Data sovereignty, by design
MEA is not a vault on good faith. Every architectural decision — from client-side encryption to the tamper-proof audit log — is documented, audited and independently verifiable. Built for organisations worldwide.
The server never sees content in plaintext
The browser encrypts every document before any network transmission. The MEA server receives only the encrypted document — never the content in plaintext. Even physical access to the database is not sufficient to read your documents.
Document key
A unique key protects each document, generated by your browser at upload time.
User key
Each user's key protects their own access. It never leaves their device.
User access
The document key is sealed for every authorised user. Stored server-side, unreadable without the user's key.
Admin recovery
An encrypted recovery path lets an administrator restore access if a key is lost, without ever exposing any private key.
Every version is sealed in an audit chain
Every document version gets a unique fingerprint, written to the audit log with the actor's identity and the exact date. The log itself is periodically sealed: any retroactive modification becomes immediately detectable.
Probative-value timestamping
MEA supports three timestamping levels depending on your compliance requirements:
Qualified timestamping
Maximum level of proof, aligned with recognised trust standards for the most demanding use cases.
Advanced timestamping
Suited to the majority of sector regulatory obligations.
On-site timestamping
Internal timestamping server for isolated environments or maximum data sovereignty policies.
Compliance and data subject rights by design
MEA natively integrates data subject rights and the minimisation principle, in line with applicable data protection requirements (GDPR and equivalent regulations).
Minimisation
Only the data strictly necessary for the declared purpose is collected.
Right to export
Full export of personal data associated with a data subject, in structured format.
Right to erasure
Erasure on request, with production of a timestamped record of deletion.
Data residency
Your data stays in the region or country you choose — you keep control over where it lives.
A deliberate certification programme
Certifications are obtained in a deliberate order — each step strengthens the next. ISO 27001 lays the ISMS foundations before NF Z42-013 validates probative archiving.
ISO 27001
PlannedInformation Security Management System (ISMS) — the foundation of the entire programme.
NF Z42-013
PlannedFrench standard for probative electronic archiving — technical and organisational requirements.
ISO 27701
PlannedISMS privacy extension — formalises data protection compliance within a certification framework.
SOC 2 Type II
PlannedOperational effectiveness audit on trust criteria (security, availability, confidentiality).
NF 461
PlannedStandard for Digital Trust Service Providers — relevant to the cloud archiving offering.
eIDAS QTSP
Optional(Optional) Qualified Trust Service Provider — for in-house qualified timestamping.