Skip to content
MEA
Security & Compliance

Data sovereignty, by design

MEA is not a vault on good faith. Every architectural decision — from client-side encryption to the tamper-proof audit log — is documented, audited and independently verifiable. Built for organisations worldwide.

Zero-knowledge encryption

The server never sees content in plaintext

The browser encrypts every document before any network transmission. The MEA server receives only the encrypted document — never the content in plaintext. Even physical access to the database is not sufficient to read your documents.

Document key

A unique key protects each document, generated by your browser at upload time.

User key

Each user's key protects their own access. It never leaves their device.

User access

The document key is sealed for every authorised user. Stored server-side, unreadable without the user's key.

Admin recovery

An encrypted recovery path lets an administrator restore access if a key is lost, without ever exposing any private key.

From document to user — client-side encryption, authorised access and admin recoveryPlaintext documentDocument keyUser keyUser accessAdmin recovery
Tamper-evident integrity

Every version is sealed in an audit chain

Every document version gets a unique fingerprint, written to the audit log with the actor's identity and the exact date. The log itself is periodically sealed: any retroactive modification becomes immediately detectable.

Trusted timestamping

Probative-value timestamping

MEA supports three timestamping levels depending on your compliance requirements:

Qualified timestamping

Maximum level of proof, aligned with recognised trust standards for the most demanding use cases.

Advanced timestamping

Suited to the majority of sector regulatory obligations.

On-site timestamping

Internal timestamping server for isolated environments or maximum data sovereignty policies.

Data protection

Compliance and data subject rights by design

MEA natively integrates data subject rights and the minimisation principle, in line with applicable data protection requirements (GDPR and equivalent regulations).

Minimisation

Only the data strictly necessary for the declared purpose is collected.

Right to export

Full export of personal data associated with a data subject, in structured format.

Right to erasure

Erasure on request, with production of a timestamped record of deletion.

Data residency

Your data stays in the region or country you choose — you keep control over where it lives.

Certification roadmap

A deliberate certification programme

Certifications are obtained in a deliberate order — each step strengthens the next. ISO 27001 lays the ISMS foundations before NF Z42-013 validates probative archiving.

  1. ISO 27001

    Planned

    Information Security Management System (ISMS) — the foundation of the entire programme.

  2. NF Z42-013

    Planned

    French standard for probative electronic archiving — technical and organisational requirements.

  3. ISO 27701

    Planned

    ISMS privacy extension — formalises data protection compliance within a certification framework.

  4. SOC 2 Type II

    Planned

    Operational effectiveness audit on trust criteria (security, availability, confidentiality).

  5. NF 461

    Planned

    Standard for Digital Trust Service Providers — relevant to the cloud archiving offering.

  6. eIDAS QTSP

    Optional

    (Optional) Qualified Trust Service Provider — for in-house qualified timestamping.

Ready to archive with confidence?

Start for free — no credit card required.