Email Compliance Checklist
Assess your email archiving and compliance posture
Use this checklist to evaluate your organization's email archiving practices against regulatory requirements and industry best practices. Check each item that applies, then calculate your compliance score at the end.
Retention Requirements

General Requirements

- [ ] Defined retention periods: documented retention periods for different email types
- [ ] Regulatory alignment: retention periods meet your industry's legal requirements
- [ ] Consistent application: retention policies apply to ALL email (not just select mailboxes)
- [ ] Deletion procedures: a process exists for deleting emails after the retention period expires

Retention by Regulation

| Regulation | Applies To | Minimum Retention |
|---|---|---|
| SEC 17a-4 | Broker-dealers, financial services | 6 years (first 2 immediately accessible) |
| FINRA 3110 | FINRA member firms | 3-6 years depending on record type |
| HIPAA | Healthcare, health plans | 6 years from creation or last effective date |
| SOX | Public companies (US) | 7 years for audit-related communications |
| GDPR | EU resident data handlers | As long as necessary (must justify) |
| IRS | All US businesses | 7 years for tax-related communications |

- [ ] Identified applicable regulations: you know which regulations apply to your organization
- [ ] Documented justification: retention periods are documented with regulatory justification

Archive Integrity

Capture Completeness

- [ ] All mailboxes archived: every user mailbox is captured (no exceptions)
- [ ] Shared mailboxes included: distribution lists, shared inboxes and service accounts archived
- [ ] External email captured: both inbound and outbound email archived
- [ ] Internal email captured: email between internal users archived
- [ ] Attachments preserved: all attachments stored with the parent message
- [ ] Calendar invites archived: meeting invitations with attendee responses captured

Tamper Protection

- [ ] Immutable storage: archived emails cannot be modified after capture
- [ ] Hash verification: cryptographic hashes verify message integrity
- [ ] Audit trail: all access to archived emails is logged
- [ ] Chain of custody: documentation exists proving archive integrity

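The "Hash verification" and "Chain of custody" items above are easier to assess when you know what a verifiable archive actually checks. The following is an added illustration, not code from this checklist or from Piler: it stores a SHA-256 digest per message and links each entry to the previous one, so editing a stored message is detected, and (if the chain head is recorded out-of-band, for example in the audit log or on WORM media) so is rewriting a manifest entry or deleting the newest messages. The message bytes, the `HashChainedArchive` class and the `reseal_entry` helper are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample messages (not real mail); an archive would store the raw captured bytes.
SAMPLE_MESSAGES = [
    b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Q3 report\r\n\r\nAttached is the draft.\r\n",
    b"From: bob@example.com\r\nTo: alice@example.com\r\nSubject: Re: Q3 report\r\n\r\nLooks good, sending to audit.\r\n",
    b"From: carol@example.com\r\nTo: all@example.com\r\nSubject: Retention policy\r\n\r\nNew policy attached.\r\n",
]

GENESIS = "0" * 64  # chain anchor used for the first entry


def message_digest(raw: bytes) -> str:
    """SHA-256 over the exact bytes as captured (headers, body, encoded attachments)."""
    return hashlib.sha256(raw).hexdigest()


def link_hash(prev_chain: str, digest: str) -> str:
    """Chain link: hash of the previous link concatenated with this message's digest."""
    return hashlib.sha256((prev_chain + digest).encode("ascii")).hexdigest()


@dataclass
class ArchiveEntry:
    msg_id: int
    digest: str      # integrity hash of the stored message
    chain_hash: str  # binds this entry to every earlier entry


class HashChainedArchive:
    """Hypothetical archive: message store plus a hash-chained manifest."""

    def __init__(self) -> None:
        self.entries: list[ArchiveEntry] = []
        self.store: dict[int, bytes] = {}

    def ingest(self, raw: bytes) -> ArchiveEntry:
        prev = self.entries[-1].chain_hash if self.entries else GENESIS
        digest = message_digest(raw)
        entry = ArchiveEntry(len(self.entries), digest, link_hash(prev, digest))
        self.entries.append(entry)
        self.store[entry.msg_id] = raw
        return entry

    def chain_head(self) -> str:
        """Value to record out-of-band (audit log, WORM media) after each ingest batch."""
        return self.entries[-1].chain_hash if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> list[int]:
        """Recompute every digest and link. Returns the ids of failing entries;
        -1 is appended when the recomputed chain head differs from the recorded one."""
        bad: list[int] = []
        prev = GENESIS
        for entry in self.entries:
            raw = self.store.get(entry.msg_id)
            content_ok = raw is not None and message_digest(raw) == entry.digest
            if not content_ok or link_hash(prev, entry.digest) != entry.chain_hash:
                bad.append(entry.msg_id)
            prev = entry.chain_hash
        if expected_head is not None and prev != expected_head:
            bad.append(-1)
        return bad

    def reseal_entry(self, msg_id: int) -> None:
        """Recompute one entry's digest and link from whatever is currently stored.
        An immutable manifest must make this impossible; it is included only to show
        that the following entry's link still exposes the rewrite."""
        prev = self.entries[msg_id - 1].chain_hash if msg_id > 0 else GENESIS
        entry = self.entries[msg_id]
        entry.digest = message_digest(self.store[msg_id])
        entry.chain_hash = link_hash(prev, entry.digest)


def build_archive(messages: list[bytes]) -> HashChainedArchive:
    archive = HashChainedArchive()
    for raw in messages:
        archive.ingest(raw)
    return archive


if __name__ == "__main__":
    archive = build_archive(SAMPLE_MESSAGES)
    head = archive.chain_head()  # recorded out-of-band at ingest time
    print("clean archive, failing ids:", archive.verify(head))
    archive.store[1] = archive.store[1].replace(b"Looks good", b"Looks bad")
    print("after editing message 1:", archive.verify(head))
    archive.reseal_entry(1)
    print("after also rewriting entry 1:", archive.verify(head))
    del archive.entries[-1]
    del archive.store[2]
    print("after deleting the newest message:", archive.verify(head))
```

Three things to take from this when scoring the Tamper Protection items: per-message hashes alone only catch edits to the stored bytes; the chain catches an entry that was rewritten to match an edited message, because the next entry's link no longer verifies; and truncation is only visible if the chain head is kept somewhere the archive administrator cannot change.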
Search & Retrieval (eDiscovery Readiness)

Search Capabilities

- [ ] Full-text search: can search email body, subject and attachments
- [ ] Metadata search: can search by sender, recipient and date range
- [ ] Boolean operators: supports AND, OR, NOT and phrase search
- [ ] Attachment search: can search inside PDF and Office documents

Legal Hold & Export

- [ ] Export formats: can export to EML and PDF for legal review
- [ ] Legal hold capability: can freeze specific emails from deletion
- [ ] Audit logging: all searches and exports are logged

Access Control

- [ ] Role-based access: different permission levels (admin, auditor, user)
- [ ] User self-service: end users can search their own archived email
- [ ] Access logging: all archive access is logged with user identity

Data Protection

Encryption

- [ ] Encryption at rest: archived emails encrypted in storage
- [ ] Encryption in transit: TLS for email capture and archive access
- [ ] Key management: encryption keys securely stored and backed up

Backup & Disaster Recovery

- [ ] Regular backups: archive data backed up on schedule
- [ ] Backup verification: backups tested for successful restore
- [ ] Geographic redundancy: backups stored in a separate location
- [ ] DR plan tested: disaster recovery plan tested annually

Data Sovereignty

- [ ] Data location known: you know where archived data is physically stored
- [ ] Jurisdiction acceptable: data storage location meets regulatory requirements

Modern Messaging Channels

Microsoft Teams

- [ ] Teams archiving enabled: Teams chats and channel messages captured
- [ ] Private chats included: 1:1 and group chats archived (not just channels)
- [ ] File shares captured: files shared in Teams conversations preserved

Slack

- [ ] Slack archiving enabled: Slack messages captured
- [ ] Private channels included: not just public channels
- [ ] Direct messages included: DMs captured per policy

Policies & Procedures

Documentation

- [ ] Email retention policy: written policy exists and is approved
- [ ] Acceptable use policy: states that email may be monitored/archived
- [ ] Legal hold procedures: documented process for litigation holds
- [ ] eDiscovery procedures: process for responding to legal requests

Training & Awareness

- [ ] IT admin training: archive administrators trained on the system
- [ ] Legal/compliance training: eDiscovery procedures understood
- [ ] Annual review: policies reviewed and updated annually

Calculate Your Score

Your Compliance Score: ___ / 50 (count the items you checked above)

| Score | Rating | Recommendation |
|---|---|---|
| 45-50 | Excellent | Maintain and continuously improve |
| 35-44 | Good | Address gaps in high-risk areas |
| 25-34 | Fair | Prioritize retention and integrity items |
| 15-24 | Needs Work | Significant compliance risk - act quickly |
| <15 | Critical | Major gaps - seek expert guidance immediately |
Tip: Focus first on items in the "Retention Requirements" and "Archive Integrity" sections - these carry the highest regulatory risk.
Next Steps
- → Schedule quarterly compliance review
- → Test eDiscovery process with mock legal request
- → Verify backup restoration works
- → Review and update policies annually
This checklist is provided for informational purposes. It is not legal advice. Consult with qualified legal counsel to understand the specific compliance requirements that apply to your organization.
Need help closing compliance gaps?
Piler Enterprise helps organizations meet email retention and eDiscovery requirements