Immutable Archive — Retention Policy
Retention period, write-lock behaviour, compliance standards satisfied, and GDPR considerations for the VaultAudit immutable archive.
Every document processed by the Vault Platform with the Immutable Audit feature enabled is packaged into a tamper-evident .vpdf archive bundle and written to an Azure Blob Storage container configured with a time-based immutability (WORM) policy.
Retention Period
7 years from the date of creation (default; configurable at deployment time via the AuditRetentionDays infrastructure parameter).
During the retention period, the archived bundle is write-locked at the storage layer. It cannot be modified, overwritten, or deleted by any user, application, or administrator — including the storage account owner. This protection is enforced by Azure Blob Storage's locked immutability policy and is independent of application-level access controls.
After the retention period expires, the write-lock is lifted. The archive remains in storage and is accessible for continued reference. It is not automatically deleted. Any deletion of expired archives must be performed explicitly by an authorised administrator in accordance with your organisation's data retention and disposal procedures.
What the Archive Contains
The .vpdf bundle includes:
| Component | Description |
|---|---|
| Rendered PDF output | The final document as delivered to recipients |
| Source payload | The structured data used to generate the document |
| Document template | The template version resolved at generation time |
| Redaction policy | Any applied redaction manifest (if VaultRedact was used) |
| Generation manifest | Component hashes sufficient to independently verify and reproduce the original document at any future point in time |
This set of components is sufficient to independently verify and reproduce the original document at any future point in time.
Applicable Compliance Standards
A 7-year retention period satisfies the minimum record-keeping requirements of:
| Standard | Scope |
|---|---|
| SOX § 802 | Financial records and audit workpapers |
| IRS Rev. Proc. 98-25 | Electronic records required for tax purposes |
| EU Directive 2013/34/EU | Financial statements and related records |
| State e-invoice mandates | Most US state-level electronic invoice retention requirements |
Sector-specific regulations
Customers operating under sector-specific regulations — HIPAA, FINRA, FedRAMP, or similar — should verify that a 7-year retention period meets their specific obligations. If a longer period is required, contact your VaultPDF administrator to redeploy with an extended AuditRetentionDays value.
GDPR Considerations
Immutability is a data protection guarantee, not a disposal mechanism
The immutability policy prevents modification and deletion during the retention window — it is not a tool for disposing of data on schedule.
Customers with GDPR Article 17 (right to erasure) obligations should review whether their financial audit records are exempt under Article 17(3)(b) (retention necessary for compliance with a legal obligation or the performance of a task carried out in the public interest) before applying deletion requests to archived documents.
Where an erasure obligation applies to records that are within an active WORM retention window, customers should seek legal advice on the intersection of data protection law and financial record-keeping requirements applicable in their jurisdiction.
Event Reference
Complete reference for every VaultAudit Level 1 timeline event — event type, severity, product source, display title, and the Level 2 sub-event trails each carries.
Vault Platform for Dynamics 365 Business Central
Complete integration guide for Business Central consultants and developers. Install, configure, and extend VaultPDF with on-demand PDF generation, SharePoint storage, e-signature workflows, and audit trails.