
Compliance Documentation

When a regulator asks for evidence, or an internal audit starts, you need to find the right documents quickly and show that they haven't been tampered with. This guide walks through how to set Locker up as your compliance document store: organized for fast retrieval, protected against accidental deletion, and backed by an immutable access trail.

Screenshot: locker-compliance-workspace, a Locker workspace with documents tagged by regulation and a Legal Hold badge visible on several documents


Who This Is For

Anyone responsible for storing regulatory evidence, audit materials, policies, and procedures: compliance officers, legal operations teams, and IT security leads. You'll need upload access to manage documents and organization admin access to configure retention and legal holds.

See Roles to confirm you have the right access level.


Step 1: Organize Your Compliance Documents

Upload your policies, procedures, and evidence files to Locker. The key to making them retrievable under pressure is tagging them well from the start.

For each document, add:

  • A regulation tag (e.g., gdpr, soc2, iso27001, hipaa), so you can filter to a specific framework instantly
  • A control ID in the metadata, which maps directly to the audit request
  • A review date, so you know when each document needs to be refreshed
  • A document owner, the person responsible for keeping it current

See Organizing Documents for how to add tags and categories, and Metadata for the full list of available fields.

Screenshot: compliance-metadata-panel, a document detail panel with regulation tag, control ID, and review date fields filled in


Step 2: Protect Documents During Investigations

When litigation or a regulatory inquiry begins, place a Legal Hold on the relevant documents. A held document cannot be archived or deleted, by any user or by any automated retention policy, until the hold is explicitly removed.

See Legal Hold for how to place a hold and manage the hold log.

Screenshot: legal-hold-compliance, a document with an active Legal Hold badge in the document list


Step 3: Automate Retention

Define how long each document category must be kept. Locker archives or deletes documents automatically when their retention period expires, keeping your repository clean without manual effort and ensuring you don't retain personal data longer than permitted.

Tip: For document types with legally mandated maximum retention periods, such as certain personal data records under GDPR, configure a Delete policy to ensure documents aren't kept past the limit. For most compliance records with minimum retention requirements, use Archive.

See Retention Policies for setup and worked examples.

Screenshot: compliance-retention-policy-list, the Organization → Retention page showing active policies scoped by regulation type


Step 4: Respond to Audit Requests

When a regulator or auditor requests documents, use Search to pull them quickly:

  • Filter by tag to retrieve all documents for a specific regulation or control
  • Filter by metadata (e.g., control ID, review date) to narrow to a specific set
  • Search by content using Full-Text Search to find documents that mention a specific topic or requirement
  • Export the audit log from Organization → Audit Logs to show who accessed which documents and when

Screenshot: compliance-search-filtered, the Search page with a regulation tag filter applied, showing a narrowed list of matching documents

See Search & Filters and Compliance for audit log export steps.


The Audit Trail

Every access, download, and permission change is recorded automatically, with the user identity and timestamp, in an immutable log. You don't need to do anything to enable this: it runs for every document in Locker from the moment it's uploaded.

Screenshot: audit-log-compliance, the Audit Logs page filtered to a specific document showing a chronological event list


Next Steps