Wanted to share our experience with cross-tenant document sharing after upgrading to 23R3. We operate in multiple regions (EU, US, APAC) with separate Vault instances per regulatory requirements.
Post-upgrade, we noticed that cross-tenant sharing configurations became much more restrictive. Documents that were previously shared across our EU and US tenants for harmonized procedures are now blocked by default. The Admin Console shows new GDPR compliance controls that weren’t in 23R2.
I’m particularly interested in how others are handling this with audit trail requirements. Our quality team needs visibility into document access across tenants, but the new access logging seems to create separate audit streams per tenant rather than a consolidated view.
Has anyone successfully configured cross-tenant sharing in 23R3 while maintaining GDPR compliance and comprehensive audit trails?
After implementing 23R3 cross-tenant sharing across our global deployment, here’s what we’ve learned about balancing functionality with compliance:
Cross-Tenant Sharing Configuration: The key change in 23R3 is the introduction of granular sharing policies that map directly to GDPR transfer mechanisms. In Admin Console > Cross-Tenant Settings, you’ll now see:
- Transfer Mechanism dropdown (Standard Contractual Clauses, Binding Corporate Rules, Adequacy Decision, Derogations)
- Purpose Limitation field - explicitly state why data is being shared (e.g., “Harmonized SOP review and approval”)
- Data Minimization controls - select which document fields can cross tenant boundaries
- Retention period per transfer type
For document control specifically, we configured separate sharing policies for different document types. Critical quality documents use SCCs with 7-year retention, while training materials use BCRs with 5-year retention. This granularity is essential for demonstrating GDPR Article 5 compliance.
GDPR and Data Privacy Controls: Beyond the transfer mechanisms, 23R3 introduced several privacy-enhancing features:
- Automatic data residency validation - the system now verifies that shared documents respect regional storage requirements
- Purpose binding - documents shared for “SOP review” cannot be repurposed for “audit evidence” without explicit re-authorization
- Consent management for cross-border transfers involving personal data in documents
- Right to object workflow - users can block cross-tenant sharing of documents they authored
Implement these controls progressively. We started with EU-US transfers (highest scrutiny) and expanded to APAC once processes were validated. Document your legal basis thoroughly - regulators will ask for justification during inspections.
Audit Trail and Access Logging: The consolidated audit trail requires specific configuration. Enable ‘Extended Cross-Tenant Logging’ as mentioned earlier, but also configure:
- Cross-Tenant Event Forwarding: Admin Console > Audit Settings > Forward events to central compliance vault
- Jurisdictional Filtering: Set up saved views per region so local compliance teams see relevant logs
- Retention alignment: Ensure audit log retention matches your longest regulatory requirement (typically 10 years for FDA)
The consolidated Cross-Tenant Audit Report now supports custom filters. Create these standard views:
- Document Access by External Tenant - shows who from other regions accessed local documents
- Sharing Authorization Trail - complete chain of approvals for cross-border transfers
- Privacy Event Log - captures DSR requests and their cross-tenant processing
- Modification History Across Tenants - tracks document changes regardless of where they occurred
One gotcha: the audit trail timestamps are in the source tenant’s timezone by default. Enable ‘UTC Standardization’ in reporting settings for consistent global audit trails.
Practical Recommendations:
- Test your configuration in a sandbox environment first - cross-tenant settings can’t be easily rolled back
- Create a RACI matrix for cross-tenant document ownership - GDPR requires clear controller/processor designation
- Set up automated compliance reports that demonstrate ongoing GDPR adherence
- Train document owners on the new sharing request workflow - it’s more complex but necessary for compliance
Our global quality team now has full visibility across tenants while maintaining strict GDPR compliance. The initial setup took about 3 weeks, but the audit trail consolidation and privacy controls have actually simplified our regulatory submissions.
The audit trail separation you mentioned is actually a feature, not a bug. GDPR Article 30 requires separate processing records per jurisdiction. However, you can create a consolidated view using the Cross-Tenant Audit Report in Admin Console. It aggregates audit logs while maintaining the required jurisdictional separation. The report respects data residency requirements and only shows data the requesting user is authorized to access across tenants.
For GDPR compliance with cross-tenant sharing, make sure you’ve configured the data subject rights workflow. In 23R3, when a user in one tenant exercises their right to access or deletion, the system needs to process that request across all connected tenants. Admin Console > Privacy Controls > Cross-Tenant DSR Processing. This ensures you’re compliant with Articles 15-17 across your global deployment. The workflow automatically generates the required documentation for regulatory submissions.
Thanks for the insights. I found the Cross-Tenant Audit Report, but it’s only showing document access events, not the full audit trail including modifications and sharing changes. Is there a way to expand what’s included in the consolidated view? Our auditors want to see who shared what documents across tenants and when.
You need to enable ‘Extended Cross-Tenant Logging’ in the Admin Console. This was disabled by default in 23R3 due to the data volume it generates. Once enabled, the consolidated audit report will include document sharing events, permission changes, and cross-tenant access grants. Be aware this significantly increases your audit log storage - we saw a 40% increase in our environment. Also configure log retention policies per your regulatory requirements before enabling.