
Data Room for IPO 2026: S-1 Checklist, Setup, and How to Choose a VDR
How to set up an IPO data room in 2026. S-1 and prospectus readiness, underwriter workflows, essential VDR features, and why 60,000+ dealmakers run IPO diligence on Papermark.
An IPO data room checklist is the master document list your company, counsel, auditors, and underwriters use to prove the business is ready to go public. It covers corporate governance, three years of audited financials, material contracts, IP, HR and compensation, litigation, regulatory filings, and underwriter diligence materials, organized in a numbered folder structure that scales from pre-IPO readiness (100-500 documents) to IPO execution (2,000-5,000+). This guide gives you the full checklist, a month-by-month preparation timeline, the eight VDR features IPO teams require, and how to run the whole workflow on Papermark, the platform 60,000+ dealmakers use for their highest-stakes transactions.
For the broader IPO workflow (SEC review cycles, provider comparison, setup steps), see the companion guide: data room for IPO in 2026.
Use this table as your readiness baseline. Every row maps to a numbered folder in the structure below. Priority reflects what underwriter counsel asks for first during diligence.
| # | Category | Core documents | Priority | Phase |
|---|---|---|---|---|
| 1 | Corporate governance | Certificate of incorporation, bylaws, board and committee minutes (3-5 years), cap table, stock plans | High | Pre-IPO + execution |
| 2 | Audited financials | 3 years audited statements, interim quarters, revenue by segment, tax returns, working capital | High | Pre-IPO + execution |
| 3 | Material contracts | Top 10-20 customer contracts, key vendor and supplier agreements, debt and credit facilities | High | Execution |
| 4 | Intellectual property | Patent and trademark registrations, license agreements, trade secret policies, OSS inventory | High | Pre-IPO + execution |
| 5 | HR and compensation | Executive employment agreements, equity grants, 409A valuations, org chart, retention agreements | High | Execution |
| 6 | Legal and litigation | Active and settled litigation, regulatory correspondence, compliance policies | High | Pre-IPO + execution |
| 7 | Regulatory and risk | SEC filings (if any), industry-specific filings, risk factor drafts, SOX internal controls | High | Execution |
| 8 | Underwriter materials | Underwriting agreement drafts, diligence memos, comfort letter support, legal opinions | Medium | Execution |
| 9 | Marketing and investor | Teaser, CIM, roadshow deck, investor presentation, IR policies | Medium | Execution |
| 10 | Strategic and operational | Business plan, KPI dashboards, competitive analysis, product roadmap (internal) | Medium | Pre-IPO |
Corporate governance is the first folder underwriter counsel opens. It proves the company has been run like a public company before it actually is one.
What to include:
How to prepare: Start collecting board minutes 12-18 months before filing. Missing or unsigned minutes are one of the most common diligence delays. Scan everything to searchable PDF. Redact executive session discussions that are not relevant to the offering. In Papermark, upload to folder 1.0 Corporate Governance and restrict access so only company management, company counsel, and the board group can view committee minutes.
IPO-specific note: Underwriters will compare your cap table against the S-1 share count disclosure. Any discrepancy between the data room cap table and the registration statement triggers a comment letter.
Three years of audited financials (US GAAP or IFRS) are non-negotiable for a US IPO. EU prospectuses require the same under IFRS.
What to include:
How to prepare: Coordinate with your audit firm early. The data room should mirror the audit workpapers structure so auditors can cross-reference without duplicate uploads. Use consistent naming: YYYY-MM-DD_AuditReport_FY2024.pdf. Keep draft and final versions in separate subfolders to avoid counsel reviewing superseded numbers.

