When It Comes to Virtual Data Rooms, SharePoint or Share Elsewhere?

Post Date: 02/01/2022
feature image

The journey to becoming a publicly listed company is complex, difficult, and requires coordination across several–often unrelated–parties. Thinking back on AvePoint’s own experience of going public earlier this year, I decided to share some of the challenges we faced and the solutions we implemented while collaborating on this highly confidential project.

The Early Days of Critical Collaboration

In 2019, when AvePoint began the process of raising funds through a Series C, we knew we’d need a dedicated space to store hyper-sensitive business and financial data. Additionally, this data needed to be shared in a way that gave internal teams different levels of access based on their needs while also shielding different teams—and potential investor groups—from each other.

From a data management standpoint, there are two main parts to a funding round:

  1. Compile the organization’s sensitive financial and operational data
  2. Share that data with potential investors and other 3rd parties for evaluation

As a Microsoft shop, it was a natural decision to use a standalone SharePoint site as a virtual data room (VDR), where we could aggregate and collaborate on this sensitive data.

Gathering the critical information that the investors needed meant coordinating across several internal departments. With multiple business leaders each working to produce their own piece of the puzzle, the process of pulling all this data together was daunting. To simplify things, we set up our general folder structure and then added teams to one or more folders, as needed, so they could upload (or work on) the materials relevant to them.

Scaling Up to Support Out SPAC

Fast forward a year—AvePoint made the decision to go public. Once again, we were faced with a huge task: creating and collaborating across a virtual mountain of sensitive information. While a lot of the documentation from our Series C would still be relevant, we knew that the scale and scope of this project would be much broader. We thought about how our collaboration practices would scale to accommodate larger volumes of data, coordinating across even more contributors, and granting access to more guest users, all while complying with stringent due diligence requirements. Once again, we chose to use SharePoint as a solution and I was tasked with managing AvePoint’s virtual data room for this project of a lifetime.

Our project ended in July 2021 when AvePoint began trading on Nasdaq. Here are some best practices and lessons learned from my experience administering and using SharePoint as a homegrown virtual data room:

Project Structure and Permissions

At first, we created three user groups which each had unique permissions: All-Access, Finance, and Generic. Even though everybody involved in this process was under NDA, there was no need for certain contributors to view sensitive data such as financial statements, HR records, salaries, etc.

From day 1 to day 300, our groups and permissions were constantly evolving. As more contributors were added, we had to create increasingly granular permission levels. By the end of the project, the number of user groups had more than doubled. SharePoint’s ability to host deeply nested folder structures was critical to managing these complex permission setups.

It’s important to note that, by default, only the IT admin has access to everything in the site collection. Although I was tasked with managing this virtual data room, I was not the official “administrator.” While this made sense from a risk mitigation standpoint, it presented challenges when managing permissions.

Let’s take a quick look at a real-life scenario. During our SPAC process, I was asked to add 20-30 attorneys from our law firm to the data room. First, I needed to figure out how to set up their permissions so our data would be protected. To optimize security, each attorney was given the minimum possible access required to complete their task. For example, only certain attorneys needed to see our IP documentation, financials, etc. Group A needed access to Folders 2, 3, and 7, while Group B needed 4, 6, plus two documents from Folder 7.

Starting to sound confusing? Trust me, it is. I actually kept a table in my OneNote to keep track of all these unique groups and their specific permissions. It looked something like this, only much more complicated:


Using SharePoint, our IT admin was able to add and revise permissions, move files around, and restructure the data room as needed. Looking back, it wouldn’t have been possible to anticipate these complexities. That said, had I known then what I know now, I would have recommended we set it up differently from the outset.

Admin Access & User Invitations

The process of adding a user to a tenant includes first creating them in your tenant as an external user, then adding them to a workspace, and finally sending them an invitation to log in.

Several issues to this process include:

  • Personalization: This email doesn’t show up as an invitation from “Kate” (me). Rather, it’s a generic email from AvePoint’s domain.
  • Delivery: As I added users, it was common for the invitation to be deleted or sent to spam. Further complicating things, once that invitation was sent in SharePoint, it could not be sent again.
  • Workflow: “Re-inviting” someone was a multistep process involving: 1) Deleting the user from the tenant; 2) Adding them back to the tenant; 3) Resending the invitation to the workspace.

