Audit Logs in Virtual Data Rooms
The audit log is the most under-appreciated part of a virtual data room. It is what defends the disclosure record after closing, what evidences GDPR access controls to a supervisory authority, and what produces the SYSC 8 / DORA / FINMA evidence regulators expect.
A modern European VDR audit log should be append-only (tamper-evident), should capture document-level and page-level events, and should be exportable in machine-readable form for archiving alongside the closing binder.
Last updated: May 2026.
Events the Log Should Capture
- User added / removed / role changed.
- Login / logout, MFA challenge, IP address, geolocation.
- Document upload / replacement / deletion.
- Document view (with page-level granularity), download, print attempt.
- Q&A activity — questions asked, answers, recipients.
- Permission change — folder, document, group.
- Watermark / view-only enforcement events.
- Failed access attempts.
Tamper-Evident Construction
A defensible audit log uses cryptographic hashing: each log entry is hashed together with the previous entry's hash, forming a chain, so a change to any earlier entry invalidates every hash after it. Periodic anchoring of the hash chain to an external time-stamping service (eIDAS qualified time-stamps) raises evidentiary value. Most European VDR providers do at least the first; the leading ones do both.
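The chain construction described above, as an added Python example (not any VDR provider's code). The entry layout, field names and the all-zero genesis value are assumptions, and the external time-stamp anchor is stood in for by a head hash kept outside the log.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry

def entry_hash(prev_hash, event):
    # Canonical JSON (sorted keys, fixed separators) so an event always hashes the same way.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log, event):
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev_hash": prev_hash,
                "hash": entry_hash(prev_hash, event)})
    return log[-1]["hash"]  # head hash: the value to anchor externally

def verify(log, anchored_head=None):
    """Return (ok, reason); anchored_head is a head hash kept outside the log store."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash:
            return False, f"entry {i}: broken link to previous entry"
        if entry_hash(prev_hash, entry["event"]) != entry["hash"]:
            return False, f"entry {i}: content does not match hash"
        prev_hash = entry["hash"]
    if anchored_head is not None and prev_hash != anchored_head:
        return False, "head hash differs from anchored value"
    return True, "ok"

# Constructed sample events; field names are illustrative assumptions.
SAMPLE_EVENTS = [
    {"ts": "2026-05-04T09:00:12Z", "user": "buyer.analyst", "action": "login", "mfa": True},
    {"ts": "2026-05-04T09:02:40Z", "user": "buyer.analyst", "action": "document_view",
     "doc": "SPA-draft-v3.pdf", "page": 14},
    {"ts": "2026-05-04T09:05:03Z", "user": "buyer.analyst", "action": "download",
     "doc": "SPA-draft-v3.pdf"},
]

def build_sample_log():
    log = []
    for event in SAMPLE_EVENTS:
        head = append(log, dict(event))
    return log, head

if __name__ == "__main__":
    log, head = build_sample_log()
    print(verify(log, head))                 # intact log
    log[1]["event"]["page"] = 2              # edit one entry in place
    print(verify(log, head))
    print(verify(build_sample_log()[0][:-1]))        # truncated tail, no anchor
    print(verify(build_sample_log()[0][:-1], head))  # truncated tail, with anchor
```

A log with its last entry removed still passes chain verification on its own and fails only against the externally held head hash, which is the gap periodic anchoring closes.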
Retention Policy
Audit logs should be retained at least through the contractual claim period in the SPA (typically 2–7 years), the regulatory inspection period (5–10 years), and any GDPR statute-of-limitations period. Retention beyond what is strictly necessary should be aligned with the data-minimization principle.
Frequently Asked Questions
Are VDR audit logs admissible in European courts?
Generally yes when produced by an accredited provider with documented controls. Tamper-evident construction (hash chaining + qualified time-stamps) materially strengthens admissibility.
How long should I keep audit logs?
At minimum the SPA claim period plus any regulatory retention. Five to seven years is typical for European M&A; longer for regulated-industry transactions.