Virtual Data Room (VDR) Infrastructure

How I got a $50k/year enterprise feature set for $900/year — and why building a VDR from scratch is a terrible idea.

By Adi Gupta · Thu Dec 18 2025

Architecture · VDR · Box Platform · Enterprise · Deal Room

How I Got Enterprise-Grade VDR Infrastructure for $75/Month

I needed to build a Deal Room — the kind of secure file vault where M&A lawyers, investors, and founders share sensitive documents. The kind that Fortune 500 companies pay six figures a year for. The kind that Box, Datasite, and Intralinks have collectively spent billions building.

My budget? Under $100 a month.

This is the architecture decision record for how I solved that — and every trap I almost fell into along the way.


The Complexity Gap (Or: Why You Shouldn't Build This)

Here's the thing about Virtual Data Rooms that most engineers don't appreciate until they're three months deep: it's not one hard problem. It's ten distinct engineering challenges, each of which has consumed entire companies.

Don't believe me? Look at who's in this space:

| Company | Revenue | People Working on This |
|---|---|---|
| Box Inc. | $1.1B | 2,800+ |
| Datasite | $355M+ | 200+ devs |
| Intralinks | $385M | 230+ engineers |
| Papermark | Open Source | An entire company just for the viewing layer |

The best way to understand the value of infrastructure is to look at who's been unable to shortcut it.

So what are these ten challenges? Here's the list I stared at for a week before accepting reality:

  1. Secure high-fidelity universal rendering — PDFs, DOCX, PPTX, XLSX, CAD files — all rendered in-browser without ever exposing the raw file. That's not an <iframe> and a prayer.
  2. The Microsoft Tax — If you want Office documents to work, you're implementing WOPI. Microsoft's protocol. It's as fun as it sounds.
  3. Dynamic revocation — Shared a file with someone? Now you need to un-share it. Instantly. After they've already opened it.
  4. Many-to-many permissioning — Zanzibar-style access control. Users, groups, folders, files, nested inheritance. This alone is a senior engineer's quarter.
  5. Immutable audit logging — Every view, download, and permission change. Tamper-proof. Chronological. Lawyers will read these logs.
  6. Malware scanning — Every uploaded file, every time. No exceptions.
  7. Save As prevention — Disabling the browser's download, print, and screenshot mechanisms. Yes, this is a cat-and-mouse game. Yes, you still have to play it.
  8. Mobile responsiveness — Full viewing fidelity on tablets and phones. Not "we'll get to it later" — compliance requires it.
  9. Encryption key rotation — Rotating keys periodically without downtime or data loss. Sounds simple. Isn't.
  10. Ongoing maintenance tax — Browser updates break things. Format specs change. Security patches are urgent. Compliance audits are annual.

Verdict: 3–6+ months for a senior team. Buy this infrastructure.

I'm not too proud to admit when buying beats building. This is one of those times.


Executive Summary

After evaluating the landscape, here's where I landed:

Box Platform, Business Plus tier. "Service Account" architecture. ~$75/month.

What that gets you:

  • SOC 2, ISO 27001, HIPAA compliance — inherited, not built
  • 200+ file format rendering in-browser
  • Fully white-labeled React components
  • Unlimited external users — no per-seat pricing trap

What I discarded — and why — is honestly the more interesting part of this story.


The Landscape (A.K.A. The Traps)

The Reseller Trap (DocSend / Dropbox)

DocSend looks great in a demo. Polished UI, solid viewer, nice analytics. Then you try to build on top of it.

There is no API. None. Zero. You cannot programmatically create rooms, manage permissions, or automate anything. It's a product for end users, not a platform for builders.

And the pricing? $65/user/month. At scale — with hundreds or thousands of external users — that's $65k+/month. For a wrapper around Dropbox's viewer.

Hard pass.

The Open Source Trap (Papermark)

Papermark is genuinely impressive open-source work. But three things killed it for my use case:

  • AGPL-3.0 — The viral clause means any derivative work must also be open-sourced. If you're building a commercial SaaS and integrating Papermark deeply, you're either open-sourcing your product or hiring a lawyer. Neither is appealing.
  • Download-first viewer — Files are downloaded to the browser before rendering. This fundamentally defeats the purpose of a secure data room. The file is on the client. Game over.
  • Email verification loops — Access control relies on email verification, which creates friction and makes embedded white-label experiences basically impossible.

"Open source" does not mean "free to use however you want." Read the license. Then read it again.

The Google Trap (Google Drive API)

Google Drive has a robust API and solid viewer — I'll give it that. But:

  • Requires Google accounts for every viewer. Try telling an M&A lawyer they need a Gmail address to review deal documents.
  • Impossible to white-label. Google's UI is Google's UI. You can embed it, but everyone knows it's Google.
  • 750 GB/day upload cap — fine for personal use, not for bulk document ingestion in a deal context.

The Google Trap is seductive because the API is good and the docs are excellent. But the constraints are architectural, not fixable.


The Box Platform Architecture

Here's what actually works — and why it works.

The "App User" Model

Box Platform uses something called App Users — headless, programmatic identities that exist only via API. They're not real Box accounts. They don't have inboxes. They don't need passwords.

Every user in our system maps to a Box App User. One service account owns everything. The end user never knows Box exists. This is the key architectural insight — Box becomes invisible infrastructure, not a visible dependency.

Downscoped Tokens: The Security Backbone

This is where it gets elegant. Box supports downscoped tokens — short-lived access tokens (15-minute TTL) scoped to a specific file with specific permissions.

  • Generated server-side, per request
  • Cannot be escalated or reused
  • Expire automatically

Every document view is a unique, time-limited, single-resource permission grant. That's the kind of security model compliance teams actually respect.
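
The server-side step described above, as an added example (not the author's code or Box's SDK): it authorizes against our own tables first, then builds the OAuth 2.0 token-exchange request for a token restricted to one file. The role names, the `roles` and `files` tables and the role-to-scope mapping are assumptions; the caller POSTs the returned form body to Box.

```python
from urllib.parse import urlencode

TOKEN_URL = "https://api.box.com/oauth2/token"
# Hypothetical deal-room roles mapped to Box scopes (assumed mapping).
# Viewers get preview scopes only, never item_download.
ROLE_SCOPES = {
    "viewer": ["base_preview", "item_preview"],
    "downloader": ["base_preview", "item_preview", "item_download"],
}


class AccessDenied(Exception):
    """Raised before any request to Box is built."""


def build_downscope_request(roles, files, user_id, file_id, parent_token):
    """Return (url, form_body) for a token limited to one file.

    roles: {(user_id, room_id): role}, our own permission table
    files: {file_id: room_id}, which room each Box file belongs to
    """
    room_id = files.get(file_id)
    if room_id is None:
        raise AccessDenied("unknown file")
    # Authorize against the file's room, not a room id supplied by the client,
    # so a member of one room cannot request a file from another.
    role = roles.get((user_id, room_id))
    if role not in ROLE_SCOPES:
        raise AccessDenied("no role in this room")
    body = urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token": parent_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "scope": " ".join(ROLE_SCOPES[role]),
        "resource": f"https://api.box.com/2.0/files/{file_id}",
    })
    return TOKEN_URL, body


if __name__ == "__main__":
    # Constructed sample data; "PARENT_TOKEN" is a placeholder.
    roles = {("alice", "room-a"): "viewer"}
    files = {"1001": "room-a", "2002": "room-b"}
    print(build_downscope_request(roles, files, "alice", "1001", "PARENT_TOKEN"))
```

Only the downscoped token returned by Box should reach the browser; the parent service-account token stays on the server.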

Box UI Elements (White-Label React Components)

Box ships a set of React components — Box UI Elements — that handle document preview, file browsing, uploads, and activity feeds. They render 200+ file formats with full fidelity.

The important part: they're fully customizable via CSS overrides. Wrap them in your own UI shell, apply your theme, and the end user sees your product — not Box.

The Pricing That Made This Decision

Here's the table that sealed it:

| Feature | Enterprise (~$1,500+/mo) | Business Plus (~$75/mo) |
|---|---|---|
| Viewer Fidelity | Full | Full |
| Compliance (SOC 2, ISO 27001, HIPAA) | Yes | Yes |
| Unlimited External Users | Yes | Yes |
| Dynamic Watermarking | Yes | No |
| Malware Shield | Yes | No |

Same viewer. Same compliance. Same unlimited external users. $75/month vs. $1,500/month.

The trade-offs — dynamic watermarking and the malware scanning shield — are real, but they're enterprise features I can upgrade to later. For an MVP, this is a no-brainer.


Technical Deep Dive

File Editing: "Lock & Load"

Viewing is straightforward. Editing is where it gets interesting.

Box uses a lock-based model — think database row locking, but for documents:

  1. Lock the file via API (prevents concurrent edits)
  2. Load into the editing interface (WOPI for Office docs)
  3. Save changes back to Box
  4. Unlock to release for other users

No real-time collaboration infrastructure needed. No operational transforms. No CRDTs. Just a clean, pessimistic lock — and it works.
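
The four steps as one function, in an added example that is not the author's code: the lock carries an expiry, and the unlock runs even when the save fails. The `http` transport and the `edit` callback (standing in for the editing interface) are hypothetical, and the example assumes the lock request fails when another user already holds the lock.

```python
import json
from datetime import datetime, timedelta, timezone

API = "https://api.box.com/2.0"
UPLOAD = "https://upload.box.com/api/2.0"


def edit_with_lock(http, file_id, edit, ttl_minutes=30, now=None):
    """Lock, load, save, unlock. Returns the lock expiry that was requested.

    http(method, url, body) is a hypothetical transport that adds auth and
    raises on any non-2xx response; edit(bytes) -> bytes stands in for the
    editing interface.
    """
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(minutes=ttl_minutes)).isoformat(timespec="seconds")
    file_url = f"{API}/files/{file_id}"
    lock = {"lock": {"access": "lock", "expires_at": expires,
                     "is_download_prevented": True}}
    # 1. Lock. If this raises (assumed: someone else holds the lock) we never
    #    enter the try block, so we cannot release a lock we do not own.
    http("PUT", file_url, json.dumps(lock))
    try:
        # 2. Load the current content.
        original = http("GET", f"{file_url}/content", None)
        # 3. Save the edited bytes as a new version.
        http("POST", f"{UPLOAD}/files/{file_id}/content", edit(original))
    finally:
        # 4. Unlock even if load or save failed. expires_at covers the case
        #    where this process dies before reaching this line.
        http("PUT", file_url, json.dumps({"lock": None}))
    return expires
```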

Deep Linking: The Scorecard

Can you link directly to page 47 of a PDF, or slide 12 of a deck? Turns out, it depends:

| Format | Deep Linking |
|---|---|
| PDF | Supported |
| PowerPoint | Supported |
| Word | Partial |
| Excel | Gap — no linking to specific sheets/cells |

The Excel gap is annoying but livable. Most deal room workflows revolve around PDFs and decks anyway.

AI / RAG Integration: The Fun Part

This is where it gets exciting — and where the architecture really pays off. Box Webhooks give us an event-driven pipeline for AI indexing.

Every document that lands in a deal room is automatically:

  1. Extracted to text via Box's text representation API
  2. Chunked and embedded
  3. Indexed in a vector database

The result? Semantic search and AI-powered Q&A across an entire deal room — without ever moving raw files outside Box's secure infrastructure.

This is the kind of capability that Datasite charges enterprise pricing for. We get the building blocks for free.
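
The indexer acts on whatever arrives at the webhook endpoint, so each delivery should be authenticated before extraction starts. This added example (not the author's code or Box's SDK) checks the delivery timestamp and the HMAC-SHA256 signature headers Box attaches, then returns the file id for an upload event; the key values, the trigger set and the lower-cased header dict are assumptions.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=10)   # reject deliveries older than this
INDEXABLE = {"FILE.UPLOADED"}     # triggers the indexer reacts to (assumed)


def sign(key: bytes, body: bytes, timestamp: str) -> bytes:
    """Base64 HMAC-SHA256 over the raw body followed by the timestamp."""
    mac = hmac.new(key, body + timestamp.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest())


def verify_webhook(headers, body, keys, now=None):
    """headers: dict with lower-cased names; keys: (primary, secondary)."""
    ts = headers.get("box-delivery-timestamp", "")
    try:
        sent = datetime.fromisoformat(ts)
    except ValueError:
        return False
    if sent.tzinfo is None:
        return False
    now = now or datetime.now(timezone.utc)
    if abs(now - sent) > MAX_AGE:
        return False
    names = ("box-signature-primary", "box-signature-secondary")
    for name, key in zip(names, keys):
        got = headers.get(name, "").encode()
        # Either key may match, so keys can be rotated one at a time.
        if key and got and hmac.compare_digest(got, sign(key, body, ts)):
            return True
    return False


def file_to_index(headers, body, keys, now=None):
    """Return the Box file id to index, or None if the delivery is rejected."""
    if not verify_webhook(headers, body, keys, now):
        return None
    event = json.loads(body)
    source = event.get("source") or {}
    if event.get("trigger") in INDEXABLE and source.get("type") == "file":
        return source.get("id")
    return None
```

Verify against the raw request bytes, before any JSON parsing or re-serialization, since the signature covers the body exactly as sent.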

CAD & Engineering Support

Almost forgot — Box has native 3D rendering for CAD files. If your deal rooms involve manufacturing, real estate development, or engineering assets, this is a massive freebie. No extra infrastructure, no third-party viewer, no additional cost.

Compliance: The Checklist

For the security-minded (and the auditors):

  • Encryption at rest: AES-256, managed by Box
  • Encryption in transit: TLS 1.2+
  • Access control: Downscoped tokens, 15-minute TTL, single-resource scope
  • Audit trail: SOC 2-compliant, immutable event logs
  • Certifications: SOC 2 Type II, ISO 27001, HIPAA, FedRAMP (Enterprise tier)

Q&A (The Questions I Got Asked)

"Is it a ToS violation to use the Business tier for thousands of external users?"

No. Box Platform's App User model is explicitly designed for this. External users are App Users managed by the service account — they don't consume seats or licenses. I confirmed this with Box's platform team.

"Where does the Deal Room business logic live?"

In our database. Box is the file storage and rendering layer — period. All deal metadata, room configuration, user roles, permissions logic, and workflow rules live in our own DB. Box is infrastructure, not a business logic layer. This is a critical architectural boundary.

"How do you actually white-label this?"

Box UI Elements (React components) + CSS overrides + our own UI shell. The end user never sees a Box logo, never visits a Box URL, never knows Box is involved. That's the whole point.


Implementation Roadmap

Phase 1 — Foundation (Week 1)

  • Box Platform app registration + service account
  • App User creation and identity mapping
  • Folder structure provisioning per deal room
  • Downscoped token generation middleware
  • Box UI Elements integration (preview, browse, upload)

Phase 2 — AI Loop (Week 2)

  • Webhook registration for file events
  • Text extraction pipeline
  • Embedding generation + vector DB ingestion
  • Semantic search endpoint

Phase 3 — Enterprise Features (As Needed)

  • Dynamic watermarking (Enterprise tier upgrade)
  • Box Shield (advanced malware scanning)
  • Custom security policies and retention rules
  • Enhanced audit reporting and export

Two weeks to a working MVP. Enterprise features available as a tier upgrade — no re-architecture required.


The Bottom Line

A $50,000/year Enterprise feature set for roughly $900/year.

I spent a week evaluating every option I could find. I fell into — and climbed out of — three separate traps. I stared at ten engineering challenges that have consumed billions in aggregate R&D spend.

And then I found a path that gives me enterprise-grade document security, universal rendering, compliance certifications, and an AI-ready integration layer — for less than the cost of a nice dinner each month.

Build the things that differentiate you. Buy the things that everyone needs but nobody should be building from scratch.

That's the decision. That's the record.