Security

The core requirements for compliance are preventing unauthorised deletion or modification of the protected data, and ensuring adequate audit records are maintained.

Thinking SAFE addresses these requirements with a combination of techniques, including automatic storage distribution and auditing, strong cryptography and secure key management, and synchronisation with the atomic clock. Every item protected is time-stamped using a signal from the atomic clock and cryptographically signed at source, providing authentication. These cryptographic signatures are verified repeatedly throughout the storage process, particularly whenever the item is transmitted, stored or retrieved. This means that it can be proven beyond reasonable doubt that the item restored is identical to the item originally protected.

Additional security measures, relating to timestamps and digital certificates, allow proof of when and where the item was originally protected. Multi-site storage capability is used to ensure that items cannot be deleted or corrupted by any single-site attack. The central principle is that each site retains an independent copy of data, with retention defined by policy, and with all communication between sites secured by certificates and restrictive protocols. This multi-site protection can be further enhanced by using multiple service providers to store copies of the data or just the cryptographic signatures used to verify the data, providing security against internal attacks or collusion.
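The two properties just described, a signature made at source over the item and its timestamp that is re-verified at every stage, and independent per-site copies so that a single corrupted site cannot change what is restored, can be shown in a few dozen lines. The following Go program is an added illustration and is not Thinking SAFE's code; it assumes Ed25519 signatures over a SHA-256 digest, a caller-supplied Unix timestamp in place of the atomic-clock signal, and the stage names, sample content and site copies are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ProtectedItem is a constructed record: the content, the time it was
// protected and an Ed25519 signature made at source over both.
type ProtectedItem struct {
	Content   []byte
	Timestamp int64  // Unix seconds; assumed to come from a trusted clock
	Signature []byte // Ed25519 signature over digest(Timestamp, Content)
}

// digest binds the timestamp to the content so that neither can be altered
// independently without invalidating the signature.
func digest(timestamp int64, content []byte) []byte {
	h := sha256.New()
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(timestamp))
	h.Write(ts[:])
	h.Write(content)
	return h.Sum(nil)
}

// Protect signs an item at source with the originating site's private key.
func Protect(priv ed25519.PrivateKey, content []byte, timestamp int64) ProtectedItem {
	c := append([]byte(nil), content...)
	return ProtectedItem{
		Content:   c,
		Timestamp: timestamp,
		Signature: ed25519.Sign(priv, digest(timestamp, c)),
	}
}

// Verify re-checks the source signature; it is run at every stage.
func Verify(pub ed25519.PublicKey, item ProtectedItem) bool {
	return ed25519.Verify(pub, digest(item.Timestamp, item.Content), item.Signature)
}

// tamper returns a copy of the item with one content byte changed, standing
// in for corruption or an unauthorised modification at a site.
func tamper(item ProtectedItem) ProtectedItem {
	c := append([]byte(nil), item.Content...)
	c[0] ^= 0x01
	item.Content = c
	return item
}

// Pipeline pushes an item through the named stages, verifying after each
// one, and returns the first stage whose check fails ("" if all pass).
// tamperAt names the stage at which corruption is injected ("" for none).
func Pipeline(pub ed25519.PublicKey, item ProtectedItem, stages []string, tamperAt string) string {
	for _, s := range stages {
		if s == tamperAt {
			item = tamper(item)
		}
		if !Verify(pub, item) {
			return s
		}
	}
	return ""
}

// Restore models multi-site retention: given the independent copies held at
// each site, it returns the first whose signature still verifies against the
// source key, so one corrupted site cannot change what is restored.
func Restore(pub ed25519.PublicKey, copies []ProtectedItem) (ProtectedItem, bool) {
	for _, c := range copies {
		if Verify(pub, c) {
			return c, true
		}
	}
	return ProtectedItem{}, false
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample item with a fixed constructed timestamp.
	orig := Protect(priv, []byte("invoice-0001: GBP 120.00"), 1700000000)
	stages := []string{"transmit", "store", "retrieve"}
	fmt.Println("clean pipeline failed at:", Pipeline(pub, orig, stages, ""))
	fmt.Println("tampered pipeline failed at:", Pipeline(pub, orig, stages, "store"))

	// Two site copies: the first corrupted, the second intact.
	restored, ok := Restore(pub, []ProtectedItem{tamper(orig), orig})
	fmt.Println("restored:", ok, "identical to original:",
		ok && bytes.Equal(restored.Content, orig.Content))
}
```

The digest covers the timestamp as well as the content, so moving the time of protection is detected exactly like changing the data; a real deployment would additionally bind the signing key to a site certificate, which this example does not model.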

This level of protection was traditionally restricted to military applications, but wider availability and reduced costs have made this an effective solution for medical, banking, insurance and other compliance-critical applications. Archiving data to physical media such as WORM disc or tape can also be considered to improve security, but is not sufficient on its own, so should only be used in addition to physically distributed storage and cryptographic security.

Modern compliance solutions typically require multiple layers of physical security to prevent unauthorised destruction of protected data and to ensure authenticity. Without such measures, it is very difficult to protect against an internal attack, even with appropriate physical access controls in place. Hence, electronic transport of the data to multiple physical locations, combined with off-line data silos, should be considered essential to achieving long-term compliance.