MiFID II requires investment firms to retain records of all client communications, including website content, for 5-7 years. VaultShot automates this with daily captures and cryptographic integrity verification.
No credit card required. Free plan available.
MiFID II Article 16 requires firms to retain records of all services and transactions for at least 5 years
ESMA guidelines classify website content as a form of marketing communication subject to retention
National regulators (FCA, BaFin, AMF) request historical website content during supervisory reviews
Key Information Documents (KIDs) and PRIIPs disclosures on websites must be archived with timestamps
Under MiFID II Article 16(6) and ESMA's Technical Standards, investment firms must retain records that enable regulators to reconstruct all client-facing communications. Website content falls squarely within this scope. National competent authorities across the EU regularly request website archives during thematic reviews and firm-specific supervisory examinations.
7 years
Maximum MiFID II retention requirement for some record types
MiFID II's record retention obligations are among the most prescriptive in global financial regulation. Article 16(6) requires investment firms to retain 'sufficient' records to enable the national competent authority to monitor compliance — and ESMA's Delegated Regulation 2017/565 spells out exactly what that means for digital communications. Your website's product pages, KID (Key Information Document) disclosures, cost and charges breakdowns, and marketing communications all fall within scope. The retention period ranges from five to seven years depending on the record type and member state implementation. VaultShot captures each page daily and applies SHA-256 hashing, creating the kind of verifiable, immutable record that supervisory authorities across the EU accept as evidence of compliance.
Cross-border passporting under MiFID II creates a record retention headache that most firms underestimate. If your investment firm is authorized in Ireland but passports into Germany, France, and the Netherlands, you're subject to the record retention requirements of each host state's national competent authority — and those requirements don't always align perfectly with ESMA's guidelines. BaFin's interpretation of 'marketing communication' may differ from the AMF's, and both may request website archives as part of their supervisory processes. VaultShot simplifies this by capturing your entire website regardless of which jurisdiction's rules apply. One archive, one hash standard, one set of compliance certificates — admissible across all EU member states.
The practical challenge with MiFID II website compliance is that most firms don't realize they're non-compliant until an examination is already underway. National competent authorities in the EU have shifted toward thematic reviews — industry-wide examinations that focus on specific topics like cost transparency, ESG disclosures, or marketing practices. When your firm receives a data request as part of a thematic review, you typically have 15 to 30 business days to produce archived website content. If you don't have an automated archiving system, your IT team spends those 30 days frantically trying to reconstruct website history from CMS backups, CDN logs, and developer version control — none of which carry the cryptographic integrity proof that regulators prefer. VaultShot makes the data request a five-minute task instead of a month-long fire drill.
Every feature is designed to produce evidence that regulators accept.
Every screenshot is cryptographically hashed at capture time. Any modification — even a single pixel — produces a different hash, proving the file is original.
Screenshots are stored on AWS S3 with WORM-grade immutability. Files cannot be deleted or overwritten — meeting FINRA 17a-4 and SEC requirements.
Set it and forget it. VaultShot captures your website on your schedule — hourly, daily, or weekly — ensuring no gaps in your compliance timeline.
Each capture generates a professional PDF with hash, timestamp, metadata, and screenshot preview — ready to hand directly to auditors or regulators.
Anyone can verify a screenshot's authenticity by uploading it or pasting its hash. Provides instant, independent proof that the file is untampered.
VaultShot automatically detects and dismisses cookie consent banners before capture — ensuring clean, unobstructed screenshots every time.
Same SHA-256 hashing standard. Fraction of the cost.
| Feature | VaultShot — $19/mo | PageFreezer — $500+/mo | Smarsh — $1,000+/mo |
|---|---|---|---|
| SHA-256 Hashing | ✓ | ✓ | ✓ |
| Automated Captures | ✓ | ✓ | ✓ |
| PDF Certificates | ✓ | ✓ | ✓ |
| Self-Service Signup | ✓ | ✗ | ✗ |
| Month-to-Month Billing | ✓ | ✗ | ✗ |
| Setup in Minutes | ✓ | ✗ | ✗ |
| Monthly Price | $19/mo | $500+/mo | $1,000+/mo |
Try the free snapshot tool — no account needed. Or go Pro for $19/mo with daily automated captures, hash verification, and PDF certificates.
No credit card required. Cancel anytime.