Server Verification & Data Integrity

Technical documentation of the Azure infrastructure for immutable data storage

Data Location: Switzerland
WORM Storage
10-Year Retention
Geo-Redundant

High Availability: RA-GRS (Switzerland)

Notary API on Azure Functions with geo-redundant Blob Storage replication.

Azure RA-GRS configuration with primary and secondary locations in Switzerland

Read-Access Geo-Redundant Storage (RA-GRS)

Synchronous writes to Switzerland North, asynchronous replication to Switzerland West.

  • Primary: Switzerland North (Zurich)
  • Secondary: Switzerland West (Geneva) – automatic failover
  • Immutable Blob Storage Container
  • Azure Functions with Managed Identity

Certificate Pinning (TLS)

URLSession Delegate with SHA-256 SPKI hashes for MITM protection.

  • SPKI Pinning: SHA-256 hash of public key
  • TLS 1.3 with Perfect Forward Secrecy
  • Certificate chain validation to Root CA

Immutable Storage: WORM Policy (Locked)

Version-Level Immutability with locked 10-year Retention Policy.

Azure Immutable Blob Storage with locked Time-Based Retention Policy

Notarization Flow

ServerVerificationService.notarize() → Azure Function → Immutable Blob.

  • Blob Name: {entryId}_v{version}.json
  • Upload with conditions: { ifNoneMatch: '*' } prevents overwrites
  • Idempotency Check: On 409 Conflict → verify identical data
  • Content-MD5 Header for transport integrity
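
The write-once upload and the 409 idempotency check listed above, as an added JavaScript example that is not the service's own code. `WormContainer` is a constructed in-memory stand-in for the immutable container; its `contentMD5` option, the `outcome` values and the `entryId` character restriction are assumptions made for illustration, while the blob name format and `ifNoneMatch: '*'` come from the list above.

```javascript
const crypto = require('node:crypto');

// Constructed in-memory stand-in for the immutable container. It honours
// ifNoneMatch: '*' (409 when the blob exists) and rejects a body whose MD5
// differs from the declared one (400), like the storage service does.
class WormContainer {
  constructor() { this.blobs = new Map(); }
  upload(name, body, { conditions, contentMD5 }) {
    const md5 = crypto.createHash('md5').update(body).digest('base64');
    if (md5 !== contentMD5) throw Object.assign(new Error('Md5Mismatch'), { statusCode: 400 });
    if (conditions.ifNoneMatch === '*' && this.blobs.has(name)) {
      throw Object.assign(new Error('BlobAlreadyExists'), { statusCode: 409 });
    }
    this.blobs.set(name, Buffer.from(body));
  }
  download(name) { return this.blobs.get(name); }
}

// Blob name format from the page: {entryId}_v{version}.json
// Assumption: entryId is restricted to [A-Za-z0-9-] so it cannot alter the path.
function blobName(entryId, version) {
  if (!/^[A-Za-z0-9-]+$/.test(entryId) || !Number.isInteger(version) || version < 1) {
    throw new Error('invalid entryId or version');
  }
  return `${entryId}_v${version}.json`;
}

// Write-once upload; a 409 is a success only if the stored bytes are identical.
function notarize(container, entryId, version, rawBody) {
  const name = blobName(entryId, version);
  const body = Buffer.from(rawBody);
  // MD5 here guards against transport corruption only; it is not a security control.
  const contentMD5 = crypto.createHash('md5').update(body).digest('base64');
  try {
    container.upload(name, body, { conditions: { ifNoneMatch: '*' }, contentMD5 });
    return { outcome: 'created', name };
  } catch (err) {
    if (err.statusCode !== 409) throw err;          // only conflicts are handled here
    const stored = container.download(name);
    return stored.equals(body)
      ? { outcome: 'already-notarized', name }       // safe retry of the same request
      : { outcome: 'conflict', name };               // same version, different data
  }
}
```

A retried request with byte-identical data is reported as already notarized, while different data for an existing `{entryId}_v{version}` is surfaced as a conflict and the stored record is left untouched.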

Request Security

Multi-layered security: App Check, HMAC, Replay Protection.

  • Firebase App Check Token (X-Firebase-AppCheck header)
  • HMAC-SHA256 Request Signature (X-Signature header)
  • Nonce + requestTimestamp for replay protection
  • Rate Limiting per App-ID (429 with Retry-After)

Locked Retention Policy

Policy State: Locked – cannot be deleted or shortened.

  • Retention Interval: 3650 days (10 years)
  • Version-Level Immutability Scope
  • Compliance: SEC 17a-4(f), FINRA 4511(c), CFTC 1.31(c)-(d)

Regulatory Certification

Microsoft Azure Storage meets strict regulatory requirements for electronic records.

Cohasset Associates Assessment

Cohasset Associates, Inc. assessed the capabilities of Microsoft Azure Storage relative to the recording, storage, and retention requirements for electronic records.

  • SEC 17 CFR § 240.17a-4(f) – Regulates exchange members, brokers or dealers
  • FINRA Rule 4511(c) – Defers to format and media requirements of SEC Rule 17a-4(f)
  • CFTC 17 CFR § 1.31(c)-(d) – Regulates commodity futures trading

It is Cohasset's opinion that Microsoft Azure Storage, with the Immutable Storage for Azure Blobs feature and Policy Lock option, retains time-based Blobs (records) in a non-erasable and non-rewriteable format and meets relevant storage requirements of SEC Rule 17a-4(f), FINRA Rule 4511(c), and the principles-based requirements of CFTC Rule 1.31(c)-(d).