{"id":1514,"date":"2026-07-09T06:53:29","date_gmt":"2026-07-09T06:53:29","guid":{"rendered":"https:\/\/www.dcirrus.com\/blog\/?p=1514"},"modified":"2026-07-09T06:53:31","modified_gmt":"2026-07-09T06:53:31","slug":"sdd-compliance-vdr-access-workflow","status":"publish","type":"post","link":"https:\/\/www.dcirrus.com\/blog\/2026\/07\/sdd-compliance-vdr-access-workflow\/","title":{"rendered":"A Workflow for SEBI SDD Compliance: How to Connect VDR Access Events to the Structured Digital Database"},"content":{"rendered":"\n<p>Most&nbsp;<strong>Structured Digital Database (SDD)<\/strong>&nbsp;failures aren&#8217;t caused by teams that didn&#8217;t try. They&#8217;re caused by workflow design failures: unclear triggers, incomplete identity fields, and no one accountable for making entries on time. When your&nbsp;<a href=\"https:\/\/www.dcirrus.com\/blog\/2026\/05\/sebi-vdr-checklist-ipo\">VDR<\/a>&nbsp;is processing access requests from multiple parties across dozens of&nbsp;<strong>UPSI<\/strong>-tagged documents, the logging gap grows daily.<\/p>\n\n\n\n<p class=\"py-4\">The fix is to treat every VDR access event involving&nbsp;<strong>UPSI<\/strong>&nbsp;as a structured &#8220;sharing event&#8221; with a defined pipeline. This article gives you that pipeline, a simple responsibility model, and a guide to fixing the most common failure modes.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why do VDR access events create SDD risk in the first place?<\/h2>\n\n\n\n<p class=\"py-4\">VDRs are high-volume environments. During due diligence, dozens of users may access&nbsp;<strong>UPSI<\/strong>-tagged documents in a single day. Each of those interactions is a potential sharing event for&nbsp;<strong>SDD<\/strong>&nbsp;purposes, but deal teams rarely treat them that way in real time.<\/p>\n\n\n\n<p>The gap is operational, not intentional:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deal teams move fast, while\u00a0<strong>SDD<\/strong>\u00a0logging happens at the end of the week or later.<\/li>\n\n\n\n<li>Multiple users accessing the same document creates multiple entries that must be person-wise and time-stamped.<\/li>\n\n\n\n<li><strong>UPSI<\/strong>\u00a0is spread across folders, so not every access event is an obvious\u00a0<strong>UPSI<\/strong>\u00a0moment.<\/li>\n<\/ul>\n\n\n\n<p class=\"py-4\">SEBI&#8217;s&nbsp;<strong>SDD<\/strong>&nbsp;expectations for completeness, immutable timestamps, and quarterly certification are clear. If your workflow doesn&#8217;t produce entries close to real time, you accumulate certification risk with every unlogged access event.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What&#8217;s the correct trigger: when does a VDR event become an SDD entry?<\/h2>\n\n\n\n<p class=\"py-4\">The trigger isn&#8217;t &#8220;formal disclosure.&#8221; It&#8217;s&nbsp;<strong>when UPSI is shared or accessed<\/strong>. This includes view, open, and download events in a VDR.<\/p>\n\n\n\n<p>Use this decision rule:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Is the document or folder tagged as\u00a0<strong>UPSI<\/strong>\u00a0(or known to contain it)?<\/li>\n\n\n\n<li>Is the user outside the core &#8220;already-in-the-know&#8221; group?<\/li>\n\n\n\n<li>Did they create a new access event (view, open, download)?<\/li>\n<\/ul>\n\n\n\n<p class=\"py-4\"><strong>If yes to all three, create an SDD entry.<\/strong><\/p>\n\n\n\n<p>In practice, viewing a document in a VDR is enough to constitute access to&nbsp;<strong>UPSI<\/strong>. You don&#8217;t need a formal transmission event.<\/p>\n\n\n\n<p class=\"py-4\">Your default target for timeliness should be same-day or within 24 hours. Late entries are allowed but must include the actual sharing timestamp (not the logging date) and a documented reason for the delay. Making late entries without noting the reason creates more audit risk than the delay itself.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What fields must you capture from VDR logs to make an SDD entry audit-ready?