Audit Logs in Virtual Data Rooms

The audit log is the most under-appreciated part of a virtual data room. It is what defends the disclosure record after closing, what evidences GDPR access controls to a supervisory authority, and what produces the SYSC 8 / DORA / FINMA evidence regulators expect.

A modern European VDR audit log should be append-only (tamper-evident), should capture document-level and page-level events, and should be exportable in machine-readable form for archiving alongside the closing binder.

Published: May 2026. Updated: 18 June 2026.


Events the Log Should Capture

  • User added / removed / role changed.
  • Login / logout, MFA challenge, IP address, geolocation.
  • Document upload / replacement / deletion.
  • Document view (with page-level granularity), download, print attempt.
  • Q&A activity: questions asked, answers, recipients.
  • Permission change: folder, document, group.
  • Watermark / view-only enforcement events.
  • Failed access attempts.

Tamper-Evident Construction

A defensible audit log uses cryptographic hashing: each log entry is hashed with the previous entry's hash, forming a chain. Periodic anchoring of the hash chain to an external time-stamping service (eIDAS qualified time-stamps) raises evidentiary value. Most European VDR providers do at least the first; the leading ones do both.


Retention Policy

Audit logs should be retained at least through the contractual claim period in the SPA (typically 2-7 years), the regulatory inspection period (5-10 years), and any GDPR statute-of-limitations period. Retention beyond the strictly necessary should be aligned with the data-minimization principle.


Frequently Asked Questions

Are VDR audit logs admissible in European courts?

Generally yes when produced by an accredited provider with documented controls. Tamper-evident construction (hash chaining + qualified time-stamps) materially strengthens admissibility.

How long should I keep audit logs?

At minimum the SPA claim period plus any regulatory retention. Five to seven years is typical for European M&A; longer for regulated-industry transactions.