RECURRING | 12-MONTH WORM | EUR 89/MONTH

Audit-ready log retention that satisfies SOC 2 CC7.2, ISO 27001 A.8.15, PCI DSS 10, and GDPR Article 30 simultaneously.
12-month WORM storage, AES-256 at rest, TLS 1.3 in transit, RBAC access, monthly evidence packaging.

Several compliance drivers force structured log retention for email infrastructure operations. SOC 2 CC7.2 (monitoring) and ISO 27001 A.8.15 (logging) both require evidence that logging operated across the audit observation window, typically 6-12 months. PCI DSS 4.0 Requirement 10.5.1 specifies 12 months of audit log history with the most recent 3 months immediately available for analysis in cardholder data environments. GDPR Article 30 and CAN-SPAM section 7 expect operators to produce historical records on regulator request. The TechJack Solutions 2026 IT log retention guide and the Optro security log retention guide both document 12 months as the practical baseline for multi-framework compliance.

Log Retention Compliance operates the audit-ready log retention infrastructure for your email operation. Log ingestion from PowerMTA, MailWizz, Postfix, Exim, nginx, and system auth into centralised storage. 12-month minimum retention in WORM format. AES-256-GCM encryption at rest with keys stored separately. TLS 1.3 in transit. RBAC access controls with audit logging of access events. Monthly audit-ready evidence packaging. Quarterly access review. GDPR-aligned partial-redaction at retention boundary preserving operational metadata while pseudonymising personal identifiers. EUR 89 per month standard tier covering up to 100GB per month.

Monthly price: EUR 89
Retention: 12 months
Volume included: 100 GB/mo
Storage type: WORM + AES-256
framework requirement mapping

Five frameworks requiring log retention with their specific scopes.

Each framework specifies different retention periods, scope, and evidence requirements. The standard tier covers the first four simultaneously by adopting the strictest requirement on each dimension; HIPAA's six-year documentation retention needs the extended-retention add-on.

Framework | Retention minimum | Scope | Key control | Subscription posture
SOC 2 Type II | Not fixed by the criteria; evidence must cover the 6-12 month observation window | Security monitoring, access events, change events | CC7.2, CC6.2 | 12 months default
ISO 27001:2022 | Not fixed by the standard; evidence must cover the annual surveillance window | Logging activities, access events, monitoring | A.8.15, A.8.16 | 12 months default
PCI DSS 4.0 | 12 months, most recent 3 months immediately available | Cardholder data environment activity | Requirement 10.5.1 | 12 months + 3-month hot tier
GDPR | No fixed period; storage limitation (Article 5(1)(e)) | Processing records, breach events, consent | Articles 30, 32, 33 | 12 months + partial redaction at boundary
HIPAA | 6 years for required documentation | PHI access, security incidents | 45 CFR 164.316(b) | Extended retention via add-on

Operations needing HIPAA 6-year retention or other extended retention can extend via add-on at EUR 79/month per additional year beyond the 12-month baseline. Operations needing custom retention (for example the six-year periods SEC Rule 17a-4 and FINRA Rule 4511 set for most broker-dealer records) scope through a consulting engagement.

why this exists

The audit credit gap between rotating logs and retained logs.

Email infrastructure generates substantial log volume. A medium-sized operation sending 1 million messages per month accumulates PowerMTA accounting records at roughly 200 bytes per message (about 200MB per month for accounting alone), plus bounce and diagnostic logs, MailWizz application logs, web server logs (every tracking pixel hit and unsubscribe click lands in nginx access logs), and system logs. Totals of 20-100GB per month are typical for a mid-sized operation. Default log rotation (logrotate on Linux, commonly weekly rotation with four rotations kept) retains 4-8 weeks of history, then compresses and eventually deletes. That default satisfies day-to-day troubleshooting and fails every compliance framework that expects 12-month retention.

The first compliance audit reveals the gap. SOC 2 Type II auditors during the observation window request log evidence for specific control activities. Operations producing logs only from the most recent 4-8 weeks fail the evidence requirement because the observation window typically extends back 6-12 months. The auditor either truncates the observation window (reducing the Type II report value), notes the gap in the report (reducing downstream procurement trust), or fails the related controls. The Konfirmity January 2026 SIEM guide documents the audit pattern: auditors expect logs to demonstrate control operation across the full observation window.

ISO 27001:2022 surveillance audits run on a three-year certification cycle with annual surveillance visits. Operations rotating logs at 4-8 weeks consistently fail A.8.15 (logging) and A.8.16 (monitoring activities) at surveillance because the log evidence does not cover the surveillance window. The result is non-conformity findings that require remediation before the next surveillance cycle; persistent non-conformity can lead to certification suspension.

PCI DSS 4.0 is the most prescriptive of the frameworks. Requirement 10.5.1 specifically requires 12 months of audit log history, with the most recent 3 months immediately available for analysis, for cardholder data environments. The SSOJet April 2026 SSO compliance guide documents the PCI DSS 4.0 explicit retention period as the strictest among common frameworks. Operations subject to PCI DSS (e-commerce processors, payment platforms, any handling of cardholder data including email transactional flows around payment confirmations) cannot satisfy compliance without the 12-month baseline.

GDPR sits differently. The regulation does not specify retention periods; its storage limitation principle (Article 5(1)(e)) requires that personal data not be kept in identifiable form longer than the purpose needs. The practical interpretation for email infrastructure logs: 12 months is generally defensible as necessary for incident response, breach notification (the Article 33 72-hour window), and processing records (Article 30). The subscription's partial-redaction pattern at the 12-month boundary (replacing recipient email addresses with a one-way digest while preserving operational metadata) satisfies storage limitation while preserving operational audit value. The digest has to be keyed, with the key held apart from the logs: an unkeyed hash of an email address can be reversed by hashing a list of candidate addresses. EDPB guidance on pseudonymisation treats keyed hashing with the key kept separately as a pseudonymisation technique.

The WORM requirement is the structural property that makes log evidence trustworthy to auditors. Without WORM, an auditor cannot distinguish between a log that records what actually happened and a log that was retroactively edited to show what should have happened. The Konfirmity January 2026 guide documents WORM as the audit-trust mechanism for SOC 2 and ISO 27001 alignment specifically because the immutability property converts subjective trust into structural trust. Operations using ordinary mutable storage for logs typically lose audit credit for log-based controls because the evidence chain cannot be established. The subscription configures WORM at the storage layer (object storage with object lock in compliance mode, dedicated WORM-capable filesystems, or append-only structures whose access controls prevent deletion before retention expiry), making the immutability structurally enforced rather than procedurally requested. The mode matters: a governance-mode object lock can be lifted by any principal granted the bypass permission, which makes the guarantee procedural again.

monthly deliverables

What runs continuously and what arrives monthly.

01

Continuous log ingestion

Real-time log shipping from PowerMTA, MailWizz, Postfix, Exim, nginx, system auth, custom integrations via syslog or filebeat-compatible agents. TLS 1.3 in transit.

02

WORM storage layer

Object storage with object lock in compliance mode, which blocks modification or deletion by every principal, bucket owner included, until the retention date. 12-month default retention; longer available via add-on.

03

AES-256-GCM encryption

Fresh random nonce per batch under a per-object data encryption key; the data keys are wrapped by a key-encryption key held on separate infrastructure with its own access controls. Disk theft or unauthorised storage access yields ciphertext only.

04

RBAC access controls

Three-level RBAC (read-only operational, search-export compliance, administrative). Access events themselves logged. Quarterly access review with documented attestation.

05

Monthly evidence package

Log volume stats, access log summary, retention enforcement report, integrity verification, control mapping references. Audit-ready format suitable for SOC 2 or ISO 27001 observation window.

06

Integrity verification

Periodic re-hashing of WORM-stored objects against the hashes recorded at write time, confirming no alteration since write. Cryptographic verification suitable for forensic chain-of-custody.

07

Retention boundary handling

At the 12-month boundary the raw objects are deleted with cryptographic verification; what remains is a copy in which personal identifiers (recipient email addresses) have been replaced by a keyed one-way digest while operational metadata stays intact for forensic value.

08

Incident query support

Log search and export for incident investigation, regulatory inquiry response, customer dispute resolution. Two queries per month included; additional at EUR 49 per query.
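As an added illustration of items 02 and 06 above (example code, not the subscription's own implementation): a hash-chained batch manifest whose head is signed with an HMAC key that is assumed to live outside the storage account. Re-hashing each stored object against the manifest, re-deriving the chain, and checking the signed head catches a batch edited after write, a manifest entry edited to match, and a manifest re-signed under the wrong key. The accounting lines and the attestation key are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Batch is one ingested log batch as written to WORM storage. Data stands in
// for the object body; the samples below are constructed accounting lines.
type Batch struct {
	ObjectKey string
	Data      []byte
}

// ManifestEntry records, per batch, the hash of the body and a chain hash
// that commits to every earlier entry, so an edit anywhere in the history
// changes every later chain hash.
type ManifestEntry struct {
	ObjectKey, BatchHash, ChainHash string
}

// Manifest is the ordered entry list plus an HMAC over the chain head. The
// HMAC key is the attestation key held outside the storage account
// (assumption for this example), so storage-side access cannot re-sign.
type Manifest struct {
	Entries []ManifestEntry
	Tag     string
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func chainStep(prevChain, batchHash string) string {
	return sha256Hex([]byte(prevChain + "|" + batchHash))
}

func headTag(key []byte, head string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(head))
	return hex.EncodeToString(mac.Sum(nil))
}

// BuildManifest hashes batches in write order, chains them, signs the head.
func BuildManifest(batches []Batch, attestKey []byte) Manifest {
	m := Manifest{}
	prev := "genesis"
	for _, b := range batches {
		bh := sha256Hex(b.Data)
		prev = chainStep(prev, bh)
		m.Entries = append(m.Entries, ManifestEntry{b.ObjectKey, bh, prev})
	}
	m.Tag = headTag(attestKey, prev)
	return m
}

// VerifyManifest re-reads the stored batches and checks body hashes, chain
// continuity and the signed head. Returns the first failing object key (or
// "" for manifest-level failures) and an error; ("", nil) means all verified.
func VerifyManifest(m Manifest, stored []Batch, attestKey []byte) (string, error) {
	if len(stored) != len(m.Entries) {
		return "", fmt.Errorf("manifest lists %d objects, storage holds %d", len(m.Entries), len(stored))
	}
	prev := "genesis"
	for i, e := range m.Entries {
		if stored[i].ObjectKey != e.ObjectKey {
			return e.ObjectKey, errors.New("object missing or out of order")
		}
		bh := sha256Hex(stored[i].Data)
		if bh != e.BatchHash {
			return e.ObjectKey, errors.New("batch body altered since write")
		}
		if prev = chainStep(prev, bh); prev != e.ChainHash {
			return e.ObjectKey, errors.New("chain broken: manifest entry edited")
		}
	}
	if !hmac.Equal([]byte(headTag(attestKey, prev)), []byte(m.Tag)) {
		return "", errors.New("head tag does not verify: manifest re-signed or wrong key")
	}
	return "", nil
}

// SampleBatches returns constructed accounting-log batches (not real traffic).
func SampleBatches() []Batch {
	return []Batch{
		{"pmta/acct/2026-03-01.csv", []byte("d,2026-03-01 00:00:01,alice@example.org,2.0.0\n")},
		{"pmta/acct/2026-03-02.csv", []byte("b,2026-03-02 00:00:09,bob@example.net,5.1.1\n")},
	}
}

func main() {
	key := []byte("attestation-key-held-in-separate-kms") // assumption: never stored with the logs
	m := BuildManifest(SampleBatches(), key)
	_, err := VerifyManifest(m, SampleBatches(), key)
	fmt.Println("clean store:", err)
	tampered := SampleBatches() // retroactively "fix" a bounce into a delivery
	tampered[1].Data = []byte("d,2026-03-02 00:00:09,bob@example.net,2.0.0\n")
	k, err := VerifyManifest(m, tampered, key)
	fmt.Println("after edit:", k, err)
}
```

The chain is what gives the manifest its value: a verifier that only re-hashes individual objects is defeated by editing both the object and its recorded hash, whereas the chained head under an externally held key makes that edit visible.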

when this fits

Operational profiles where the subscription pays for itself.

01

Operations preparing for SOC 2 Type II

Sustained log evidence across the 6-12 month observation window. The monthly packages collated into observation window summaries satisfy CC7.2 evidence requirements.

02

Operations under ISO 27001 surveillance

12-month log evidence for annual surveillance audits. A.8.15 and A.8.16 controls demonstrated through continuous retention.

03

PCI DSS scope operations

Email infrastructure handling payment-related transactional flows requiring 12-month retention with the most recent 3 months immediately available per Requirement 10.5.1.

04

EU operations with GDPR posture

Article 30 records of processing activities, Article 33 breach evidence, partial-redaction pattern aligned with storage limitation. Pseudonymisation approach consistent with EDPB guidance.

05

Operations under regulatory scrutiny

Operations with prior regulatory inquiry, ESP relationships under deliverability review, or industries with heightened scrutiny. Retained logs become evidence-on-demand.

06

Operations with existing SIEM

SIEM operations using this subscription as archive layer for compliance retention beyond hot-tier SIEM retention. SIEM handles active monitoring; this subscription handles long-term WORM compliance.

questions before you subscribe

Frequently asked.

What does Log Retention Compliance deliver?

Recurring subscription operating audit-ready log retention infrastructure for your email operation. Log ingestion from PowerMTA, MailWizz, Postfix, Exim, nginx, and system auth into centralised storage; 12-month minimum retention in WORM format; AES-256-GCM encryption at rest; TLS 1.3 in transit; RBAC access controls with audit logging of access events; monthly audit-ready evidence packaging suitable for SOC 2 Type II observation window or ISO 27001 surveillance audit; quarterly access review; deletion automation at retention expiry with cryptographic verification. EUR 89 per month standard tier covering up to 100GB log volume per month.

Why does email infrastructure need specialised log retention?

Three drivers. First: compliance framework requirements. SOC 2 CC7.2 and ISO 27001 A.8.15 both require evidence of logging activities maintained for the audit observation window. PCI DSS 4.0 specifies 12 months retention with 3 months readily accessible. Second: incident response requiring historical log analysis going back weeks or months. Third: regulatory inquiry response. GDPR Article 30 and CAN-SPAM section 7 expect operators to produce historical records on regulator request. Operations without retained logs cannot respond to inquiry beyond claiming the data does not exist.

What is WORM and why does it matter for audit purposes?

Write Once Read Many. Logs get written to storage configured to prevent modification or deletion until the retention period expires. The audit relevance: WORM storage demonstrates to auditors that logs could not have been altered after creation. The Konfirmity January 2026 SIEM use cases guide documents WORM as the audit-trust mechanism for SOC 2 and ISO 27001 alignment. The subscription configures WORM at the storage layer making the immutability structurally enforced rather than procedurally requested.

What logs does this cover?

Five categories: MTA logs (PowerMTA acct/bounce/diag, Postfix mail.log via syslog, Exim mainlog) covering message-level delivery events; application logs (MailWizz, custom apps) covering campaign-level activities; web server logs (nginx access/error) covering tracking pixel hits, unsubscribe page hits, MTA-STS policy fetches; authentication logs (auth.log, sshd, sudo) covering operational access; custom integration logs. The standard subscription covers up to 100GB per month across all categories combined. Operations exceeding this can extend storage at EUR 19 per additional 50GB per month.

How does access control work?

RBAC at three levels. Level 1: read-only access for operational personnel covering log review during incident response. Level 2: search and export access for compliance personnel covering audit evidence collection. Level 3: administrative access for retention policy management. Access events at every level get logged to a separate audit log subject to the same WORM and retention policies. Quarterly access reviews verify personnel with log access still need the access and produce written reports suitable for inclusion in audit evidence packages.

What does the monthly evidence package contain?

Audit-ready package: log volume statistics per source category; access log summary covering who accessed logs during the month and why; retention enforcement report covering logs aged out with cryptographic deletion verification; integrity verification report covering periodic checksums of WORM-stored logs; incident-related queries with redacted snapshots; control mapping references showing which logs satisfy which framework controls. Operations preparing for audit get the monthly packages collated into observation window summaries on request.

How does GDPR right-to-erasure interact with retention?

Email infrastructure logs are mostly operational metadata, but they do contain personal data in the GDPR sense: recipient and sender email addresses in MTA accounting records, and client IP addresses in nginx access logs from tracking pixel and unsubscribe hits, which need the same treatment. The engagement handles this through partial redaction at the retention boundary. At the 12-month boundary those identifiers are replaced by a one-way digest while operational metadata keeps its plain-text form for ongoing audit value. The digest cannot be reversed to the address, and because it is deterministic it still allows correlation across logs for forensic purposes. The digest has to be keyed (an HMAC under a key held in the key store, not with the logs): an unkeyed hash of an email address can be reversed by hashing a list of candidate addresses. EDPB guidance on pseudonymisation treats keyed hashing with the key kept apart from the data as a pseudonymisation technique.
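An added example of the boundary redaction described here and under retention boundary handling above (example code, not the subscription's implementation): recipient and sender columns of a PowerMTA-style accounting file are replaced by an HMAC-SHA256 digest under a key that is assumed to live in the key store, every other column passes through untouched, and the same address always maps to the same digest so correlation survives. The accounting excerpt, the header naming the columns, and the key are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/csv"
	"encoding/hex"
	"fmt"
	"strings"
)

// Columns treated as personal identifiers at the retention boundary. Envelope
// sender (orig) and recipient (rcpt) are both email addresses. Column names
// follow PowerMTA accounting conventions (assumption: the acct files carry a
// header line naming the fields).
var identifierColumns = map[string]bool{"orig": true, "rcpt": true}

// pseudonymise replaces an address with an HMAC-SHA256 digest under a secret
// key. The keyed digest is stable (one recipient still correlates across log
// lines) but cannot be reversed by hashing a dictionary of addresses, which an
// unkeyed SHA-256 of an email address can be. Lower-casing first keeps
// Alice@Example.org and alice@example.org on the same digest.
func pseudonymise(key []byte, addr string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(addr))))
	return "pseud:" + hex.EncodeToString(mac.Sum(nil))[:32]
}

// RedactAccountingLog reads a CSV accounting log with a header row and returns
// the same CSV with identifier columns pseudonymised and every other column
// (timestamps, DSN status, bounce category, vMTA, job id) untouched.
func RedactAccountingLog(key []byte, input string) (string, error) {
	rows, err := csv.NewReader(strings.NewReader(input)).ReadAll()
	if err != nil {
		return "", err
	}
	if len(rows) == 0 {
		return "", fmt.Errorf("empty log")
	}
	var redactIdx []int
	for i, name := range rows[0] {
		if identifierColumns[name] {
			redactIdx = append(redactIdx, i)
		}
	}
	if len(redactIdx) == 0 {
		return "", fmt.Errorf("no identifier columns found in header %v", rows[0])
	}
	for _, row := range rows[1:] {
		for _, i := range redactIdx {
			if i < len(row) && row[i] != "" {
				row[i] = pseudonymise(key, row[i])
			}
		}
	}
	var out strings.Builder
	if err := csv.NewWriter(&out).WriteAll(rows); err != nil {
		return "", err
	}
	return out.String(), nil
}

// SampleAcctLog is a constructed accounting excerpt, not real traffic.
const SampleAcctLog = `type,timeLogged,orig,rcpt,dsnStatus,bounceCat,vmta,jobId
d,2026-03-01 10:00:01+0000,news@sender.example,alice@example.org,2.0.0,,vmta-1,job-42
b,2026-03-01 10:00:02+0000,news@sender.example,bob@example.net,5.1.1,bad-mailbox,vmta-1,job-42
d,2026-03-01 10:00:03+0000,news@sender.example,Alice@Example.org,2.0.0,,vmta-2,job-43
`

func main() {
	key := []byte("boundary-pseudonymisation-key") // assumption: held in the key store, never with the logs
	out, err := RedactAccountingLog(key, SampleAcctLog)
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

Because the key, not the hash function, is what prevents reversal, the key has the same separation and retention requirements as the encryption keys: lose it and correlation across the pseudonymised archive is lost; leak it and the archive is re-identifiable.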

How does this interact with my SIEM?

Two integration patterns. Pattern one: customer has no SIEM and uses this subscription as the primary log retention infrastructure. Pattern two: customer has existing SIEM (Splunk, Elastic, Datadog, Sumo Logic, Wazuh) and uses this subscription as long-term archive layer beyond the SIEM hot retention. Logs forward to both the customer SIEM (for active monitoring) and to this archive (for 12-month WORM compliance retention). The customer SIEM handles operational visibility; this subscription handles compliance retention.

Operational reality of running WORM storage in 2026

WORM (Write Once Read Many) storage has matured substantially through 2022-2026 as cloud-native and on-premises options have proliferated. The implementations that meet compliance framework requirements typically use one of three approaches: object storage with explicit retention locks (S3 Object Lock, Azure Blob Storage immutability, equivalent on-premises systems), append-only file systems with cryptographic timestamps, or specialised compliance storage from vendors targeting regulated industries.

Our implementation runs S3-compatible object storage with compliance-mode retention locks at the object level, encryption at rest using AES-256-GCM with per-object data encryption keys wrapped by a key-encryption key, and encryption in transit using TLS 1.3 with certificate pinning between ingestion agents and storage endpoints. The architecture survives standard auditor scrutiny because the retention guarantees are enforced by the storage layer itself rather than by access controls that could be bypassed.

The cost of WORM storage at this volume runs roughly 3-5x conventional object storage pricing because the retention guarantees increase the underlying infrastructure cost. We absorb the differential into the EUR 89 monthly fee for standard tier; customers with substantially higher log volume can scale up through the volume-tier pricing rather than running into surprise overage charges.

The deletion automation at retention expiry uses cryptographic verification. Overwriting an object in locked or versioned object storage does not sanitise it (prior bytes and versions remain), so the verifiable step is crypto-shredding: the per-object data encryption key is destroyed, which leaves the ciphertext unrecoverable by anyone, and the object itself is removed once its lock expires. A deletion record carrying the object identifier, the hash of the ciphertext at deletion time and the timestamp is cryptographically signed, and the signed record plus the deletion log entry is retained indefinitely as evidence that the deletion happened. The pattern satisfies the chain-of-custody requirements that some compliance frameworks impose on regulated data lifecycle.
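An added example of the envelope-encryption and crypto-shredding lifecycle just described, which also shows the key separation that the key-management mistake under common configuration mistakes is about (example code, not the subscription's implementation). A per-object DEK seals each batch under AES-256-GCM, the DEK is wrapped under a key-encryption key that stays in a separate key store (an in-memory struct here, a KMS in practice), and deletion at expiry destroys the wrapped DEK and signs a deletion record. Object keys, the sample accounting line and the in-memory key store are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

const nonceLen = 12 // standard AES-GCM nonce size

// KeyStore stands in for the separate key infrastructure (a KMS in production;
// assumption for this example). Log storage never sees a raw DEK or the KEK.
type KeyStore struct {
	kek, attestKey []byte            // key-encryption key, attestation HMAC key
	wrappedDEK     map[string][]byte // objectKey -> nonce || AES-GCM(kek, dek)
}

// StoredObject is all that lands in the WORM bucket: nonce and ciphertext.
type StoredObject struct{ Key string; Nonce, Ciphertext []byte }

// DeletionAttestation is kept indefinitely after object and DEK are gone.
type DeletionAttestation struct{ ObjectKey, CipherHash, DeletedAt, Tag string }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG means no safe encryption: fail loudly
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // 32-byte keys select AES-256
	if err != nil {
		panic(err) // key lengths are fixed by callers; reaching this is a bug
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal draws a fresh random nonce per call; GCM nonces must never repeat under one key.
func seal(key, pt, aad []byte) (nonce, ct []byte) {
	nonce = randBytes(nonceLen)
	return nonce, gcm(key).Seal(nil, nonce, pt, aad)
}

func NewKeyStore() *KeyStore {
	return &KeyStore{kek: randBytes(32), attestKey: randBytes(32), wrappedDEK: map[string][]byte{}}
}

// Encrypt: per-object DEK, batch sealed under it, DEK wrapped under the KEK with
// the object key as associated data so a wrapped DEK cannot move between objects.
func (ks *KeyStore) Encrypt(objectKey string, batch []byte) StoredObject {
	dek := randBytes(32)
	nonce, ct := seal(dek, batch, []byte(objectKey))
	wn, wct := seal(ks.kek, dek, []byte(objectKey))
	ks.wrappedDEK[objectKey] = append(wn, wct...)
	return StoredObject{Key: objectKey, Nonce: nonce, Ciphertext: ct}
}

// Decrypt unwraps the DEK and opens the object; after a shred it fails for everyone.
func (ks *KeyStore) Decrypt(obj StoredObject) ([]byte, error) {
	w, ok := ks.wrappedDEK[obj.Key]
	if !ok {
		return nil, fmt.Errorf("no DEK for %s: shredded or never stored", obj.Key)
	}
	dek, err := gcm(ks.kek).Open(nil, w[:nonceLen], w[nonceLen:], []byte(obj.Key))
	if err != nil {
		return nil, err
	}
	return gcm(dek).Open(nil, obj.Nonce, obj.Ciphertext, []byte(obj.Key))
}

func (ks *KeyStore) attestTag(a DeletionAttestation) string {
	mac := hmac.New(sha256.New, ks.attestKey)
	mac.Write([]byte(a.ObjectKey + "|" + a.CipherHash + "|" + a.DeletedAt))
	return hex.EncodeToString(mac.Sum(nil))
}

// Shred destroys the wrapped DEK and signs a record of what was deleted and when.
// Ciphertext may linger in a locked or versioned bucket; without the DEK it is
// unrecoverable, which is exactly what the record attests.
func (ks *KeyStore) Shred(obj StoredObject, now time.Time) DeletionAttestation {
	delete(ks.wrappedDEK, obj.Key)
	h := sha256.Sum256(obj.Ciphertext)
	a := DeletionAttestation{obj.Key, hex.EncodeToString(h[:]), now.UTC().Format(time.RFC3339), ""}
	a.Tag = ks.attestTag(a)
	return a
}

// VerifyAttestation is the check the monthly retention report runs over stored records.
func (ks *KeyStore) VerifyAttestation(a DeletionAttestation) bool {
	return hmac.Equal([]byte(ks.attestTag(a)), []byte(a.Tag))
}

func main() {
	ks := NewKeyStore()
	obj := ks.Encrypt("pmta/acct/2025-03-01.csv", []byte("d,2025-03-01 00:00:01,alice@example.org,2.0.0\n")) // constructed
	att := ks.Shred(obj, time.Now())
	_, err := ks.Decrypt(obj)
	fmt.Println("after shred:", err, "| attestation verifies:", ks.VerifyAttestation(att))
}
```

Binding the object key as associated data on both layers is what stops a wrapped DEK or a ciphertext from being transplanted onto another object key, and keeping the attestation key in the key store rather than with the logs is what stops the storage side from forging a deletion record.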

Audit-ready evidence packaging for common compliance frameworks

The monthly evidence package we generate is structured to drop directly into common audit workflows without additional auditor-side preparation. The structure below reflects what we have delivered across customer audits since 2023.

For SOC 2 Type II audits: the evidence package includes audit log integrity verification (cryptographic hashes of stored logs with chain of custody documentation), access log review (who accessed what logs and when, with role attribution), retention compliance attestation (which log categories are retained for which periods with policy reference), incident response evidence (any security events affecting log infrastructure with response documentation). The package maps directly to SOC 2 CC7.2, CC7.3, and CC7.4 controls.

For ISO 27001 surveillance audits: the evidence package emphasizes A.8.15 (logging) and A.8.16 (monitoring activities) with similar structure to SOC 2 but adjusted for ISO 27001 documentation conventions. The package includes activity log evidence, monitoring evidence, and incident logging evidence with mappings to the relevant Annex A controls.

For PCI DSS 4.0 audits: the evidence package addresses the 12-month retention requirement with 3-month ready access (Requirement 10.5.1) plus audit log review evidence (10.4.x) plus log protection evidence (10.3.x). Our package includes the specific control mappings auditors expect rather than requiring auditors to translate generic logging evidence into PCI DSS framework references.

For GDPR Article 30 records of processing activities: the evidence package includes processing activity records sufficient to demonstrate compliance with GDPR documentation requirements. The package is less standardised than SOC 2 or PCI DSS because GDPR requirements are more principle-based, but our format covers the common documentation needs that supervisory authorities request during inquiries.

Common log retention configuration mistakes and how to avoid them

Production log retention deployments encounter specific configuration mistakes regularly. The patterns below capture what we have observed across customer environments before they engaged us, plus what surfaces in audit findings when log retention has been operating without the right discipline.

Mistake 1: retention period inconsistent with actual policy. The compliance framework documentation states 12-month retention; the actual storage retains only 90 days because the deletion automation was configured against an earlier policy version. Auditors discover the gap during evidence review and flag it as a finding. The fix is verifying actual storage retention matches stated policy through regular policy-to-implementation audits, ideally automated.

Mistake 2: incomplete log source coverage. The audit-relevant logs are scattered across multiple systems (PowerMTA, MailWizz, system auth, nginx, custom applications), but the retention infrastructure ingests only some of them. Auditors discover the gap when investigating specific incidents and finding the relevant logs were not retained. The fix is comprehensive log source enumeration during deployment and ongoing review when new infrastructure is added.

Mistake 3: encryption key management problems. Logs are encrypted at rest but the encryption keys are stored alongside the logs, defeating the purpose. Or the keys rotate but the rotation breaks access to older logs because the old keys are not retained for legitimate access. The fix is treating encryption keys as separate compliance artifacts with their own retention and rotation policies, distinct from the underlying log data. With per-object data keys wrapped under a key-encryption key, rotating the key-encryption key means re-wrapping the stored data keys rather than re-encrypting a year of logs, and the retired key stays available until every data key wrapped under it has been re-wrapped.

Mistake 4: access controls without audit trails. The retention infrastructure has role-based access controls (RBAC) but does not log who accessed what data and when. Auditors cannot verify that access has been appropriately controlled because the evidence is missing. The fix is ensuring the access control layer itself produces audit-grade logs that flow into the retention infrastructure alongside the original data.

Mistake 5: no deletion verification. Data is supposedly deleted at retention expiry but no evidence verifies the deletion happened. Auditors flag this when reviewing data lifecycle controls because the absence of deletion verification means the data may persist beyond the stated retention period. The fix is cryptographic verification of deletion events with signed attestations retained as evidence beyond the deleted data.

Mistake 6: backup retention inconsistent with primary retention. The primary storage retains data for 12 months; the backup retains data indefinitely because backup retention was never configured to match the policy. The data persists in backups, object versions, replicated copies or snapshots beyond the stated retention period, which can produce GDPR storage-limitation problems and discovery exposure that the policy was designed to avoid. The fix is a unified retention policy across primary and backup storage with verified consistency.
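An added audit for Mistake 1 and Mistake 6 (example code, not the subscription's tooling): the policy-to-implementation check compares the object-lock mode and retain-until date of every stored copy, primary and backup alike, against the written policy, and reports the copy that is unlocked, locked in governance mode, locked for 90 days under an earlier policy version, or retained far past expiry. The inventory is constructed data in the shape of S3 HeadObject responses; the bucket names and tier labels are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// ObjectLockInfo is the subset of an S3 HeadObject response the audit needs;
// LockMode and RetainUntil mirror ObjectLockMode and ObjectLockRetainUntilDate.
// Tier ("primary" or "backup") is an assumption for this example, derived from
// the bucket the copy lives in.
type ObjectLockInfo struct {
	Bucket, Key, Tier string
	LastModified      time.Time
	LockMode          string // "COMPLIANCE", "GOVERNANCE", or "" when unlocked
	RetainUntil       time.Time
}

// RetentionPolicy is the written policy every stored copy must match.
type RetentionPolicy struct {
	Months      int
	RequireMode string // COMPLIANCE: no principal, root included, can shorten it
}

type Finding struct{ Key, Tier, Problem string }

// AuditRetention compares each copy's lock to policy, across every tier, and
// flags: no lock, a GOVERNANCE lock (removable with s3:BypassGovernanceRetention),
// a retain-until date short of policy, or a copy kept well past policy expiry
// (the backup-never-aligned case). Findings are sorted so reports are stable.
func AuditRetention(objs []ObjectLockInfo, p RetentionPolicy) []Finding {
	var fs []Finding
	add := func(o ObjectLockInfo, problem string) { fs = append(fs, Finding{o.Key, o.Tier, problem}) }
	for _, o := range objs {
		expected := o.LastModified.AddDate(0, p.Months, 0)
		switch {
		case o.LockMode == "":
			add(o, "no object lock: deletable before policy expiry")
		case o.LockMode != p.RequireMode:
			add(o, "lock mode "+o.LockMode+", policy requires "+p.RequireMode)
		case o.RetainUntil.Before(expected):
			add(o, fmt.Sprintf("retain-until %s precedes policy expiry %s",
				o.RetainUntil.Format("2006-01-02"), expected.Format("2006-01-02")))
		case o.RetainUntil.After(expected.AddDate(0, 1, 0)):
			add(o, "retained over a month past policy expiry: storage-limitation exposure")
		}
	}
	sort.Slice(fs, func(i, j int) bool { return fs[i].Key+fs[i].Tier < fs[j].Key+fs[j].Tier })
	return fs
}

// SampleObjects is constructed inventory data standing in for HeadObject calls.
func SampleObjects() []ObjectLockInfo {
	d := func(s string) time.Time { t, _ := time.Parse("2006-01-02", s); return t }
	return []ObjectLockInfo{
		{"logs-worm", "pmta/acct/2026-01-15.csv.gz", "primary", d("2026-01-15"), "COMPLIANCE", d("2027-01-15")},
		{"logs-worm", "pmta/acct/2026-01-16.csv.gz", "primary", d("2026-01-16"), "COMPLIANCE", d("2026-04-16")}, // 90-day lock from an earlier policy version
		{"logs-worm", "nginx/access-2026-01-16.log.gz", "primary", d("2026-01-16"), "GOVERNANCE", d("2027-01-16")},
		{"logs-worm", "auth/auth-2026-01-16.log.gz", "primary", d("2026-01-16"), "", time.Time{}},
		{"logs-backup", "pmta/acct/2026-01-15.csv.gz", "backup", d("2026-01-15"), "COMPLIANCE", d("2036-01-15")}, // backup retention never aligned
	}
}

func DefaultPolicy() RetentionPolicy { return RetentionPolicy{Months: 12, RequireMode: "COMPLIANCE"} }

func main() {
	for _, f := range AuditRetention(SampleObjects(), DefaultPolicy()) {
		fmt.Printf("%-8s %-34s %s\n", f.Tier, f.Key, f.Problem)
	}
}
```

Run against a real inventory, the same check feeds the monthly retention enforcement report: a clean run is the evidence that stated policy and stored locks agree, and each finding is a concrete object key to fix before an auditor samples it. An operation on the extended-retention add-on would carry a longer Months value rather than tolerating over-retention.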

Volume tiers and scaling beyond 100GB monthly

The EUR 89 monthly standard tier covers up to 100GB monthly log volume. Volume scales with sending operation size; operators with substantial sending volume typically exceed this threshold and need tier upgrades. Pricing steps up in volume tiers rather than per gigabyte.

The 100-500GB monthly tier runs EUR 199 monthly and covers most operations sending 5-20M monthly messages with comprehensive logging configured. The 500GB-2TB monthly tier runs EUR 449 monthly and covers operations sending 20-100M monthly with detailed logging. Tiers above 2TB are quoted case-by-case based on specific operational requirements and infrastructure topology.

For operators uncertain about their log volume, the initial setup includes a 30-day measurement period at the standard tier; if volume during that period substantially exceeds 100GB, we upgrade to appropriate tier without surprise charges. The pricing transparency matters because compliance budgets are typically fixed annual amounts and operators need predictable monthly costs rather than usage-based billing that could spike unexpectedly.

Cross-jurisdiction log retention requires additional considerations covered separately in the compliance bundle product. Operators with GDPR data residency requirements affecting log storage location should evaluate the compliance bundle rather than the standard log retention product, which assumes flexible storage location.

Migration from existing log retention infrastructure

Operators with existing log retention infrastructure considering migration to our service face the standard migration tradeoffs: continuity of historical evidence, transition planning to avoid gaps in retention, audit-window considerations for organizations in active observation periods.

Migration typically completes in 4-6 weeks for moderate-complexity operations. The pattern: deploy our infrastructure in parallel with existing retention, ingest new logs into both systems for the overlap period (14-30 days), validate data parity between systems, switch ingestion to exclusively our infrastructure, maintain existing system in read-only mode for the duration of its retention obligations, decommission existing system once retention obligations expire.

For organizations in active SOC 2 observation windows, migration during the observation window is operationally possible but requires coordination with the auditor to avoid creating audit findings about control changes during the observation period. Most organizations complete migration between audit cycles to avoid the coordination overhead.

Subscribe to Log Retention Compliance.

Subscription starts the first business day of the month after confirmation. Initial ingestion setup completes in 5 business days covering agent deployment, log source enumeration, and storage provisioning. EUR 89 per month standard tier. Monthly billing with no minimum commitment; annual billing offers 10% discount.

Median Telegram response: 12 minutes during operating hours