CEA - Data storage explained

The Compliant Email Archive (CEA) captures and stores every message sent or received in a separate, secure, tamper-proof database in the cloud. Archived messages are de-duplicated, compressed, indexed and encrypted. This article details exactly where this data is stored, and what encryption and security protocols are applied to it.

Where is email data stored?

The Europe region stores log data on Amazon's AWS platform - specifically, the Frankfurt datacentre.

The archiving service stores copies of journaled email messages securely. Emails are transferred into the archive either via SMTP from the customer’s mail server, or collected via a polling process from a dedicated journal mailbox on the on-premise mail server via Exchange Web Services (EWS), or via IMAP connections.

What type of encryption is used?

Every archived message is given a unique ID, digitally fingerprinted, encrypted, compressed, timestamped, fully indexed and written to the storage system. All messages at rest are encrypted using 256-bit Advanced Encryption Standard (AES-256). Data is stored in separate storage repository folders for each customer. Each tenant repository has its own unique encryption key for the archived data. By default, each tenant will use the Global Encryption key, which is set up during account creation. By default, the solution keeps the emails indefinitely. Specific retention periods are available on request.

What access is available for my archived data?

A secure HTTPS/TLS portal provides the ability to search the archived messages by date, sender, recipient, keywords in the body and/or attachments. Access to the portal can be within Outlook via a web-enabled folder or through any mainstream web browser. The following pre-defined user roles are available:

  • Standard / Basic (LDAP) Users – access to their own nominated email addresses
  • Privileged Users – eDiscovery users who can access all/subset of the archived emails within a single tenant, with comprehensive audit trails showing which emails have been searched for and opened
  • Data Guardian Users – Data Guardian users have access to audit trails within a single tenant and are able to review Privileged User searches
  • Privileged & Delete Users – similar to Privileged Users, with the extended functionality to be able to delete emails from the archive in an audited manner (for example within a ‘Right To Be Forgotten’ process)
  • Administrators – no access to search the archive but can administer accounts and basic settings.

What is the availability of the archiving platform?

The archiving platform is delivered as a high availability clustered environment layered with Kubernetes and Zookeeper to seamlessly orchestrate archiving activity at very high scale. The environment is load-balanced enabling for load to be shared across the environment.

How did we do?