When you close a deal and the buyer asks for proof that no document has been altered after due diligence, you have two options:
find the file exchange emailsshow a certified export with SHA-256 hash.
The second option is the one that protects you in court.
What SHA-256 is and why it is not just a technical detail
SHA-256 is a cryptographic algorithm from the SHA-2 family, developed by the NSA and standardized by NIST. It produces a unique “digital fingerprint,” called a hash, of 256 bits for any file or set of files.
Relevant properties for an M&A lawyer
Deterministic: the same file always produces the same hash.
Irreversible: the content cannot be reconstructed from the hash.
Sensitive to any change: changing even a single character in a contract produces a completely different hash.
Collision-resistant: it is computationally infeasible to find two different files with the same SHA-256 hash.
If the SHA-256 hash of the file delivered to the buyer matches the one recorded at the time of upload in the data room, you have mathematical proof that the document has not changed.
What a legal-grade certified export contains
A certified export produced by a VDR is not a simple ZIP file. It should include:
SHA-256 hash for each file
Upload timestamp
Access logs
Permission change logs
Digital signature of the package
This package is what a court-appointed technical expert or a judge can independently verify, without depending on the platform that produced it.