ComplianceClaw

VDR folder structure M&A due diligence

How to Structure a VDR for M&A Due Diligence

Use this practical VDR folder template for M&A due diligence, with naming standards, permission models, and compliance-ready access controls.

Request a VDR walkthroughBack to VDR hub

A clean, predictable VDR folder structure reduces back-and-forth, accelerates diligence, and limits security risk. This guide gives you a practical, standard-aligned layout you can copy, plus access and compliance best practices.

The problem this structure solves

M&A diligence moves fast and involves many parties (buyer, seller, counsel, accountants, consultants). Without a consistent structure:

  • Reviewers cannot find documents quickly, leading to repeated requests and delays.
  • Sellers overshare, increasing confidentiality and competitive risk.
  • Version confusion creates disputes (“which contract is current?”).
  • Permissions become brittle as new workstreams or bidders are added.

The goal is a structure that is:

  • Familiar to external advisers
  • Easy to permission and audit
  • Stable under time pressure
  • Scalable (one buyer or multiple bidders)

Recommended VDR folder structure (copy/paste template)

Use numeric prefixes for fixed ordering. Keep folder names short, descriptive, and consistent.

Top-level

1. 00_Admin & Index 2. 01_Corporate & Organization 3. 02_Financial 4. 03_Tax 5. 04_Legal (Contracts & Compliance) 6. 05_HR & Benefits 7. 06_IP & Technology 8. 07_Sales, Marketing & Customers 9. 08_Operations & Supply Chain 10. 09_Real Estate & Assets 11. 10_Insurance 12. 11_Litigation & Disputes 13. 12_Environmental, Health & Safety (EHS) 14. 13_Data Privacy & Security 15. 14_Related Party & Intercompany 16. 15_Transaction (Process Only)

00_Admin & Index

  • 00.01 **VDR Read Me (Rules, Contacts, How to Request Docs)**
  • 00.02 **Index / Data Room Table of Contents**
  • 00.03 **Document Naming Standard**
  • 00.04 **Key Dates & Timeline**
  • 00.05 **Q&A Instructions**
  • 00.06 **Redaction Log (if used)**

01_Corporate & Organization

  • 01.01 **Formation Documents (Articles, Certificates)**
  • 01.02 **Bylaws / Operating Agreement / Shareholders Agreement**
  • 01.03 **Cap Table & Equity Plans**
  • 01.04 **Subsidiaries & Org Chart**
  • 01.05 **Board & Shareholder Consents (Past 3–5 years)**
  • 01.06 **Material Licenses & Registrations**

02_Financial

  • 02.01 **Audited Financials (3–5 years)**
  • 02.02 **Management Accounts / Monthly Reporting (YTD)**
  • 02.03 **Budget, Forecasts & KPIs**
  • 02.04 **Revenue Recognition / Accounting Policies**
  • 02.05 **AR/AP Aging**
  • 02.06 **Debt & Financing (Covenants, Schedules)**
  • 02.07 **Bank Statements & Cash Management**

03_Tax

  • 03.01 **Income Tax Returns (3–5 years)**
  • 03.02 **VAT/GST/Sales Tax Filings**
  • 03.03 **Tax Assessments, Audits, Correspondence**
  • 03.04 **Transfer Pricing & Intercompany Tax**
  • 03.05 **NOLs / Credits / Elections**

04_Legal (Contracts & Compliance)

  • 04.01 **Material Customer Contracts**
  • 04.02 **Material Supplier/Vendor Contracts**
  • 04.03 **Leases & Facilities Agreements (non-real estate)**
  • 04.04 **Standard Terms & Templates**
  • 04.05 **Regulatory Compliance & Permits**
  • 04.06 **Policies (Code of Conduct, Whistleblower, etc.)**

05_HR & Benefits

  • 05.01 **Employee Census (as permitted)**
  • 05.02 **Employment Agreements & Offer Templates**
  • 05.03 **Handbook & Policies**
  • 05.04 **Incentive Plans & Bonus Programs**
  • 05.05 **Benefits Plans & Providers**
  • 05.06 **Contractors & Consultants**

06_IP & Technology

  • 06.01 **Patents/Trademarks/Copyrights**
  • 06.02 **IP Assignments & Invention Agreements**
  • 06.03 **Software Licenses (Inbound)**
  • 06.04 **Product Architecture Overview**
  • 06.05 **Source Code Escrow (if applicable)**
  • 06.06 **Open Source Policy & Key Notices**

07_Sales, Marketing & Customers

  • 07.01 **Top Customers & Concentration**
  • 07.02 **Pipeline / CRM Reports (sanitized)**
  • 07.03 **Pricing, Packaging & Discount Policy**
  • 07.04 **Marketing Materials & Brand Assets**
  • 07.05 **Customer Support Metrics / SLAs**