To address many of the common issues we encountered, I created an additional companion email that outlined the invitation workflow and included additional troubleshooting tips.

Since I wasn’t the SharePoint administrator, I couldn’t confirm whether or not a user had successfully accepted their invitation. Instead, I had to go through a manual, multi-step validation process that included reaching out to our IT administrator. This step added one more link to the chain, creating additional chances for mistakes to occur.

SharePoint was designed to be administered by someone in an IT role, while a virtual data room is inherently intended to be run by a business user. If your team is considering using SharePoint as a virtual data room, keep in mind that it is not purpose-built for business leaders to own and that certain key functionality might not work as expected.

If you are an IT professional and would like to learn more about SharePoint Permissions, you can download our eBook “Ultimate Guide to SharePoint Permissions”.

Collaboration Technology Issues

Many of the external teams we worked with weren’t accustomed to using collaboration technology. While most bankers and lawyers are very technical and comfortable working with large volumes of data, many organizations in those industries only began adopting Microsoft Teams during the pandemic and weren’t fully fluent just yet. The “who owns the pen” question still came up frequently and many versions of PDF decks and documents definitely appeared.

The journey to going public is fast-paced and high pressure. As our project team worked to meet important deadlines along the way, there was an extremely low tolerance for VDR-related issues such as permissioning or file-sharing mistakes. At the first sign of resistance, the immediate response was “Never mind, I’ll just send you an attachment.” Besides the obvious security risks of sending hyper-sensitive data via email, this workaround also put me in the position of receiving data by email, and then uploading it to the VDR myself—and, of course, a complete loss of versioning and “last modified.”

Temporary Access

While there was a core team that had access to the VDR throughout the entire project, there were also many contributors who only needed temporary access. For example, one consultant only had a 3-week engagement. The ability to revise or revoke access is one of the most crucial requirements of any VDR solution. SharePoint allows users to be removed at any time, however, there is no native way to expire permissions after a set timeframe. To ensure that no one was overstaying their welcome, I would have to set reminders for myself to revoke their access. In addition to adding to my own workload, this manual process once again opened the door for human error.

Hosted Within Our Own Tenant

Hosting our virtual data room within our own tenant not only gave us peace of mind from a security standpoint, but ultimately proved helpful when it came to collaborating with internal users at AvePoint. In situations where an internal user only needed to make a one-time contribution to the project, it was typically easier to have them upload the files to an internal SharePoint site, rather than adding them to the data room and setting up granular permissions. Once their data was uploaded to the internal site, I could easily move it over to the secure data room.

Project Communications

Although our project files were managed in the virtual data room, we used Teams to manage internal conversations about action items, using different workstreams for different departments. I would typically take notes in OneNote and then share with external parties via email. Unfortunately, this resulted in several sources of truth for all project-related communications.


Closing Thoughts 

My biggest takeaway when it comes to managing complex, highly sensitive projects is that you must find a way to balance (and satisfy) several critical requirements at the same time, including:

  • Data security
  • Granular permissions
  • Guest user access
  • Seamless collaboration
  • Audit trails
  • File management
  • Project communications

AvePoint’s decision to use SharePoint provided a solid foundation for file and user management and the benefit of keeping our information close to home, however, we encountered several unexpected challenges along the way. While project activity ebbed and flowed over the course of several months, I can’t overstate the amount of time and effort I spent overseeing our data room. With the benefit of hindsight, I can say that simpler permissioning and communication flows would have likely saved me 10-15 hours per week—not to mention a lot of stress!

Data security and collaboration are, of course, very important in our day-to-day workflows. However, when you’re working on a complex project like a business transaction, the stakes are even higher. Finding the right tool to right-size your approach to collaboration security will maximize efficiency, security, and perhaps most importantly, peace of mind.

Find out how AvePoint’s modern, next-gen virtual data room, Confide, streamlines and secures confidential, project-based collaboration.

Keep up with all of our VDR content by subscribing to our blog.

Kate is AvePoint's Senior Vice President of Client Services and Product Strategy, specializing in project management, IT infrastructure, wireless service applications, and Agile project management.

View all post by Kate Faaland

Subscribe to our blog