Posted by Annette TrippWho is looking out for the company?You have decided to sell the company. You have engaged the investment banker and have started soliciting expressions of interest. The investment banker is ready to set up the virtual data room (VDR)—an efficient method of distributing information about the company.Who will host the VDR? If the investment banker hosts the VDR itself, does its engagement letter cover liabilities and allocation of risk for data breaches, destruction and other relevant items? If the investment banker uses a third party to host the VDR, who are the contracting parties—the company and the VDR vendor or the investment company and the VDR vendor?It is not uncommon for the investment banker to contract with a vendor and pass through the costs to the company as a deal expense — but in that case, who is watching out for the interests of the company? Does the VDR agreement provide for all the protections that the company would need? Has the company been provided with information about security practices and procedures of the vendor? Does the company know and understand the limitations of liability that are contained in the VDR agreement?These are all questions that can be answered if the company enters into the VDR agreement directly. In that case the company is able to confirm for itself that its concerns are covered or if the company will need to take steps independently to enhance security and to take data breach preparations (including withholding ultra-sensitive information from the data room or taking steps to anonymize it). If, for whatever reason, the direct contract option is not available, the company should nonetheless be involved in reviewing and negotiating the terms and conditions of the VDR contract so that its interests are addressed.