<\/h2>\n\n\n\n<p class=\"py-4\">VDR logs give you timestamps and user activity, but they don&#8217;t automatically provide everything an&nbsp;<strong>SDD<\/strong>&nbsp;entry needs. You have to map VDR data to SDD fields.<\/p>\n\n\n\n<p>Capture these minimum fields for each entry:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Person identity<\/strong>: Full name plus PAN (or a documented alternative if PAN is unavailable), linked to the VDR user account.<\/li>\n\n\n\n<li><strong>Date and time of access<\/strong>: The immutable timestamp from the VDR log, not one entered manually.<\/li>\n\n\n\n<li><strong>UPSI reference<\/strong>: Document name or ID, plus the category of\u00a0<strong>UPSI<\/strong>\u00a0involved (e.g., financials, draft offer document, deal terms).<\/li>\n\n\n\n<li><strong>Source and recipient context<\/strong>: Who granted access and who accessed it.<\/li>\n\n\n\n<li><strong>Purpose of access<\/strong>: Due diligence, legal review, underwriting, etc.<\/li>\n\n\n\n<li><strong>NDA\/confidentiality confirmation<\/strong>: Whether the person is covered and when the agreement was executed.<\/li>\n<\/ul>\n\n\n\n<p class=\"py-4\"><strong>Person-wise logging is essential.<\/strong>&nbsp;If five users access the same document, you need five distinct&nbsp;<strong>SDD<\/strong>&nbsp;entries. A single group entry will not hold up in an audit.<\/p>\n\n\n\n<p><strong>Never overwrite an entry.<\/strong>&nbsp;If you need to make a correction, append a new entry with the reason and a reference to the original record.<\/p>\n\n\n\n<p class=\"py-4\">A VDR with comprehensive audit trails and granular access controls makes this mapping much easier. For example,&nbsp;<a href=\"https:\/\/www.dcirrus.com\/empowering-telecom-sector-due-diligence-with-dcirrus-next-gen-virtual-data-room\">DCirrus VDR<\/a>&nbsp;tracks every user action with timestamps and records who accessed what under which permissions. This gives you a reliable evidence base to use when writing&nbsp;<strong>SDD<\/strong>&nbsp;entries. It doesn&#8217;t create the entries for you, but it removes the guesswork from the &#8220;who accessed what, when&#8221; question.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is the 7-step workflow to connect VDR access events to SDD entries?<\/h2>\n\n\n\n<p class=\"py-4\">This is the core pipeline. Run it on every active deal room.<\/p>\n\n\n\n<p><strong>Step 1: Tag UPSI at the document and folder level<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Agree on what qualifies as\u00a0<strong>UPSI<\/strong>\u00a0for the deal before due diligence opens.<\/li>\n\n\n\n<li>Apply\u00a0<strong>UPSI<\/strong>\u00a0tags at the folder level where possible and flag individual documents where needed.<\/li>\n\n\n\n<li>Maintain a simple tag system (e.g., Financials, Deal Terms, Draft Offer Docs).<\/li>\n<\/ul>\n\n\n\n<p class=\"py-4\"><strong>Step 2: Configure which access events to capture<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Focus on view, open, and download events for\u00a0<strong>UPSI<\/strong>-tagged content.<\/li>\n\n\n\n<li>Avoid logging everything. Untargeted capture creates noise and dilutes accountability.<\/li>\n\n\n\n<li>Define which folders are in scope before access begins.<\/li>\n<\/ul>\n\n\n\n<p class=\"py-4\"><strong>Step 3: Validate user identity before access is granted<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Map every VDR user account to a real person with a confirmed PAN or other ID.<\/li>\n\n\n\n<li>Block shared logins. Each user must be individually identifiable.<\/li>\n\n\n\n<li>Confirm NDA status at onboarding, not after access.<\/li>\n<\/ul>\n\n\n\n<p class=\"py-4\"><strong>Step 4: Create a person-wise sharing event record<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>One access event means one\u00a0<strong>SDD<\/strong>\u00a0line item per person, per document.<\/li>\n\n\n\n<li>Include the\u00a0<strong>UPSI<\/strong>\u00a0reference, the timestamp from the VDR log, and the purpose of access.