Whitepaper/
Arkivum digital archive solutions for Life Sciences
Introduction
Arkivum is an established provider of data archiving solutions. Arkivum’s Archive as a Service provides a
fully-managed and secure service for long-term data retention with online access and a guarantee of data
integrity that’s part of our Service Level Agreement and backed by worldwide insurance. Recognising that
many organisations don’t allow their data to go off-site, OSCAR, Arkivum’s On-Site Cloud ARrchive,
offers all of the Arkivum shared managed service’s data integrity and management features within a
corporate firewall, making it ideal for organisations where confidentiality or regulation requires all
information to be stored onsite.
The benefits of using Arkivum’s solutions
The most common approach to archiving data in corporate environments is to retain data on the same
systems where it was first created, e.g. enterprise storage servers. The capacity of these servers then
grows to match ever increasing volumes of data and the need to keep ever more of it for compliance or
reuse. This approach is expensive, difficult to manage, and can put data at risk; for example through
hardware failures or accidental data deletion or modification. Keeping infrequently accessed and static
archive data on expensive enterprise storage servers is a luxury in today’s challenging economic climate.
The solution is to move data off these systems into Arkivum managed facilities or services which are
optimised for archiving. This saves money, saves effort, frees up resources, and reduces risk that data
cannot be found or accessed again in the future.
But this isn’t the only benefit of using an Arkivum solution. Most organisations underestimate the longterm Total Cost of Ownership of archiving, especially where stringent data retention requirements need to
be met. Long-term archiving requires specialist expertise, active data management, the procurement and
migration of systems to address obsolescence, and regular auditing to make sure retention metrics are
being met. Arkivum has all these in place, including ISO27001 certification and 21 CFR Part 11
enablement. Using one of our solutions isn’t just about storing data - it’s about accessing our expertise
and approach, which saves having to develop or maintain this in-house.
Specific business and commercial benefits include:
• 50% cost savings
On enterprise storage (or more) are typically achievable by moving archive data off expensive storage
servers and into an Arkivum archive solution, either onsite or using our storage service. We develop
Total Cost of Ownership (TCO) models with our clients to illustrate the specific cost advantages in both
the short, medium and long term of the Arkivum solution compared to other solutions.
• 80% reduction in cost and time for backups
It is common for the majority of data on enterprise storage to be infrequently or ever accessed again.
Moving it to a dedicated Arkivum archive solution means it doesn’t clog-up nightly or weekly backups,
which in turn are both faster and cheaper.
• 100% data retrieval
When faced with compliance audits or the need to reuse valuable company data. Arkivum guarantees
the 100% integrity of all data stored in our service – with no limits on time or volume. Our data
protection measures are so extensive that we are backed by worldwide insurance that covers the costs
incurred to our customers as a direct result of us losing data Availability of our service is also high at
99.9% and it takes less than 5 minutes to start receiving data back from our service.
• 75% reduction in costs of 21CFRpart111 compliance
Many companies focus on the initial parts of the data lifecycle (rather than the whole lifecycle costs) for
Arkivu m Limited
R21 Langley Park Way
Chippenham
Wiltshire
SN15 1GE
UK
+44 1249 405060
info@arkivum.com
@Arkivum
Arkivum.com
Title
Arkivum digital archive
solutions for Life Sciences
Part no
ARK/MKTG/ALL/181
Version
1.1
Date
June 2014
Statu s
Release
1/7
© Arkivum Ltd 2014
21CFRpart11, e.g. putting proper digital signatures processes in place to ensure authenticity. But the
main costs typically are in the long-term where integrity, authenticity, confidentiality and availability
need to be delivered over decade retention periods or longer. This is where Arkivum can make a big
impact as it has the people, processes and infrastructure already in place to deliver these functions.
• 70% reduction in IT power
Arkivum’s use of data tape results in a highly energy efficient storage service. Power consumption is
less than 10% of ‘spinning disks’ in an enterprise storage server. This results in a low carbon footprint
at a time where ‘green IT’ is becoming increasingly important, but also has a major practical benefit on
the customer site where power and cooling maybe limited.
• 100% known costs
Our service and solution is transparent and includes all costs of data retention, including people,
equipment, maintenance, upgrades, migrations, ISO27001 audits – the list is extensive! We can offer
our service at a fixed cost per TB stored, either PAYG or fixed-term, over a period of many years. This
means much more manageable and predictable budgets, with forward planning becoming less of a
gamble – and the ability for Arkivum customers to pass on long-term retention costs onto their
customers!
