How to Structure Your Data Room for Investor & Lender Due Diligence

A good data room doesn’t close a deal by itself.A bad one can absolutely kill it.

Most founders build decks. Very few build underwritable data rooms – a single, coherent place where investors, lenders, auditors and lawyers can see how your story, numbers, and filings actually line up.

This guide walks you through:

• The principles of a good DD data room

• A recommended folder structure for Indian startups

• What to put where (MCA, GST, FC-GPR, DPDP, etc.)

• Access, naming, versioning and common mistakes

It’s written from the perspective of someone who’s been on the side that says “No” when the file isn’t convincing.

1. What a data room is actually for

In DD, a data room (virtual data room, VDR, or even a well-governed Drive folder) is a secure, structured document hub where third parties can review your company’s legal, financial and operational information. Ideals Virtual Data Room+2FirmRoom+2

Done well, it should:

• Give investors/lenders a 360° view without chaos

• Reduce “pls share XYZ” back-and-forth

• Show you’re serious about governance and risk

• Leave an audit trail of who saw what, when (if you use a proper VDR) Ideals Virtual Data Room+2Ideals Virtual Data Room+2

2. Core principles before you open a single folder

2.1 One source of truth

Decide: “This is the DD data room. If it’s not here, it doesn’t exist.”

No parallel WhatsApp PDFs, no mystery Excel on someone’s desktop.

2.2 Simple, logical hierarchy

Investors shouldn’t need a treasure map. Industry practice is to structure data rooms into clear top-level folders (Company, Legal, Financials, Product, People, etc.) with clean subfolders. Visible.vc+2Papermark+2

2.3 Clean names, not chaos

• Good: 2024-25_Audited_Financials_Standalone.pdf

• Bad: Final_final_new_FS_really_final2(1).xls

2.4 Access control

• Need-to-know: separate internal prep folder vs external investor view

• View-only where possible; download only when needed

• Revoke access after the process ends Carta+3Ideals Virtual Data Room+3Ideals Virtual Data Room+3

2.5 Up-to-date beats perfect

You don’t need a Hollywood-grade data room on Day 1.You do need documents that are:

• Current

• Consistent

• Not contradicting each other

3. Tools: Drive vs VDR

You can absolutely start with Google Drive / OneDrive / Dropbox.

A dedicated VDR tool adds extra things like better audit logs, granular permissions, watermarks and integrated Q&A, which become useful in bigger rounds or lender DD. Ideals Virtual Data Room+2Ideals Virtual Data Room+2

For early-stage Indian founders:

• Pre-seed/Seed: Drive/OneDrive + discipline is fine

• Larger rounds / debt / PE: consider a proper VDR

Whatever you use, the structure below still applies.

4. Recommended folder structure for Indian startup DD

Create one main folder:

Inside that, build something like this (you can tweak names, but keep the logic).

0. README & Index

0.1 / README

• One-page how to read this data room

• Short company overview

• Contact person for follow-up

0.2 / Index

• A simple table (PDF/Sheet) mapping:

  • Folder → Subfolder → Key docs

  • Status (Uploaded / Coming / Not Applicable)

This acts like a table of contents and is considered good practice in many DD/VDR checklists. FirmRoom+2Papermark+2

1. Corporate & MCA / RoC

• Certificate of Incorporation

• PAN, TAN, GST registration certificates

• MoA & AoA (and any amendments)

• INC-20A filing and acknowledgement

• Latest AOC-4, MGT-7/MGT-7A

• DIR-12, PAS-3, SH-7 and other key MCA forms

• Registered office proof / lease

• Any name change or authorised capital change docs

2. Shareholding & Cap Table

• Latest cap table (fully diluted) – both PDF and Excel

• Summary of all past rounds: pre-money, post-money, instruments, key terms

• Shareholders’ Agreement(s), SSA(s)

• ESOP policy, scheme documents and grant letters

• Share certificates / demat confirmations

• Board/Shareholder resolutions relating to past issues

3. Financials

• Audited financial statements – last 3 years (if applicable)

• Provisional/YTD financials (management accounts)

• Monthly revenue and expense breakdown (last 12–24 months)

• Bank statements (last 6–12 months, key accounts)

• Management MIS packs (if you already prepare them)

4. Tax & GST

• Income Tax Returns (company) – last 3 assessment years

• Tax audit reports (if applicable)

• GST returns – GSTR-1 and GSTR-3B for last 12–24 months

• 26AS for the company

• TDS returns and challans (esp. on salaries and contractors)

• Any major tax notices and your responses/settlements

Investors and lenders will compare GST, ITR and bank statements to spot mismatches. dealroom.net+2Visible.vc+2

5. Regulatory & Compliance

This is where your DPDP, FEMA and other sector-specific comp stuff lives.

For a typical Indian tech startup:

• DPDP / privacy:

  • Privacy policy

  • Terms of use

  • Cookie/consent policy

  • Data processing addendum with key vendors (if any)

• FDI / FEMA:

  • FIRMS Entity Master details

  • FC-GPR filings and acknowledgements

  • FIRC copies, bank KYC letters

  • Any compounding / rectification orders https://www.ahlawatassociates.com+3TaxGuru+3Reserve Bank of India+3

• Any other licences:

  • Shops & Establishment registration

  • MSME registration

  • Sector licences (NBFC, health, education etc.)