<\/li>\n\n\n\n<li>Person-wise entries are non-negotiable. Don&#8217;t batch them by session or document.<\/li>\n<\/ul>\n\n\n\n<p class=\"py-4\"><strong>Step 5: Apply maker-checker controls<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The nodal officer for the relevant function creates the entry.<\/li>\n\n\n\n<li>The\u00a0<strong>compliance<\/strong>\u00a0officer reviews exceptions and flags incomplete records.<\/li>\n\n\n\n<li>Aim for same-day entry, with a 24-hour maximum turnaround.<\/li>\n<\/ul>\n\n\n\n<p class=\"py-4\"><strong>Step 6: Handle multi-party and cascaded sharing<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If an external advisor shares\u00a0<strong>UPSI<\/strong>\u00a0onward (A \u2192 B \u2192 C), each leg requires a separate entry.<\/li>\n\n\n\n<li>For legs you can&#8217;t directly observe, rely on confirmations from counterparties or fiduciaries.<\/li>\n\n\n\n<li>Document the confirmation method and date.<\/li>\n<\/ul>\n\n\n\n<p class=\"py-4\"><strong>Step 7: Reconcile monthly for quarterly certification readiness<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pull VDR access logs for all\u00a0<strong>UPSI<\/strong>-tagged content.<\/li>\n\n\n\n<li>Match each access event to an\u00a0<strong>SDD<\/strong>\u00a0entry. Log any gaps with closure dates.<\/li>\n\n\n\n<li>Review the reconciliation pack with the\u00a0<strong>compliance<\/strong>\u00a0officer before each quarter closes.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading py-4\">Who should own each step in a merchant banking deal team?<\/h2>\n\n\n\n<p><strong>Compliance<\/strong>&nbsp;can&#8217;t log every access event. You need a clear ownership map.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Compliance Officer<\/strong>: Owns the\u00a0<strong>SDD<\/strong>\u00a0SOP, oversees entries, coordinates quarterly certification, and handles escalations.<\/li>\n\n\n\n<li><strong>Deal Lead<\/strong>: Ensures external parties complete NDAs and identity validation\u00a0<em>before<\/em>\u00a0VDR access is granted.<\/li>\n\n\n\n<li><strong>Nodal Officers (by function)<\/strong>: Responsible for confirming\u00a0<strong>UPSI<\/strong>\u00a0creation and sharing events in their area and ensuring entries are made on time.<\/li>\n\n\n\n<li><strong>IT\/Admin<\/strong>: Enforces user provisioning standards, conducts periodic access reviews, and prevents shared logins.<\/li>\n<\/ul>\n\n\n\n<p class=\"py-4\"><strong>A simple operating cadence:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Weekly<\/strong>: Review exceptions like incomplete entries or late logs.<\/li>\n\n\n\n<li><strong>Monthly<\/strong>: Conduct spot checks and prepare the reconciliation pack.<\/li>\n\n\n\n<li><strong>Quarterly<\/strong>: Prepare for certification with a final review by the\u00a0<strong>compliance<\/strong>\u00a0officer.<\/li>\n<\/ul>\n\n\n\n<p class=\"py-4\">One governance principle is key: design access on a need-to-know basis. Fewer people with access to&nbsp;<strong>UPSI<\/strong>&nbsp;means fewer access events to log, which reduces the risk of both leaks and&nbsp;<strong>compliance<\/strong>&nbsp;gaps.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What are the most common failure modes and what should you do when they happen?<\/h2>\n\n\n\n<p class=\"py-4\">Expect mistakes. A defensible&nbsp;<strong>SDD<\/strong>&nbsp;record is separated from a problematic one by having a documented fix for each failure.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Late logging<\/strong>: Record the\u00a0<em>actual<\/em>\u00a0sharing timestamp, not the logging date. Add a brief, factual reason for the delay. If it happens repeatedly, tighten your SLA.<\/li>\n\n\n\n<li><strong>Missing or incorrect PAN\/identity<\/strong>: Enforce identity validation at onboarding. Block access until minimum ID fields are confirmed. If you find an error, retroactively document the correct identifier with a reference note.<\/li>\n\n\n\n<li><strong>Overwriting or editing entries<\/strong>: Never edit an existing entry. Append a correction that references the original and explains the change.