
Cesivi Archive Variant A: SharePoint On-Premises Retirement Archive

Whitepaper — v1.2
Audience: Compliance buyers, CIOs, records managers, IT architects


The Problem

SharePoint Server 2013, 2016, and 2019 farms are entering end-of-life. Organizations that built their compliance records infrastructure on these farms now face a dilemma:

Retention obligations do not expire when the farm does.

HIPAA requires covered entities to retain certain policies and audit records for six years. SOX §103 requires audit work papers to be kept for seven years. GDPR Article 5 storage limitation requires data to be kept no longer than necessary — but that necessity is defined by law, not by server lifecycle. And for any organization involved in, or anticipating, litigation, FRCP 37(e) requires preservation of electronically stored information (ESI) from the moment a dispute is reasonably foreseeable.

The options available today are unsatisfying:

Option | What it costs | Compliance problem
Keep the SP farm running on EOL hardware | Hardware / maintenance / license costs compound annually. | Security patches stop. A farm running unpatched 2013-era code is a liability, not a compliance asset.
Raw filesystem dump | Cheap storage. | Auditors do not accept raw files. Chain of custody is broken. Identity is lost. Items cannot be browsed in their original SP context.
SharePoint Online migration | Expensive per-user, per-month licensing. | Still requires an archive for deleted content. Microsoft pricing changes introduce long-term cost uncertainty.
Commercial archival vendors | Purpose-built but expensive per-seat or per-GB. Often locked to specific clouds. | Lock-in. Additional integration layer.

The gap: A solution that preserves the full SharePoint experience — lists, libraries, versions, permissions, user identities, metadata — in a read-only, tamper-resistant, retention-enforced archive, at a predictable one-time CapEx cost, with no per-user or per-GB recurring fees.


The Cesivi Approach

Cesivi Archive Variant A fills this gap. It is an on-premises retirement archive that:

  1. Imports full fidelity — lists, libraries, items, all versions, attachments, content types, fields, permissions, users, groups, and term-store entries. Not a flat export. Every bit of the SharePoint data model is preserved.

  2. Sets archive mode — immediately after import, all imported webs and lists are locked to read-only. The ARCHIVED banner appears in the WebUI. Every write attempt (REST, CSOM, SOAP, OData batch) is rejected with a clear error. There is no admin bypass for retained items.

  3. Freezes identity — at import time, Cesivi captures a snapshot of every user's identity (SID, UPN, display name, email, groups). Even if the source Active Directory is decommissioned, auditors still see "Alice Smith" instead of Unknown user (id=S-1-5-21-...). The three-tier resolver (Live IDP → Snapshot → Unknown) gracefully handles partial AD decommission.

  4. Immutable audit substrate (WORM) — every significant event (item imported, archive mode toggled, identity snapshot captured, ACL frozen, retention assignment, legal hold applied/released) is written to a sealed-segment JSONL journal with SHA-256 hash chaining. Once a segment is sealed, the filesystem sets it read-only (Windows ReadOnly flag or Linux chattr +i). Any post-hoc modification breaks the hash chain and is immediately detectable.

  5. Continuous integrity verification — a background walker re-hashes stored content on a configurable cadence (default: every 24 hours). Items with hash mismatches are quarantined and blocked from download until remediated. The on-access gate also re-hashes files at read time (configurable: Off / Sampled / Every Read).

  6. Retention enforcement — a hard gate with no admin bypass blocks all delete and modify operations on items within their retention window. The window is set per archive site (default: 7 years from item creation). Retention windows can only be extended, never shortened.

  7. Legal hold — a compliance officer can apply a legal hold to any item, list, or site. Hold beats retention: even after the retention window expires, a held item cannot be deleted. Every hold application, release, and access event is written to the WORM log.

  8. ControlCenter visibility — a unified ControlCenter dashboard provides real-time KPIs for every archive subsystem, with live SignalR updates, CSV export, and drill-down into individual events, mismatches, blocked attempts, and hold audit trails.
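
The two mechanisms that carry the compliance argument above, the hash-chained JSONL journal (item 4) and the retention / legal-hold gate with no admin bypass (items 6 and 7), are small enough to show end to end. The block below is an added illustration written for this whitepaper, not Cesivi's own code: the event names, field names, the `GENESIS` anchor for the first record of a segment, and the approximation of a year as 365 days are all assumptions. It appends every gate decision to the journal, seals the segment as JSON Lines, then shows that a single edited field is caught at the exact record where the chain breaks.

```python
# Added example, not Cesivi's own code: a SHA-256 hash-chained JSONL audit journal
# and a retention / legal-hold gate that writes every decision into it.
# Event names, field names and the GENESIS anchor are assumptions made for illustration.
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # assumed "previous hash" anchor for the first record of a segment


def _digest(body: dict) -> str:
    """SHA-256 of a canonical (sorted keys, no whitespace) JSON encoding of the body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_event(segment: list, event: dict) -> dict:
    """Append an event whose hash covers its own fields plus the previous record's hash."""
    prev = segment[-1]["hash"] if segment else GENESIS
    body = {"seq": len(segment), "prev": prev, **event}
    record = dict(body, hash=_digest(body))
    segment.append(record)
    return record


def to_jsonl(segment: list) -> str:
    """Serialise a segment as JSON Lines, one record per line, ready to be sealed."""
    return "".join(json.dumps(r, sort_keys=True, separators=(",", ":")) + "\n" for r in segment)


def verify_jsonl(text: str):
    """Re-walk a sealed segment. Returns (True, None) if intact, otherwise
    (False, seq) for the first record whose seq, prev link or recomputed hash is wrong."""
    prev = GENESIS
    for i, line in enumerate(text.splitlines()):
        record = json.loads(line)
        body = {k: v for k, v in record.items() if k != "hash"}
        if record.get("seq") != i or record.get("prev") != prev or _digest(body) != record.get("hash"):
            return False, i
        prev = record["hash"]
    return True, None


class RetentionGate:
    """Blocks deletes inside the retention window or under legal hold (hold beats retention).
    Windows may only be extended. Every hold change and delete attempt is journaled."""

    def __init__(self, journal: list, retention_years: int = 7):
        self.journal = journal
        self.retention = timedelta(days=365 * retention_years)  # leap days ignored in this demo
        self.created = {}   # item_id -> creation timestamp
        self.holds = set()  # item_ids currently under legal hold

    def register_item(self, item_id: str, created_at: datetime) -> None:
        self.created[item_id] = created_at
        append_event(self.journal, {"type": "item_imported", "item": item_id,
                                    "created": created_at.isoformat()})

    def extend_retention(self, years: int) -> None:
        new = timedelta(days=365 * years)
        if new < self.retention:  # a shorter window is refused outright, for admins too
            raise ValueError("retention window can be extended, never shortened")
        self.retention = new
        append_event(self.journal, {"type": "retention_extended", "years": years})

    def apply_hold(self, item_id: str, officer: str) -> None:
        self.holds.add(item_id)
        append_event(self.journal, {"type": "legal_hold_applied", "item": item_id, "by": officer})

    def release_hold(self, item_id: str, officer: str) -> None:
        self.holds.discard(item_id)
        append_event(self.journal, {"type": "legal_hold_released", "item": item_id, "by": officer})

    def attempt_delete(self, item_id: str, caller: str, surface: str, now: datetime) -> bool:
        """True only if the delete may proceed; a block is journaled with caller and surface."""
        if item_id in self.holds:
            reason = "legal_hold"
        elif now < self.created[item_id] + self.retention:
            reason = "retention_window"
        else:
            reason = None
        append_event(self.journal, {"type": "delete_blocked" if reason else "delete_allowed",
                                    "item": item_id, "caller": caller, "surface": surface,
                                    "reason": reason, "at": now.isoformat()})
        return reason is None


def demo() -> dict:
    """Constructed scenario: one archived item, delete attempts inside and after the window,
    a hold that outlives the window, then a one-field edit to the sealed journal."""
    journal, item = [], "Lists/Policies/42"
    gate = RetentionGate(journal)
    created = datetime(2015, 3, 1, tzinfo=timezone.utc)
    gate.register_item(item, created)                                                   # seq 0
    in_window = gate.attempt_delete(item, "farmadmin", "REST", created + timedelta(days=30))  # seq 1
    gate.apply_hold(item, "compliance.officer@corp.example")                            # seq 2
    later = created + timedelta(days=365 * 8)
    held_after_window = gate.attempt_delete(item, "farmadmin", "CSOM", later)           # seq 3
    gate.release_hold(item, "compliance.officer@corp.example")                          # seq 4
    released_after_window = gate.attempt_delete(item, "farmadmin", "SOAP", later)       # seq 5
    sealed = to_jsonl(journal)
    tampered = sealed.replace('"reason":"legal_hold"', '"reason":null', 1)  # edit record 3 in place
    return {"in_window_allowed": in_window, "held_after_window_allowed": held_after_window,
            "released_after_window_allowed": released_after_window,
            "sealed": verify_jsonl(sealed), "tampered": verify_jsonl(tampered)}
```

Two design points worth noting. The hash input is a canonical encoding (sorted keys, fixed separators), so a verifier on another platform recomputes the same digest; and each record embeds the previous hash, so editing record 3 invalidates record 3 itself (its stored hash no longer matches) even before anyone looks at record 4. In the product the sealed file is additionally flagged read-only at the filesystem, which this demo does not reproduce; the chain check is what catches the edit when that flag is removed.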

The auditor's experience: They browse the archived site in a browser. They see the same list views, item forms, and user names they would have seen on the live farm. They can search, filter, and export. They cannot modify anything. The audit log is available on demand with CSV export.
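
The three-tier resolver behind those user names (item 3 above: Live IDP, then the import-time snapshot, then an Unknown placeholder) is shown below as an added example; it is not Cesivi's code, and the snapshot layout, the `IdpUnavailable` exception, and the behaviour of the stand-in live directory are assumptions. The constructed data models a partially decommissioned AD: one user's domain controller is gone, one is still reachable (and has been renamed since import), and one SID was never seen.

```python
# Added example, not Cesivi's code: a three-tier identity resolver
# (Live IDP -> Snapshot -> Unknown) for a farm whose AD may be partly decommissioned.
# The snapshot layout and the live tier's outage behaviour are assumptions for illustration.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Identity:
    sid: str
    upn: str
    display_name: str
    email: str
    groups: tuple
    source: str  # which tier answered: "live", "snapshot" or "unknown"


class IdpUnavailable(Exception):
    """Raised by the live tier when the directory cannot be reached."""


class IdentityResolver:
    def __init__(self, live_lookup: Optional[Callable[[str], Optional[dict]]], snapshot: dict):
        self.live_lookup = live_lookup  # None when no live IDP is configured at all
        self.snapshot = snapshot        # sid -> attributes captured at import time

    def resolve(self, sid: str) -> Identity:
        # Tier 1: live directory, if configured and reachable; an outage is treated as a miss
        if self.live_lookup is not None:
            try:
                hit = self.live_lookup(sid)
            except IdpUnavailable:
                hit = None
            if hit:
                return Identity(sid=sid, source="live", **hit)
        # Tier 2: the import-time snapshot survives AD decommission
        hit = self.snapshot.get(sid)
        if hit:
            return Identity(sid=sid, source="snapshot", **hit)
        # Tier 3: nothing known; render a stable placeholder instead of failing the page
        return Identity(sid=sid, upn="", display_name=f"Unknown user (id={sid})",
                        email="", groups=(), source="unknown")


# Constructed sample data (not real identities).
SNAPSHOT = {
    "S-1-5-21-1000-2000-3000-1001": {"upn": "alice@corp.example", "display_name": "Alice Smith",
                                     "email": "alice@corp.example", "groups": ("Records Managers",)},
    "S-1-5-21-1000-2000-3000-1002": {"upn": "bob@corp.example", "display_name": "Bob Jones",
                                     "email": "bob@corp.example", "groups": ()},
}


def partially_decommissioned_ad(sid: str) -> Optional[dict]:
    """Stand-in live tier: Alice's domain controller is gone, Bob's is still up."""
    if sid.endswith("-1001"):
        raise IdpUnavailable("domain controller decommissioned")
    if sid.endswith("-1002"):
        return {"upn": "bob@corp.example", "display_name": "Robert Jones",  # renamed since import
                "email": "bob@corp.example", "groups": ("Finance",)}
    return None


def demo() -> list:
    resolver = IdentityResolver(partially_decommissioned_ad, SNAPSHOT)
    return [resolver.resolve(sid) for sid in ("S-1-5-21-1000-2000-3000-1001",
                                              "S-1-5-21-1000-2000-3000-1002",
                                              "S-1-5-21-1000-2000-3000-9999")]
```

The `source` field is the part an auditor cares about: a page can mark which names came from the live directory and which from the frozen snapshot, and the placeholder for an unknown SID keeps the raw identifier so the record remains traceable rather than silently blank.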


Architecture

  ┌─────────────────────────────────────────────────────────────────┐
  │  Source SharePoint Farm (to be decommissioned)                   │
  │  ┌──────────┐  ┌──────────┐  ┌──────────┐  ┌────────────────┐  │
  │  │ Site 1   │  │ Site 2   │  │   Users  │  │  Term Store    │  │
  │  └──────────┘  └──────────┘  └──────────┘  └────────────────┘  │
  └────────────────────────┬────────────────────────────────────────┘
                           │  Cesivi.MigrationTool  archive-import
                           ▼
  ┌─────────────────────────────────────────────────────────────────┐
  │  Cesivi Archive Instance                                         │
  │                                                                  │
  │  ┌──────────────────────────────────────────────────────────┐   │
  │  │  Archive Site (archive_mode = true)                       │   │
  │  │  Lists / Libraries / Items / Versions / Attachments       │   │
  │  │  Content Types / Fields / Metadata / Navigation           │   │
  │  └──────────────────────────────────────────────────────────┘   │
  │                                                                  │
  │  ┌─────────────┐  ┌────────────────┐  ┌───────────────────────┐ │
  │  │ WORM Audit  │  │  Integrity     │  │  Retention + Hold     │ │
  │  │ Log         │  │  SHA-256       │  │  Gate                 │ │
  │  │ (JSONL +    │  │  Walker        │  │  (no admin bypass)    │ │
  │  │ hash chain) │  │                │  │                       │ │
  │  └─────────────┘  └────────────────┘  └───────────────────────┘ │
  │                                                                  │
  │  ┌─────────────────────────────────────────────────────────┐    │
  │  │  Identity Snapshot Store  +  Frozen ACL Store            │    │
  │  │  (per-user SID/UPN/email snapshot; role assignments)     │    │
  │  └─────────────────────────────────────────────────────────┘    │
  │                                                                  │
  │  ControlCenter  (/Archive)   StorageBrowser   REST API           │
  └─────────────────────────────────────────────────────────────────┘

Comparison to Alternatives

Criterion | Cesivi Archive | Keep SP on EOL | Raw FS dump | SP Online migration | Commercial vendor
Full SP data fidelity (lists, versions, CTs) | ✅ Yes | ✅ Yes (but EOL) | ❌ No | ⚠️ Partial | ⚠️ Varies
Auditor-browsable SP interface | ✅ Yes | ✅ Yes | ❌ No | ✅ Yes | ⚠️ Custom UI
WORM tamper-resistant audit log | ✅ Yes (hash chain) | ❌ No | ❌ No | ❌ No | ⚠️ Varies
Hard retention gate (no bypass) | ✅ Yes | ❌ No | ❌ No | ⚠️ Policy only | ⚠️ Varies
Legal hold (hold beats retention) | ✅ Yes | ❌ Manual | ❌ No | ⚠️ Limited | ⚠️ Varies
Identity preserved after AD decommission | ✅ Snapshot tier | ❌ No | ❌ No | ⚠️ Only if migrated | ⚠️ Varies
SHA-256 content integrity verification | ✅ Continuous walker | ❌ No | ❌ No | ❌ No | ⚠️ Varies
Ongoing licensing cost | ✅ CapEx-once | ❌ Annual + hardware | ✅ None | ❌ Per-user/month | ❌ Per-seat/GB
Vendor lock-in | ✅ Open SPI contracts | ❌ MS ecosystem | ✅ None | ❌ Microsoft | ⚠️ Varies
Air-gapped deployment | ✅ Fully on-prem | ✅ Yes | ✅ Yes | ❌ Requires internet | ⚠️ Varies

Compliance Positioning

Cesivi Archive Variant A is designed for four compliance families. Full citation-to-feature mapping is in COMPLIANCE_COOKBOOK.md.

HIPAA: §164.316(b)(1) requires retention of compliance documentation for six years. §164.310(d)(2)(iv) requires data backup and integrity controls. Cesivi satisfies both via the WORM audit log and SHA-256 integrity walker. The 7-year default retention window provides HIPAA safe harbour.

GDPR: Article 5(1)(e) requires storage limitation. Article 17(3)(e) exempts erasure when processing is necessary for legal claims. Article 32 requires integrity and confidentiality. Cesivi's legal hold prevents premature erasure while the WORM log and integrity gate satisfy Art. 32's technical controls requirement.

SOX §103/§404/§802: Audit work papers must be retained for seven years (§103). Internal controls over financial reporting require tamper-evidence (§404). Anti-tampering provisions (§802) require that audit records cannot be altered. Cesivi's WORM substrate, hard retention gate, and no-admin-bypass policy directly satisfy these requirements.

FRCP 37(e) — eDiscovery chain of custody: Legal hold provides documented chain-of-custody from hold-applied to hold-released, with every blocked deletion attempt logged with caller identity and surface (REST/CSOM/SOAP). The hold/release audit trail survives in the WORM log and can be exported to CSV for counsel.


Total Cost of Ownership

Cesivi Archive is a CapEx-once, OpEx-low solution:

  • CapEx: One-time purchase of the Cesivi license, allocated to hardware (a single Windows or Linux server with adequate storage) and implementation (typically 2–4 days for a standard single-farm import).
  • OpEx: Minimal — OS patches, routine backup of the data directory, annual review of the WORM chain verification report.

Contrast with:

  • SP Online / commercial archival vendor: Typically USD 3–15 per user per month plus storage costs. For a 1,000-user organization, a 10-year retention obligation costs USD 360,000–1,800,000 in subscription fees alone.
  • Keeping SP on EOL: Ongoing server licensing, Windows Server CALs, hardware refresh, and security liability (unpatched SP is a known attack vector). Costs compound annually.

Cesivi's pricing is not published in this whitepaper (contact your account representative), but the cost model is: no per-user fee, no per-GB fee, no recurring cloud subscription.


Roadmap

v1.2 ships Variant A (on-premises SP farm retirement). The v1.3+ roadmap:

Item | Target version | Notes
Variant B — SPO local backup | v1.3 | Archive SharePoint Online tenant exports locally
S3 Object Lock backend | v1.3 | Plug-in via existing IWormAuditLogStore SPI
Azure Blob Immutability backend | v1.3 | Plug-in via existing IWormAuditLogStore SPI
Identity federation at scale | v1.3 | Production AD/Entra adapters for large user bases
Multi-tenant archive collections | v1.4 | Host multiple independent farm archives on one instance

The cloud backend SPIs (IWormAuditLogStore, IArchivedAclStore, IIntegrityStore, IArchiveRetentionStore, IArchiveLegalHoldStore) are already shipped with contract-test suites in v1.2. Third-party cloud adapters can be implemented against these contracts today.


How to Evaluate Cesivi Archive

  1. Start with Tutorial G: TUTORIAL_G_ARCHIVE_ONPREM_RETIREMENT.md — Install, import, verify, tour. Approximately 60 minutes on a fresh install.

  2. Review the compliance cookbook: COMPLIANCE_COOKBOOK.md — Per-regulation citation tables and worked examples for HIPAA, GDPR, SOX, and FRCP 37(e).

  3. Contact us for a guided pilot or evaluation license.


See also