Regulatory-grade Dynamics GP compliance archive: tamper-evident hash signatures, append-only access logs, customer-managed encryption keys, retention enforcement at partition level. Pre-built policies for IRS Pub 583, HMRC, German GoBD, state sales-tax, GDPR, SOX. Cheaper and stronger than keeping GP live.
Keeping live GP for compliance is expensive AND a weak posture. A purpose-built compliance archive is cheaper AND stronger across every control reviewers actually test.
Retention obligations on GP data are non-trivial. IRS Publication 583 mandates 7-year retention of small-business tax records (with some categories longer — employment-tax records 4 years from filing, asset records for the life of the asset plus 3 years). HMRC requires 6 years for VAT and corporation tax, 3+ years for payroll. German GoBD pushes to 10 years for fiscal records with verifiable integrity and proper organisation — and explicitly requires that the records be machine-readable for the full period. State sales-tax authorities run 3–7 years depending on jurisdiction. SOX requires 7 years with auditable trace from GL to source evidence. GDPR adds Article 15 data-subject access, Article 17 right-to-erasure with legal-basis exemptions, and Article 30 records-of-processing.
Most organisations meeting those obligations by keeping the live GP SQL Server stack alive in read-only mode are running a weak compliance posture and paying for the privilege. Native SQL Server has no tamper-evident integrity — a privileged DBA can rewrite history without detection, which is precisely the scenario that SOX and German GoBD are designed to prevent. Native GP has no append-only read-access log, no native record-level retention enforcement and no customer-managed encryption out of the box. And the cost of running that weak posture is typically USD 8K–40K/year for an SMB install.
Dynamics GP compliance archive flips the equation. Append-only writes to cloud object storage, SHA-256 hash signatures with manifest chaining for tamper-evidence, separate hash-signed read-access log, customer-managed KMS encryption, retention-policy enforcement at the partition level, legal-hold flagging that exempts records from disposal. Cost: USD 1K–8K/year for a typical SMB footprint. And every control above is exactly what a SOX, IRS, GoBD or GDPR reviewer actually tests.
The specific controls that SOX, IRS, HMRC, GoBD and GDPR reviewers actually test — built in, not bolted on.
SHA-256 signatures on every partition with append-only manifest chain. Any post-extract modification fails verification. Reconcile job runs on schedule and reports any drift. This is the control that catches privileged-DBA tampering — the scenario SOX and GoBD specifically guard against.
Every read, every query, every export logged with who/what/when/from-where. Log itself hash-signed and append-only. Critical for GDPR Article 30 records-of-processing, SOX access trace and IRS examiner-disclosure substantiation.
AWS KMS / Azure Key Vault / GCP CMEK / OCI Vault — customer holds the keys, archive holds the data. Key-rotation events captured in audit log. Encryption at rest non-negotiable across all partitions and tiers.
Pre-built policies per regime. Partition-level retention with disposal scheduled at obligation expiry. Disposal events logged. Legal-hold flags exempt records from disposal until lift event. Configurable per record type.
Multi-granular: per record type, per legal entity, per data subject, per litigation matter. Held records exempt from disposal. Hold creation and lift events logged with source authority captured.
RBAC with separation of duties — extract operators, archive admins, audit readers, compliance reviewers, GDPR DPOs each get scoped access. MFA enforced on all access. SSO via OIDC/SAML.
A 6–10 week build for a typical SMB installation with full compliance posture sign-off. Multi-entity rollouts scale linearly.
Inventory retention obligations per record type (tax, payroll, fixed assets, AP, AR). Map to applicable regimes (IRS, HMRC, GoBD, state sales-tax, SOX, GDPR). Identify legal-hold obligations. Document gaps in current GP compliance posture for the executive risk register.
Cloud platform and KMS choice. Customer-managed key provisioning and rotation policy. RBAC role design (extract operator, archive admin, audit reader, compliance reviewer, DPO). MFA / SSO integration. Audit log destination (separate from data plane for blast-radius isolation).
Parallel extract across every company DB. Parquet output with SHA-256 signatures per partition and manifest chain. Document attachments captured. Per-table extract-time row counts and hashes captured as integrity baseline.
Retention policies configured per record type per regime. Legal-hold flags initialised. GDPR data-subject query templates configured. Disposal-schedule configured with notification workflow.
Internal audit / compliance / DPO walkthroughs. Sample SOX trace from GL → subledger → source evidence. Sample IRS examiner query with audit-evidence pack export. Sample GDPR Article 15 data-subject access request. Sample legal-hold creation and lift.
Compliance posture documented for SOC 2 / ISO 27001 evidence. Final delta extract from any still-live GP DB. SQL Server backups taken and stored offline. GP installation decommissioned. Archive becomes system of record for the full retention window.
The concrete scenarios where the compliance archive replaces the live-GP fallback — and does it faster, cheaper and with stronger evidence.
Examiner requests every sales transaction with tax in 4 states over 4 fiscal years. Query runs in seconds, exports with audit-evidence pack (extract timestamp, hash signature, read-log entry). Accepted as substantiation.
HMRC requests 6 years of VAT detail with cross-reference to supporting invoices. Cross-module query pulls AP, AR and any VAT-relevant Dexterity custom fields. Exports with full audit pack.
Internal audit walks a sample of GL lines through to source AP voucher distribution → voucher header → voucher document → invoice attachment. Full chain queryable with hash signatures at every link.
Customer X requests their data. Subject-search runs across RM, SOP, payments, communications, Dexterity custom fields. Export with read-log entry per Article 30. Subject sees only their own data; reviewer sees the full disclosure log.
Customer Y requests erasure. Records scrubbed at the partition level, signature rotated, deletion-evidence captured. Tax-retention exemption flagged with legal-basis citation in the response.
Litigation creates hold obligation: all PM records for FY2019-2022 frozen. Hold created with case ID, source authority and expected duration. Records exempt from disposal until lift event.
Dynamics GP compliance archive is a regulatory-grade long-term archive of every active and historical Great Plains record, built specifically to satisfy retention mandates that auditors, examiners and regulators actually enforce: IRS Publication 583 for small-business tax records (7 years), HMRC for VAT (6 years) and corporation tax records, German GoBD for fiscal records (10 years), state sales-tax retention (3–7 years depending on jurisdiction), GDPR Article 30 records-of-processing and Article 15 data-subject access, SOX 7-year retention with auditable trace, and any industry-specific obligation. The archive ships with the controls that compliance reviewers actually test: tamper-evident hash signatures, append-only read-access logs, role-based access with MFA, encryption at rest with customer-managed keys, and retention-policy enforcement at the partition level.
Two layers. First, every Parquet partition written to the archive carries a SHA-256 hash signature. Signatures are linked into an append-only manifest chain — any post-extract modification to any partition breaks the chain and fails verification on the next reconciliation run. Second, the source GP extract itself is timestamped with the extract job ID, the source company DB, the row counts and the per-table hashes captured at extract time. The combination means an auditor can be handed: (a) the original GP-side row count and hash from extract time, (b) the current archive-side row count and hash from any later moment, (c) proof that (a) and (b) match. Standard SOX, IRS and GoBD reviewers accept that as integrity evidence.
Pre-built retention policies for: IRS Pub 583 (US small business, 7 years for tax records, longer for some specific record types), HMRC (UK VAT 6 years, corporation tax 6 years, payroll 3+ years), German GoBD (fiscal records 10 years, with verifiable integrity and proper organization), French Code de Commerce (10 years for accounting records), Italian Codice Civile (10 years for accounting), Spanish Código de Comercio (6 years), state sales-tax for all 45 US states with sales-tax regimes (3–7 years), SOX (7 years with auditable trace), GDPR (records-of-processing and data-subject access with read-log). Custom retention policies for industry-specific obligations (FDA, HIPAA, FINRA, GLBA, MiFID II, Basel III) configurable at the record-type and partition level.
GDPR Article 15 gives data subjects the right to obtain a copy of all personal data an organisation holds about them — and that includes the records sitting in retired GP systems. Dynamics GP compliance archive handles the request as a parameterised query: subject identifier (customer ID, vendor tax ID, employee ID) → cross-module search across RM01101 customer master, RM30101 invoice history, RM30201 apply history, PM00200 vendor master, PM30200 voucher history, payroll records and any related Dexterity custom fields → exportable subject-data pack with each record's original source, original date and hash-signed extract evidence. The disclosure itself is logged in the read-access log per Article 30 records-of-processing obligation, with the log entry itself hash-signed.
Yes — and the enforcement is auditable. Article 17 right-to-erasure requests are processed as a targeted record removal: the affected partitions are rewritten with the personal data fields scrubbed (PII columns null-ed, supporting attachments deleted), a deletion-evidence record is added to the audit log capturing what was removed, when, on whose authority and on which legal basis, the affected partition's hash signature is rotated, and the manifest chain captures the rotation event so future auditors can verify that the deletion was governed and not opportunistic data tampering. Note the legal-basis exception: records that must be retained for tax, accounting or anti-money-laundering obligations are flagged and excluded from erasure with the legal-basis citation captured in the response.
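The manifest chain described under tamper-evidence and the governed signature rotation described for Article 17 erasure can be sketched together. This is an added example, not the product's code: the entry fields, event names, `GENESIS` value and in-memory `store` are assumptions, and the partition bytes are constructed samples.

```python
import hashlib
import json
GENESIS = "0" * 64  # assumed anchor value for the first entry's prev_hash

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(entry: dict) -> str:
    # Canonical JSON over every field except the entry's own hash.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def append_entry(manifest, event, partition, data, **meta):
    """Append an 'extract' or 'rotate' event; entries are never edited in place."""
    prev = manifest[-1]["entry_hash"] if manifest else GENESIS
    entry = {"seq": len(manifest), "event": event, "partition": partition,
             "partition_sha256": sha256_hex(data), "prev_hash": prev, **meta}
    entry["entry_hash"] = entry_hash(entry)
    manifest.append(entry)

def reconcile(manifest, store):
    """Return drift findings; an empty list means chain and partitions verify."""
    findings, prev, expected = [], GENESIS, {}
    for i, e in enumerate(manifest):
        if e["seq"] != i or e["prev_hash"] != prev or entry_hash(e) != e["entry_hash"]:
            findings.append(f"manifest chain broken at seq {i}")
            break
        if e["event"] == "rotate" and not (e.get("authority") and e.get("legal_basis")):
            findings.append(f"rotation without authority/legal basis at seq {i}")
        expected[e["partition"]] = e["partition_sha256"]  # latest signature wins
        prev = e["entry_hash"]
    for name in sorted(expected):
        if name not in store or sha256_hex(store[name]) != expected[name]:
            findings.append(f"partition missing or modified: {name}")
    return findings

def demo():
    # Constructed sample: bytes stand in for Parquet partition files.
    store = {"PM30200/fy2019": b"voucher rows", "RM30101/fy2019": b"invoice rows with PII"}
    manifest = []
    for name in sorted(store):
        append_entry(manifest, "extract", name, store[name])
    clean = reconcile(manifest, store)
    store["RM30101/fy2019"] = b"invoice rows, PII nulled"  # governed erasure
    append_entry(manifest, "rotate", "RM30101/fy2019", store["RM30101/fy2019"],
                 authority="DPO", legal_basis="GDPR Art. 17")
    governed = reconcile(manifest, store)
    store["PM30200/fy2019"] = b"voucher rows, amounts edited"  # silent rewrite
    return clean, governed, reconcile(manifest, store)
```

The chain detects a rewrite only while the latest `entry_hash` is also recorded somewhere the archive writer cannot change; otherwise the whole manifest can be recomputed to match altered partitions.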
SOX requires that any GL entry can be traced back through the subledger to the original source evidence (the AP voucher, the AR cash receipt, the SOP shipment, the PO receipt). The archive preserves the full chain: GL30000 GL transaction line → AP voucher distribution (PM30200) → AP voucher header (PM30200) → AP voucher document (PM10500) → original invoice attachment (if captured), with each link carrying its own hash signature and the chain itself queryable from the search UI. An external auditor can pick any GL line in the archive, click through to the original supporting evidence, and export the full chain with the audit-evidence pack ready for SOX workpaper inclusion. No reconstruction, no manual cross-reference, no risk of broken links.
Yes. When litigation or regulatory inquiry creates a legal-hold obligation that suspends normal retention disposal, the archive supports hold-flagging at multiple granularities: per record type (e.g., hold all PM records for the 2019-2022 fiscal years), per legal entity (hold every record for company DB FAB1), per data subject (hold every record involving Vendor X or Customer Y), or per matter (link to the specific litigation case ID). Held records are exempt from any subsequent retention-disposal job, and the hold itself is logged with its source authority (legal counsel, court order, regulator letter), creator, creation date and expiry. When the hold is lifted, the lift event is logged with the same provenance and normal retention disposal resumes.
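A disposal planner that honours the hold granularities described above could look like the following. It is an added example, not the product's code: the field names, policy keys, matter ID and dates are constructed, and it assumes calendar fiscal years with the retention clock starting at fiscal year end.

```python
from datetime import date

# Retention years as stated on this page; the policy key names are assumed.
RETENTION_YEARS = {"IRS_PUB_583": 7, "HMRC_VAT": 6, "GOBD": 10, "SOX": 7}

def hold_applies(hold, part, today):
    """An unlifted hold applies when every selector it sets matches the partition."""
    if hold["lifted_on"] is not None and hold["lifted_on"] <= today:
        return False
    sel = hold["selector"]
    return (sel.get("record_type", part["record_type"]) == part["record_type"]
            and sel.get("entity", part["entity"]) == part["entity"]
            and part["fiscal_year"] in sel.get("fiscal_years", [part["fiscal_year"]])
            and ("subject" not in sel or sel["subject"] in part["subjects"]))

def plan_disposal(partitions, holds, today):
    """Return one loggable decision per partition: retain, held or dispose."""
    decisions = []
    for p in partitions:
        # Assumption: calendar fiscal years, clock starts at fiscal year end.
        expires = date(p["fiscal_year"] + RETENTION_YEARS[p["policy"]], 12, 31)
        matters = [h["matter"] for h in holds if hold_applies(h, p, today)]
        if today <= expires:
            action = "retain"
        elif matters:
            action = "held"      # past expiry but exempt until the hold is lifted
        else:
            action = "dispose"
        decisions.append({"partition": p["name"], "action": action,
                          "obligation_expires": expires.isoformat(), "holds": matters})
    return decisions

def sample_partition(record_type, fiscal_year, subjects):
    # Constructed sample data; FAB1 is the company DB named in the text.
    return {"name": f"{record_type}/FAB1/{fiscal_year}", "record_type": record_type,
            "entity": "FAB1", "fiscal_year": fiscal_year, "policy": "IRS_PUB_583",
            "subjects": subjects}

SAMPLE_PARTITIONS = [sample_partition("PM", 2019, ["VENDOR-X"]),
                     sample_partition("RM", 2019, ["CUSTOMER-Y"]),
                     sample_partition("PM", 2022, ["VENDOR-X"])]
# Constructed hold mirroring the scenario above: all PM records, FY2019-2022.
SAMPLE_HOLD = {"matter": "CASE-0001", "authority": "legal counsel", "lifted_on": None,
               "selector": {"record_type": "PM", "fiscal_years": range(2019, 2023)}}
```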
Keeping a live GP installation for compliance is a poor compliance posture, not just expensive. The SQL Server stack needs patching, the Windows Server needs hardening, the GP licence keeps incurring enhancement-plan fees, and the underlying database carries no native tamper-evidence — a privileged DBA can rewrite history without detection. Dynamics GP compliance archive replaces all of that with a purpose-built compliance posture: append-only writes, hash-signed integrity, separate read-access logging, customer-managed encryption keys, role-based access with MFA enforcement, retention-policy enforcement at the partition level. Total cost typically USD 1K–8K/year for an SMB footprint versus USD 8K–40K/year for the live GP equivalent — and the compliance posture is materially stronger.
Get a 30-minute compliance scoping call. We'll map your retention obligations across IRS, HMRC, GoBD, state sales-tax, SOX and GDPR — and give you a 6–10 week build plan with the compliance posture documented for your SOC 2 or ISO 27001 evidence pack.