Investor permissioning, roles, and lifecycle
Access in Waafir resolves two questions independently: who a person is and what they may do in a specific data room. A person's role lives at the organisation level and rarely changes; their permission lives at the data room level and controls how much of a deal to expose. This page covers the two ways an investor enters, the role and permission model, and the lifecycle from invitation to revocation.
Access mechanisms
There are two distinct access mechanisms. Identify which one applies first.
Registered investor. The investor signs in with their own account (via
Auth0) and is recorded against your organisation with the investor role.
Use this for an investor expected to return across a raise: they have a
durable identity, and you can change what they see over time without
re-inviting them.
Guest investor. The investor opens a share link, accepts the NDA and terms, and is issued a short-lived guest session (a signed token, valid for seven days by default) without creating an account. Use this for a wider top-of-funnel send where account friction would cost responses.
Both paths converge at runtime. When the investor opens a file, Waafir resolves their effective permission from the data room's access record. The mechanism differs; the check does not.
Organisation roles
Every member of an organisation has exactly one role, assigned per organisation. The role sets the baseline reach before any per-data-room tuning.
| Role | Who it is | Data room baseline |
|---|---|---|
owner | The organisation's creator. Full control. | Implicit manager on every data room in the org — no access record needed |
admin | Manages settings, users, and billing. | Implicit manager on every data room in the org — no access record needed |
member | A deal-team member. | Implicit access to every data room in the organisation — no per-data-room access record needed. The role tier sets what they can do, not which data rooms they reach. |
investor | An external party granted access to specific data rooms. | Must have an explicit access record for each data room they are allowed into |
Note the asymmetry: owners, admins, and members all bypass the per-data-room access table entirely — they implicitly reach every data room in their own organisation. Only investors are per-data-room: their reach is exactly the set of data rooms they hold an explicit grant for, and nothing else.
Data room permissions
Within a data room, an investor's grant carries one of four permission tiers. This controls how much of a deal an investor sees.
| Permission | View | Download | Upload | Manage |
|---|---|---|---|---|
viewer | Yes | No | No | No |
downloader | Yes | Yes | No | No |
contributor | Yes | Yes | Yes | No |
manager | Yes | Yes | Yes | Yes |
Most investors sit at viewer or downloader: they read the deal, not change it. Contributor covers the rarer case where an investor must upload — a signed term sheet or a counter-proposal. Manager is normally a deal-team tier, not an investor one.
A fine-grained override layer also exists: individual files or folders can carry their own permission that takes precedence over the data-room-level grant. Use it for exceptions ("this one investor can also see the cap table"), not as the primary mechanism. The data-room tier should carry the weight of access decisions.
What an investor never sees
Some surfaces are deal-team-only by design — a guarantee, not an implementation detail. A registered or guest investor never sees engagement analytics, audit logs, the identities of other investors, or the deal team's internal activity. The engagement analytics page details the analytics side of this boundary.
Share links and NDA gating
A share link is the entry point for guest investors. When you create one, choose its mode:
- Open — anyone with the link enters their email, accepts the NDA and terms, and is in. Best for a broad send prioritising reach.
- Restricted — only emails on the link's allow-list can enter; everyone else is turned away. Best when you know exactly who should have access.
In both modes the investor accepts the NDA and terms before any document is visible. Acceptance is recorded as a consent record — email, timestamp, IP, and user-agent — an auditable trail that the person agreed to the terms before seeing anything. Only then is the guest session issued.
The guest session does not carry the permission tier. The tier is evaluated live on every file request from the data room's access record. This is what makes a permission change or revocation take effect immediately, without waiting for a session to expire.
The investor lifecycle
A registered investor moves through a predictable arc. Each step maps to a concrete operation.
- Invite. The deal team invites the investor
(
POST /api/investors/invite), which sends a sign-in link. - NDA and terms. The investor accepts the NDA and terms before any document is reachable. Consent is recorded.
- Optional KYC / KYB. Where the deal requires it, the investor completes identity or business verification before access is fully active. The KYC and KYB page covers this flow in depth; that section ships in a sibling docs batch and the link resolves once it does.
- Active. The investor reads the data room at the granted permission tier.
- Role or permission change. The deal team adjusts what the investor
can do (
PATCH /api/investors/[id]/role) — for example, moving an investor from viewer to downloader past first screen. The change is live on the next file request. - Extension. An access grant nearing expiry can be extended
(
POST /api/investors/[id]/extend) without re-inviting. - Revocation. The deal team revokes access
(
DELETE /api/investors/[id]/access). Revocation is durable: a revoked investor cannot regain entry by re-clicking a share link, regardless of the link's mode. Only explicit reinstatement by the deal team restores access, by design.
Access requests and reinstatement
If someone reaches a restricted share link without being on the allow-list, they can request access. The request lands with the deal team, who can approve it — moving the person to a pending invite — or reject it. Approval also restores any file-level permissions the person previously held, so an approved re-entry resumes where they left off.
This covers a common case: an investor forwards the deal to a colleague, the colleague hits the link, and the deal team decides on the spot whether to grant access — without pre-enumerating every possible email.
Dynamic Watermarking
Every download is stamped with the viewer's identity in a way that fits the file format — strong burn-in for PDFs and images, PDF conversion for Word and PowerPoint, and a forensic identifier inside spreadsheets so a leaked copy still points back to who had it.
Investor engagement analytics
How the deal team sees which investors are reviewing the data room, how deeply, and which documents they are reading most. A core data-room capability that surfaces investor behaviour so the deal team can prioritise follow-up. Analytics are deal-team only — investors never see them.