You have opened a shared Dropbox folder to manage the deal documents. The buyer has uploaded their questions into a subfolder, your lawyer is working on a version of the contract and you are not sure whether it is the latest one, and someone has shared the link with an email address you do not recognize.
This is the moment when Dropbox stops being a work tool and becomes a legal risk.
The question is not whether Dropbox is a good product. The question is whether it is the right tool for M&A due diligence.
The answer is no, for technical, legal, and operational reasons that this guide documents with verified data.
What distinguishes a Virtual Data Room from Dropbox: the direct comparison
The difference lies in the architecture: Dropbox is ideal for file sharing, while a Virtual Data Room (VDR) is built for the governance of a document process in a high legal-risk context.
Below is an explanatory table designed to help you better understand the main differences.
| Feature | Dropbox | Virtual Data Room (VDR) |
|---|---|---|
| Legally defensible audit trail | ✗ Not available | ✓ Certified legal-grade export |
| Granular permissions by document | ✗ Folder-level only | ✓ By document, user, and role |
| Dynamic watermarking (name + IP) | ✗ Not available | ✓ On every document viewed |
| Integrated NDA tracking | ✗ Not available | ✓ Access conditional on NDA signature |
| Automatic document versioning | Partial (basic history) | ✓ M&A-grade versioning with alerts |
| Automatic access expiration | ✗ Not available | ✓ Expiration date for each individual user |
| Screenshot protection | ✗ Not available | ✓ Integrated fence view |
| Documented GDPR compliance (Art. 32) | ✗ Not certified for M&A | ✓ ISO 27001 + SOC 2 + EU GDPR |
| Integrated Q&A module | ✗ Not available | ✓ Managed threads for buyers |
| Publicly verifiable pricing | ✓ Yes | Depends on the provider |
The audit trail problem: the question you do not want to hear
In due diligence, there is always a decisive moment: signing, closing, and, sometimes, a post-closing dispute.
Then comes the question every M&A lawyer dreads: “Who accessed that document, and when?”
With Dropbox, the answer is incomplete. The platform records some basic activities, but it does not produce a legal-grade audit trail:
- it does not certify the opening timestamp of each individual file;
- it does not record the number of views;
- it does not distinguish between viewing and downloading;
- it cannot be exported in a format that can be attached to a contractual document.
A VDR generates a complete and certified log: who opened what, when, for how many minutes, and from which IP address. That log can be exported as a PDF and attached to the closing documents. Dropbox does not do this.
Granular permissions: who sees what, and why it matters
In a typical due diligence process, there are at least five categories of users with different access needs:
- the buyer and their team of advisors, with access to documents but no editing rights;
- the seller’s lawyer, with full access and commenting rights;
- the target company’s management, with access limited to their own functional area;
- external consultants such as the accountant and notary, with temporary access to specific folders;
- observers such as the financial advisor and bank, with read-only access, with or without download rights.
Dropbox manages permissions at folder level: you share the folder, and whoever receives it has access to the entire folder. To differentiate access, you have to create separate folders, manually manage who has access to what, and hope that no one shares the wrong link.
A VDR manages permissions at individual document level, for each individual user, with programmable expiration.
The seller’s HR manager only sees the HR folder. The technical consultant only sees the patents. The buyer sees what you have decided to show them, and only until you decide otherwise.
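As an added illustration (not code from the original article or from any VDR product), the following Python sketch models the two controls described above: per-document, per-user grants with an expiry date and an NDA gate, and a per-document audit log that separates viewing from downloading and records the source IP, so that "who accessed that document, and when?" can be answered from the log. The user names, document path, IP addresses and dates are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed model for illustration, not any vendor's implementation.
@dataclass
class Grant:
    user: str
    document: str                   # one grant per document, not per folder
    can_download: bool              # view-only observers get False
    expires_at: Optional[datetime]  # per-user expiry; None means no expiry
# action is "view" or "download" (never conflated); decision is "allowed" or "denied:<reason>".
AuditEvent = namedtuple("AuditEvent", "ts user document action ip decision")
class DataRoom:
    def __init__(self):
        self.grants = {}            # (user, document) -> Grant
        self.nda_signed = set()
        self.audit = []             # append-only event log
    def _decide(self, user, document, action, now):
        if user not in self.nda_signed:
            return "denied:nda-not-signed"
        g = self.grants.get((user, document))
        if g is None:
            return "denied:no-grant"
        if g.expires_at is not None and now >= g.expires_at:
            return "denied:expired"
        if action == "download" and not g.can_download:
            return "denied:view-only"
        return "allowed"
    def access(self, user, document, action, ip, now):
        # Every attempt is logged, denials included, so the log can answer questions later.
        decision = self._decide(user, document, action, now)
        self.audit.append(AuditEvent(now, user, document, action, ip, decision))
        return decision == "allowed"
    def who_accessed(self, document):
        return [(e.ts.isoformat(), e.user, e.action, e.ip)
                for e in self.audit if e.document == document and e.decision == "allowed"]

def demo():
    # Constructed scenario: a buyer with view-only, expiring access to one HR document.
    room = DataRoom()
    room.sign_nda = None  # placeholder removed below; NDA is recorded via the set directly
    room.nda_signed.add("buyer@example.com")
    room.grants[("buyer@example.com", "hr/payroll.xlsx")] = Grant(
        "buyer@example.com", "hr/payroll.xlsx", False, datetime(2025, 3, 1))
    t1, t2 = datetime(2025, 2, 10, 9, 0), datetime(2025, 3, 2, 9, 0)
    r = [room.access("buyer@example.com", "hr/payroll.xlsx", "view", "203.0.113.7", t1),
         room.access("buyer@example.com", "hr/payroll.xlsx", "download", "203.0.113.7", t1),
         room.access("bank@example.com", "hr/payroll.xlsx", "view", "198.51.100.2", t1),
         room.access("buyer@example.com", "hr/payroll.xlsx", "view", "203.0.113.7", t2)]
    return r, room.who_accessed("hr/payroll.xlsx"), [e.decision for e in room.audit]
```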
But what does the regulation require for a due diligence process?
GDPR and due diligence: what the regulation requires
Regulation EU 2016/679, the GDPR, establishes specific obligations for the processing of personal data. In M&A due diligence, the documents exchanged almost always contain personal data: employee contracts, HR data, information on clients and suppliers.
Article 32 GDPR requires the controller to adopt “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk.
Dropbox is not ISO 27001 certified for M&A contexts, does not guarantee that data is hosted on EU servers, and does not produce the documentation required to demonstrate compliance under Article 28 GDPR (the data processing agreement between controller and processor).
Dropbox is an excellent tool for what it was designed for: file sharing between people who trust each other, without legal traceability requirements.
M&A due diligence is a process in which confidential documents are shared with third-party counterparties, where access must be tracked and certified, where the GDPR imposes specific measures, and where a missing audit trail can become a legal issue after closing.
Using Dropbox for due diligence is not an economical choice: it is a choice that transfers the risk from the cost of the tool to the cost of a post-closing dispute.
A VDR like SimpleVDR starts at 99 euros per month. The cost of a breached confidentiality agreement is of a different order of magnitude.