08_Operations & Supply Chain

  • 08.01 **Key Processes & SOPs**
  • 08.02 **Manufacturing / Delivery Partners**
  • 08.03 **Quality & Certifications**
  • 08.04 **Inventory Reports (if applicable)**

09_Real Estate & Assets

  • 09.01 **Property Leases / Deeds**
  • 09.02 **Equipment Lists & Asset Registers**
  • 09.03 **Facilities Maintenance & CapEx**

10_Insurance

  • 10.01 **Policies & Schedules**
  • 10.02 **Claims History**

11_Litigation & Disputes

  • 11.01 **Pending / Threatened Litigation**
  • 11.02 **Settlement Agreements**
  • 11.03 **Governmental Investigations**

12_Environmental, Health & Safety (EHS)

  • 12.01 **EHS Policies & Training**
  • 12.02 **Incidents & Corrective Actions**
  • 12.03 **Permits & Inspections**

13_Data Privacy & Security

  • 13.01 **Privacy Policy, Notices, DPAs**
  • 13.02 **Security Program Overview**
  • 13.03 **Pen Tests / Audits (sanitized)**
  • 13.04 **Incident Log (as appropriate)**
  • 13.05 **Vendor Risk / SOC Reports**

14_Related Party & Intercompany

  • 14.01 **Related Party Agreements**
  • 14.02 **Intercompany Agreements & Charges**

15_Transaction (Process Only)

  • 15.01 **Process Letters & NDAs (if appropriate)**
  • 15.02 **Bid Instructions**
  • 15.03 **Draft SPA/APA (Counsel Access Only)**
  • 15.04 **Signing/Closing Checklist**

How to run the VDR (workflow)

Step 1: Publish an index and naming standard first

In 00_Admin & Index, include:

  • A one-page “VDR Read Me” with who to contact and how to submit Q&A.
  • The folder index (even if some folders are empty at launch).
  • A naming convention, for example:
  • - `YYYY-MM-DD_DocType_Counterparty_Topic_V1.pdf`
  • - `2026-04-07_CustomerContract_Acme_MasterServices_V2.pdf`

Step 2: Separate “shared” vs “sensitive” content

Create subfolders inside each section if needed:

  • **Shared (General)**: safe for most buyer team members.
  • **Restricted**: accessible only to buyer counsel/finance leads.

Common restricted items:

  • Highly sensitive customer pricing
  • Employee personal data
  • Security assessments with exploitable detail
  • Trade secrets (full technical docs) unless necessary

Step 3: Add a “New Uploads” intake without breaking the structure

To avoid cluttering the VDR, use a controlled intake pattern:

  • Create **00_Admin & Index/00.07_New Uploads (Weekly)**
  • Upload new items there first
  • Then move them into the correct folder once validated and named

Step 4: Use Q&A tags that map to the structure

Encourage requesters to reference folder paths in Q&A:

  • Example: “Request: 04.02.03 (Vendor Contract) for X”

This reduces ambiguity and keeps a clean audit trail.

Compliance, access, and security best practices

Permission model (recommended)

  • **Seller Admins (2–3 people):** full control, uploads, moves, permissions.
  • **Seller Contributors:** upload-only to intake folder, no deletes.
  • **Buyer Team (General):** view-only to shared content.
  • **Buyer Counsel:** access to restricted legal folders.
  • **Buyer Finance:** access to restricted financial/tax folders.

If you have multiple bidders, do not create separate VDRs unless required. Prefer:

  • **Bidder A**, **Bidder B** permission groups
  • One shared structure, segmented access

Auditability

  • Enable download watermarking and access logs.
  • Require MFA for external users.
  • Set clear retention and expiry dates for access.
  • Avoid “anyone with link” sharing.

Redaction and privacy

  • Redact personal data (SSNs, personal addresses, signatures if needed).
  • Use anonymized employee identifiers where possible.
  • Maintain a lightweight redaction log in **00_Admin & Index**.

Version control

  • Do not overwrite files silently.
  • Use `V1`, `V2`, `Final` only when controlled by an owner.
  • If your VDR supports it, lock “final” documents.

Common mistakes to avoid

  • Over-nesting folders (more than 3–4 levels deep).
  • Mixing drafts and finals without labeling.
  • Uploading scans that are not searchable (OCR everything).
  • Granting broad download rights early.

Quick checklist

  • [ ] Index and naming standard published
  • [ ] Permissions mapped to roles and restricted data
  • [ ] Intake process for new uploads
  • [ ] OCR enabled and key docs searchable
  • [ ] Audit logs and MFA enabled

Talk to ComplianceClaw

Need help selecting or structuring a VDR?

We help teams reduce diligence friction, improve access control, and choose the right workflow for fundraising, M&A, board reporting, and regulated document sharing.