Glossary

Plain-English definitions of the terms that come up when sharing confidential documents — for Australian businesses, professional services firms, and the people they work with.

Virtual Data Room (VDR)

Process

A secure online repository used to share confidential documents during a defined business process — typically due diligence for M&A, tax audits, regulatory submissions, or fundraising. Distinguished from generic cloud storage by per-person access controls, tamper-evident audit trails, watermarking, and the ability to revoke access without recalling files.

Due Diligence

Process

The investigation a buyer, investor or regulator performs before signing — verifying financials, contracts, IP, employee arrangements and compliance. In M&A the seller assembles documents into a VDR and the buy-side requests, reviews, and asks questions through a structured Q&A workflow.

Non-Disclosure Agreement (NDA)

Legal

A legally binding contract under which a recipient agrees not to disclose specified confidential information to third parties for an agreed period. In a data-room context the NDA is presented to each invited user before any document is viewed; acceptance is logged with timestamp, IP and the exact NDA version they accepted.

Non-Circumvention / Non-Disclosure Agreement (NCNDA)

Legal

An NDA extended with a non-circumvention clause: the recipient also agrees not to bypass the disclosing party to deal directly with introduced counterparties (brokers, suppliers, customers). Common in deal-flow and introduction scenarios where the relationship itself is the asset being protected.

Audit Trail

Security

A chronological record of every action taken on a document or data room — who, what, when, from where. An audit trail is only useful to the extent it can be trusted: an editable log proves nothing. Modern VDRs use tamper-evident logging (see below) so the trail is admissible as evidence.

Tamper-Evident Audit Log

Security

An audit log where each record cryptographically chains to the one before it (typically via a SHA-256 hash chain), so any later modification breaks the chain and is detectable. Required for evidentiary use — a regulator or court will not accept an audit log that the operator could silently rewrite.

Optical Character Recognition (OCR)

Technology

The process of extracting machine-readable text from images and scanned PDFs. In a VDR context OCR is what makes scanned tax records, contracts and statements searchable alongside native digital documents. Modern systems use AI models (e.g. Gemini, GPT-4o) for substantially better accuracy on handwriting, tables and low-quality scans than legacy OCR engines.

Dynamic Watermarking

Security

Stamping each document view with the viewer's email, IP address and timestamp at render time, so any leaked copy is attributable to a specific person and session. "Dynamic" distinguishes it from a static watermark baked into the file once: a dynamic watermark is generated separately for each viewer and each session.

Digital Rights Management (DRM)

Security

Technical controls that try to restrict what a recipient can do with a file after they receive it — prevent printing, copying, screen-recording or forwarding. In practice DRM is weaker than vendors claim: a determined viewer can always photograph the screen. Most VDR "no-download" modes are a deterrent (raise the friction) rather than a true restriction.

Email-Verification Access

Security

Authentication model where access is granted by sending a single-use code to the recipient's email address; possession of the email account proves identity. Eliminates the password-sharing problem common with password-protected files and lets the operator revoke access by disabling the access link, without having to chase down a leaked password.

Zero Trust Architecture

Security

A security model that treats every request as untrusted by default — no network is implicitly safe, every action is authorised individually, and access is the minimum necessary for the task. Applied to document sharing: every document view re-checks the user's permission and re-verifies the session, rather than granting blanket access after a single login.

Data Residency / Data Sovereignty

Compliance

The requirement that data is physically stored and processed within a specified jurisdiction. Australian businesses subject to APRA CPS 234, ASIC oversight, or government tender conditions often need data to remain on Australian infrastructure (e.g. Sydney). Residency is about where bytes live; sovereignty extends to which legal regime can compel disclosure of those bytes.

Australian Privacy Principles (APP)

Compliance

The 13 principles set by the Australian Privacy Act 1988 governing how organisations must handle personal information — collection, use, disclosure, storage, access and correction. Most relevant for document sharing: APP 11 (security of personal information) and APP 8 (cross-border disclosure).

Information Barrier (Chinese Wall)

Legal

Organisational controls that prevent confidential information from passing between groups within the same firm — for example, between an investment bank's M&A team and its trading desk. In a VDR context this typically means separate data rooms with no shared membership, plus access controls that prevent admins on one side from viewing the other.

Multi-Factor Authentication (MFA / 2FA)

Security

Requiring two or more independent factors to authenticate — typically a password (something you know) plus a time-based one-time code from an app like Authenticator (something you have). Reduces account-takeover risk by ~99% versus password-only. Mandatory on ShareAndGo for admin accounts.

Tax Audit (Australian)

Process

An Australian Taxation Office (ATO) review of a taxpayer's records to verify reported income, deductions and tax position. Typically starts with a request for documents (financials, BAS papers, bank statements, contracts) — the speed and quality of response shapes the trajectory. The ATO has stated cooperative, well-organised taxpayers receive more favourable treatment.

Q&A Workflow

Process

A structured question-and-answer process within a data room — buy-side users submit questions referencing specific documents, the seller-side answers, and every thread is logged. Critical for due diligence: it concentrates the back-and-forth in one auditable place rather than scattering it across email.

Permission Levels (Roles)

Security

The set of actions a user can take in a data room. Typical roles: Viewer (can view and download), Viewer No-Download (can view only; files render inline and never reach the recipient's disk), Editor (can upload, move and delete), and Sub-Admin (can manage users and settings, but not billing).
