Compliance

Regulatory compliance capabilities

MindooDB's append-only architecture, end-to-end encryption, and cryptographic integrity make it suitable for meeting regulatory compliance requirements across industries.

[Figure: Regulatory standards. Compliance features: HIPAA, SOX, GDPR, PCI-DSS support through encryption, audit trails, and access controls]

Compliance by regulation

HIPAA (Healthcare)

The Health Insurance Portability and Accountability Act requires patient data protection, access controls, and audit trails.

How MindooDB helps
  • End-to-end encryption ensures patient data is never visible to servers
  • Complete audit trails document who accessed what and when
  • Fine-grained access control with named keys for different care teams
  • Data retention policies supported through archival strategies
  • Offline operation for field healthcare workers and remote clinics

See healthcare use cases → | Detailed patterns →

SOX (Financial)

The Sarbanes-Oxley Act requires financial audit trails, immutable records, and access controls.

How MindooDB helps
  • Immutable records through append-only architecture
  • Cryptographic integrity proves records haven't been altered
  • Complete transaction history for audit requirements
  • Time travel to reconstruct any historical state
  • Signed changes prove authorship of all modifications

See financial services use cases → | Detailed patterns →

GDPR (Data Protection)

The General Data Protection Regulation requires the right to be forgotten, data portability, and access logging.

How MindooDB helps
  • Right to be forgotten via purgeDocHistory() method
  • Data portability through export capabilities
  • Access logging for complete audit trails
  • Data protection by design through end-to-end encryption
  • Consent management through named key distribution

See compliance patterns →

PCI-DSS (Payments)

The Payment Card Industry Data Security Standard requires payment card data protection, access controls, and audit trails.

How MindooDB helps
  • Payment card data protection through document-level encryption
  • Access controls with named keys for restricted access
  • Audit trails for all access and changes
  • Encryption of sensitive payment data
  • Token management for secure payment processing

See compliance patterns →

Compliance checklist

Core compliance capabilities

Audit & integrity
  • ✅ Complete change history (append-only)
  • ✅ Cryptographic signatures (authorship proof)
  • ✅ Tamperproof records (hash-chained)
  • ✅ Time travel (reconstruct any state)
  • ✅ Timestamped changes

Access & privacy
  • ✅ End-to-end encryption (server can't decrypt)
  • ✅ Fine-grained access control (named keys)
  • ✅ Access logging (who accessed what)
  • ✅ Data retention policies (archival support)
  • ✅ Right to be forgotten (purge capabilities)

Data protection
  • ✅ Client-side encryption (AES-256-GCM)
  • ✅ Key management (password-protected KeyBag)
  • ✅ Secure key distribution (offline channels)
  • ✅ Key rotation support
  • ✅ Data sovereignty (client-side tenants)

Audit trail demonstration

Complete change history

What's logged
  • Every change is cryptographically signed with the author's Ed25519 key
  • Timestamps are included in every change entry
  • Document history can be traversed with iterateDocumentHistory()
  • Time travel allows reconstructing any historical state
  • Deletions are marked with tombstones (preserving history)

Use cases
  • Prove who changed what and when
  • Reconstruct state at any point in time
  • Demonstrate data integrity to auditors
  • Track access patterns for compliance
  • Support legal discovery requirements

See time travel docs →

Data retention

Retention policies and archival

Retention strategies
  • Time-based sharding — Create databases by time period (yearly, monthly)
  • Archival databases — Move old data to read-only archive databases
  • Document lifecycle — Mark documents as archived instead of deleting
  • GDPR purge — Use purgeDocHistory() for right to be forgotten

See data modeling patterns →

Compliance considerations
  • Append-only nature means data accumulates over time
  • Plan for growth management from the start
  • Use time-based sharding for efficient archival
  • Consider retention requirements per document type
  • GDPR erasure requests are fulfilled via purge methods

See compliance patterns →

Regulatory mapping

Compliance feature matrix

Requirement           | HIPAA                  | SOX                    | GDPR                   | PCI-DSS
----------------------|------------------------|------------------------|------------------------|-----------------------
Data encryption       | ✅ E2E encryption       | ✅ E2E encryption       | ✅ E2E encryption       | ✅ E2E encryption
Access controls       | ✅ Named keys           | ✅ Named keys           | ✅ Named keys           | ✅ Named keys
Audit trails          | ✅ Append-only          | ✅ Append-only          | ✅ Append-only          | ✅ Append-only
Data integrity        | ✅ Hash-chained         | ✅ Hash-chained         | ✅ Hash-chained         | ✅ Hash-chained
Right to be forgotten | ⚠️ Via purge            | N/A                    | ✅ purgeDocHistory()    | N/A
Data portability      | ✅ Export capabilities  | ✅ Export capabilities  | ✅ Export capabilities  | ✅ Export capabilities
Access logging        | ✅ Complete history     | ✅ Complete history     | ✅ Complete history     | ✅ Complete history

For detailed implementation patterns, see the compliance patterns documentation.