Underwriter counsel reviews your largest revenue relationships contract by contract. Missing signatures or outdated versions are immediate red flags.
What to include:
How to prepare: Build a contract summary schedule first (counterparty, date, term, revenue impact, change-of-control provision). Then upload full PDFs behind the summary. Redact pricing where contracts allow, but never redact change-of-control clauses. Assign a contracts owner on your team who validates completeness before any external reviewer gets access.
IP diligence confirms you own what the S-1 claims you own. Tech and biotech IPOs face the deepest scrutiny here.
What to include:
How to prepare: Run an IP audit 12 months before filing. Every founder, employee, and contractor should have signed IP assignment agreements on file. The open-source inventory matters for software companies: underwriters will ask about GPL contamination and copyleft obligations. Upload the inventory as a living document and update it as new dependencies are added during the S-1 drafting period.
Executive compensation disclosure is heavily scrutinized in S-1 Item 11. The data room must support every number in the filing.
What to include:
How to prepare: Work with compensation counsel to ensure the data room matches S-1 disclosure tables exactly. 409A reports should be current (within 12 months). For EU IPOs, note that executive compensation disclosure rules differ from US S-1 Item 11, but the underlying documents are the same.
Litigation overhang kills IPO timelines. Underwriters need to see everything, settled and active.
What to include:
How to prepare: Resolve or settle immaterial litigation before filing if possible. For active cases, include a litigation summary memo with estimated exposure and insurance coverage. Never upload privileged attorney-client communications without counsel review. Create a separate subfolder for regulatory correspondence and restrict it to legal counsel and company management.
This folder supports the risk factors section of the S-1 or prospectus and proves SOX readiness.
What to include:
How to prepare: Start drafting risk factors 6 months before filing. Each risk factor should trace to a supporting document in the data room. SOX readiness is a multi-year project: the data room should show the trajectory (control design, testing results, remediation plans), not just a final memo.
This folder is populated during IPO execution, not pre-IPO readiness. It holds the work product of the banking syndicate.
What to include:
How to prepare: Scope this folder per bank. Each bookrunner's counsel should see their own diligence memos and work product, not a competing bank's. In Papermark, create viewer groups per underwriter and assign folder-level permissions accordingly.
Roadshow materials live here. They are the most widely shared documents in the data room and need the strongest access controls.
What to include:
How to prepare: Keep roadshow decks separate from the full diligence library. Many companies use a scoped link that exposes only this folder to late-stage institutional investors. Enable dynamic watermarking on every page of the roadshow deck before sharing.
This folder supports internal readiness and management presentations to the board. It is typically restricted to company management and the board during pre-IPO readiness.
What to include:
How to prepare: Label every document "internal use only" in the filename. Restrict this folder to company management and board groups. Some documents here will inform S-1 drafting but should not be shared directly with underwriters without counsel review.
Number folders for consistent sort order and unambiguous Q&A referencing. Underwriter counsel will cite documents as "Section 3.2, Customer Contract #7."
For a general data room folder template that applies across deal types, see the data room folder structure guide.
Months -18 to -12 (pre-IPO readiness begins):
Months -12 to -6:
Months -6 to -4:
Months -4 to 0 (IPO execution):
IPO diligence is not a job for Google Drive. Eight features separate a purpose-built virtual data room from generic cloud storage, and each one maps to a specific IPO workflow requirement.
Every document viewed in an IPO data room should carry a per-session watermark with the viewer's email, IP address, and timestamp. Material non-public information (MNPI) disclosure rules make this non-negotiable. Papermark stamps each page automatically on view.

Configure watermark settings per data room link. For roadshow decks shared with institutional investors, enable watermarking on every page before sending the scoped link. See dynamic watermarking for setup details.
IPO diligence involves 20-80 reviewers across competing banks, company counsel, underwriter counsel, and auditors. Each group needs different folder access, and underwriter counsel from Bank A should not see Bank B's diligence memos.

In Papermark, create viewer groups per workstream and assign folder-level view or download permissions. Company management gets full access. Each underwriter's counsel gets scoped access to relevant folders plus their own subfolder in section 8.0. Auditors get folders 2.0 and 7.0 only.
Every external reviewer should accept an NDA before accessing MNPI. Papermark supports one-click NDA acceptance and full electronic signatures on the same link that gates the data room.

Attach one NDA to the entire data room link so all 30 underwriter reviewers agree through the same flow. Every acceptance is logged next to document access in the audit trail. Read the full workflow in NDA compliance in virtual data rooms.
IPO diligence generates hundreds of questions tied to specific documents. A threaded Q&A module keeps questions organized, assigns response owners, and prevents one bank's questions from leaking to another.
Route Q&A by folder category: financial questions go to the CFO team, legal questions to company counsel, contract questions to the contracts owner. In Papermark, enable Q&A on the data room and scope visibility per viewer group.
Analytics tell you which documents each workstream is actually reading, where diligence is stalling, and which sections will drive the next SEC comment letter. This is operational intelligence, not vanity metrics.

Check analytics weekly during IPO execution. If underwriter counsel has not opened folder 6.0 (litigation) after two weeks, that is a signal to proactively address litigation disclosure in the S-1 draft.
The audit log is the evidentiary backbone of IPO compliance. It records every document upload, every viewer access, every permission change, and every NDA acceptance with timestamps. Export the full log before pricing and archive it as part of the offering record.
Underwriter counsel and company counsel both rely on this trail during SEC review and in the event of post-IPO litigation.
Underwriters and institutional investors should see your company's data room, not a vendor's logo. Custom domains and full white-labelling signal operational maturity.

