SOX §802 imposes criminal liability for knowingly destroying or falsifying records that are "made or kept in connection with" a financial transaction — a standard that courts have applied broadly to financial service documents, not just audit records. ISO 27001:2022 A.5.28 independently mandates preservation of evidence for legal proceedings. For fintech products, compliance document archives are the primary evidence in CFPB examinations, FTC investigations, and customer disputes. A company that operates a financial product but maintains only the current version of its Terms and Privacy Policy has no ability to prove what disclosures a user accepted at the time of signup — a critical gap in any dispute resolution or regulatory examination.
Rated low because compliance archives are a defense-in-depth control rather than a direct user-facing disclosure; their absence, however, makes legal disputes and regulatory examinations significantly harder to defend.
Implement a versioned legal document archive at app/legal/archive/page.tsx. Store historical PDFs or versioned HTML in public/legal/ and index them with effective dates:
// app/legal/archive/page.tsx
// Index of historical versions, newest first. Effective dates are kept as ISO
// strings so they render identically on server and client.
const termsHistory = [
  { version: '2.1', effectiveDate: '2024-02-01', href: '/legal/terms-v2.1.pdf' },
  { version: '2.0', effectiveDate: '2023-06-15', href: '/legal/terms-v2.0.pdf' },
]

export default function LegalArchive() {
  return (
    <section>
      <h1>Legal Document Archive</h1>
      <h2>Terms &amp; Conditions</h2>
      <ul>
        {termsHistory.map(({ version, effectiveDate, href }) => (
          <li key={version}>
            <a href={href}>Version {version}</a> — effective {effectiveDate}
          </li>
        ))}
      </ul>
    </section>
  )
}
At minimum, archive Terms, Privacy Policy, and any fee schedules. Link the archive from the footer alongside current documents.
ID: finserv-disclosure.presentation-quality.compliance-archive
Severity: low
What to look for: Enumerate all legal documents in the project (Terms & Conditions, Privacy Policy, fee schedules, TILA disclosures). For each, check whether at least 2 historical versions are maintained — either on a dedicated archive page, in a database table, in version control with tagged dates, or as versioned PDFs in the public/ directory.
Pass criteria: At least 2 historical versions of at least 1 key legal document (Terms, Privacy Policy, or fee schedule) are maintained and accessible. The archive includes version numbers and effective dates for each version. Quote the file path of the archive page or the directory where historical versions are stored.
Fail criteria: Only the current version of all legal documents exists; no historical versions are maintained or accessible anywhere in the codebase.
Skip (N/A) when: The project is less than 3 months old and documents have never been updated since initial creation.
Detail on fail: Quote the document locations found. Example: "Privacy Policy at app/privacy/page.tsx and Terms at app/terms/page.tsx are current-version only. No archive page exists. No versioned PDFs in public/. Users cannot view previous versions."
Remediation: Implement a document versioning system in app/legal/archive/page.tsx:
// app/legal/archive/page.tsx
interface DocumentVersion {
  version: string
  effectiveDate: Date
  url: string
}

// Historical versions, newest first. A date-only string such as '2024-02-01'
// is parsed as UTC midnight, so it must also be rendered in UTC (see below).
const termsArchive: DocumentVersion[] = [
  {
    version: '2.1',
    effectiveDate: new Date('2024-02-01'),
    url: '/legal/terms-v2.1.pdf',
  },
  {
    version: '2.0',
    effectiveDate: new Date('2023-06-15'),
    url: '/legal/terms-v2.0.pdf',
  },
]

export default function LegalArchive() {
  return (
    <div>
      <h1>Document Archive</h1>
      <h2>Terms &amp; Conditions</h2>
      <ul>
        {termsArchive.map((doc) => (
          <li key={doc.version}>
            {/* timeZone: 'UTC' prevents a UTC-midnight date from displaying as the previous day in time zones west of UTC */}
            Version {doc.version} (effective {doc.effectiveDate.toLocaleDateString(undefined, { timeZone: 'UTC' })})
            — <a href={doc.url}>View PDF</a>
          </li>
        ))}
      </ul>
    </div>
  )
}
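An archive index is only useful as evidence if its entries are well-formed and the product can answer which version a given user accepted. The following TypeScript is an added example, not code from the rule text above or from any project; the DocumentVersion shape, the isValidIsoDate, validateArchive and versionInEffectOn helpers, and the sample versions, dates and file names are all assumptions for illustration. It keeps effective dates as ISO strings rather than Date objects so no time-zone shift can move a date to the previous day, checks the pass criteria listed above (at least two versions, each with a version number and effective date) plus uniqueness and ordering, and resolves the version in effect on a given date such as a user's signup date.

```typescript
// Added example (not part of the original rule text or any project's code):
// helpers over a versioned legal-document index like the one in the remediation.
// DocumentVersion, isValidIsoDate, validateArchive and versionInEffectOn are assumed names.

export interface DocumentVersion {
  version: string       // e.g. '2.1'
  effectiveDate: string // 'YYYY-MM-DD'; kept as a string so no time-zone shift can alter the day
  url: string           // path under public/legal/
}

// Constructed sample archive with made-up versions, dates and file names, newest first.
export const termsArchive: DocumentVersion[] = [
  { version: '2.1', effectiveDate: '2024-02-01', url: '/legal/terms-v2.1.pdf' },
  { version: '2.0', effectiveDate: '2023-06-15', url: '/legal/terms-v2.0.pdf' },
  { version: '1.0', effectiveDate: '2022-01-10', url: '/legal/terms-v1.0.pdf' },
]

const ISO_DATE = /^\d{4}-\d{2}-\d{2}$/

// Strict calendar-date check: the string must round-trip through Date unchanged,
// which rejects both malformed input and impossible days such as 2024-02-30
// (engines that roll Feb 30 over to March fail the round-trip; engines that
// return an invalid date fail the NaN check).
export function isValidIsoDate(s: string): boolean {
  if (!ISO_DATE.test(s)) return false
  const t = Date.parse(`${s}T00:00:00Z`)
  return !Number.isNaN(t) && new Date(t).toISOString().slice(0, 10) === s
}

// Checks the pass criteria (at least two versions, each with a version number,
// a valid effective date and a location) plus integrity properties that make the
// archive usable as evidence: unique versions and URLs, and strictly descending
// effective dates so "which version applied on date X" has exactly one answer.
export function validateArchive(archive: DocumentVersion[]): string[] {
  const problems: string[] = []
  if (archive.length < 2) problems.push('fewer than 2 versions retained')
  const seenVersions = new Set<string>()
  const seenUrls = new Set<string>()
  archive.forEach((doc, i) => {
    if (!doc.version) problems.push(`entry ${i}: missing version`)
    if (!isValidIsoDate(doc.effectiveDate)) problems.push(`entry ${i}: invalid effectiveDate`)
    if (!doc.url) problems.push(`entry ${i}: missing url`)
    if (seenVersions.has(doc.version)) problems.push(`entry ${i}: duplicate version ${doc.version}`)
    if (seenUrls.has(doc.url)) problems.push(`entry ${i}: duplicate url ${doc.url}`)
    seenVersions.add(doc.version)
    seenUrls.add(doc.url)
    if (i > 0 && archive[i - 1].effectiveDate <= doc.effectiveDate) {
      problems.push(`entry ${i}: effective dates must be strictly descending`)
    }
  })
  return problems
}

// Resolves which version governed on a given date, e.g. a user's signup date,
// so the product can show exactly what that user accepted. ISO date strings
// compare correctly as plain strings. Returns null if no version was yet in effect.
export function versionInEffectOn(archive: DocumentVersion[], isoDate: string): DocumentVersion | null {
  if (!isValidIsoDate(isoDate)) throw new Error(`not a YYYY-MM-DD date: ${isoDate}`)
  const newestFirst = [...archive].sort((a, b) => b.effectiveDate.localeCompare(a.effectiveDate))
  return newestFirst.find((doc) => doc.effectiveDate <= isoDate) ?? null
}
```

Such a module could sit beside the archive page and be run in CI, so that a change that drops a historical version, reuses a version number or reorders the index is caught before it reaches production and the archive loses its evidentiary value.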