<\/li>\n\n\n\n<li><strong>Over-logging noise<\/strong>: Revisit your\u00a0<strong>UPSI<\/strong>\u00a0tagging and trigger rules. If you are creating entries for non-<strong>UPSI<\/strong>\u00a0documents, tighten your folder-level tagging.<\/li>\n\n\n\n<li><strong>Uncontrolled downloads or forwarding<\/strong>: This is where VDR access controls become a\u00a0<strong>compliance<\/strong>\u00a0input, not just a security feature.<\/li>\n<\/ul>\n\n\n\n<p class=\"py-4\">DCirrus VDR&#8217;s&nbsp;<a href=\"https:\/\/www.dcirrus.com\/blog\/2025\/11\/digital-rights-management-in-virtual-data-rooms-protecting-your-most-valuable-assets\">DRM controls<\/a>, granular permissions, and dynamic watermarking help reduce the chance of a VDR access event becoming an uncontrolled redistribution. These controls embed user information, IP addresses, and timestamps on documents. While this doesn&#8217;t guarantee zero leaks or replace&nbsp;<strong>SDD<\/strong>&nbsp;maintenance, it narrows the gap between &#8220;<strong>UPSI<\/strong>&nbsp;was accessed&#8221; and &#8220;we know where it went.&#8221;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How do you prepare for quarterly certification using VDR evidence?<\/h2>\n\n\n\n<p class=\"py-4\">Build a monthly&nbsp;<a href=\"https:\/\/www.dcirrus.com\/blog\/2026\/04\/pre-submission-audit-readiness-review-a-10-point-checklist-for-access-logs-completeness-and-q-and-a-traceability\">reconciliation routine<\/a>&nbsp;so certification isn&#8217;t a fire drill.<\/p>\n\n\n\n<p>Each month, produce a reconciliation pack that includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Top\u00a0<strong>UPSI<\/strong>-tagged folders and documents accessed.<\/li>\n\n\n\n<li>A full list of users who accessed each, with VDR-sourced timestamps.<\/li>\n\n\n\n<li>Your match rate: how many access events have a corresponding\u00a0<strong>SDD<\/strong>\u00a0entry.<\/li>\n\n\n\n<li>A gap list of unmatched events, with closure dates and documented reasons.<\/li>\n<\/ul>\n\n\n\n<p class=\"py-4\">Use random sampling (even a small, consistent sample) to demonstrate control effectiveness to auditors. A 100% reconciliation claim is harder to defend than a documented sampling methodology with clear exception handling.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.dcirrus.com\/request-a-demo\/\">DCirrus<\/a>&nbsp;exportable reports give you a structured starting point for this process. The audit trails provide the per-user, per-document data you need for sampling. You will still need to match those records to your&nbsp;<strong>SDD<\/strong>&nbsp;manually, as there is no built-in SEBI certification output, but the underlying evidence is already organized and exportable.<\/p>\n\n\n\n<h2 class=\"wp-block-heading py-4\">Summary and Next Steps<\/h2>\n\n\n\n<p><strong>SDD<\/strong>&nbsp;failures are almost always workflow failures. The workflow described here makes&nbsp;<strong>compliance<\/strong>&nbsp;repeatable. Tag&nbsp;<strong>UPSI<\/strong>, define triggers, validate identity, write person-wise entries, use maker-checker controls, handle cascaded sharing, and reconcile monthly.<\/p>\n\n\n\n<p class=\"py-4\">If you do one thing first, define your&nbsp;<strong>UPSI<\/strong>&nbsp;tagging and the &#8220;access event \u2192 person-wise entry within 24 hours&#8221; rule. Pilot it for two weeks on one deal room. Use the data on your gap rate and time-to-entry to tune your process before the next certification cycle.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">FAQ<\/h2>\n\n\n\n<p class=\"py-4\"><strong>Do we need an SDD entry for internal access within the same organization?<\/strong>&nbsp;Yes, if the person accessing&nbsp;<strong>UPSI<\/strong>&nbsp;was not previously aware of it. The &#8220;already-in-the-know&#8221; exception only applies to those already holding the information. Sharing that extends&nbsp;<strong>UPSI<\/strong>&nbsp;to a new person inside your organization still requires an entry.