Email Retention Regulations in India & How Businesses can Ensure Compliance

In the era of technology, interactions and conversations have moved to various forms of electronic communication, of which, email still remains the primary mode in business.

A myriad of important document exchanges ranging from offer letters, financial statements from the banks, property documents, unique identity services, authorization and authentication systems, now happen over email.

But what happens if this information is lost, stolen, or deleted?

With laws such as the Information Technology Act 2000, SEBI and the most recent Data Protection Bill, 2018, it becomes not only essential but necessary to safeguard and retain electronic communication in India.

In this 30 minute webinar, Mr. Rohan Pujari, Product Consultant, Mithi Software, addressed the benefits of a cloud email archiving solution to help you formulate a sound retention policy and protect all email data.

In this webinar, we spoke about:
  • What is an email retention policy
  • Reasons to implement a retention policy
  • Laws in India mandating email retention
  • What to look for in an archiving solution
  • How Vaultastic can help with email retention
  • Unlimited Q&A

Questions asked during the webinar

  • Does Vaultastic support de-duplication?
    Yes, your Vaultastic account can be deployed on two AWS cloud regions viz Singapore and India. You can decide where to deploy your account based on the regulations your organisation needs to adhere to.
  • Does Vaultastic support de-duplication?
    All our plans are unlimited storage plans which means that internally our engineering figures out the way to store the data in the most optimal form, freeing you from the concern of provisioning yourself, therefore it doesn’t really matter whether we de-dup or don’t.
    De-dup was more an idea in the earlier days to conserve storage when storage was on-prem, because it was important to optimise the consumption and not have runaway storage, whereas we are on the cloud and the way we have designed the system it doesn’t matter at all.
  • What is the time limit for storing an email?

    We have three retention based plans – a one year retention, a seven year retention and lifetime retention. You can choose which is applicable to you and choose a different plan for different sets of users. For example, the top management could be given lifetime retention of email because whatever they transact in their emails could have timeless value. The people who work with finance and billing, whose work comes under the regulation umbrella, can be given 7 year retention. For the remaining users, whose mails you really don’t need to archive but to whom you want to give a very simple automated backup solution, you could go in for one year retention.

    We also have a fourth plan where you can retain data of ex employees for a longer period of time or forever, at a nominal price for storage. Learn more here.

  • How is cost calculated? Based on TB or number of users?
    With the exception of the Hold plan which is calculated per GB, the cost of all other plans is based on the number of users. We allow mixing of plans, so you can consume based on your needs. You can have a look at our pricing plans here.
  • What if a user went to the Vaultastic portal and deleted a mail?
    No, this is not possible. Vaultastic is a read only system, so once an email goes into the portal it cannot be deleted. The self service portal and all the access controls are designed to disable delete.
  • What will be the date of email retrieved from the archive? Current or actual date?
    It will be the actual date and not the current date. So if you do a dump, if you ask Vaultastic to give you a PST or EML format file for selected email which you discover, they will have the original date.
  • After 10 years will the email vanish?
    If you have a 7 year retention, it will retain all the mail that came in up to 7 years before today. Similarly, for the one year retention based plan.
  • How much time would it take to retrieve an email?
    While you can keep terabytes of data on the cloud, all the data is available online, so if a user looks for a mail which is 15 years old he/she will still find it in the same few seconds that he/she would take to find a mail of Today. This is the promise which we make, all the data is available online, search ready and has no mounts, tapes, drives and volumes. It’s all a continuous, contiguous volume, and it is all indexed, so a mail of any period can be found instantly.
  • I want to archive my employees mails, but I don’t want to give them access to Vaultastic, is this possible?
    We have designed Vaultastic to allow all employees to also access their own email vaults, to increase productivity. However, if you do not want to give access to all the users, you can allow the access to only the top management or the administrator who has the rights to do an umbrella search across the mailbox of all the users.
  • Is there a max size of data that can be exported?

    We do not have any limit on the amount of data you want to pull out of Vaultastic. The philosophy being, easy data in and easy data out. There are two ways to download data. One is via the internet, where you log in to the portal and download, but there will be a limit on how much can be downloaded from there which is dependent on the last mile, so it could take a long time to download 1 or 2 TB of data. To avoid this, we provide you with an option to ship your data on a physical device, an Amazon Snowball device, which we can rent, put the requested data on and send to you.

