Most Structured Digital Database (SDD) failures aren’t caused by teams that didn’t try. They’re caused by workflow design failures: unclear triggers, incomplete identity fields, and no one accountable for making entries on time. When your VDR is processing access requests from multiple parties across dozens of UPSI-tagged documents, the logging gap grows daily.
The fix is to treat every VDR access event involving UPSI as a structured “sharing event” with a defined pipeline. This article gives you that pipeline, a simple responsibility model, and a guide to fixing the most common failure modes.
VDRs are high-volume environments. During due diligence, dozens of users may access UPSI-tagged documents in a single day. Each of those interactions is a potential sharing event for SDD purposes, but deal teams rarely treat them that way in real time.
The gap is operational, not intentional:
SEBI’s SDD expectations for completeness, immutable timestamps, and quarterly certification are clear. If your workflow doesn’t produce entries close to real time, you accumulate certification risk with every unlogged access event.
The trigger isn’t “formal disclosure.” It’s when UPSI is shared or accessed. This includes view, open, and download events in a VDR.
Use this decision rule:
If yes to all three, create an SDD entry.
In practice, viewing a document in a VDR is enough to constitute access to UPSI. You don’t need a formal transmission event.
Your default target for timeliness should be same-day or within 24 hours. Late entries are allowed but must include the actual sharing timestamp (not the logging date) and a documented reason for the delay. Making late entries without noting the reason creates more audit risk than the delay itself.
VDR logs give you timestamps and user activity, but they don’t automatically provide everything an SDD entry needs. You have to map VDR data to SDD fields.
Capture these minimum fields for each entry:
Person-wise logging is essential. If five users access the same document, you need five distinct SDD entries. A single group entry will not hold up in an audit.
Never overwrite an entry. If you need to make a correction, append a new entry with the reason and a reference to the original record.
A VDR with comprehensive audit trails and granular access controls makes this mapping much easier. For example, DCirrus VDR tracks every user action with timestamps and records who accessed what under which permissions. This gives you a reliable evidence base to use when writing SDD entries. It doesn’t create the entries for you, but it removes the guesswork from the “who accessed what, when” question.
This is the core pipeline. Run it on every active deal room.
Step 1: Tag UPSI at the document and folder level
Step 2: Configure which access events to capture
Step 3: Validate user identity before access is granted
Step 4: Create a person-wise sharing event record
Step 5: Apply maker-checker controls
Step 6: Handle multi-party and cascaded sharing
Step 7: Reconcile monthly for quarterly certification readiness
Compliance can’t log every access event. You need a clear ownership map.
A simple operating cadence:
One governance principle is key: design access on a need-to-know basis. Fewer people with access to UPSI means fewer access events to log, which reduces the risk of both leaks and compliance gaps.
Expect mistakes. A defensible SDD record is separated from a problematic one by having a documented fix for each failure.
DCirrus VDR’s DRM controls, granular permissions, and dynamic watermarking help reduce the chance of a VDR access event becoming an uncontrolled redistribution. These controls embed user information, IP addresses, and timestamps on documents. While this doesn’t guarantee zero leaks or replace SDD maintenance, it narrows the gap between “UPSI was accessed” and “we know where it went.”
Build a monthly reconciliation routine so certification isn’t a fire drill.
Each month, produce a reconciliation pack that includes:
Use random sampling (even a small, consistent sample) to demonstrate control effectiveness to auditors. A 100% reconciliation claim is harder to defend than a documented sampling methodology with clear exception handling.
DCirrus exportable reports give you a structured starting point for this process. The audit trails provide the per-user, per-document data you need for sampling. You will still need to match those records to your SDD manually, as there is no built-in SEBI certification output, but the underlying evidence is already organized and exportable.
SDD failures are almost always workflow failures. The workflow described here makes compliance repeatable. Tag UPSI, define triggers, validate identity, write person-wise entries, use maker-checker controls, handle cascaded sharing, and reconcile monthly.
If you do one thing first, define your UPSI tagging and the “access event → person-wise entry within 24 hours” rule. Pilot it for two weeks on one deal room. Use the data on your gap rate and time-to-entry to tune your process before the next certification cycle.
Do we need an SDD entry for internal access within the same organization? Yes, if the person accessing UPSI was not previously aware of it. The “already-in-the-know” exception only applies to those already holding the information. Sharing that extends UPSI to a new person inside your organization still requires an entry.
If five investors access the same UPSI document, is it one entry or five? Five entries, one per person. SDD requires person-wise records for individual accountability and traceability. Each entry must have that person’s identity, their access timestamp, and the UPSI reference.
What if UPSI is shared in parts across multiple documents? Each sharing event is a separate trigger. If UPSI is fragmented across communications, document each instance individually. The cumulative picture matters for audit purposes.
How should we handle onward sharing by external advisors? Each leg of onward sharing requires its own SDD entry. For sharing you can’t directly see, rely on written confirmation from the fiduciary or counterparty. Log the confirmation method, the date, and the individuals covered.
Can the SDD be hosted on the cloud? Yes. SEBI’s Structured Digital Database requirements focus on completeness, access control, and immutability, not hosting location. Cloud hosting is fine, provided the controls meet the standard.
Are spreadsheets acceptable for SDD maintenance? They are common but risky. The main concern is the immutability requirement, as spreadsheets can be edited without a trace. If you use Excel, you need extra controls like version locking, access restrictions, and a documented audit trail for changes.
What’s a practical “late entry” note that won’t create more risk? Keep it factual and brief. State the actual date and time of the sharing event, note the date the entry was created, and give a short reason for the delay (e.g., “Entry created on [date]; sharing occurred on [date]. Delay due to [reason].”). Honesty about the timeline is key. Auditors are more concerned with accuracy than speed if the delay is acknowledged.