Skip to content

Piler Enterprise Compliance Overview#

This documentation applies to Piler enterprise edition 2.1.0+

Revision #1

Publication date: 2025-DEC-16

Piler Enterprise Compliance Overview#

This document provides a truthful and detailed overview of Piler Enterprise’s capabilities related to regulatory compliance, security standards, and operational safeguards. All features are accurate as implemented. Final compliance depends on deployment configuration, operational practices, and customer environment.

GDPR / Data Protection#

Capabilities:

  • Configurable retention periods per mailbox or data type.
  • Facilitates data subject access requests (DSAR) via eDiscovery search and export.
  • Supports right-to-erasure requests.
  • Access logging for auditing purposes.

Notes / Caveats:

  • User IDs and email addresses are treated differently; GDPR obligations must be interpreted contextually.
  • Audit logs provide evidence of access but cannot prevent malicious insiders from performing actions with sufficient privileges.
  • Encryption keys may reside locally; separation depends on deployment choice.

HIPAA (Health Information / PHI)#

Capabilities:

  • Emails and attachments can be encrypted at rest (AES-256) and optionally in transit (TLS for remote database connections).
  • Role-based access control separates administrators, auditors, and other users.
  • Access and export actions are fully logged.
  • On-premise deployment supported.

Notes / Caveats:

  • Default deployments often colocate MySQL and archive; TLS encryption is recommended but optional in this topology.
  • PHI protection relies on operational configuration: audit logs, TLS, encryption key management, and retention policies.
  • No Business Associate Agreement (BAA) is provided; separate agreements must be arranged if required.

SEC Rule 17a-4#

Capabilities:

  • Emails can be stored on WORM-compatible object storage (e.g., S3 Object Lock) if enabled.
  • SHA-256 hashes of all messages are stored in metadata tables; verified on retrieval.
  • Optional TSA verification aggregates message hashes for independent, cryptographically verifiable timestamps.
  • Audit logs record all administrative and user actions; optionally forwarded to external SIEM or log management systems.
  • eDiscovery export allows searches by date, sender/recipient, keywords, and supports hash verification.
  • Configurable retention policies prevent application-level deletion; enforcement depends on storage choice and configuration.

Notes / Caveats:

  • Tamper-evidence and WORM functionality depend on correct configuration (object locking, TSA cron jobs, SIEM externalization).
  • A malicious administrator with full privileges could bypass local controls.
  • Full SEC 17a-4 compliance requires external immutable storage and independent audit/log retention.

Industry Security Principles#

Capabilities:

  • Developed following secure coding practices, including OWASP Top 10 guidelines.
  • Security reviews conducted regularly (code scans, dependency checks, configuration audits).
  • Optional external monitoring and logging (SIEM) supports incident detection and investigation.

Notes / Caveats:

  • Security effectiveness relies on operational configuration and administrative practices.
  • Internal controls cannot fully prevent malicious administrators from bypassing local safeguards.

General Guidance#

  • The archive provides technical safeguards to support regulatory compliance.
  • Final compliance depends on customer configuration, operational policies, and independent verification.
  • Piler Enterprise provides strong technical safeguards; for high-assurance scenarios, customers may consider additional layers such as external immutable storage to further strengthen tamper-evidence.
  • Customers and auditors are encouraged to review deployment, configuration, and operational practices to determine suitability for their use case.