As people become more aware of the many benefits provided by virtual data rooms, more and more providers are rushing to offer their product to the marketplace. Some of these are innovative, secure, high-quality services. Some are, shall we say, a touch lower on the quality spectrum, not offering the necessary level of security and service required to handle important information.

Amateur performance in your staff is unacceptable and can lead to lost profits and costly missteps. Amateur performance in your virtual data room can open a Pandora’s box of potential disaster: major transactions can fail, important data can be lost or stolen by competitors or criminals, and, in the worst-case scenario, an entire firm can suffer a fatal blow.

So how does one go about separating the experts from the amateurs when searching for a data room provider?

A standard you can trust

A quality data room provider will contract regular audits to ensure the reliability and security of its systems. The SSAE 16 standard (which replaced the SAS 70) is known as the industry-wide auditing standard for service companies. To be in compliance with this high standard, a company must undergo detailed and exhaustive audits that ensure every aspect of the provider’s operations – from employee background checks to network security – is up to current specifications.

The SSAE 16 standard also includes provisions for examining any other service providers the data room provider may subcontract with. This is an important development over the previous SAS 70 standard, as it ensures that shoddy standards on the part of a subcontractor (i.e. service providers for the VDR provider’s equipment) won’t introduce vulnerabilities that undermine data security.

When considering the vast potential for disaster posed by vulnerabilities in your VDR provider, it is easy to get overwhelmed with security details. However, thanks to the SSAE 16 standard, you can be confident in the reliability and security of a VDR provider without having to go to the time and expense of vetting every detail of the provider firm.

A word of caution

It is important to note that SSAE 16 is not a “certification”, so beware of providers who claim to be “SSAE 16 Certified”. SSAE 16 is simply a standard that a company’s systems either are, or are not, in compliance with, as reported by a reputable auditing firm.

There are also a few areas where it would benefit you to seek answers for yourself: employee confidentiality training and secure processes. Unfortunately, even providers that are in compliance with SSAE 16 can fall prey to social hacking techniques if their staff isn’t properly trained or their day-to-day processes aren’t secure.

  • Ask what type of training their employees undergo regarding data privacy and security. A quality data room provider will have no trouble giving you a detailed answer. If they hedge or are overly vague, that could possibly be a red flag for a provider with substandard security.
  • Ask about the security of their process. A security-minded provider will perform regular internal audits, as well as contract with outside firms to ensure full diligence. Again, this should be something the provider can answer readily and informatively. They don’t have to disclose proprietary security practices to give a reasonable overview of their approach.

Limiting your search to providers in compliance with SSAE 16, and then asking a few questions on your own, will result in choosing a provider that will give your highly valuable data the appropriate level of security.