• 0% vendor lock-in.
Our use of data tape allows us to support data escrow for our archive service and external offline
copies of data for OSCAR – encrypted in both cases if required. Files are stored in exactly the format
you supply then and are easily retrieved from tape using stand-alone tape drives and LTFS open
source software - which means you are in no way tied into our service or any proprietary technology. If
your business drivers and requirements change, due to mergers, acquisitions or re-sizing, you can
easily and quickly migrate from the Arkivum solution if you need to.
How does Arkivum support 21CFR11 compliance?
Arkivum can be instrumental in helping a company achieve 21CFR11 compliance. Arkivum’s service
meets the key requirements of 21CFR11: Integrity, authenticity, confidentiality and the need for
availability (ready access). We have designed system from ground up with information security in mind.
We have been certified to ISO27001, which includes a detailed risk assessment of the integrity,
availability and confidentiality of customer assets in our possession.
This all means that Arkivum’s service or OSCAR onsite solution can substantially reduce the cost and
effort of meeting compliance. We are very transparent in what we do – you need to know that your data is
safe in our hands. We openly share details of our people, processes and infrastructure with both
customers and auditors and we are willing to be audited when a customer is itself being 21CFR11
audited.
With respect to 21CFRpart11, Arkivum supports retention of documents that are both in-scope and outof-scope2. Our service is classed as an ‘Open System’ and hence controls for open systems apply. The
controls for open systems (21CFRpart11 Sec 11.30) include all the controls for closed systems
(21CFRpart11 Sec 11.10), so in the table below we show how we address both sets of requirements.
Arkivum Limited
R21 Langley Park Way
Chippenham
Wiltshire
SN15 1GE
UK
+44 1249 405060
info@arkivum.com
@Arkivum
Arkivum.com
Title
Arkivum digital archive
solutions for Life
Sciences
Part n o
ARK/MKTG/ALL/181
Ve rsion
1.1
Date
June 2014
S tatus
Release
2/7
© Arkivum Ltd 2014
21 CFR part 11 requirement
Arkivum approach
Sec. 11.10 Controls for closed systems.
• Automated and regular integrity checks are
performed on of all data and metadata held in
the service to confirm integrity.
Persons who use closed systems to create,
modify, maintain, or transmit electronic records
shall employ procedures and controls designed
to ensure the authenticity, integrity, and, when
appropriate, the confidentiality of electronic
records, and to ensure that the signer cannot
readily repudiate the signed record as not
genuine. Such procedures and controls shall
include the following:
(a) Validation of systems to ensure accuracy,
reliability, consistent intended performance, and
the ability to discern invalid or altered records.
• Integrity is checked using checksums that have
been agreed with customer to ensure that no
tampering can occur on any copies of the data
without detection.
• Multiple copies are held of customer data, so if
integrity is lost in one copy (e.g. failure of
storage technology) then other copies can be
used to replace it with a known good copy.
• Checksums and detection of any integrity loss
are both fully automated and periodically
executed to ensure that data remains
unchanged, invalid or altered data is detected,
and the archive service is delivered within
specified levels of performance.
• Arkivum conducts regular tests of our software
and systems through fault injection and failure
simulation to validate that threats to data
integrity, availability and confidentiality are all
mitigated and handled correctly.
Sec. 11.10
(b) The ability to generate accurate and complete
copies of records in both human readable and
electronic form suitable for inspection, review,
and copying by the agency. Persons should
contact the agency if there are any questions
regarding the ability of the agency to perform
such review and copying of the electronic
records.
• Arkivum’s service ensures all customer data
can be readily accessed in its entirety and in
bit-for-bit identical form to the originally
submitted data.
• Arkivum’s service supports a customer in being
able to generate accurate and complete
reports for an inspection or review by the
United States, Food and Drug Administration
(FDA).
• High availability and online access to all
customer data through file system and web
interfaces means that complete record sets
can be retrieved and delivered to the FDA
when required.
Arkivum Limited
R21 Langley Park Way
Chippenham
Wiltshire
SN15 1GE
UK
+44 1249 405060
info@arkivum.com
@Arkivum
Arkivum.com
Title
Arkivum digital archive
solutions for Life
Sciences
Part n o
ARK/MKTG/ALL/181
Ve rsion
1.1
Date
June 2014
S tatus
Release
3/7
© Arkivum Ltd 2014
Sec. 11.10
(c) Protection of records to enable their accurate
and ready retrieval throughout the records
retention period.
