hiveround
sign in
learn / due diligence10 min · updated 6 May 2026

How to Set Up a Data Room for Investor Diligence (Founder's Checklist)

A complete data room checklist for seed and Series A diligence — what to include, how to organise it, what to leave out, and the small touches that signal a prepared founder.

#data-room#diligence#fundraising#checklist

A data room is the structured collection of documents you share with investors during due diligence. Done well, it accelerates your round and signals competence. Done poorly, it stalls the deal for weeks while investors hunt for things and you scramble to assemble them.

This article is a complete checklist for what to include, how to organise it, and the small touches that separate a prepared founder from an unprepared one.

When to build it

Before you open the round. Not when investors ask for it.

A founder who can hand over a clean data room within an hour of the partner saying "we'd like to dig in" is dramatically ahead of a founder who needs three days to assemble one. Speed compounds.

The cost of building it pre-round is one weekend. The cost of doing it under pressure is two stressful weeks of half-finished documents and missed details that come out badly in diligence.

Where to host it

Common options:

  • Notion or Coda — flexible, easy to navigate, supports access controls.
  • Google Drive — fine for early-stage, low overhead.
  • DocSend — good for tracking who's read what.
  • Carta data rooms — integrated with cap table tooling.
  • Dedicated tools (Datasite, Intralinks) — overkill for seed; standard at growth stage.

For seed and Series A, Notion or Google Drive works well. Don't over-engineer. The content matters more than the tool.

The structure

Organise into clear top-level sections:

  1. Company overview — pitch.md, deck, founder bios, mission.
  2. Financials — P&L, cash flow, balance sheet, financial model.
  3. Customers — customer list, contracts, retention, NPS.
  4. Product & technology — architecture, repo access (if requested), roadmap.
  5. Cap table & legal — current cap table, all SAFEs, IP assignments, articles.
  6. Team — current org, hiring plan, key employee agreements.
  7. Sales & marketing — pipeline, GTM motion, CAC by channel.
  8. Compliance & risk — security posture, regulatory, insurance.

Each section is a folder with documents inside. A simple README at the top of each folder explains what's in it.

What goes in each section

1. Company overview

  • Pitch.md (canonical narrative)
  • Pitch deck (current version)
  • One-page company overview
  • Founder bios
  • Press, customer testimonials, third-party validation

2. Financials

  • Last 12–24 months P&L (monthly)
  • Last 12 months cash flow
  • Current balance sheet
  • 3-year financial model with assumptions
  • Burn rate and runway calculation
  • Revenue recognition policy
  • Key financial metrics summary (ARR, growth rate, gross margin, etc.)

3. Customers

  • Customer list with: name, ARR, start date, churn status, contract length
  • Top 10 customer overview (use case, ACV, expansion potential)
  • Cohort retention chart (monthly cohorts, retained over time)
  • NPS or other satisfaction metrics
  • Customer reference list with permissions
  • Contracts (or template + redlines for variations)

4. Product & technology

  • Product overview / one-pager
  • Architecture diagram
  • Tech stack
  • Roadmap (next 6, 12, 18 months)
  • Engineering team structure
  • AI/model architecture if relevant
  • Security and compliance overview
  • Code repository access (if specifically requested by investor)

5. Cap table & legal

  • Current cap table (Carta export or equivalent)
  • All SAFEs and convertible notes signed
  • All option grants
  • Founder employment agreements
  • Founder IP assignments
  • Contractor IP assignments (every contractor — every one)
  • Articles of incorporation, bylaws
  • Board minutes (relevant ones)
  • Trademarks, patents, IP filings

6. Team

  • Current org chart
  • Key employee agreements (CTO, head of GTM, etc.)
  • Hiring plan with named roles for next 12 months
  • Compensation philosophy and current pay bands
  • Equity grant log

7. Sales & marketing

  • GTM strategy overview
  • Sales cycle data
  • CAC by channel
  • Pipeline snapshot
  • Customer acquisition channels and current performance
  • Sales playbook / collateral examples

8. Compliance & risk

  • Security posture (SOC 2, ISO 27001 status if relevant)
  • Privacy policy, terms of service
  • Regulatory compliance (HIPAA, GDPR, etc. if relevant)
  • Insurance certificates
  • Outstanding legal matters or risks

What NOT to include

A common mistake: putting everything in the data room.

Don't include:

  • Personal information about employees (beyond what's relevant to investors).
  • Detailed customer lists with personal data.
  • Sensitive customer contracts that require NDA before disclosure.
  • Internal Slack messages, emails, meeting notes.
  • Full source code (unless specifically requested and gated).
  • Anything you wouldn't want to leak.

The data room is for investors evaluating the company. It is not your full company archive.

Access control

Tier access by stage of conversation:

  • Stage 1 (early diligence): company overview, basic financials, deck.
  • Stage 2 (deeper interest): detailed financials, customer list, product details.
  • Stage 3 (post-term-sheet): all legal documents, sensitive contracts.

Don't share everything with everyone immediately. Layered access protects you and signals that the data room is structured.

The README

Every great data room has a top-level README. Two pages, structured:

# [Company] Data Room

Last updated: [date]

## What's in here

[Brief description of each section]

## Key metrics summary

[3-line summary of the most important numbers]

## Known risks and how we think about them

[Honest acknowledgment of 2–3 things the partner should know]

## Contact

[Founder name, email, calendar link]

The "known risks" paragraph is the move that separates great founders from average ones. Surfacing what could be discovered later — instead of hiding it — builds enormous trust.

Common mistakes

Missing IP assignments. A contractor who wrote material code without a signed assignment will hold up your close. Get every assignment signed before the round. No exceptions.

Cap table that doesn't reconcile. SAFEs unaccounted for. Option grants missing. Founders' shares listed wrong. Make sure your cap table matches reality before showing it to investors.

Outdated financials. A P&L from three months ago. Update at minimum monthly during the round.

Inconsistent metrics. ARR on the deck doesn't match the data room. Investors check.

No customer references list. Investors will ask. Have 5–10 customers willing to take diligence calls, with permissions and contact info ready.

Disorganised folders. A data room that's a dumping ground signals a chaotic operator. A well-organised one signals clear thinking.

A signal of competence

The quality of your data room is read as a signal of how you run the company. A well-prepared one tells investors: this founder thinks ahead, organises information, and operates with discipline. A scrambled one tells them the opposite.

The investors you want will notice both. Build the data room before you need it. The compounding effect over a fundraise — and across founder career — is real.

We have a fuller piece on what investors actually check: what VCs actually check in due diligence.

written by hiveround editorial · drafted with ai, edited for founders

← more in due diligencedrop your pitch.md