Data sovereignty
QAudit is designed to meet the requirements of clients who operate under strict data residency and sovereignty obligations. This page explains where data is stored, for how long, and what guarantees exist.
Cloud infrastructure
QAudit runs on S3NS, a French sovereign cloud infrastructure operating under the SecNumCloud qualification framework (France's national cybersecurity agency ANSSI qualification for cloud services). SecNumCloud imposes strict requirements on data localisation, operational sovereignty, and access control.
All event data — every event payload, signature, chain-link hash, and evidence pack — is stored within the SecNumCloud perimeter and is not replicated to any infrastructure outside it. Neither the cloud provider nor any entity outside the accredited perimeter can access data without the client's explicit authorisation.
Append-only event store
Events are stored in an append-only log. Once an event is signed and chained:
- it cannot be modified;
- it cannot be deleted;
- the record of its receipt cannot be removed.
This is not a policy — it is a structural property of the event store. The signing and chaining mechanisms mean any alteration would produce a detectable integrity failure. There is no admin interface, no API endpoint, and no background job that can overwrite or expunge an event. Correction of a business error is done by emitting a new corrective event, not by modifying the original.
Retention
QAudit retains all stored events for a minimum of 10 years from the date of receipt. This period aligns with the French dématérialisation archiving obligation and similar regulatory frameworks.
The 10-year clock starts at receipt_ts — the moment the Gateway assigned a timestamp to the event. Evidence packs follow the same retention schedule: a pack produced at period close is retained for 10 years from its production date.
During the retention period, events and packs are continuously available for download from the dashboard and via API.
What happens at system end-of-life
If the QAudit platform is decommissioned before a tenant's retention obligations are fulfilled, Serensia is contractually required to ensure continuity. The migration path is:
- A full export of the tenant's event store (all canonical payloads, signatures, and chain metadata) is produced.
- Evidence packs not yet past their retention date are included.
- The export is handed to the tenant in a format compatible with independent verification (the same format as evidence-pack events files).
The migrated archive is self-verifying: the Ed25519 signatures remain valid against the organisation's public key regardless of which system produced them or when the migration occurred.
Encryption
All data is encrypted:
- At rest — using AES-256 encryption managed by the key management system. Encryption keys are themselves stored in the key management system inside the SecNumCloud perimeter.
- In transit — using TLS 1.2 or higher on all network paths, including internal service-to-service communication.
No plain-text event data is written to any persistent storage layer.
Audit trail of access
Every access to the event store — whether by a user, an API client, or a Serensia support agent — is itself recorded as a qaudit.* event on the relevant tenant's chain. This means the record of who read the data carries the same integrity guarantees as the data itself.
Support-session access requires explicit consent and generates a qaudit.session.opened event visible in the event explorer. See Platform events for the full catalogue of platform-emitted events and their integrity properties.
Legal basis
The data sovereignty model is part of the QAudit service contract. The relevant obligations — 10-year retention, SecNumCloud hosting, append-only guarantee, migration obligation at end-of-life — are contractual commitments, not just technical properties. The contract specifies the precise terms; this page describes the technical mechanisms that underpin them.