Audit Logs in Virtual Data Rooms
The audit log is the most under-appreciated part of a virtual data room. It is what defends the disclosure record after closing, what evidences GDPR access controls to a supervisory authority, and what produces the SYSC 8 / DORA / FINMA evidence regulators expect.
A modern European VDR audit log should be append-only (tamper-evident), should capture document-level and page-level events, and should be exportable in machine-readable form for archiving alongside the closing binder.
Published: May 2026. Updated: 18 June 2026.
Events the Log Should Capture
- User added / removed / role changed.
- Login / logout, MFA challenge, IP address, geolocation.
- Document upload / replacement / deletion.
- Document view (with page-level granularity), download, print attempt.
- Q&A activity: questions asked, answers, recipients.
- Permission change: folder, document, group.
- Watermark / view-only enforcement events.
- Failed access attempts.
Tamper-Evident Construction
A defensible audit log uses cryptographic hashing: each log entry is hashed with the previous entry's hash, forming a chain. Periodic anchoring of the hash chain to an external time-stamping service (eIDAS qualified time-stamps) raises evidentiary value. Most European VDR providers do at least the first; the leading ones do both.
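The chaining and anchoring described above, as an added example (not any VDR provider's code). The event field names, the all-zero genesis value and the `anchors` mapping, which stands in for chain heads recorded with an external time-stamping service, are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry
# Constructed sample events, not taken from a real data room.
SAMPLE_EVENTS = [
    {"ts": "2026-05-04T09:12:00Z", "user": "a@bidder.example", "action": "login"},
    {"ts": "2026-05-04T09:13:10Z", "user": "a@bidder.example", "action": "view", "doc": "SPA-v3.pdf", "page": 12},
    {"ts": "2026-05-04T09:15:42Z", "user": "a@bidder.example", "action": "download", "doc": "SPA-v3.pdf"},
]

def _digest(prev_hash, event):
    # Canonical JSON (sorted keys, fixed separators) so an event always hashes the same way.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(log, event):
    """Append an event, binding it to the hash of the entry before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"event": event, "prev_hash": prev_hash, "hash": _digest(prev_hash, event)}
    log.append(entry)
    return entry

def verify(log, anchors=None):
    """Return (ok, index of first bad entry). anchors maps an entry count to the
    chain head that was recorded outside the log once that many entries existed."""
    anchors = anchors or {}
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["event"]):
            return False, i  # entry edited in place, or link to predecessor broken
        prev_hash = entry["hash"]
        if anchors.get(i + 1, prev_hash) != prev_hash:
            return False, i  # chain is self-consistent but differs from the anchored head
    if any(count > len(log) for count in anchors):
        return False, len(log)  # entries covered by an anchor are missing
    return True, None

def build_sample_log():
    log = []
    for event in SAMPLE_EVENTS:
        append(log, event)
    return log

if __name__ == "__main__":
    log = build_sample_log()
    anchors = {len(log): log[-1]["hash"]}
    print(verify(log, anchors))
```

A chain rebuilt from altered events passes the internal check and fails only against the anchored head, which is why the external anchor adds evidentiary value over chaining alone.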
Retention Policy
Audit logs should be retained at least through the contractual claim period in the SPA (typically 2-7 years), the regulatory inspection period (5-10 years), and any GDPR statute-of-limitations period. Retention beyond what is strictly necessary should be aligned with the data-minimization principle.
Frequently Asked Questions
Are VDR audit logs admissible in European courts?
Generally yes, when produced by an accredited provider with documented controls. Tamper-evident construction (hash chaining + qualified time-stamps) materially strengthens admissibility.
How long should I keep audit logs?
At a minimum, the SPA claim period plus any regulatory retention. Five to seven years is typical for European M&A; longer for regulated-industry transactions.