Help center Data & GDPR

Security and traceability in a data room

How the data room protects your material: invite-only by default, named access via email and one-time code, watermark, download control, a full activity log and NDA acceptance as documentation.

Updated 16 June 2026

A data room gathers confidential material for a deal — and every new participant is one more place the documents can end up. Data rooms is built so the seller side always knows who has access, what they have viewed and what they have downloaded. This article brings together the security layers in the room and where you control them.

Note

The data room is an add-on module. The security settings below are set on the individual room and can be tightened per participant or per share link.

1Invite-only by default

New rooms are set to restricted access from the start — only selected team members, admins and invited guests can see the room. You find the control on the Sharing and participants tab under the Restricted access setting with the text "Only selected team members, admins and invited guests can see the room." and the badge Restricted.

If you instead want to open the room widely, you can turn on Share with the whole workspace — but that is a deliberate choice, not the starting point.

2Named access via email and one-time code

No anonymous links. When a guest opens a share link, they must verify their email with a 6-digit one-time code (OTP) before any content is shown.

1Guest opens share link2Enters email3Receives 6-digit code by email4Verify and open

On the access page the hint reads "We'll send you a one-time code so we know who is viewing the documents." The code expires after 10 minutes, and repeated wrong attempts return "Too many attempts". The result: all activity in the room is tied to a named email.

Tip

When you create a share link, you can set role, expiry (7/30/90 days), download and NDA requirement per link. The choices are saved on the guest at first visit and can later be changed per participant under Sharing.

3Watermark on viewing

The Watermark on viewing setting is on by default. Guests' document views are stamped with their email, so a screenshot can always be traced back to the person. The setting sits under SettingsSecurity.

4Download control at three levels

You decide whether the material can leave the room at all — and can control it ever more finely:

Level Where Effect
Whole room SettingsContent & downloads, the Allow downloads setting Off = participants can only view in the app, not download
Per participant Sharing and participants, the participant's menu Downloads: off Block downloads for one person
Per share link When the link is created, "Downloads for link guests" On/off for everyone arriving via the link

If you turn off Bulk download (zip), guests cannot download everything at once either. Download-blocked documents are automatically left out of a bulk export.

5A full activity log

The Activity tab shows who viewed and downloaded what — in three views: Timeline, By participant and By document.

Guest views: per room
Downloads: per room
Most viewed file: with view count
Latest guest activity: timestamped

By participant and by document you see "{docs} documents · {views} views · {downloads} downloads" plus Sections viewed, so you can tell which tabs a guest has visited. You can filter on Guests, Files and Sharing, and pull the whole log out with Export log (CSV) (columns: Time, User, Action, Document, Details).

6NDA acceptance as documentation

If the room requires terms acceptance, the guest meets an NDA gate before the content: the title "Accept terms to access", a checkbox "I have read and accept the terms" and Accept and continue. The acceptance is recorded with timestamp and email in the activity log.

For stronger proof, you can turn on Require digital signature (off by default). Acceptance then requires an email code plus the participant's full name as a signature, and the event is logged. At closing, all NDA acceptances are gathered automatically into a CSV (Email, Signed name, Time) in the closing package.

Important

Even during GDPR clean-up of an archived room, the activity log is kept as documentation while the documents are permanently deleted.

Næste skridt