6. Product, Tech & Security

• High-level product architecture / system diagram

• List of key platforms and integrations

• Uptime, incident logs (if material)

• Security policies (passwords, access, backups, third-party vendors)

• Any pen-test / security audit reports (if cleaned and sharable)

• For deep-tech: IP, experiments, validation data can go here or in IP folder below

7. Revenue, Customers & Metrics

• Customer list (anonymised if needed at early stage)

• Top customers with basic details (contract value, tenure, sector)

• Pipeline summary (if you share it)

• Metrics pack:

  • MRR/ARR, churn, expansion, cohorts

  • CAC, LTV, payback period

  • Unit economics by product/segment

This is where you prove that the unit economics slides in your deck tie up with actual data.

8. People & ESOP

• Org chart

• Founder and key employee employment agreements

• Standard employment contract templates

• ESOP plan, policy and outstanding grants

• Consultant/contractor agreements for key roles

• Any HR policies relevant to DD (POSH, code of conduct etc.)

9. IP & Intangibles

• Trademark registrations / applications

• Copyright/technology assignment agreements from founders and key devs

• IP assignment from agencies/contractors who worked on core IP

• Domain registration proof

• Patents / patent applications (if any)

For many Indian startups, this is where DD teams find that code and brand legally still “sit” with a freelancer or ex-founder. Clean this before they point it out.

10. Contracts

Subfolders:

• 10.1 Customers – top 10–20 contracts or standard terms

• 10.2 Vendors – key infra/SaaS/service providers

• 10.3 Leases – office, warehousing, data centre

• 10.4 Partner / channel agreements

• 10.5 NDAs / other important docs

Investors may not read every page, but they’ll sample to see how you negotiate risk (indemnity, liability caps, termination, IP ownership etc.). Visible.vc+1

11. Litigation, Notices & Risk

• List of ongoing or threatened litigation

• Copies of legal notices (tax, ROC, labour, IP, consumer, etc.)

• Your responses and current status

• Settlements / orders

Hiding this here is worse than the issue itself. The right strategy is usually:

12. Board, Governance & Policies

• Board meeting minutes (recent, redacted if needed)

• Shareholder meeting minutes

• Written resolutions

• Key internal policies (approval matrices, delegated authorities etc.)

You don’t need to upload every board minute from Day 1; start with the last year and those tied to material decisions.

13. Debt, Banking & Instruments

• Existing loan agreements, sanctioned letters, facility agreements

• Security docs (hypothecation, personal/corporate guarantees)

• EMI schedules

• Covenants and compliance certificates

• Any NBFC/HFC relationships for working capital

Debt investors will go deep here; equity investors at least want to know what’s senior to them.

14. Misc / Additional Materials

• Market research you’ve commissioned

• External expert reports

• Awards / major PR that’s actually credible

• Anything else material that doesn’t fit above

5. Staging: What to show when

You don’t need to give a stranger your entire life on Day 0.

A practical approach:

Stage 1 – Pre–term sheet “light room”

• Share only high-level folders (Company overview, deck, summary metrics).

• Keep sensitive items (customer names, full contracts, salary details) for later.

Stage 2 – Post–term sheet / serious DD

• Open up the full structure above.

• Use a proper VDR if the cheque or sensitivity is high (PE, strategic, lender).

Many startup/VC checklists now explicitly recommend a staged approach with different access levels over time. Papermark+2goingvc.com+2

6. Naming, versioning & “ban the word FINAL”

Basic hygiene that saves fights later:

• Use date + clear name + version

  • 2025-03-31_Financial_Statements_Audited_v1.pdf

  • 2025-09-01_Financial_Model_v3_GrowthCase.xlsx

• Maintain a small “Version Log” (even as a note) for your key documents (model, deck).

• Decide that only one person (e.g., you + your finance lead) can overwrite those key files.

Avoid the trap of investors, lawyers and founders all looking at different versions of the truth.

7. Q&A and investor questions

Many VDR platforms have a built-in Q&A module. Ideals Virtual Data Room+2Ideals Virtual Data Room+2

If you’re using Drive/Dropbox:

• Maintain a simple “DD Q&A Tracker” sheet:

  • Column A: Question

  • Column B: Who asked

  • Column C: Folder/file where answer is supported

  • Column D: Written answer

  • Column E: Status

This becomes part of your DD narrative and forces you to keep answers evidence-backed.

8. Common mistakes founders make

• Dumping everything at once with no structure, then getting defensive when DD teams can’t find things.

• Over-sharing sensitive info too early (full customer list before basic interest is proven).

• Not aligning deck ↔ model ↔ bank statements – three conflicting stories.

• Missing basic Indian hygiene: INC-20A, FC-GPR, GST mismatches, unsigned contracts.

• Treating the data room as a one-time event, not a living asset that you keep updated.

9. One-page checklist for your DD data room