• Arkivum’s service ensures all customer data
can be readily accessed in its entirety and in
bit-for-bit identical form to the originally
submitted data.
• Arkivum’s service supports a customer in being
able to generate accurate and complete
reports for an inspection or review by the
United States, Food and Drug Administration
(FDA).
• High availability and online access to all
customer data through file system and web
interfaces means that complete record sets
can be retrieved and delivered to the FDA
when required.
Sec. 11.10
(c) Protection of records to enable their accurate
and ready retrieval throughout the records
retention period.
• Arkivum guarantees data integrity (accuracy)
and provides a very high level of availability
with fast access (read retrieval). Both are in
our Service Level Agreement (SLA) (100%
data integrity, 99.9% availability, less than 5
minutes retrieval latency).
• Accuracy: checksums are used on all data we
store. We cross-check and agree these
checksums with the customer to ensure we
have correctly received the data. We use the
checksums to actively manage data integrity
by detecting corrupted data and restoring
integrity using the replicas we store for each
and every file. Whenever a customer requests
a file from the archive, the checksums are
used to confirm that it is bit-identical to the
original. No files are ever returned without
passing this test.
• Ready retrieval: Files in the Arkivum service
are stored in two separate data centres in
online tape libraries. For the OSCAR onsite
solution, tape libraries are installed on the
customer site. Tape libraries mean that access
to files is quick – less than 5 minutes to get to
the start of any file and then a very high data
rates when getting data back. If files are
accessed frequently, then they can be cached
on hard drives to provide fast repeated access
without needing to pull data from tape or over
the network every time
Arkivum Limited
R21 Langley Park Way
Chippenham
Wiltshire
SN15 1GE
UK
+44 1249 405060
info@arkivum.com
@Arkivum
Arkivum.com
Title
Arkivum digital archive
solutions for Life
Sciences
Part n o
ARK/MKTG/ALL/181
Ve rsion
1.1
Date
June 2014
S tatus
Release
4/7
© Arkivum Ltd 2014
Sec. 11.10
(d) Limiting system access to authorized
individuals.
• We have a full information security
management process in place that covers all
aspects of security including people, process,
facilities, equipment and software. We are
certified to ISO27001 and regularly audited for
compliance.
• Data storage at our data centres and escrow
site uses a range of physical security
measures. Each customer’s data is on a
dedicated set of tapes, including the escrow
copies.
• Remote online access to data is only available
to the customer that submitted the data.
Hardware firewalls are used to tightly control
both customer access to and Arkivum
management of our service.
• Only specific trained and authorised Arkivum
staff can administer our storage systems.
Sec. 11.10
(e) Use of secure, computer-generated, timestamped audit trails to independently record the
date and time of operator entries and actions that
create, modify, or delete electronic records.
Record changes shall not obscure previously
recorded information. Such audit trail
documentation shall be retained for a period at
least as long as that required for the subject
electronic records and shall be available for
agency review and copying.
• We store a complete record of where every file
has come from, what its ownership and
permissions are, when it has been retrieved by
the customer, when we’ve migrated it to new
media, when we’ve checked its integrity, when
it went into escrow - and any unauthorised
attempts to access the file. This allows
assertions to be made that records are
secured and haven’t changed. · Records are
kept of customer data access as well as any
activities within our service that ‘touch’ the data
such as integrity checks. These are held in
secured log files that are timestamped, digitally
signed by Arkivum, replicated for safety and
cannot be overwritten. This ensures that a full
audit trail is available for all customer data.
Arkivum Limited
R21 Langley Park Way
Chippenham
Wiltshire
SN15 1GE
UK
+44 1249 405060
info@arkivum.com
@Arkivum
Arkivum.com
Title
Arkivum digital archive
solutions for Life
Sciences
Part n o
ARK/MKTG/ALL/181
Ve rsion
1.1
Date
June 2014
S tatus
Release
5/7
© Arkivum Ltd 2014
Sec. 11.10
(f) Use of operational system checks to enforce
permitted sequencing of steps and events, as
appropriate.
• All data in the Arkivum service is WORM (write
once, read many) unless explicitly requested
by the customer. Attempts to
append/modify/overwrite/delete are all trapped
and blocked.