  • How will the email be restored?

    In order to restore mail, go to the console, find or select the mail you want to restore, which could be the user's entire mailbox itself, and give the command export. The system will ask you if you want it in PST or EML format, run a job in the background and send you a download link by email. It could take from a couple of minutes to a couple of hours depending on how big the data to be exported is. For example, if there is a compliance request or someone, let’s say a compliance officer, is asking for the mail of a few users, then the administrator will run a search, select the mails, tell the system to generate a PST or EML and send it straight to the compliance officer.

  • For restoration do we have Multi factor authentication enabled?
    Currently we do not have it, but it is part of our roadmap and will be available soon.
  • What is the difference between Office 365 legal hold & Vaultastic?

    The Office 365 legal hold is a virtual in-place archive, which means that once a legal hold is deployed on the platform, the users cannot delete the email, so it remains in the user's mailbox. It is not a copy. What Vaultastic does is, no matter which platform you’re using, G Suite, Office 365, Exchange or Lotus Notes, a separate physical copy of the mail is maintained in an alternate centre which is hosted on Amazon, giving you another level of redundancy and freeing you from vendor lock-in.

    You can migrate your platform with ease because all your data is safe at a third location. In addition, Vaultastic is totally tamper proof whereas in legal hold at least the administrator can do some level of tampering even though it can be audited.

  • How do we ensure privacy? If the super admin has access to all the users’ accounts?
    It is up to the organisation to decide who gets the super admin rights. Multiple roles can be defined and levels of roles can be established. The whole system is configurable to disable functions for a certain set of users.
  • Is Vaultastic anti-spam enabled? Is there any customization for spam related thresholds?
    Anti Spam control is not within the scope of Vaultastic’s function. Vaultastic archives email from the primary platform so it is assumed that the mail which comes to the primary platform before delivery to the end user has already been scanned for viruses and spam.
  • During transit, is the email encrypted? How does this work?

    Vaultastic adheres to very strict data security guidelines, one of them being that the data is encrypted at rest and in transit. So any time there is any access or transfer of email from the system, which could be for download, upload, transfer or viewing, that whole system or the whole transaction is encrypted using SSL. For example, the user could be using a browser, or ingesting email from the primary email platform or downloading email; all this happens on an SSL encrypted network line.

  • Can we fix a policy like ‘Mails from a particular user should not go to archival’? E.g. in our scenario we generate loads of internal emails.
    Vaultastic deploys a journaling rule irrespective of the platform, which could be Gmail, Office 365, Lotus Notes etc. So whenever a user sends or receives a mail, it is sent to the Vaultastic account. Therefore the rule above will have to be configured in the journaling rule in the primary mail system.
  • Will Vaultastic work with a hosted solution?
    Vaultastic is platform and infra agnostic, it can work with hosted and cloud solutions.
  • Can we archive only live mail or existing data as well?
    We suggest that you start archiving live mails. Vaultastic has systems and tools to help you upload existing data as well. You can upload any amount of existing data and in any of the formats we support, however we allow you to upload historical data only if you choose the durability plan which is a lifetime retention plan.
  • The fixed price is for how long? Does it change with dollar price?
    We are a SaaS company, so we offer the entire service to you based on an SLA that you simply consume. There is zero infrastructure and zero management. In order to do this there is a lot of input cost for us, which includes partnering with Amazon, Trend Micro etc., and many of these we buy using the dollar, so there could be variation based on that, but we have built sufficient buffer into our pricing to ensure that a small variation of the dollar price will not impact us. So our pricing typically is fixed at least for a year and in all likelihood will only drop and not increase.
  • We have our solution hosted on premise and will transferring to Vaultastic consume a lot of bandwidth?
    Yes, it will consume bandwidth but not a lot of it. For example, if you have about 3000 users you would need probably about a 7 to 8 MBPS line or maybe even less, so somewhere in that range is what will have to be additionally provisioned. That will be the only infrastructure addition you might have to make to enable archiving from on-prem to Vaultastic on the cloud.
  • Is ediscovery available to all the users?
    Yes eDiscovery is available to all the users, but it is in your control. We have a very hierarchical like structure where for example, a Department Head could be given the rights to search within the users of his own department, whereas each individual user would be able to search only within his/her own email vault.
  • What is the time to go live or onboarding?
    The system is always ready and the onboarding time typically is just a few hours. The time taken is more if migration of data is involved, which depends on the data size. We propose, to go live, start archiving fresh mail and over time the migration can be done.
  • Can I retrieve my own emails (received and sent by me) myself from archival?

