The difference between a clean setup and a chaotic one is not technology. It is the order of operations. Bankers who set up dozens of these know the order. Bankers who haven't done it many times either learn the hard way on their first deal or copy what the last firm they worked at did.
This piece walks through the actual steps. The folder structure, the permission tiers, the workflow from kickoff call to closing day, the compliance requirements that catch bankers off guard. Written from the perspective of setting up rooms for boutique investment banks. The mechanics are the same for any sell side process; the volume and pace differ at boutique IB scale.
Phase 1: Pre-room (week 1)
Before you create the room, you need three things from the seller.
1. The data dump. Get the seller's existing financial, operational, legal, and HR documents in one centralized location (Dropbox, Google Drive, Box, anything). This is the source material that will eventually live in the data room. The dump is rarely complete; expect 60 to 70% of what you'll eventually need on day one.
2. The diligence trigger list. Buyers in your sector ask for the same documents in the same order on every deal. The trigger list is what you will eventually pre-populate the room with so when buyers ask, the answer is "it's already in there." Source the trigger list from a previous deal in the sector or from a standard template.
3. The permission tiers. Decide who sees what, and when. Three standard tiers in LMM:
- Pre-LOI (Phase 1): Teaser, anonymized financials, anonymized customer concentration. Anyone who signed an NDA can see this.
- Post-LOI (Phase 2): Full historical financials, identified customer concentration, contracts, key supplier agreements, full HR data structure (anonymized salaries). Only the buyer with signed LOI sees this.
- Closing diligence (Phase 3): Sensitive employee comp data, sensitive customer contract terms, related party transactions. Only the buyer's deal team and outside counsel.
Permission tier discipline is the difference between protecting the seller's downside and accidentally exposing sensitive data to a buyer who walks away.
Phase 2: Room creation (week 2)
Now you create the room. The order of operations matters.
Step 1: Folder structure first, files second. Set up the empty folder structure before uploading anything. The folder structure determines how you and the buyer navigate the room. A messy structure built around the order documents arrived in is harder to fix than a structure built upfront.
A standard top level for sell side LMM:
- 1.Corporate (org structure, equity holders, board minutes, governance)
- 2.Financial (audited financials, monthly mgmt reports, AR aging, AP aging)
- 3.Legal (contracts, litigation, regulatory)
- 4.Customers (top 20 by revenue, contracts, concentration, retention)
- 5.Suppliers (top 20 by spend, contracts, concentration, terms)
- 6.HR (org chart, comp structure, benefits, employee handbook)
- 7.Operations (KPIs, capacity, processes, key vendors)
- 8.IP (patents, trademarks, trade secrets, IT systems)
- 9.Real Estate (leases, owned property, environmental)
- 10.Tax (federal, state, sales, property)
- 11.Compliance (industry specific, sector specific)
- 12.Insurance (D&O, liability, cyber)
Each top level has 4 to 8 sub folders. The Folder Structure Template has the full breakdown.
Step 2: Upload in order. Upload financials first, contracts second, HR last. The buyer's diligence team will start with financials in the first 48 hours of LOI exclusivity. If financials aren't ready when they log in, the seller looks unprepared and the deal pace slows.
Step 3: Brand the room. Add the seller's logo, deal name, and a clean welcome page. The buyer's first impression of the room shapes their first impression of the seller. Default unbranded rooms read as cheap.
Step 4: Test buyer experience. Before inviting any external user, log in as a sample buyer and click through the room. Find the document a buyer would ask for in their first call (typically the trailing 12 months P&L) and time how long it takes to find. If it's longer than 30 seconds, restructure.
Phase 3: Pre-LOI invite (weeks 3 to 6)
Now you invite buyers in for Phase 1 access.
Email invitations: Most VDR platforms let you send invitations with a custom welcome message. Don't use the default. Write a 3 to 5 sentence message that names the deal (or the deal code if confidential), tells the buyer what they'll find in Phase 1, sets expectations for Phase 2 access (signed LOI required), and includes the deal contact email for questions.
User onboarding: Buyers new to your VDR platform will spend 5 to 15 minutes orienting. Anticipate this. Build a 1 page welcome doc as the first thing they see in the room. Map the folder structure, point to the most important documents, set expectations for response times.
Audit log review: Most VDR platforms log every page view, download, and search. Review the audit log weekly. Buyers who spend 40+ minutes in the room are serious. Buyers who log in for 2 minutes and bounce are checking a box. Use the audit log to focus your follow-up calls.
