A virtual data room index is more than a numbered folder tree. In M&A due diligence, it should tell reviewers what exists, which entity and period it covers, whether it is operative, who supplied it, what remains missing, and how the file connects to a request or finding. Without that control layer, a neat data room can still be incomplete.

Indian company, securities, and cybersecurity context may shape the contents and handling plan. Useful primary starting points include the Ministry of Corporate Affairs, SEBI's legal materials, and CERT-In directions and advisories. Counsel and security specialists should identify which current requirements apply to the parties, transaction, system, and data.

What should the index record for every file?

Assign one stable record to each uploaded item. Do not rely on filenames as identifiers because filenames change and duplicates are common. The index should survive folder moves and later exports.

FieldPurposeExample control
Stable IDKeeps references intactNever reused after deletion
Request IDLinks upload to the diligence questionOne upload may answer several requests
Entity and workstreamDefines scopeUse controlled values, not free-text variants
Document familyConnects agreement, amendments, and schedulesParent-child relationship required
StatusDistinguishes draft, executed, expired, superseded, or unknownReviewer validates status
Effective and coverage datesShows the period representedKeep “unknown” distinct from blank
Source and upload dateSupports provenanceName authorised contributor or system
Confidentiality classDrives accessSpecialist approval for restricted material
Review stateShows progressNot reviewed, in review, queried, validated

Add language, format, signature state, legibility, duplicate group, and notes where useful. Keep original names and checksums if the governance plan permits them. An index is evidence only when its entries can be traced to files and controlled actions.

How should the M&A data room folder structure be designed?

Structure the room around how reviewers ask questions, while retaining a clear entity dimension. A practical top level may include corporate, ownership and securities, finance and tax, material contracts, property, employment, intellectual property, technology and data, regulatory, disputes, compliance, insurance, environment, and transaction documents.

Avoid building dozens of empty folders before the scope is known. Empty folders are ambiguous: they may mean “not applicable,” “nothing found,” “not yet uploaded,” or “withheld.” Track those states in the request register.

Within each workstream:

  • separate entity-specific records where multiple companies are in scope;
  • keep agreements with their amendments, schedules, orders, and notices;
  • distinguish current records from historical or superseded material;
  • use consistent dates and short descriptive filenames;
  • avoid unexplained personal folders such as “miscellaneous” or “new”; and
  • retain a cross-reference when one file belongs to several workstreams.

The folder tree is a navigation aid. The master index and request register should remain the authoritative view of coverage.

How do you connect the request list to uploads and answers?

Give every request a stable ID, scope, owner, priority, date, status, response note, linked files, follow-up questions, and closure approval. Do not mark a request complete merely because a file was uploaded. A reviewer must determine whether the response actually answers the question for all entities and periods in scope.

Use a simple status model:

StatusMeaningNext action
Not startedNo response suppliedContributor prepares response
PartialSome scope or evidence is missingState the exact gap
UploadedMaterial awaits reviewAssign reviewer
Query raisedReviewer needs clarification or more evidenceResponse owner addresses query
ValidatedReviewer confirms the defined request is answeredRecord validator and date
Not applicableSupported reason shows request does not applyReviewer approves rationale

When an answer changes, preserve the earlier state and identify affected findings. Silent replacement makes it difficult to know which document informed a report draft.

How should contract families and duplicates be controlled?

Contracts often arrive as disconnected PDFs. Group the master agreement with amendments, extensions, statements of work, orders, guarantees, side letters, waivers, notices, and termination correspondence. Record which item is believed to be operative and why. Similar filenames do not prove documents are identical.

The bulk contract review guide provides a population-reconciliation workflow. Compare the room with authorised procurement, sales, finance, property, and operations sources. Preserve duplicates until signatures, schedules, dates, and contents have been checked.

For every family, ask:

  1. Is the governing agreement present and executed?
  2. Are incorporated schedules and policies available?
  3. Does each amendment identify the agreement it changes?
  4. Are renewal, expiry, termination, or waiver records present?
  5. Does an order incorporate different or later terms?
  6. Is the counterparty name consistent with the entity record?
  7. Can reviewers identify the operative clause without guessing?

This family view supports reliable extraction and prevents a later amendment from being missed when the original agreement has already been reviewed.

What access controls should protect sensitive deal material?

Use least-privilege access based on role, workstream, entity, and sensitivity. Name access owners and reviewers. Plan for joiners, leavers, advisers, bidders, clean-team members, and withdrawn users. Authentication, encryption, logging, watermarking, download restrictions, and retention controls should be assessed against the deal's threat model and operational needs.

Classify material before broad access. Especially sensitive categories may include personal data, employee records, security information, privileged advice, customer-level pricing, source code, trade secrets, bids, investigations, and regulated information. Counsel should decide whether redaction, aggregation, staged disclosure, clean-team access, or another safeguard is appropriate.

Review Gotham's security overview as one input when assessing a legal technology workflow. Ask every provider for evidence rather than relying on labels. Document hosting location, subprocessors, backups, incident response, deletion, export, auditability, and administrative access.

CERT-In materials may be relevant to incident reporting, logging, or security operations in a particular context, but the applicability and current effect need specialist assessment. A data-room checklist should link to dated official material rather than paraphrasing a changing requirement as a universal rule.

How should listed-company and insider-sensitive information be handled?

Where listed entities or securities-law concerns are involved, qualified counsel should design the information flow with reference to current SEBI requirements and transaction facts. The operational plan may need controlled recipient lists, purpose limitation, confidentiality acknowledgements, access evidence, and escalation before sharing particular information.

Do not treat the virtual data room as automatic permission to disclose. For each sensitive collection, record why it is needed, who may access it, what form can be shared, who approved access, and when access ends. Keep business teams from forwarding downloaded material into uncontrolled channels.

Use periodic access reviews. Compare room permissions with the current deal-team list, investigate unexpected activity, remove stale rights, and retain evidence of decisions. The control should cover exports and local working copies, not just the hosted room.

How can review progress be measured without creating false confidence?

Report coverage by question, entity, period, and validation state. A count of uploaded files or opened documents does not establish completeness. Useful measures include requests validated, partial responses by priority, unreadable files, unresolved document families, restricted items awaiting access, and high-risk findings without supporting evidence.

Quality checks should sample both metadata and content:

  • does the indexed entity match the document?
  • is the executed status supported by signatures or other evidence?
  • do coverage dates reflect the file rather than its upload date?
  • are duplicates and superseded versions correctly linked?
  • can each material report finding resolve to the cited source?
  • are access restrictions consistent with classification?

Gotham's litigation document organisation guide describes related principles for stable identity and retrievability. Its practice workspace can help keep review tasks near matter evidence.

What should happen to the data room at signing and closing?

Define the final export and retention plan early. At the agreed milestone, preserve an authorised index, relevant access history, request status, final file set, open issues, and any permitted Q&A record. Verify that the export opens, folder and identifier relationships survive, and access is limited to approved custodians.

Transfer continuing obligations into the closing and integration workstreams. Consents, licence renewals, disputes, security commitments, employee actions, and contract notices should have named owners and source links. Do not leave operational tasks buried in an archived room.

Before closure, confirm:

  1. all critical requests have a validated response or visible exception;
  2. late uploads have been routed to affected reviewers;
  3. final findings cite preserved evidence;
  4. restricted data has an approved retention or deletion path;
  5. access has been reviewed and scheduled for removal; and
  6. the final index and export have been tested.

If your team needs a controlled intake and diligence workflow, contact Gotham. A trustworthy VDR is not the room with the most files. It is the room in which scope, provenance, access, review, and unresolved gaps remain visible from first request through handoff.