPR consent records, international data transfer documentation, and any correspondence with regulatory authorities. If employee data is being shared, documented employee consent is essential to comply with data protection laws such as GDPR.

N.B. If you are just starting the Company, haven’t received investment or traded, you may not have information to include here yet.

The section should include a summary of any ongoing or past legal disputes, including key details of the case, involved parties, and current status. It should cover any significant settlements, judgments, or rulings, along with potential liabilities or contingencies. Include relevant documents such as legal correspondence and claims. Additionally, provide information on any regulatory investigations or actions involving the Company. This ensures a clear understanding of the Company’s legal risks and potential exposures.

This should include an organisational structure (with headcount), a list of key personnel (name, role, tenure, bio, and CVs) and anonymised employee data. Copies of key documents, such as contracts and service agreements for key staff and details about any mission critical employees. Employee handbooks should be included if available.

Alike ‘assets’ but specific to properties, this section must provide material documentation of all freehold and leasehold properties owned by the Company and/ or occupied or used by the Company for its business. In the case of properties owned by the Company, the schedule can include acquisition details, purchase price and any outstanding payments, and licenses to occupy and use any properties not owned by the Company.

A copy of the health and safety policies, accident book and details of any incidents. Highlight any particular risks and their mitigation (e.g. use of radioactive materials).

List key physical assets (e.g. servers) and their status (owned/leased), as well as cloud services that are used (provider, terms). Provide details of software used (inc. licenses) and details about any bespoke software, including who provided and supports it. Details of data protection and cyber security measures should be made available, together with an audit/incident log. Identify any potential single points of failure.

Relevant materials to include will be a copy of a Risk Register discussed by the Board or a note of the Company’s key risks and approach to mitigation.

The Tax section should include recent tax returns (3-5 years), details of any tax audits or assessments, and information on carry forward tax losses or credits. It should cover transfer pricing documentation, evidence of tax compliance, and any external tax opinions or complex arrangements. Include details on employee-related taxes, indirect taxes (e.g., sales tax, VAT), and the Company’s corporate tax structure. Finally, provide contact details for external tax advisors. This ensures a clear overview of the Company’s tax position and potential risks. Also, provide any SEIS/EIS relevant information.

Treat this section as a summary of the proposition to investors. This will help streamline information gathering for top level review, with the other sections providing space for deep diligence.

1. Pitch Deck
   Copy of the recent pitch deck that the investors listened to or were sent should be dated and included here. The pitch deck should clearly highlight the commercial opportunity being presented, what the funding is for, and how the Company will be successful.
2. Business Plan
   Potentially use either a separate written business plan document or a summary of other materials that provide a documented overview of the Company business plan.
3. Business model
   How the spin-out intends to earn revenue. Include details on pricing strategy, revenue streams, cost structure, etc.
4. Market and customer analysis
   Founders should have carried out research into the market opportunity, detailed competitor and customer analysis. This is critical to understand if the Company is actually solving a problem.
5. All Board records
   Include lists of Board Directors, with Letters of Engagement and Resignations where appropriate, to provide details on the current Board of Directors makeup. CVs for Board Directors can be included if particularly relevant, eg specific sector domain. Board meeting papers and minutes labelled clearly provide a clear record of discussions. If not included elsewhere, then governance documents can be included here: certificate of incorporation, Articles of Association, Investment Agreement and Shareholder resolutions.
6. Q&A with investor (updated as required)
   Address questions raised by investors to keep the pace flowing. This should be updated as a ‘live document’ within the Data Room.
7. Team build plan
   Short bios of the founding team and key employees, listing relevant experience and skills.
8. Cap table and proposed round dynamics
   If a valuation has been agreed by a lead investor, include the proposed round. If not, use a cap table that includes all previous fundraises.
9. Go to market plan
   A summary of the business plan that explains how the Company will get the product into the market.
10. Summary of key milestones
    Having a breakdown of key milestones to be completed over the next 3-5 years will help investors to understand your funding requirements and value inflexion points.

• Role-based access: Only grant access to users based on their role (e.g., view-only for buyers, full access for advisors).
• Granular permissions: Set permissions by folder/file (view, download, edit, print).
• Two-factor authentication (2FA): Require 2FA for all users to enhance login security.
• Access expiration: Set time limits or revoke access automatically after deal milestones.

• Require all users to sign NDAs before access.
• Display NDA acknowledgement on login or entry to the Data Room.
• Monitor compliance and maintain logs of agreement acceptance.

• No downloading (optional): Limit download access to certain roles only.
• Watermarking: Use dynamic watermarks on documents with user info and timestamps.
• Version control: Keep only the latest version of documents and maintain a version history.

• Audit logs: Record all user activity (logins, views, downloads, etc.).
• Alerts: Set up alerts for unusual behaviour (e.g., mass downloads, after-hours access).
• Reporting: Regularly generate reports for internal monitoring and external compliance.

• Use a clear folder hierarchy (e.g., Legal, Financials, Operations).
• Include an index or table of contents.
• Keep naming conventions consistent and intuitive.

• Establish a Q&A workflow, with tracked responses and answer accountability.

• Use a reputable, certified data room provider (ISO 27001, SOC 2).
• Ensure data encryption in transit and at rest.
• Ensure compliance with applicable regulations (e.g., GDPR, HIPAA).

• Revoke access immediately after the deal or project closes.
• Archive the Data Room securely
• Generate and store a full access log for future audits.