• Processes executed by Arkivum staff are
tightly governed and can only be executed by
nominated individuals, e.g. moving media
offsite to escrow, migration of media within our
tape libraries, and maintenance and upgrade.
• All customer data is stored in fixed locations
that are agreed in advance with our customers.
We never move customer data to another
location without permission first.
• Data for each customer is on dedicated tapes.
These tapes are only ever handled by trained
Arkivum staff, who are responsible for their
safekeeping through use of our highly
automated data management systems.
• We use a barcode and RFID based tape
tracking system so we know the exact location
of every tape we hold. This is done all the way
from blank media arriving into our facilities for
QA through to loading tapes in our Data Centre
tape libraries and then any secure transfer of
externalised tapes to our escrow site.
• We record exactly who at Arkivum does each
activity and all our staff adhere to tightly
defined company policies that embody digital
preservation and information security
recommended practice.
Sec. 11.10
(g) Use of authority checks to ensure that only
authorized individuals can use the system,
electronically sign a record, access the operation
or computer system input or output device, alter a
record, or perform the operation at hand.
Sec. 11.10
(h) Determination that persons who develop,
maintain, or use electronic record/electronic
signature systems have the education, training,
and experience to perform their assigned tasks.
• Arkivum integrates with Active Directory to
secure ingest of files into our service and
access to files within our service.
• Administration actions, e.g. deleting data or
specifying the key used to encrypt data, can
only be done through a secured administration
interface. · Only authorised Arkivum staff can
perform actions that have the potential to
change or move data, e.g. migrations.
• Electronic signatures and use of electronic
record systems is a requirement on customer
systems.
• Our service allows the safe and secure longterm storage of data that has already been
signed and exported from these systems.
Arkivum Limited
R21 Langley Park Way
Chippenham
Wiltshire
SN15 1GE
UK
+44 1249 405060
info@arkivum.com
@Arkivum
Arkivum.com
Title
Arkivum digital archive
solutions for Life
Sciences
Part n o
ARK/MKTG/ALL/181
Ve rsion
1.1
Date
June 2014
S tatus
Release
6/7
© Arkivum Ltd 2014
Sec. 11.10
(i) Use of appropriate controls over systems
documentation including:
(1) Adequate controls over the distribution of,
access to, and use of documentation for system
operation and maintenance.
(2) Revision and change control procedures to
maintain an audit trail that documents timesequenced development and modification of
systems documentation.
• Arkivum is certified to ISO27001 “Information
Security Management System”
• ISO27001 This includes Control A12
‘Information Systems Acquisition, Development
and Maintenance’ In this context, information
systems are taken to mean the operating
systems, infrastructure, business applications,
off-the-shelf products, services, and internally
developed software and applications. A12
includes software engineering, version control,
change management, document management
and security of information that describes the
design and operation of the system.
• As a result, Arkivum has an independently
audited approach to controlling access to
documentation on our systems and an audit
trail of how our systems and associated
documentation change over time.
Sec. 11.30 Controls for open systems.
Additional measures:
Persons who use open systems to create,
modify, maintain, or transmit electronic records
shall employ procedures and controls designed
to ensure the authenticity, integrity, and, as
appropriate, the confidentiality of electronic
records from the point of their creation to the
point of their receipt. Such procedures and
controls shall include those identified in 11.10, as
appropriate, and additional measures such as
document encryption and use of appropriate
digital signature standards to ensure, as
necessary under the circumstances, record
authenticity, integrity, and confidentiality.
• All data held in our service is encrypted using
AES256 to ensure confidentiality. Encryption
happens on the customer site before data
leaves the customer network. The keys for
decryption never leave the customer network
so no one else can read the data, including
Arkivum.
• There is an option of digitally signed
confirmation of receipt of data by Arkivum for
non-repudiation (chain of custody).
• Industry standard checksums (e.g. MD5) are
generated for all data received into our service.
The checksums can be exchanged with the
customer to verify correct receipt of data to
ensure an unbroken data integrity chain.
Arkivum Limited
R21 Langley Park Way
Chippenham
Wiltshire
SN15 1GE
UK
+44 1249 405060
info@arkivum.com
@Arkivum
Arkivum.com
Title
Arkivum digital archive
solutions for Life
Sciences
Part n o
ARK/MKTG/ALL/181
Ve rsion
1.1
Date
June 2014
S tatus
Release
7/7
© Arkivum Ltd 2014