DUCK CREEK COMPLIANCE ARCHIVE

    The Duck Creek Compliance Archive — Signed, Auditable, Defensible

    The duck creek compliance archive: data archival store plus the compliance overlay — per-jurisdiction retention policy enforcement (NAIC + 50 states + long-tail claims), signed evidence packs for state market-conduct exams and NAIC accreditation, legal hold management, NIST 800-88 certified destruction, SIEM-integrated audit trail covering every event.

    NAIC + 50 states: + long-tail claim retention
    Signed packs: RFC 3161 timestamped evidence
    NIST 800-88: Certified destruction workflow
    SIEM-ready: Plugs into your existing audit

    What a duck creek compliance archive is — and why a standard data archive falls short under regulatory pressure

    The duck creek data archival store gives you queryable retention. The duck creek compliance archive gives you defensible, signed, auditable retention that holds up under NAIC examination, state market-conduct exam, reinsurance treaty audit and litigation discovery.

    Most P&C carriers approaching Duck Creek Platform retirement think first about the data-retention problem — extract every record, load into a cloud archive, decommission the source. That solves the foundational problem of where the data lives and how it gets queried. It does not, by itself, solve the compliance problem: how does the carrier prove to a state insurance department examiner, an NAIC accreditation reviewer, an external SOX auditor, a reinsurance treaty auditor, a claims litigation counsel or a regulatory enforcement officer that the right records were retained for the right windows under the right rules, that no record was modified or destroyed inappropriately, and that retrieval activity matches the carrier's stated record-keeping practice? Without engineered evidence, the carrier ends up reconstructing this story by hand under audit time pressure — slowly, expensively, and often unconvincingly.

    The duck creek compliance archive is the engineered alternative — the duck creek data archival store plus a compliance overlay that turns every retention decision, every retrieval, every modification and every destruction into signed evidence. The per-jurisdiction retention policy engine carries NAIC Model Audit Rule, NAIC statutory accounting principles, 50-state insurance department record-keeping rules, long-tail claim statute-of-limitations rules (asbestos, environmental, construction defect, latent injury, occurrence-basis professional liability), SOX 7-year retention for publicly traded carriers, IRS 7-year retention for tax records, reinsurance treaty audit obligations and state consumer-access rights (CCPA / CPRA / CPA / CTDPA / VCDPA). Per-record retention is computed as the maximum applicable window, refreshed annually as rules change, and enforced through S3 Object Lock / GCS Bucket Lock / Azure immutable blob / OCI WORM.

    Signed evidence packs for state market-conduct exams and NAIC accreditation include the requested record populations with cryptographic signatures, RFC 3161 trusted timestamps, the retention-policy basis per record and the chain-of-custody log. Reinsurance treaty audit evidence packs include per-treaty per-bordereau cession history with full lineage back to originating Duck Creek transactions and the treaty configuration in effect per bordereau. Litigation discovery output packages include the matter-scoped records with court-acceptable signatures. Certified destruction workflows execute NIST 800-88-aligned purge with signed JSON certificates of destruction. Every retrieval, modification, legal hold action and destruction event lands in the carrier's existing SIEM via standard integration. The duck creek compliance archive does not require a parallel audit infrastructure — it makes the carrier's existing SOX, internal audit and SIEM programs work for Duck Creek retention without manual reconstruction.

    The compliance overlay on top of duck creek data archival

    1. Per-jurisdiction retention engine
    NAIC + 50-state insurance rules + long-tail claim statute-of-limitations extensions + SOX + IRS + treaty audit + consumer-access rights. Per-record maximum computed dynamically.

    2. Signed evidence pack generation
    Cryptographic signatures, RFC 3161 trusted timestamps, retention-policy basis, chain-of-custody log. Tamper-evident packs for examiners, auditors and courts.

    3. Legal hold management
    Per-policy, per-claim, per-litigation hold extension. Hold release returns records to standard retention. Long-tail liability claims effectively held indefinitely while litigation active.

    4. NIST 800-88 certified destruction
    Signed JSON certificate of destruction per purged record covering retention basis, destruction timestamp and operator identity. SIEM-logged.

    The regulatory regimes the duck creek compliance archive satisfies simultaneously

    One archive, one retention engine, one audit trail — many overlapping audit constituencies.

    NAIC Model Audit Rule + SAP

    Records sufficient to support NAIC Annual Statement for 7+ years. Statutory accounting principles preserved per record. Annual Statement, Schedule F, Schedule P reconstruction supported.

    50-state insurance department

    California, New York, Texas, Florida and 46 other states. Per-state per-LOB retention rules encoded. Long-tail claim statute-of-limitations extensions applied dynamically.

    SOX (publicly traded carriers)

    7-year retention with auditable trace from GL entry to source transaction. External audit substantiation packages generated on demand.

    IRS tax records

    7-year retention for tax-relevant records (premium tax, loss-reserve deductions, reinsurance ceded premium). IRS audit substantiation supported.

    Reinsurance treaty audits

    Per-treaty audit rights extending 5-10 years beyond active treaty period. Treaty configuration and bordereau detail preserved. Audit packs generated per cedant request.

    State consumer-access rights

    CCPA / CPRA / CPA / CTDPA / VCDPA and counterparts. Privacy office routes consumer requests. Response within state-mandated window. Third-party PII redaction.

    Deploying the duck creek compliance archive

    Once the duck creek data archival store is in place, layering the compliance overlay typically takes 4–8 weeks.

    1. Regulatory Inventory — Week 1

    Compliance officer, statutory reporting lead, external audit liaison, claims counsel, reinsurance lead, privacy officer and CFO walk through the applicable regimes. Per-jurisdiction retention rules confirmed. Long-tail claim extensions reviewed. SOX, IRS and treaty audit obligations confirmed.

    2. Policy Engine Configuration — Weeks 1–3

    Per-jurisdiction retention rules loaded into the retention policy engine. Long-tail claim statute-of-limitations rules encoded per coverage type per state. SOX, IRS, treaty audit and consumer-access rules layered in. Per-record retention computed and validated against compliance officer expectations.

    3. Evidence Pack Templates — Weeks 2–5

    State market-conduct exam, NAIC accreditation, SOX, IRS, treaty audit and litigation discovery evidence pack templates configured. RFC 3161 trusted timestamping integrated. Signature key management aligned with carrier PKI.

    4. Legal Hold + Destruction Workflows — Weeks 4–6

    Legal hold management interface deployed for claims counsel and compliance team. NIST 800-88 certified destruction workflow configured. Signed certificate of destruction template aligned with state insurance department documentation expectations.

    5. SIEM Integration + Audit Trail — Weeks 5–7

    SIEM integration verified via syslog / CloudTrail / Azure Monitor / Cloud Audit Logs / OCI Audit. Pre-built correlation rules for unusual retrieval patterns deployed. Internal audit and SOC review workflows configured.

    6. Sign-off + Production Cutover — Weeks 7–8

    Compliance officer, external audit liaison, claims counsel and CFO sign off on the duck creek compliance archive. Production cutover. Steady-state operation begins. Annual retention policy refresh scheduled.

    What makes the duck creek compliance archive defensible under audit

    Six controls that distinguish engineered, signed, auditable retention from 'we have the data somewhere'.

    Computed retention basis

    Per record, the archive records every retention window applied (NAIC, state, SOX, IRS, treaty audit, consumer-access) and the basis for each. Auditors see exactly why each record is retained for its specific window.

    Tamper-evident immutability

    S3 Object Lock / GCS Bucket Lock / Azure immutable blob / OCI WORM enforces immutability for the computed retention window. No admin can shorten retention without breaking the lock signature.

    RFC 3161 timestamping

    Evidence packs include trusted timestamps from RFC 3161-compliant time-stamping authorities. The pack proves not just what records existed but when the export occurred.

    Cryptographic signatures

    Evidence packs signed with the carrier's PKI. Tamper-evident — any subsequent modification breaks the signature. Examiners and courts accept the pack as authoritative.

    SIEM-integrated audit trail

    Every retrieval, modification, hold action and destruction event lands in the carrier's existing SIEM. SOX, internal audit and security operations review through their existing workflows.

    Annual policy refresh + audit

    Per-jurisdiction retention rules refresh annually. Records under active retention recompute against the new rules. Audit log captures every change. Compliance officer signs off on the annual refresh.

    Frequently asked questions

    What is a duck creek compliance archive?

    A duck creek compliance archive is the engineered, signed, audit-grade retention environment for Duck Creek Policy, Billing, Claims, Treaty and statutory reporting data that satisfies the overlapping regulatory regimes applicable to P&C insurance carriers: NAIC statutory accounting principles (SAP) and Model Audit Rule, state insurance department record-keeping rules (typically 5 to 30+ years per LOB per state), long-tail claim statute-of-limitations rules extending decades for asbestos, environmental and construction defect, SOX 7-year retention for publicly traded carriers, IRS 7-year retention for tax records, reinsurance treaty audit obligations extending years beyond active treaty periods, and the growing patchwork of state consumer-access rights (CCPA / CPRA / CPA / CTDPA / VCDPA and counterparts). The duck creek compliance archive is the duck creek data archival store with compliance-specific controls layered on top: per-jurisdiction retention policy enforcement, signed evidence pack generation, legal hold management, certified destruction workflows and SIEM-integrated audit trail covering every retrieval, modification and destruction event.

    How is a duck creek compliance archive different from a standard duck creek data archival store?

    The duck creek data archival store is the foundational queryable Parquet-on-object-storage product — extract Duck Creek data, transform to Parquet, load into S3 / GCS / Azure Blob / OCI Object Storage with indexing for sub-15-second retrieval. A duck creek compliance archive is the data archival store plus the compliance overlay: per-jurisdiction retention policy engine enforcing NAIC + 50-state + long-tail rules with computed maximum retention per record, signed evidence pack generation for state market-conduct exams and NAIC accreditation reviews, legal hold management for litigation and regulatory investigations, certified destruction workflows with NIST 800-88 chain-of-custody and signed JSON certificates of destruction, SIEM-integrated audit trail meeting SOX and state examiner expectations, and pre-built compliance reporting templates for the major audit constituencies. The archive is the substrate; the compliance archive is the substrate plus the controls that make it defensible under regulatory and litigation pressure.

    Which regulatory regimes does the duck creek compliance archive satisfy?

    P&C insurance carriers are subject to multiple overlapping regimes simultaneously. NAIC Model Audit Rule and statutory accounting principles (SAP) require records sufficient to support the Annual Statement for 7+ years. State insurance department rules extend much further — California 6 years for personal lines and 10+ for workers' comp, New York 6 years post-policy-termination, Texas 5 years policies and longer for claims, Florida 5 for property and 10+ for medical malpractice. Long-tail liability claims (asbestos, environmental, construction defect, latent injury) extend decades per the statute of limitations on the underlying loss. SOX requires 7-year retention with auditable trace for publicly traded carriers. IRS requires 7-year retention for tax records. Reinsurance treaties commonly extend audit rights 5-10 years beyond the treaty period. State consumer-access rights (CCPA / CPRA / CPA / CTDPA / VCDPA) require carriers to respond to policyholder data access requests within defined response windows. The duck creek compliance archive satisfies all of these through one unified retention policy engine and one unified audit trail.

    How does the duck creek compliance archive handle long-tail liability claim retention?

    Long-tail liability claims are the longest tail in P&C insurance retention. Asbestos claims have been litigated 50+ years after the original policy term, because the underlying disease can manifest decades after exposure. Environmental claims under CERCLA can surface decades after the original loss event because the liability attaches to remediation activities not yet performed. Construction defect statutes vary by state but commonly extend 10–20 years from substantial completion, and the underlying litigation can stretch many years beyond statute. Latent injury and occurrence-basis professional liability share similar tails. The duck creek compliance archive carries per-coverage-type, per-state statute-of-limitations rules and computes retention dynamically per record. A 2026 GL occurrence policy with environmental exposure in a state with CERCLA-aligned retention may receive a 50+ year retention. The S3 Object Lock window is set to the computed maximum. The record becomes eligible for purge only when every applicable retention window has expired and no legal hold remains.

    How does the duck creek compliance archive generate signed evidence packs for state market-conduct exams?

    State market-conduct exams arrive on a 3-5 year cycle per state per LOB. Examiners request specific record populations: policies bound during a defined date range, claims with certain status codes, complaint files associated with specific policyholders, marketing materials in effect during the exam period, underwriting guidelines, rate filings, claim handling guidelines. The duck creek compliance archive evidence pack generator lets the carrier's compliance team execute these queries against the archive, package the results with cryptographic signatures, timestamp them through a trusted time source (often RFC 3161 timestamping), include the retention-policy basis and the chain-of-custody log, and produce a single signed JSON-plus-PDF evidence pack for examiner submission. The pack is tamper-evident — any subsequent modification breaks the signature. Examiners accept the pack as authoritative evidence; subsequent inquiry typically focuses on the contents rather than the chain-of-custody.

    How does the duck creek compliance archive handle reinsurance treaty audit substantiation?

    Reinsurance treaty audits arrive every 2-3 years per major treaty per cedant. Auditors retrieve per-treaty per-bordereau ceded premium, loss-ceded entries, recoverables, reinstatement premium and profit commission to verify cession accuracy. The duck creek compliance archive treaty audit evidence pack includes per-treaty per-bordereau financial detail with full lineage back to the originating Duck Creek policy or claim transaction, the treaty configuration in effect during each bordereau period (proportional, excess-of-loss, facultative, retention, cession percentage), cession calculation methodology, and the chain-of-custody log for every retrieval. The pack is cryptographically signed and timestamped. Cedant-side reconciliation against the auditor's records happens through standard variance investigation. Settlement of audit findings (additional ceded premium owed, premium refunds owed, recoverable adjustments) gets posted to current-period Fusion AR/AP through the standard cession integration workflow.

    How does the duck creek compliance archive handle certified destruction?

    When every applicable retention window expires for a record and no legal hold remains active, the record becomes eligible for purge. The duck creek compliance archive certified destruction workflow executes the purge with NIST 800-88 chain-of-custody, signs a JSON certificate of destruction covering record identifier, every retention window applied (NAIC, state insurance, SOX, IRS, treaty audit, consumer-access rights), the basis for each retention window's expiration, the destruction timestamp and the operator identity. The certificate is preserved in the archive for SOX-grade audit substantiation. The SIEM log captures the destruction event. State insurance department examiners reviewing the carrier's record-keeping practice see signed evidence that retention was computed correctly per their state's rules and destruction was executed with audit-grade chain-of-custody. This is materially stronger than the typical 'delete and hope' approach to expired records.
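
    The retention and purge-eligibility logic described in this answer and in the long-tail answer above, as an added Python example (not the product's own code): the per-record maximum window, a fail-closed legal-hold check, and the unsigned body of a destruction certificate with the digest a signer would cover. The record IDs, hold ID, operator name and the 20-year long-tail window are constructed, and the PKI signing step itself is left out.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import date

def add_years(d: date, years: int) -> date:
    """Add whole years; 29 Feb falls back to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

@dataclass(frozen=True)
class Window:
    regime: str   # e.g. "SOX", "IRS", "state"
    basis: str    # rule text behind the window (constructed for this example)
    years: int
    anchor: date  # event the window counts from, e.g. policy termination

    @property
    def expires(self) -> date:
        return add_years(self.anchor, self.years)

@dataclass(frozen=True)
class Record:
    record_id: str
    windows: tuple                      # every Window that applies
    legal_holds: frozenset = frozenset()

def retain_until(rec: Record) -> date:
    """Maximum applicable window: the date an object lock would be set to."""
    if not rec.windows:
        raise ValueError("no retention basis recorded; refusing to compute")
    return max(w.expires for w in rec.windows)

def purge_eligible(rec: Record, today: date) -> bool:
    """Eligible only when every window has expired and no hold remains."""
    if rec.legal_holds or not rec.windows:
        return False  # fail closed
    return today > retain_until(rec)

def destruction_certificate(rec: Record, today: date, operator: str) -> dict:
    """Unsigned certificate body plus the SHA-256 a signer would cover."""
    if not purge_eligible(rec, today):
        raise PermissionError(f"{rec.record_id} is not eligible for purge")
    body = {"record_id": rec.record_id, "destroyed_on": today.isoformat(),
            "operator": operator,
            "windows": [{"regime": w.regime, "basis": w.basis,
                         "expired_on": w.expires.isoformat()} for w in rec.windows]}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {"body": body, "sha256": hashlib.sha256(canonical).hexdigest()}

# Constructed sample data: a policy terminated on a leap day.
TERMINATED = date(2016, 2, 29)
BASE = (Window("SOX", "7-year retention", 7, TERMINATED),
        Window("state", "6 years post-policy-termination", 6, TERMINATED))
SHORT = Record("POL-0001", BASE)
LONG_TAIL = Record("POL-0002", BASE + (
    Window("long-tail", "constructed 20-year limitations window", 20, TERMINATED),))
HELD = Record("POL-0003", BASE, frozenset({"HOLD-17"}))
```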

    How does the duck creek compliance archive integrate with the carrier's existing SOX, internal audit and SIEM programs?

    The duck creek compliance archive ships with standard SIEM integration via syslog or CloudTrail for AWS, Azure Monitor for Azure, Cloud Audit Logs for GCP and OCI Audit for Oracle Cloud Infrastructure. Every retrieval, modification, legal hold action and destruction event lands in the carrier's existing SIEM where the SOX team, internal audit and security operations already have monitoring, alerting and review workflows. Pre-built SIEM correlation rules cover unusual retrieval patterns (volume spikes, off-hours access, unfamiliar requesters, retrievals against records under active legal hold). SOX audit substantiation pulls the archive's retrieval log alongside the carrier's other SOX-relevant logs. Internal audit's annual review of retention practices uses the duck creek compliance archive's retention-policy report. The compliance archive does not require a parallel SIEM or audit infrastructure — it plugs into what the carrier already runs.
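
    An added Python example (not the product's pre-built rules) of the four correlation patterns named above, run over constructed audit events. The event field names, actor names, business-hours range and spike threshold are assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; a real deployment would derive these from baselines.
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59 local time
SPIKE_LIMIT = 3                          # retrievals per actor per window
SPIKE_WINDOW = timedelta(minutes=10)

def correlate(lines, known_actors, held_records):
    """Return sorted (rule, actor, timestamp) alerts for retrieval events."""
    alerts = set()
    recent = defaultdict(deque)          # actor -> timestamps inside SPIKE_WINDOW
    events = sorted((json.loads(l) for l in lines), key=lambda e: e["ts"])
    for ev in events:
        if ev["action"] != "retrieve":
            continue                     # holds and purges are audited elsewhere
        ts, actor = datetime.fromisoformat(ev["ts"]), ev["actor"]
        if ev["record_id"] in held_records:
            alerts.add(("legal_hold_retrieval", actor, ev["ts"]))
        if ts.hour not in BUSINESS_HOURS:
            alerts.add(("off_hours", actor, ev["ts"]))
        if actor not in known_actors:
            alerts.add(("unfamiliar_requester", actor, ev["ts"]))
        window = recent[actor]
        window.append(ts)
        while ts - window[0] > SPIKE_WINDOW:
            window.popleft()             # drop retrievals older than the window
        if len(window) > SPIKE_LIMIT:
            alerts.add(("volume_spike", actor, ev["ts"]))
    return sorted(alerts)

# Constructed audit events, one JSON object per line as a SIEM feed might carry.
SAMPLE_EVENTS = [
    '{"ts":"2026-03-02T10:00:00","actor":"claims.analyst","action":"retrieve","record_id":"CLM-1"}',
    '{"ts":"2026-03-02T10:01:00","actor":"claims.analyst","action":"retrieve","record_id":"CLM-2"}',
    '{"ts":"2026-03-02T10:02:00","actor":"claims.analyst","action":"retrieve","record_id":"CLM-3"}',
    '{"ts":"2026-03-02T10:03:00","actor":"claims.analyst","action":"retrieve","record_id":"CLM-4"}',
    '{"ts":"2026-03-02T11:00:00","actor":"claims.analyst","action":"hold_release","record_id":"CLM-9"}',
    '{"ts":"2026-03-02T23:30:00","actor":"svc.export","action":"retrieve","record_id":"POL-0003"}',
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, {"claims.analyst"}, {"POL-0003"}):
        print(alert)
```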

    Deploy the duck creek compliance archive on your retention environment

    30-minute scoping call with your compliance officer, statutory reporting lead, external audit liaison, claims counsel, reinsurance lead and privacy officer. We walk through the applicable regulatory regimes, retention obligations, evidence pack requirements, legal hold inventory and SIEM integration — and produce a concrete duck creek compliance archive deployment plan with sign-off-ready governance documentation.