<\/p>\n\n\n\n<p><strong>If five investors access the same UPSI document, is it one entry or five?<\/strong>&nbsp;Five entries, one per person.&nbsp;<strong>SDD<\/strong>&nbsp;requires person-wise records for individual accountability and traceability. Each entry must have that person&#8217;s identity, their access timestamp, and the&nbsp;<strong>UPSI<\/strong>&nbsp;reference.<\/p>\n\n\n\n<p class=\"py-4\"><strong>What if UPSI is shared in parts across multiple documents?<\/strong>&nbsp;Each sharing event is a separate trigger. If&nbsp;<strong>UPSI<\/strong>&nbsp;is fragmented across communications, document each instance individually. The cumulative picture matters for audit purposes.<\/p>\n\n\n\n<p><strong>How should we handle onward sharing by external advisors?<\/strong>&nbsp;Each leg of onward sharing requires its own&nbsp;<strong>SDD<\/strong>&nbsp;entry. For sharing you can&#8217;t directly see, rely on written confirmation from the fiduciary or counterparty. Log the confirmation method, the date, and the individuals covered.<\/p>\n\n\n\n<p class=\"py-4\"><strong>Can the SDD be hosted on the cloud?<\/strong>&nbsp;Yes. SEBI&#8217;s&nbsp;<strong>Structured Digital Database<\/strong>&nbsp;requirements focus on completeness, access control, and immutability, not hosting location.&nbsp;<a href=\"https:\/\/www.dcirrus.com\/repository\">Cloud hosting<\/a>&nbsp;is fine, provided the controls meet the standard.<\/p>\n\n\n\n<p><strong>Are spreadsheets acceptable for SDD maintenance?<\/strong>&nbsp;They are common but risky. The main concern is the immutability requirement, as spreadsheets can be edited without a trace. If you use Excel, you need extra controls like version locking, access restrictions, and a documented audit trail for changes.<\/p>\n\n\n\n<p class=\"py-4\"><strong>What&#8217;s a practical &#8220;late entry&#8221; note that won&#8217;t create more risk?<\/strong>&nbsp;Keep it factual and brief. State the actual date and time of the sharing event, note the date the entry was created, and give a short reason for the delay (e.g., &#8220;Entry created on [date]; sharing occurred on [date]. Delay due to [reason].&#8221;). Honesty about the timeline is key. Auditors are more concerned with accuracy than speed if the delay is acknowledged.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Most&nbsp;Structured Digital Database (SDD)&nbsp;failures aren&#8217;t caused by teams that didn&#8217;t try. They&#8217;re caused by workflow design failures: unclear triggers, incomplete identity fields, and no one accountable for making entries on time. When your&nbsp;VDR&nbsp;is processing access requests from multiple parties across dozens of&nbsp;UPSI-tagged documents, the logging gap grows daily. The fix is to treat every VDR [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1515,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1514","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/www.dcirrus.com\/blog\/wp-json\/wp\/v2\/posts\/1514","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dcirrus.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dcirrus.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dcirrus.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dcirrus.com\/blog\/wp-json\/wp\/v2\/comments?post=1514"}],"version-history":[{"count":1,"href":"https:\/\/www.dcirrus.com\/blog\/wp-json\/wp\/v2\/posts\/1514\/revisions"}],"predecessor-version":[{"id":1517,"href":"https:\/\/www.dcirrus.com\/blog\/wp-json\/wp\/v2\/posts\/1514\/revisions\/1517"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dcirrus.com\/blog\/wp-json\/wp\/v2\/media\/1515"}],"wp:attachment":[{"href":"https:\/\/www.dcirrus.com\/blog\/wp-json\/wp\/v2\/media?parent=1514"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dcirrus.com\/blog\/wp-json\/wp\/v2\/categories?post=1514"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dcirrus.com\/blog\/wp-json\/wp\/v2\/tags?post=1514"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}