18 . 05 . 2018

SECURITY Safe alternative to Dropbox in Due Diligence

‘Why should I pay for VDR when I can use Dropbox?’ – our clients ask this question sometimes. Yet the answer is not that straightforward. Dropbox and Virtual Data Room are, after all, two completely different systems created to satisfy different business needs. So, yes, Dropbox might be better suited to meet some of them, but there are tasks I wouldn’t dare undertake using it.

Both tools are online cloud platforms that allow you to create a central file repository that is available to selected users 24/7 through browsers, all around the world. What distinguishes them is the purpose for which they were created. This purpose determines the range of platform functionalities, design of features, security approach (sic!) and the range of services that are offered to customers within a given price range. Let’s take a closer look at both solutions.

What is Dropbox and when to use it?

Dropbox is a system that allows collaboration on documents, mainly internally within an organization. Team members can share and synchronize the work of the entire staff with it, which is a plus. Dropbox is a good solution for sharing current company documents such as presentations, agendas, meeting notes, sales offers, photos etc. It is also a perfect alternative to email, as far as sending large files is concerned. Dropbox safety is a compromise between usability and data protection (more on that later), so it is better to use the platform for sending non-sensitive files. The simplest way to put it would be:

Use cases

  • Teamwork
  • Cooperation between branches within one company
  • Implementation of various types of projects with low requirements for confidentiality
  • An alternative to sending large files via email
  • A central repository of corporate documents

What is Virtual Data Room and when to use it?

In contrast, a Virtual Data Room is a system created for sharing confidential data outside the company, which makes it a perfect alternative to Dropbox. The comprehensive approach to data protection, which goes far beyond IT solutions, differs greatly from Dropbox’s safety measures, assuring top confidentiality of exchanged information. You can read more about it in the article “Virtual Data Room – Everything you need to know”.

Use cases:

  • Due diligence
  • Mergers and acquisitions (sale of a company, assets or an organized part of an enterprise)
  • Issue of shares (IPO or SPO)
  • Sales of commercial real estate (office buildings, shopping centers, hotels)
  • Audit (legal, financial, pharmaceutical)
  • Sharing confidential documents with an advisor, lawyer, or auditor
  • Project implementation with an external partner
  • Joint Venture
  • Contract Management
  • Sales or licensing of pharmaceutical production
  • Credit negotiations with a bank or a bank consortium
  • Sales of debt portfolios

“Virtual Data Room is designed to make file sharing safe and to ensure that it is not possible to modify their content.”

“Dropbox is designed to make file sharing easy, collaborative, but not exactly safe.”

Dropbox vs Virtual Data Room – pros and cons

Although I represent a VDR provider, it is not my intention to discourage you from using Dropbox. I am convinced that this tool is able to meet the needs of many businesses and individual practices. When I worked at an advertising agency, I used Dropbox myself to transfer large graphic files. But these files were of low business relevance – speed and the ease of transfer were the most crucial in that case. And Dropbox seemed to work pretty well. However, with my current knowledge, I would never decide to use Dropbox to transfer sensitive data, let alone implement it in such processes as company sales, Due Diligence or audit. Why?

OBSERVATION #1: Dropbox security is limited

The key functionality of data rooms is the ability to protect stored files so that the users are unable to save a document or print it. They are only allowed to view it. Moreover, users cannot select a fragment of text and copy it or take screenshots (e.g. with Print Screen). These are key security features which make it impossible to “move” information outside the data room. Dropbox does not provide such possibilities. Sure, it has a read-only option but, in fact, it is just a marketing phrase. Enabling the read-only option does block the possibility to edit the file, but it leaves the door open to downloading the document. In the end, the function does not protect sensitive information. If users can download files to their drives, it means they can use them as they want and show them to anyone. As information owners, we lose control over the downloaded file. In Due Diligence, especially if it involves the sale of a company, lack of control over who has access to key information is a plain disaster. A situation like that has an impact on the final valuation, and if the confidential information reaches the competition, it will affect the company’s business advantage.

OBSERVATION #2: The key role of Support team

Have you ever tried calling Dropbox Support? I have. With no luck, unfortunately. And technical difficulties can affect anyone – you, the administrator, and the people invited to your project. Furthermore, you may not realize how restrictive companies’ policies regarding employee access to external systems are (Dropbox and Data Room are such systems), especially in the financial, energy, Telco and other industries. VDR providers know how to get along with the IT departments of these companies and can quickly overcome complications. When using Dropbox, you have to accept the risk and keep in mind that the user – a single employee or the whole company (e.g. the investor’s) for that matter – might not have access to the system and the data put in it because it violates the company’s policy. Most likely, no one will help you solve this issue.

OBSERVATION #3: Dropbox and VDR encryption is similar, but does not protect in the same way

Because it was designed for a different purpose than a data room, Dropbox lacks many features typical of such systems that make Due Diligence analysis easier. Cases in point are the inability to grant access per file (in Dropbox we can grant permissions per folder), an ineffective file browser, and limited reporting on what happens to the files and on users’ activity. In a data room, reports are one of the key functionalities of the system: the administrator can see details of even the smallest activity in the system, such as who uploaded or deleted documents and who viewed which file and for how long. There are also comparative sheets at hand that make it possible to evaluate the investors’ level of interest, and more. Furthermore, there is a difference in how the two platforms protect files at the level of usability. Data loaded into a VDR is encrypted using an EV SSL 256-bit certificate and thoroughly secured against information leaks and data interference. Dropbox’s file encryption is as strong (AES key), but it leaves many backdoors open that allow data interference. A file can be saved to a hard drive and re-uploaded under the same name, and deleting your account does not mean instant removal of the stored data.

“I remember the situation when the Investor blamed our client for not providing specific files in VDR. This information was so important that without it the value of the Company was much underestimated. Thanks to the reports available in VDR, we discovered that the files were actually uploaded (with details such as specific time and the user who uploaded them). Other reports showed that the Investor simply did not notice them and no one opened the files. If it hadn’t been for that insight, the Investor’s objections would have cost our client more than one million EUR.”

Michał from #FORDATAteam

OBSERVATION #4: Let’s take care of the user interface

Undoubtedly, Dropbox has advantages too. It has a nice and user-friendly interface. For those who are not afraid of “losing control”, synchronization is also an interesting feature. The system allows us to create a single folder on a computer where we can put files and they are automatically uploaded into Dropbox. In VDR, data upload has to be done manually, but this guarantees that no file will accidentally go where it shouldn’t (which can happen during synchronization). Additionally, we are certain that we have uploaded all the files that were supposed to go into the data room (I know that synchronization, not only in Dropbox, does not always work 100% correctly). No matter the purpose of the system, looking at pricing policy, Dropbox has become a more costly solution if we use it for a project where 15+ user accounts are needed. In 2022, the price of Dropbox Business Advanced for 15 users amounts to EUR 225 per month, while FORDATA VDR costs EUR 199 per month. So when facing a project that involves sharing confidential information, I don’t think using the San Francisco platform is worth the risk. The alleged Dropbox safety may simply prove too weak.
