Email archiving

Email archiving (AWS S3 Glacier Deep Archive)

To fulfill retention obligations under tax and commercial law, NeuroPraxis Kleinmachnow archives its business email correspondence long-term in the cloud. The archiving is carried out automatically and in compliance with the GDPR (DSGVO).

Provider: Amazon Web Services (AWS) — Amazon Web Services EMEA SARL, Luxembourg.

What is archived?

The emails of the practice’s two business mailboxes (torabi@neuropraxis-kleinmachnow.de and info@neuropraxis-kleinmachnow.de) are archived. The archiving covers all IMAP folders (inbox, sent, drafts and other folders) of a complete calendar year. The emails are combined by year into a compressed archive and uploaded to AWS S3.

Storage location and encryption

  • Storage location: AWS S3 Glacier Deep Archive, Stockholm region, Sweden (eu-north-1) — within the European Union
  • Encryption: Server-side encryption with AES-256 (SSE-S3). All archived emails are stored in encrypted form. Data in transit is TLS-encrypted, both when emails are retrieved from mailbox.org via IMAPS and when they are uploaded to S3 storage via HTTPS
  • Access control: Access to the archive storage is restricted to the practice owner. Public access is completely blocked

Archiving process

The emails are automatically downloaded from the mailboxes at mailbox.org once a year, compressed and uploaded to AWS S3 Glacier Deep Archive.

Archived years are never overwritten. This ensures that the retention obligation is met even if individual emails are later deleted from the active mailbox: the archive contains the complete state at the time of archiving.

Retention period and deletion

The archived emails are retained in accordance with the statutory retention obligations (6 years for business letters, 10 years for accounting documents). The archive is retained uniformly for 10 years so that emails that serve as accounting documents (e.g. invoices) are also covered correctly. After the period expires, the archives are automatically and irrevocably deleted. Deletion is carried out by an automatic lifecycle rule of the storage service; manual intervention is not required.

Legal basis

The archiving is carried out on the basis of Art. 6 para. 1 lit. c GDPR (fulfillment of a legal obligation). The statutory retention obligations arise from:

  • § 147 para. 1 no. 2 AO (Fiscal Code, Abgabenordnung) — retention obligation for received and sent business letters (6 years)
  • § 147 para. 1 no. 1 AO — retention obligation for accounting documents, e.g. invoices by email (10 years)

Restoration (retrieval)

Access to the archived emails is intended only for exceptional cases, for example as part of a tax audit, a legal dispute or in the event of data loss at the email service. Restoration from Glacier Deep Archive takes 12–48 hours and is only carried out for a legitimate reason.

Processing on behalf

The archiving is carried out within the framework of the existing data processing agreement with AWS, which is based on the AWS GDPR Data Processing Addendum (DPA). Further information on processing on behalf with AWS can be found in the section "Processing on behalf (AWS services)" of the privacy policy.