Point dataroom.yourcompany.com at your Papermark data room before inviting external reviewers. First impressions matter when sovereign wealth funds and pension funds evaluate whether you are ready to be public.
SOC 2 Type II is the baseline compliance certification underwriter counsel checks for. Papermark maintains SOC 2 Type II, GDPR alignment, and HIPAA readiness. For biotech IPOs, confirm whether your VDR also supports 21 CFR Part 11 if FDA-regulated data is in the room.
YYYY-MM-DD_DocumentType_Subject.pdf). Bulk-upload preserves folder hierarchy.For step-by-step room setup, see how to build a data room in 2026. For the full IPO workflow including SEC review and provider comparison, see data room for IPO.
Start 12-18 months before filing, not 12-18 days. Missing board minutes found in month -12 can be fixed. Missing material contracts found in month -2 delay the offering.
Validate completeness before external access. Run an internal review checklist against every row in the master table above. Unsigned contracts, draft financials without watermarks, and privileged communications uploaded by mistake are the top three internal review catches.
Never share privileged communications. Attorney-client privileged documents belong in counsel's files, not the data room. When in doubt, ask company counsel before uploading.
Use group permissions, not individual invitations. IPO reviewer groups change (banks join and leave the syndicate). Group-based permissions scale; individual invitations do not.
Monitor analytics weekly during execution. Page-level analytics surface which workstreams are behind and where S-1 revisions should focus.
Export the audit log before pricing. Archive it with the offering record. You will need it for 10-K filings, follow-on offerings, and any post-IPO litigation.
Plan for post-IPO continuity. Do not delete the room after pricing. Transition it to an investor relations portal for ongoing SEC compliance and shareholder communications.
An IPO data room is the operational backbone of going public. The checklist above covers every document category underwriters, auditors, and regulators expect, organized in a structure that scales from pre-IPO readiness through SEC review and roadshow. The eight VDR features (watermarking, permissions, NDA gating, Q&A, analytics, audit log, branding, SOC 2) are not optional extras. They are what separates a diligence-ready company from one that loses weeks to document chaos.
Papermark gives IPO teams all eight on the same platform 60,000+ dealmakers already trust, from Lincoln Property ($50B AUM) to pre-IPO companies preparing their first S-1. Map your documents against this checklist, open your room, and invite counsel the same day.
The fastest way to understand what belongs in your IPO data room is to look at the companies that actually filed. Every S-1 that reached the SEC in 2024 and 2025 sat on top of a virtual data room where underwriters, auditors, and counsel pressure-tested the same categories in the checklist above. The public prospectus is only the visible tip. Underneath it, each company had to organize thousands of documents so that every risk factor, every revenue figure, and every material contract traced back to source. When you read a recent S-1, you are reading the summary of a diligence process that lived in a VDR for months.
Look at the 2024 cohort and a pattern emerges: the hardest diligence was never the boilerplate. It was the one or two things that made each business unusual. Reddit had to defend user-generated content, moderation liability, and brand-new data-licensing revenue. ServiceTitan had to explain complex preferred-stock terms alongside its vertical-SaaS metrics. Astera Labs had to prove that a handful of large customers in the AI-infrastructure supply chain were durable, not a bubble. In each case, the IPO data room carried the supporting evidence that the prospectus could only summarize in a paragraph.
That is the lesson for anyone building their own room. Your S-1 will be judged on the strength of your weakest disclosure, and your weakest disclosure is almost always the thing that makes your company interesting. Reddit, Rubrik, Astera Labs, ServiceTitan, Instacart, and Klaviyo all went public between 2023 and 2025 with very different stories, but each one needed a virtual data room disciplined enough to let underwriter counsel verify the story fast. The table below shows what each had to emphasize.
| Company | Year | Exchange & sector | Data-room focus | S-1 emphasis |
|---|---|---|---|---|
| 2024 | NYSE: RDDT — social media / online community | User-generated content records, content-moderation policies, data-licensing agreements | Risk factors around moderation liability, community backlash, and a still-unprofitable model with new AI data-licensing revenue | |
| Astera Labs | 2024 | Nasdaq: ALAB — semiconductors / AI connectivity | Customer contracts, supply-chain agreements, IP portfolio for connectivity silicon | Customer concentration and demand durability across the AI-infrastructure supply chain |
| Rubrik | 2024 | NYSE: RBRK — cybersecurity / cloud data security | Subscription and ARR schedules, security certifications, customer contracts | Subscription-revenue transition and net losses alongside recurring-revenue growth |
| ServiceTitan | 2024 | Nasdaq: TTAN — vertical SaaS for the trades | Cap table and preferred-stock terms, customer and usage metrics, financing disclosures | Complex preferred-stock and ratchet provisions disclosed alongside vertical-SaaS growth metrics |
| Instacart (Maplebear) | 2023 | Nasdaq: CART — grocery delivery / marketplace | Gig-worker classification files, retailer and advertising contracts, unit economics | Worker-classification risk, customer concentration, and growth normalization after the pandemic peak |
| Klaviyo | 2023 | NYSE: KVYO — marketing automation SaaS | Platform-partnership agreements, ARR and retention cohorts, data-processing terms | Dependence on a key platform partnership and the durability of recurring revenue |
Organizing S-1 and underwriter documents in a structured data room.
The takeaway for your own filing is direct. Map your business against the master checklist above, then ask which single category is the one underwriters will dig into hardest. If you are a consumer platform, it is content and community risk, the way it was for Reddit. If you are infrastructure, it is customer concentration, the way it was for Astera Labs. If your cap table is complicated, it is the equity and financing folder, the way it was for ServiceTitan. Build that folder first, populate it deepest, and keep it current, because that is where your IPO data room either accelerates the deal or stalls it.
None of these companies assembled that evidence in the final weeks. Each ran a diligence-ready virtual data room long before the roadshow, with the folder structure, permissions, and audit trail that let counsel work in parallel. That is exactly the workflow this checklist is built for. For the broader end-to-end process, see data room for IPO and investment banking data room, and for provider selection, best virtual data rooms in 2026.