Three potential leads want due diligence access. Your last raise used a proper VDR but at $400/month it feels heavy for this stage. The lead lawyer suggests "just share folders." The CTO is uncomfortable. So are you.
There's a middle ground.
Decide if you need a VDR
For seed and Series A, organised PDFs in a shared folder are usually enough. For Series B and beyond, especially with multiple competing investors, a proper VDR (Intralinks, Datasite, Onehub) is worth it. The question is access logs and granular permissions — does this raise need them?
PDF-based DD with controls
Organise documents by section: corporate, financial, IP, employees, contracts, regulatory. Use merge PDF per section. Password-protect each section. Watermark with the recipient's name using annotate PDF. Deters casual leaking and makes any leaks traceable.
Access via secure links
Share via Dropbox, Google Drive, or similar with view-only permissions. Set link expiry where the platform allows. Track who accesses what — most platforms log this. The combination of access logs plus per-recipient watermarks gives reasonable assurance.
Maintain a DD log
Track which investors received which version of each document. Log dates of access where the platform reports them. The DD log is your evidence trail if any leak is ever investigated. Even without leaks, it helps you manage who's seen the latest version.
When to upgrade
Upgrade to a proper VDR when: round size justifies the cost; competing investors increase leak risk; or specific documents (customer contracts, financial models) need granular access control. Many startups successfully close seed and Series A on organised PDFs alone.
FAQ
Are PDF passwords secure enough for DD?
For early-stage, generally yes — combined with watermarking and access logs. For high-stakes raises, a proper VDR adds granular control.
Should every document be watermarked?
Sensitive ones definitely (cap table, financials, customer contracts). Generic ones (incorporation documents) less critical.
Can I share via email instead of a portal?
For occasional documents yes. For full DD, a portal is much cleaner — version control alone is worth the friction.
What if an investor wants downloadable copies?
Watermarked PDFs satisfy this without you losing visibility entirely. Pure view-only platforms can frustrate sophisticated investors.
Secure DD doesn't require enterprise tooling at seed stage. Layer protection in Flint and the round closes.