Phase 4: LOI and Phase 2 access (weeks 7 to 14)
Once the seller signs an LOI with a buyer, that buyer gets Phase 2 access.
Permission switch: This is where most VDR platforms get clunky. You need to upgrade one buyer's access without exposing the same documents to all the other buyers who don't have an LOI. Permission switching by user group is critical.
New document upload velocity: Buyer's diligence team will request documents you didn't include in the original room. Customer references, specific contract amendments, employee comp by tier. The seller has to source these and the banker has to upload them within 24 to 48 hours of request. Otherwise the buyer's QofE schedule slips and the deal pace slows.
Q&A management: Most VDR platforms have a Q&A feature where the buyer asks a question, the banker tags it for the seller, the seller answers, and the response gets logged. Use it. Without Q&A management, every question becomes an email thread that nobody can find later.
Phase 5: Closing diligence and post close (weeks 15 to 26)
The final phase of due diligence focuses on sensitive material that comes out only when the deal is essentially done.
Phase 3 access: Sensitive employee comp data, sensitive customer contract terms, related party transactions. Only the buyer's deal team and outside counsel get to see this.
Lender consents: If the deal involves senior or mezz debt, the lender will need access to specific documents. Most banks now require a separate workspace for lender review.
Closing checklist: As the deal closes, every document in the room needs to be inventoried for archive. Most LMM deals trigger SEC 17a-4 compliance requirements (6 year preservation) and FINRA 4511 record-keeping requirements. Choose a VDR that handles this archival without a manual export.
Post close access: After close, the buyer typically wants 30 to 90 days of continued read-only access for integration and post close adjustments. The seller's data should be archived separately for the seller's compliance preservation period.
Compliance considerations
A few compliance points that catch bankers off guard.
SEC 17a-4 (broker-dealer record preservation): Requires retention of communications and transaction-related records for 6 years. If your firm is a registered broker-dealer (most boutique IBs are), the data room records of the deal must be preserved.
FINRA Rule 4511: Similar record-keeping requirements for FINRA member firms.
GDPR (if EU buyers): If any buyer or seller has EU presence, GDPR applies. Personal data in the data room (employee names, contact info, comp) requires lawful basis for processing.
State data privacy laws: California (CCPA), Virginia (VCDPA), and several other states have data privacy laws that may apply depending on the seller's customer or employee base.
Industry specific: Healthcare deals trigger HIPAA. Financial services deals trigger Reg S-P. Defense or government contractor deals trigger ITAR. Each has specific data room access requirements.
Most reputable VDR platforms handle compliance automatically. Verify before signing that the platform you choose covers SEC 17a-4 and FINRA 4511 at minimum.
Common mistakes (the 5 we see most)
- Folder structure built around document arrival order. Documents arrive randomly. Folder structure should be built around buyer diligence order, not seller convenience.
- All buyers at Phase 2 access. Once you give a buyer Phase 2 access, the temptation is to open it for everyone. Resist. Phase 2 access for non-LOI buyers exposes the seller's downside without commercial benefit.
- Slow Q&A response. Buyer asks a question. Banker tags seller. Seller takes 5 days to respond. Buyer's QofE provider is sitting idle. Timeline slips. Set expectations with the seller upfront: 24 hour Q&A response is standard.
- No audit log review. The audit log tells you which buyers are serious and which are checking a box. Bankers who don't review the audit log run more buyer calls than necessary.
- Per page billing surprises. Every document re-upload, every download by every user, every bandwidth burst racks up incremental cost. By close, the data room invoice is 2 to 10x the original quote. Choose a flat rate VDR for boutique IB scale to avoid this.
Timeline summary
Sell side data room: kickoff to close
A typical sell side deal data room timeline from kickoff to close:
- Weeks 1 to 2: Pre-room and room creation
- Weeks 3 to 6: Pre-LOI buyer access
- Weeks 7 to 14: LOI exclusivity and Phase 2 access
- Weeks 15 to 22: Closing diligence
- Weeks 23 to 26: Close and post close
Total: 26 weeks. The 26 week timeline is roughly the median for $5M to $50M deals in 2026.
Data Room Folder Structure Template
Skip the "what folders should we have" debate. The LockRoom folder structure template maps to the standard buyer diligence request list. 13 folders, 63 subfolders, free, no email gate.