
Email archive of record

Purview plus MxVault — the four-state answer to email retention.

For FSCA-regulated, JSE-listed, and records-retention-bound organisations — and the M365 teams who advise them. MxVault is a tamper-proof, journal-based email archive on an independent hyperscaler. Complementary to Microsoft Purview, not a competitor.

Three ways email records fail you

Each one is a real risk on our register. Each has a production-level audit rule behind it. Most organisations have only thought about one of the three.

You can’t find it

Records of legal or regulatory significance go missing — deleted, aged out past their statutory floor, or tampered with before you knew you needed them. An archive you can’t defend as unmodified has no evidentiary value. This is the risk behind ISO 27001 control A.5.33 (Protection of Records).

A.5.33 · integrity · availability

You can’t produce it in time

The records exist, but your production workflow misses the 30-day subpoena deadline, the regulator’s tighter window, or the legal hold mid-matter. Inability to produce in time is treated as non-production, and the sanction courts reach for is an adverse inference.

FRCP 37(e) · adverse inference

It’s on the same vendor as your mail

Your archive-of-record lives inside the same hyperscaler as your production email. A vendor outage, security incident, policy change, or jurisdictional event hits both simultaneously — and several regulators explicitly treat that as a material control gap.

FSCA · SEC 17a-4 · FCA · MiFID II

Which quadrant are you in?

Two yes/no questions — do you run Microsoft Purview Records Management, and do you run MxVault? The answer puts you in one of four states. Find yours, then decide whether to move.

State A (Purview Records Mgmt: No · MxVault: No)

No archive

Gap. No journal-based archive of record.

  • A.5.33 records protection at risk
  • Jurisdiction retention floors unsatisfied
  • No tamper-evidence, no legal-hold path, no auditor-access path
State B (Purview Records Mgmt: Yes · MxVault: No)

Single-vendor

Covered within Microsoft. Compliant — but concentrated.

  • Purview Records Management handles retention and legal hold
  • Archive and live mail share one hyperscaler and one vendor
  • FSCA, SEC 17a-4, FCA, and MiFID II read this as a concentration risk
State C (Purview Records Mgmt: No · MxVault: Yes)

Separated

Covered externally. Records obligations met on an independent hyperscaler.

  • WORM archive, per-message hashing, unlimited legal hold
  • No classification or DLP — Purview (or equivalent) still required for A.5.12 and A.8.10
  • Strong posture for regulated sectors; incomplete posture for data protection
State D (Purview Records Mgmt: Yes · MxVault: Yes)

Defence in depth

Purview and MxVault together. Division of responsibility, documented.

  • Purview — live classification, DLP, eDiscovery, litigation hold on live mailboxes
  • MxVault — tamper-evident archive of record on an independent hyperscaler
  • The posture regulators prefer, and auditors understand once it’s documented

Better together — separation of concerns

Purview and MxVault do different jobs. Treating them as alternatives is the mistake. Run both, draw the line between them, and your ISMS gets cleaner, not more complicated.

Purview does

  • Sensitivity labels and classification
  • Data loss prevention on live mail
  • eDiscovery Premium and litigation hold
  • Information Protection and Insider Risk

MxVault does

  • Journal capture of every inbound and outbound message
  • WORM storage with per-message SHA-256 hashing
  • Unlimited legal hold, independent of retention duration
  • Archive-of-record on an independent hyperscaler

Together

  • Live controls on live mail (Purview) plus preserved evidence (MxVault)
  • Vendor separation between mail system and archive of record
  • Clear division of responsibility documented in your ISMS
  • The posture regulators in concentrated-risk sectors expect to see

Retention by jurisdiction

We engineer MxVault to the statutory floor of your jurisdiction. Our default is seven years — the South African floor. We extend it per contract for the EU, UK, US, UAE, and KSA where statutes demand more, and sector overlays push the bar higher still.

South Africa

Recommended retention: 7 years
Statutory floor: 7 years
Privacy ceiling: POPIA (Protection of Personal Information Act 4 of 2013)

Retention drivers

  • Commercial · 7 yr · Companies Act 71 of 2008 § 24
  • Tax · 5 yr · Tax Administration Act 28 of 2011 § 29; VAT Act 89 of 1991
  • Labour · 3 yr · BCEA 1997 §§ 29, 31

Sector overlays

  • AML/KYC (FICA) · 5 yr · Financial Intelligence Centre Act 38 of 2001
  • Financial services (FAIS / FSCA) · 10 yr · Financial Sector Regulation Act 9 of 2017; typical 5–10y, product-dependent
  • Medical (HPCSA) · 6 yr · Health Professions Council retention guidance (post-last-entry, adults)

Prescription Act 68 of 1969: 3y debts, 30y judgments. Information Regulator active since 2021; fines up to ZAR 10m.

Europe

Recommended retention: 10 years
Statutory floor: 10 years
Privacy ceiling: GDPR (Regulation (EU) 2016/679)

Retention drivers

  • Commercial · 10 yr · Member-state commercial codes (DE HGB § 257 — 10y; FR Code de commerce L123-22 — 10y; NL Burgerlijk Wetboek — 7y; typical 7–10y)
  • Tax · 10 yr · Member-state fiscal codes (DE AO § 147 — 10y; FR LPF L102B — 6y; IT DPR 600/1973 — 10y; typical 6–10y)
  • Labour · 5 yr · Varies 2–10y; pension-basis data typically 10+y

Sector overlays

  • Financial services (MiFID II) · 5 yr · MiFID II Art 16(7) — 5y, extensible to 7y
  • Healthcare · 30 yr · Long-tail clinical records, member-state specific
  • Telecoms · varies · Traffic/metadata retention — unstable post-CJEU; national implementations vary

Retention is set by member-state law; the only EU-wide layer is the GDPR ceiling. Member-state floors range from 10y (DE, FR) down to 7y (NL).

UK

Recommended retention: 6 years
Statutory floor: 6 years
Privacy ceiling: UK GDPR + Data Protection Act 2018

Retention drivers

  • Commercial · 6 yr · Companies Act 2006 § 388 (3y private co accounting; 6y plc); 10y for resolutions; Limitation Act 1980 § 5 — 6y simple contract
  • Tax · 6 yr · Taxes Management Act 1970 § 12B; Finance Act 1998 Sch 18 para 21; VAT Act 1994 (HMRC Notice 700/21) — 6y; 20y for fraud/negligence
  • Labour · 6 yr · Working Time Regs 1998 reg 9, NMWA 1998, ERA 1996 — typical 2–6y; pensions often 6+y

Sector overlays

  • Financial services (FCA) · 7 yr · FCA SYSC 9, SYSC 18; MiFID II retained — typically 5–7y
  • Healthcare (NHS) · 8 yr · NHS Records Management Code — varies by record type

The Limitation Act 1980 (6y simple contract / 12y deed) drives the practical floor for commercial correspondence. EU adequacy decision in force, but subject to periodic review.

United States

Recommended retention: 7 years
Statutory floor: 7 years
Privacy ceiling: None federal; state comprehensive privacy laws (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, etc.) + sector laws

Retention drivers

  • Tax · 7 yr · IRC § 6501 — 3y general, 6y >25% understatement, 7y bad debt, indefinite for fraud; employment tax 4y
  • Labour · 3 yr · FLSA 3y payroll, ADEA 3y, ERISA 6y, OSHA 5y (30y exposure), I-9 3y

Sector overlays

  • Broker-dealers (SEC 17a-4 / FINRA) · 6 yr · Exchange Act Rule 17a-4 — 6y customer comms/account docs, first 2y accessible; historically WORM, amended to allow audit-trail alternatives
  • Investment advisers (SEC Advisers Act) · 5 yr · Advisers Act Rule 204-2 — 5y from fiscal year end, first 2y in offices
  • Banking (OCC/FDIC/Fed, BSA/AML) · 5 yr · BSA/AML 5y from transaction; general 5y
  • Public companies (SOX § 802) · 7 yr · Sarbanes-Oxley — 7y audit workpapers/financial records; criminal penalties for destruction
  • Healthcare (HIPAA) · 6 yr · HHS HIPAA — 6y policies/records; state medical-record laws 7–25+y
  • Pharma (FDA 21 CFR) · varies · Life of product + 1y; batch records 1y past expiration

FRCP Rule 37(e): the litigation-hold duty, triggered once litigation is reasonably anticipated, overrides any retention schedule. No federal GDPR equivalent; state laws are a patchwork.

UAE

Recommended retention: 7 years
Statutory floor: 7 years
Privacy ceiling: Federal PDPL (Federal Decree-Law 45/2021) + DIFC DP Law 2020 + ADGM DP Regulations 2021

Retention drivers

  • Commercial · 5 yr · CCL 32/2021 Art 26 — 5y onshore general accounting
  • Tax · 7 yr · Federal Decree-Law 47/2022 — Corporate Tax (effective 2023) 7y; Federal Decree-Law 8/2017 — VAT 5y general, 15y real-estate
  • Labour · 2 yr · Federal Decree-Law 33/2021 — 2y post-termination onshore; DIFC/ADGM 6y typical

Sector overlays

  • DIFC financial services (DFSA) · 6 yr · DFSA rules — 6y
  • ADGM financial services (FSRA) · 6 yr · FSRA rules — 6y
  • Banking (Central Bank of UAE) · 5 yr · 5y general; AML extended to 5y beyond relationship end
  • VAT real estate · 15 yr · Federal Decree-Law 8/2017

Three coexisting regimes: onshore (mainland), DIFC, ADGM. PDPL enforceable from early 2023 with fines up to AED 5m per violation. The Corporate Tax 7y floor applies post-2023.

Saudi Arabia

Recommended retention: 10 years
Statutory floor: 10 years
Privacy ceiling: PDPL (Royal Decree M/19 of 1443H, SDAIA regulations, effective 14 September 2024)

Retention drivers

  • Commercial · 10 yr · Law of Commercial Books 1409H; Companies Law 2022 — 10y commercial books/accounting/contracts/corporate governance
  • Tax · 10 yr · ZATCA — Zakat and Corporate Income Tax 10y; VAT general 6y, 11y real estate, ~15y for capital assets (asset life + 5y)
  • Labour · 10 yr · Saudi Labor Law (Royal Decree M/51 of 2005, amended 2021) — no explicit number; 10y practice aligned with commercial baseline

Sector overlays

  • CMA-regulated (listed/financial) · 10 yr · CMA rules — 10y minimum, longer for insider/market-abuse
  • SAMA (banks/insurers) · 10 yr · SAMA — 10y, extended for AML
  • Healthcare (MOH/CBAHI) · 15 yr · Medical records 15y typical; paediatric to age-of-majority + 15y

Saudi baseline is 10y where UAE onshore is 5y. PDPL fines up to SAR 5m per violation, doubled for repeat offences. In-Kingdom data localisation and Arabic-language requirements apply for ZATCA/MOC audits.

Statutory floor — not legal advice. Confirm with your counsel before contracting. Litigation holds override retention for any matter where preservation is ordered.

We don’t claim integrity. We prove it.

An archive you can’t defend is worse than no archive — it gives you false confidence. Here is how we prove MxVault to your auditor, before the audit starts.

  • Vendor attestations. SOC 2 Type II and ISO 27001 attestations published by Cryoserver at the Cryoserver trust centre. We hold a current copy on file for your auditor on request.
  • Our own tests. Global Micro runs a quarterly legal-hold test and an annual auditor-access test on MxVault — recorded in our ISMS evidence archive. Your auditor sees the test logs, not a marketing claim.
  • Per-message integrity. Every ingested message is SHA-256 hashed and written to WORM storage. The index is tamper-evident; a modified message breaks the hash chain and surfaces as a reconciliation failure.

How it integrates — zero user impact

Users see nothing. Admins configure one journal rule. After that, the archive runs itself.

  1. Exchange Online journal rule — a single transport rule captures every inbound and outbound message at source, before any user-level retention policy applies.
  2. SMTP ingest to MxVault — journalled messages flow to MxVault on an independent hyperscaler, completely separate from your Microsoft 365 tenant.
  3. Hashed, written, indexed — each message is SHA-256 hashed, written once to WORM storage, and indexed for sub-second search by sender, recipient, date, subject, and content.
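To make step 3 and the per-message integrity claim concrete, here is an added illustration (not MxVault's or Cryoserver's code) of how a hashed, write-once index is reconciled against the stored messages. It assumes each index entry records the message SHA-256 plus a chain link SHA-256(previous link || message hash) from an all-zero anchor; the journalled messages are constructed samples.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample journal records (not real mail): the raw bytes the
# archive would receive from the journal rule, one per ingested message.
JOURNALLED = [
    b"From: a@example.test\r\nTo: b@example.test\r\nSubject: Q3 invoice\r\n\r\nPlease see attached.\r\n",
    b"From: b@example.test\r\nTo: a@example.test\r\nSubject: Re: Q3 invoice\r\n\r\nReceived, thanks.\r\n",
    b"From: c@example.test\r\nTo: a@example.test\r\nSubject: Board pack\r\n\r\nDraft for review.\r\n",
]

GENESIS = bytes(32)  # all-zero anchor for the first chain link (assumption)


@dataclass(frozen=True)
class IndexEntry:
    seq: int
    msg_hash: str    # SHA-256 of the message bytes exactly as ingested
    chain_hash: str  # SHA-256(previous chain_hash || msg_hash): ties entries in order


def message_hash(raw: bytes) -> str:
    return hashlib.sha256(raw).hexdigest()


def chain_link(prev_hex: str, msg_hex: str) -> str:
    return hashlib.sha256(bytes.fromhex(prev_hex) + bytes.fromhex(msg_hex)).hexdigest()


def build_index(messages) -> list:
    """Computed once at ingest; afterwards the index is write-once, like the messages."""
    entries, prev = [], GENESIS.hex()
    for seq, raw in enumerate(messages):
        mh = message_hash(raw)
        prev = chain_link(prev, mh)
        entries.append(IndexEntry(seq, mh, prev))
    return entries


def reconcile(messages, index) -> list:
    """Recompute every hash from the stored bytes and return the sequence numbers
    that disagree with the index (-1 if the counts differ). An empty list means
    the stored corpus still matches what was ingested."""
    failures, prev = [], GENESIS.hex()
    for entry, raw in zip(index, messages):
        mh = message_hash(raw)
        if mh != entry.msg_hash or chain_link(prev, mh) != entry.chain_hash:
            failures.append(entry.seq)
        prev = entry.chain_hash  # continue from the recorded link so each edit is reported once
    if len(messages) != len(index):
        failures.append(-1)  # a dropped or appended message shows up as a count mismatch
    return failures
```

Editing one stored message, or removing one from the middle, shows up as a reconciliation failure at that position rather than as a silently different archive.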

FAQ

Does MxVault replace Microsoft Purview?

No. Purview classifies your data, enforces DLP on live mail, and powers live eDiscovery. MxVault is the tamper-evident archive of record on an independent hyperscaler. They solve different problems and most of our regulated-sector customers run both. The four-state matrix above is the mental model — we recommend State D for any organisation a regulator watches.

Does MxVault replace my backup?

No. Per-workload backup (AvePoint, Acronis, Veeam) protects mailbox, SharePoint, and Teams recoverability against operational loss. MxVault is a journal-based archive-of-record channel — a completely different control objective, evaluated separately under A.8.13 Information Backup in our ISMS.

What about email from before we signed up?

Historical mailbox import is scoped per-tenant during onboarding. We pull the archive of whichever mailboxes you nominate, ingest them into MxVault with original timestamps preserved, and hash each message on the way in so the historical corpus benefits from the same tamper-evidence as new mail.

Which hyperscaler does MxVault run on?

An independent hyperscaler, distinct from Microsoft 365 — chosen per customer to match data-sovereignty posture. We confirm the specific region during contracting so your auditor and your records policy can reference it exactly.

Is seven years enough?

Seven years is the South African statutory floor and our contracted default. For EU jurisdictions with ten-year retention, SEC 17a-4 broker-dealers, SAMA-regulated banks, or any sector with longer obligations, we extend retention per contract. Retention duration and legal-hold duration are independent — a legal hold runs as long as the matter demands, not bounded by retention.

See your exact compliance posture

A GMS compliance audit walks your tenant against the four-state model, shows you where you are today, and costs the move to State D if that’s what your regulator expects. Free, no tenant access required.