    Yes, you can do this by logging in to the self service portal, from where you can select your own mail. If it is one or two mails you can just forward them directly from there; you can also reply to an email from there and it will use your original email ID in the sender ID. Alternatively you can select a few mails and download them as a PST yourself. The whole idea of giving the self service portal to users is to improve productivity, otherwise the IT team is continuously involved in just recovering mail.

  • Is there a minimum number of users needed to start Vaultastic?
    Absolutely not. As all Vaultastic plans are based per user and pay for only what you consume, there is no minimum number required. So there’s a flexibility in our pricing and in our handling of a user mixed plan.
  • What happens when a user's email ID is renamed?
    If an email is renamed in the primary platform, on Vaultastic, the vault of the original named user would remain as it is and Vaultastic would create a new vault for the new named user. This is how the system currently works, but we are happy to refine it further and look into this matter.
  • What about the alias mailbox?
    Alias is currently treated as a separate user and is not charged for. For example, if you have an email ID ravi@mithi.com and his alias is chiefmanager@mithi.com typically if a mail is sent to chiefmanager it will go to Ravi’s mailbox and will get archived in Ravi’s mailbox.
  • What is the difference between Storage and Lifetime, in Vaultastic?
    The storage is the cumulative total of the consumption by all users on the archive domain. The Lifetime is the time for which a mail is maintained on the server.
  • In Vaultastic, can we create folders to save emails?
    No, Vaultastic is a collection, so mails sent and received goes into a collection and then this collection can be discovered. The idea of archival is not to give you a folder view but a collection of mails that are immutable and Discovery centric.
  • We have an endpoint DLP. If the user has the right to reply to mail from the archive, then how do we ensure no leak happens?

    In this case, for your domain we could route email from the Vaultastic platform to your DLP. We have a lot of connectors and a lot of flexibility per customer configuration. Alternatively you can configure that the user cannot reply to the email from Vaultastic for your domain. So your users would be able to see the mail, download the mail, discover and print, but they will not be able to reply to or forward the email.

    You can pick and choose: for some users you might want to disable the reply function altogether, and for some you might want to allow it but point it to the DLP.

  • Do we have option to get a log like which user has restored and which email?
    Yes, this is known as an audit trail, which maintains details of all the transactions by all the users. It includes login, password change, policy change, email download, search. All these logs are maintained for a period of 10 years.
  • What happens when I disable or delete an account on the primary mail server?
    If you disable or delete an account on the primary mail server, it does not affect the archival system at all. The archive account stays as is, it is just not receiving any new mail. So you now have the option to move the data to the Hold plan which is a storage based plan which will save money and ensure that your data will stay safe.
  • I suppose retrieval can be done on all parameters like subject, from, to or key words.
    Retrieval can be done on all the attributes of an email such as from Id, to Id, date range, attachments. The search of the keywords will be within attachments as well. It’s a very comprehensive discovery because the indexing system is on a very rich indexing platform. So all the email as soon as they are ingested are indexed, decomposed and stored away.
  • Can I disable print, download or export an email?
    Yes, this configuration can be done per user, so you can decide which user gets which function from the self service portal. It can be only view, it can be disallow download or it can be disallow configuration. The administrator can configure this.
  • May you please explain on the SSO for archive mailbox access?
    Each user is given a log in to a self service portal, which is a browser based portal, so for example you go to acmecorp.vaultastic.com and sign in with your email ID which is your company email ID, let’s say ravi@acmecorp.com and password. So once signed in, you will see the vault and you can search etc. So this log in password has been given from Vaultastic. Instead, we could integrate Vaultastic with your ADS Server or any LDAP server maybe, so that you can achieve a single password for your log ins.
