Email Archival and eDiscovery
Zoho eProtect offers hassle-free email archival and eDiscovery. The eDiscovery section in Zoho eProtect provides a complete solution to retain, review, and export the emails related to your organization's internal, external or legal investigations. It empowers the legal teams to manage the holds and investigations.
Email Archival
Email archival is the process of retaining emails in an organization for a specific period in an organized manner, based on the policies of the organization. This is done for compliance or other such purposes.
The main purposes of an archival policy are the following:
- Archival of email content for a specific period, so that it cannot be permanently deleted before the retention period.
- Deleting the email content permanently after the defined archival period.
- Compliance with industry regulations and internal policies to retain content for a minimum period of time.
- Reducing the risk in case of a security breach or litigation caused by employees deleting content.
Does your organization require email archival?
Yes, if your company falls under Sarbanes-Oxley, SEC 17a-3/4, NASD 3010, HIPAA or other such regulations, then you will need to have an email archival policy. Moreover, email is the standard, universal and reliable communication mode for businesses, and the messages are crucial and sometimes confidential too. Emails are often needed as substantial evidence. So a copy of the communication must be retained to ensure that the organization follows the compliance standards and can respond to any legal issues that arise related to such communications. This ensures that there is no data loss due to the deletion of data by the employees.
eDiscovery
eDiscovery (electronic discovery) refers to a legal process of “discovering” electronic data by identifying, processing, reviewing and producing retained emails which are potentially relevant to litigation. It assures that the legal team can gather and access the required information in a simple interface, without technical dependency or complexity.
Retention Policies
Almost every government regulation requires "records" to be captured, managed, retained for specific periods of time, and made available to the government agency when asked. These records can include hard copy content, email, voicemail, instant messages, and social media.
The considerations for establishing and maintaining your organization’s email archival policy remain the same; they are business needs, legal requirements, organizational culture, approaches to archival policies, litigation holds, automation, and implementation.
The Retention Policies available in eProtect have two sections:
- Retentions
- Email Filters
Retentions
The retentions section defines the default retention period. The default retention period determines the duration for which the emails of all users in the organization will be retained in Zoho eProtect. If you did not configure the retention period at the time of eProtect setup, you can configure it by following these steps:
- Log in to Zoho eProtect and select eDiscovery in the left pane.
- Navigate to the Retentions section under Retention Policies.
- From the Retentions section, select either Retain forever or enter the number of days in the Retain for field.
  Note: By default, the retention period is 365 days.
- Click the Save button.
Note:
The Default Retention Period can be overwritten by Custom Retention Policies which allow for certain emails of specific users or a certain type of email to be retained for a different archival period for a specific need. Refer to Customizing archival period for more details.
Customizing Retention Period
The Retentions section on the eDiscovery menu displays the default retention policy and the list of custom retention policies defined by administrators. Note that emails that have passed the set retention period are automatically cleaned up (purged) once every 10 days. Just below the default retention policy, you will find an option to create a new custom retention policy. If there are special or custom requirements for certain emails, selected by custodian or by conditional criteria, to be retained for a different period of time, the administrators can define custom retention policies. Custom retention policies can be defined based on various parameters.
To define new custom policies, follow these steps:
- Log in to Zoho eProtect and select eDiscovery in the left pane. The Retention Policies section appears.
- Click Create custom retention policy from the Retentions section and provide a name for the custom policy.
- Select the custodian by either checking All user accounts or Specific user accounts or a Specific department.
- Add the account names under User mailboxes if you chose Specific user accounts.
- Select Departments if you chose the Specific department option.
- Select Retain spam emails also if you want the spam emails to be archived.
- Select the period for which you want to retain the emails that match the requirements of the custom policy.
- In the Condition query, provide the conditions based on which you want to define the custom policy for email archival from the granular options provided:
  - Contains - contains text/ email address in the entire email
  - Email subject - subject contains the selected term
  - Content - email content contains
  - From - From email address contains
  - To - To email address contains
  - Cc - Cc email address contains
  - Bcc - Bcc email address contains
  - Reply To - Reply To email address contains
  - Has attachment - Only the emails with an attachment
  - Attachment name - Attachment name contains
  - Attachment content - Attachment content contains
  - Only outgoing emails - Include only outgoing emails
- Choose which emails you wish to archive based on the custom policy - All, Sent or Received.
- Select either Retain forever or enter the number of days you wish to retain the emails in the Retain for field.
- Click Preview Results to check whether the condition query provides the expected results.
- Click Save to save the custom retention policy.
You can create and save multiple custom retention policies for different purposes. Custom retention policies mostly differ in their periods of archival and in the conditions required for retention.
Note:
When an email matches multiple custom retention policies, emails are always retained as required by the archival policy with the longest archival period. Emails that are on hold are retained till the hold is removed.
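The precedence rules above can be checked offline before policies are saved. The following Python model is an added example, not Zoho's code: it applies the rules stated on this page (default of 365 days, longest matching custom policy wins, holds block purging, cleanup once every 10 days) to constructed emails and policies. It assumes that a single matching custom policy replaces the default even when it is shorter, and that the cleanup runs on schedule; all class names, addresses and policy names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional

FOREVER = None              # models the "Retain forever" option
DEFAULT_RETAIN_DAYS = 365   # default retention period stated on this page
PURGE_INTERVAL_DAYS = 10    # expired emails are purged once every 10 days


@dataclass
class Email:                # constructed model of an archived message
    owner: str
    received: date
    subject: str = ""
    on_hold: bool = False   # True while an investigation hold covers it


@dataclass
class CustomPolicy:         # hypothetical stand-in for a custom retention policy
    name: str
    retain_days: Optional[int]              # FOREVER (None) or a day count
    custodians: Optional[frozenset] = None  # None models "All user accounts"
    condition: Callable[[Email], bool] = lambda e: True

    def matches(self, email: Email) -> bool:
        in_scope = self.custodians is None or email.owner in self.custodians
        return in_scope and self.condition(email)


def _rank(days):
    # "Retain forever" outranks any finite number of days.
    return float("inf") if days is FOREVER else days


def effective_retention(email, policies, default_days=DEFAULT_RETAIN_DAYS):
    """Return (governing policy name, retain_days) for one email."""
    matched = [p for p in policies if p.matches(email)]
    if not matched:
        return ("default", default_days)
    # Several custom policies match: the longest archival period wins.
    best = max(matched, key=lambda p: _rank(p.retain_days))
    return (best.name, best.retain_days)


def purge_window(email, policies, default_days=DEFAULT_RETAIN_DAYS):
    """Return (earliest, latest) purge date, or None if the email is kept.

    The latest date assumes the 10-day cleanup runs on schedule.
    """
    if email.on_hold:                       # holds outlast any retention period
        return None
    _, days = effective_retention(email, policies, default_days)
    if days is FOREVER:
        return None
    expiry = email.received + timedelta(days=days)
    return (expiry, expiry + timedelta(days=PURGE_INTERVAL_DAYS))


def below_minimum(emails, policies, min_days):
    """List (subject, policy, days) for emails retained for less than min_days."""
    out = []
    for e in emails:
        name, days = effective_retention(e, policies)
        if _rank(days) < min_days:
            out.append((e.subject, name, days))
    return out


# Constructed sample policies and emails.
POLICIES = [
    CustomPolicy("finance-7y", 2555, custodians=frozenset({"cfo@example.com"})),
    CustomPolicy("invoices-3y", 1095,
                 condition=lambda e: "invoice" in e.subject.lower()),
    CustomPolicy("newsletters-90d", 90,
                 condition=lambda e: "newsletter" in e.subject.lower()),
]
EMAILS = [
    Email("cfo@example.com", date(2024, 1, 1), "Invoice 42"),
    Email("ann@example.com", date(2024, 1, 1), "Weekly newsletter"),
    Email("ann@example.com", date(2024, 1, 1), "Lunch?"),
    Email("ann@example.com", date(2024, 1, 1), "Newsletter draft", on_hold=True),
]

if __name__ == "__main__":
    for e in EMAILS:
        print(e.subject, effective_retention(e, POLICIES), purge_window(e, POLICIES))
    print("Below a 365-day minimum:", below_minimum(EMAILS, POLICIES, 365))
```

Running `below_minimum` against a regulatory minimum shows which planned policies would shorten retention for some emails before anything is purged.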
Email Filters
Every organization's need for data archival varies according to the industry and its business needs. Some may require storing all emails of the entire organization for compliance purposes, while others may choose to store certain VIP mailboxes or certain client communication emails which were sent to or received from outside the organization. The archival rules, also known as Email Filters, act as an ingestion filter for emails to be allowed into eDiscovery for archival. They give admins the option to choose the types of emails that they want to archive in the eDiscovery portal, such as sent emails or received emails, or to retain only a specific subset of sent/ received emails, and so on.
To control what gets stored/retained you can create a Custom Filter. You can do this in the following ways:
- While setting up your organization, you can select the filter criteria by which only a subset of emails get retained. This filter (EDISCOVERY_FILTER) is a default ingestion filter and it is applied to all user mailboxes.
- To have more fine-grained or granular control on specific filters on certain mailboxes, say group mailboxes or emails from a certain department, etc. you can create Custom Filters.
Define the appropriate Retention Rule to ensure you retain the required emails while not filling up your storage with unnecessary emails.
Follow these steps if you have not configured the default filter:
- Log in to Zoho eProtect and select eDiscovery in the left pane.
- Navigate to Email Filters under Retention Policies.
- Choose either All emails or Emails based on the conditions below.
- If you selected Emails based on the conditions below, set the ingestion rule conditions from the below list:
  - Retain all sent emails
  - Retain all sent emails - outside the organization
  - Retain emails sent - only within the organization
  - Alternatively, you can specify selected domains and choose to retain the emails that are sent only to those domains.
  - Retain all received emails
  - Retain emails received - only within the organization
  - Retain emails received from external organization accounts
  - Alternatively, you can specify selected domains and choose to retain the emails that are received from those domains.
  - Exclude spam emails.
- Click Next. The default email filter gets configured as EDISCOVERY_FILTER.
Custom Email Filter
As an administrator, you will know your organization's goals for archival and can determine what needs to be archived in eDiscovery. To have more fine-grained or granular control on specific filters on certain mailboxes, say group mailboxes or emails from a certain department, etc. you can create custom Email Filters.
Follow these steps to add a custom Email Filter:
- Log in to Zoho eProtect and select eDiscovery on the left pane.
- Navigate to Email Filters under Retention Policies.
- Click Add Filter and provide a Filter name.
- Select either All emails or Emails based on conditions below.
- If you select All emails, mention the users and click Save.
- In case you select Emails based on the conditions below, specify all the conditions (all received emails/received from within the organization/received from outside the organization, all sent emails/sent within the organization/sent outside the organization, deleted emails and exclude spam emails). You can also mention specific domain(s) under the All sent emails and All received emails categories.
- Mention the Associated users it applies to and click Save.
Once the filter is saved, the new custom filter will appear under the list view. Click on the Filter name to view its details or edit permissions, if required. Click on the Associated Users tab to view the list of users associated with this filter.
Investigations
An Investigation or a case is a legal probe against certain email communications or documents. When there is a legal case or a probe or an investigation pertaining to email communication, the organization should retain all the related emails until that investigation is completed/ closed. The administrator creates a new Investigation to manage the entire investigation cycle. Sometimes the investigation can be required for internal investigations too. The Investigation section in eProtect has three units - open, closed and trash.
Open - All the ongoing investigations will be listed in this section. This section allows you to create an investigation to search archived data, place holds on data, export files, create tags and create audits for certain accounts.
Closed - The Closed section lists all the closed investigations. You can either choose to reopen or delete an investigation from this section.
Trash - Trash contains all the deleted investigations. Trashed investigations will be available for 30 days, after which they will be deleted.
Among the three sections, the Open section allows you to perform all the core operations on an investigation. You can merely view the operations that were set for the closed and trashed investigations.
Follow these steps to create an Investigation in Zoho eProtect:
- Log in to Zoho eProtect and select eDiscovery in the left pane.
- Navigate to Investigations to view or create Investigations.
- Click Create Investigation to create a new investigation.
- Provide the Investigation name and a detailed description of the particular investigation.
You can create single or multiple holds based on different conditions, as required for the investigation. The emails that are placed on hold via investigations will not be deleted even after the expiry of the archival period defined by default or custom retention policy.
Searches
Before you create a Hold, list down the criteria required for the particular investigation. Based on the various criteria, create different search conditions. In case you need to get this reviewed by legal or compliance or admin teams, you can get it reviewed before you create a Hold. Search helps you try various saved search conditions on the data, preview results and validate these searches before creating the Holds.
Create a New Search
To create a search, follow the below instructions:
- Log in to Zoho eProtect and select eDiscovery in the left pane.
- Navigate to the Investigations section, select the desired investigation and click New Search.
- Enter a name for the search.
- Choose one of the below options to select the users for whom the search needs to be done:
  - All user accounts
  - Specific user accounts
  - Specific department
- Based on your selection, select the User mailboxes or Select Departments.
- Select the Include spam emails checkbox if required.
- Select the date range for which the search must be performed.
- If required, select tags.
- Enter the Condition query as per your needs.
- Select either All, Sent or Received in the Select mail type field.
- Click Save search. You can also Preview results before saving the search.
You have now successfully created a new search.
Condition Query
Select the condition with which you'd like to perform the search and enter the search key respective to the condition. You can perform a search with multiple conditions, in which case the results returned will match all of the conditions that you have set for the search. In other words, an AND search will be performed.
For example, if you choose the To condition and enter the search key times.com, then choose the Cc condition and enter the search key technews.com, and finally pick the Has attachment condition, the results returned will be emails that have attachments and have been sent to times.com, Cc'd to technews.com. The emails that match all three of the entered conditions will be returned as results of this search.
Note:
- To search for an exact phrase, enter the search key in double quotes. For example, if you choose the condition Contains and enter the search key as "media information", only the emails that contain the exact words 'media information', in that exact sequence, will be returned as results. In case there are emails with the words 'information media', those will not be returned as results.
- If you want to search for emails that have words beginning with specific terms, add an * (asterisk) to the end of those terms. For example, if you want to search for emails that contain words beginning with the term gat, choose the parameter and enter the search key as gat*.
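The query semantics described above (AND across conditions, exact phrase in double quotes, trailing * for word prefixes) can be rehearsed on test data before a search is used for a hold or an export. The following Python model is an added example, not Zoho's code: the sample emails and the field mapping are constructed, plain search keys are treated as case-insensitive substrings (an assumption), and the Attachment content and Only outgoing emails conditions are not modelled.

```python
import re

# Condition names from the page mapped to fields of the constructed email dicts.
FIELD_OF = {
    "Email subject": "subject", "Content": "content", "From": "from",
    "To": "to", "Cc": "cc", "Bcc": "bcc", "Reply To": "reply_to",
    "Attachment name": "attachments",
}


def _values(email, field):
    v = email.get(field) or []
    return v if isinstance(v, list) else [v]


def _words(text):
    return re.findall(r"\w+", text.lower())


def term_matches(key, text):
    """Apply one search key to one field value."""
    key = key.strip()
    if len(key) >= 2 and key.startswith('"') and key.endswith('"'):
        # Exact phrase: the quoted words must appear in that exact sequence.
        phrase, words = _words(key[1:-1]), _words(text)
        n = len(phrase)
        return n > 0 and any(words[i:i + n] == phrase
                             for i in range(len(words) - n + 1))
    if len(key) > 1 and key.endswith("*"):
        # Prefix search: some word begins with the given term.
        prefix = key[:-1].lower()
        return any(w.startswith(prefix) for w in _words(text))
    # Plain key: case-insensitive "contains" (assumption).
    return key.lower() in text.lower()


def condition_matches(cond, key, email):
    if cond == "Has attachment":
        return bool(email.get("attachments"))
    if cond == "Contains":                  # search the entire email
        fields = set(FIELD_OF.values())
    elif cond in FIELD_OF:
        fields = {FIELD_OF[cond]}
    else:
        raise ValueError(f"condition not modelled here: {cond}")
    return any(term_matches(key, v) for f in fields for v in _values(email, f))


def search(conditions, emails):
    """Return ids of emails matching ALL (condition, key) pairs (AND search)."""
    return [e["id"] for e in emails
            if all(condition_matches(c, k, e) for c, k in conditions)]


# Constructed sample mailbox.
SAMPLE = [
    {"id": 1, "to": ["editor@times.com"], "cc": ["desk@technews.com"],
     "subject": "Press kit", "content": "Attached is the media information pack.",
     "attachments": ["kit.pdf"]},
    {"id": 2, "to": ["editor@times.com"], "cc": ["desk@technews.com"],
     "subject": "Follow-up", "content": "No files, only information media links.",
     "attachments": []},
    {"id": 3, "to": ["editor@times.com"], "cc": [],
     "subject": "Gateway outage", "content": "The mail gateway was down.",
     "attachments": ["log.txt"]},
]

if __name__ == "__main__":
    print(search([("To", "times.com"), ("Cc", "technews.com"),
                  ("Has attachment", None)], SAMPLE))
    print(search([("Contains", '"media information"')], SAMPLE))
    print(search([("Contains", "gat*")], SAMPLE))
```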
Administrators can Export or Export & Delete the data matching the search criteria by clicking on the Export search results or Export & Delete button, respectively. Clicking the button triggers the action, which is then listed under the respective tab along with its current status. Once the status shows completed, you can download the file in ZIP or PST format. To know more about the actions, refer to Exports or Export and Deletes.
Note:
Export & Delete action will permanently and irrevocably remove the data from eDiscovery. Please note that since this action will leave no copies behind, it is recommended to download the file within 90 days. It will also delete emails which are on hold or whose archival period is not yet expired, hence this option needs to be used with caution.
View / Download an email (EML format)
In order to view or download the content of the emails listed in the Search result, follow the steps given below:
- Under the Searches tab, provide the Conditional query to filter the emails and click on Preview results to view all the emails that match the query.
- Click on the email you want to view from the list.
- To download an email in EML format, follow these steps:
  - Click on Show Original in the right top corner to view the original message.
  - Options to Download Content or Copy to clipboard / Show full content are available on top of the message.
  - Click on Download Content to export an email in .eml format.
Holds
Each Investigation will retain emails based on one or more holds as needed for the Investigation. A Hold retains the email that is required for the investigation, based on a specific set of conditions. Since a single investigation or case may require retaining different sets of emails based on various conditions like the subject, received time, sender, attachments, custodians and so on, there can be multiple Holds created for each Investigation.
Administrators can Export or Export and Delete the data matching the hold criteria by clicking on the Export search results or Export & Delete button, respectively. Clicking the button triggers the action, which is then listed under the respective tab along with its current status. Once the status shows completed, you can download the file in ZIP or PST format. To know more about the actions, refer to Exports or Export and Purge.
Note:
Export & Delete action will permanently and irrevocably remove the data from the eDiscovery portal. Please note that since this action will leave no copies behind, it is recommended to download the file within 90 days. It will also delete emails which are on hold or whose archival period is not yet expired, hence this option needs to be used with caution.
Exports
The results of a Hold or a Saved Search can be exported by the administrator whenever required. These exports will be listed under the Exports tab of the particular investigation, along with their current status. Please note that an export may take some time depending on the file size. Once the status shows completed, you can download the exported file by clicking on the link given.
Tags
In a specific investigation, you can choose to tag emails from the search preview or the hold preview. To create a tag and apply it to an email, follow the instructions below:
- Log in to Zoho eProtect and select eDiscovery on the left pane.
- Navigate to the Investigations section, and select the relevant investigation.
- Select the Tags tab.
- Select the Create Tag option, enter a tag name, pick a color, and click Save.
- Now, select a saved search or a hold from the Searches or Holds tab.
- Click the Preview Results option.
- Select the checkboxes across the emails that you want to tag.
- Select the Tag as option and choose the relevant tag.
- These tagged emails can also be viewed from the Tags section. Click on a particular tag and all the emails associated with that tag will be listed.
Holds
Once a Hold is created, the emails covered by the Hold will be retained for as long as the Hold exists. An admin can view the Holds based on the below categories:
- Organization Holds - Holds placed on data at the organization level across all user accounts.
- User Holds - The holds placed over data that are part of specific user accounts get listed here.
- Department Holds - The holds placed over data that are part of specific departments get listed here.
Administrators can Export or Export and Delete the data matching the hold criteria by clicking on the Export search results or Export & Delete button, respectively. Clicking the button triggers the action, which is then listed under the respective tab along with its current status. Once the status shows completed, you can download the file in ZIP or PST format. To know more about the actions, refer to Exports or Export and Purge.
Note:
Export & Delete action will permanently and irrevocably remove the data from the eDiscovery portal. Please note that since this action will leave no copies behind, it is recommended to download the file within 90 days. It will also delete emails which are on hold or whose archival period is not yet expired, hence this option needs to be used with caution.
Data management
The data management section in eDiscovery helps you manage the data that have been exported and deleted across departments, users and organization in your eProtect account.
Export and Purge
This tab lists the Export & Purge operations performed by the administrator along with the current status of the action. It may take some time to complete this action depending on the file size. Once the exported file is ready for download, the status will be shown as completed. Click on the file to view the details and the download link. The exported file will be cleaned up after 90 days and so, it is recommended to download the file within the said period.
As the Export & Purge action permanently and irrevocably removes the data from the eDiscovery portal and leaves no copy behind, it is highly recommended to download the file promptly. It will also delete emails which are on hold or whose archival period is not yet expired, hence this option needs to be used with caution.
eArchive Search
With the eArchive option, your organization's users can access their archived emails themselves without reaching out to the admin. This minimizes the time and effort required for the admin to search and export the user's email on their behalf. Follow these steps to permit or deny search access to users:
- Log in to Zoho eProtect and select eDiscovery on the left pane.
- Navigate to the eArchive section and enable the eArchive Search Access.
- Click Add and select the users for whom you want to permit eArchive access.
- Confirm the user selection.
To revoke the eArchive Search access, hover over the user and click the delete icon. Alternatively, select one or more users and click the Delete button on the top menu. The users will no longer be able to access their archived emails.
Note:
- Admins can refer to the Investigation Search section to search their archived emails.
- If you are a user, refer to the steps provided in the eArchive search for users help page.
Email flow configuration
The Email flow configuration defines how Zoho eProtect must receive your organization's emails and process them further. The options available under the mail receiving type differ based on your email provider. Click the preferred mail-receiving method to learn more about it.
Email Provider/ Archival Type | Google Workspace | Microsoft 365 | Microsoft Exchange server | Other Providers |
Journalling | Yes | Yes | Yes | No |
API | Yes | Yes | Yes | No |
MX | Yes | Yes | Yes | Yes |
Default flow
- Default flow is the one that you configure when you set up your account. The method of archiving which you choose in default flow will automatically be applied to all the domains you add to your account.
There are three ways to archive your emails:
- Journalling - Add eProtect's journal mailbox address in the Third-party email archiving section. The journal mailbox address will be displayed after you finish the subsequent steps.
- API - This method will archive a copy of your emails using the API method.
- MX - MX method is recommended if you enable Email Protection for your organization.
- The default flow can be set for popular email providers. The email provider-specific flow configurations can be found in the respective sections:
  - Google Workflow
  - Microsoft 365
SMTP Discovery
As an administrator, you can add all your organization users to Zoho eProtect by enabling SMTP Discovery. The SMTP Discovery feature detects new users as and when they send or receive a clean email.
With SMTP Discovery, you can perform the following actions:
- Add the discovered email address to eProtect. The available actions are:
  - Add as user
  - Add as group
  - Add as alias
  - Exclude the user
- View the excluded email addresses in the Excluded Users tab and add them at a later date.
- View the email addresses added via SMTP Discovery.
- Remove the discovered email addresses from SMTP Discovery.
Note:
If you remove an email address from the SMTP Discovery section, the user's emails will not be archived or secured by Zoho eProtect. Admins should follow the manual user addition procedure to add new user accounts.
Configure SMTP Discovery
The steps to set up SMTP Discovery are given below:
- Log in to Zoho eProtect and select eDiscovery on the left menu.
- Navigate to SMTP Discovery and toggle the enable button.
- Navigate to the sections given below to learn more about how to manage user addition/ exclusion via SMTP Discovery.
SMTP Discovery Settings
To reduce the manual efforts in adding the discovered users, eProtect provides an option to add the users automatically based on license availability. You can configure the automatic addition of users from the Settings tab.
Note:
The auto-add feature is applicable only for organizations with the MX and Journalling mail flow types.
Follow these steps to auto-add users:
- Log in to Zoho eProtect and select eDiscovery on the left menu.
- Navigate to SMTP Discovery and select the Settings tab.
- To add users automatically, toggle the Auto-add user if license is available button.
- Configure the settings based on which the user should be added:
- Enter the minimum number of clean emails received by the email address.
- Enter the minimum number of clean emails sent from the email address.
- Toggle the auto-enable eDiscovery and email protection based on your requirement.
- If required, choose the weekly report option and enter the admin email address that should receive the reports.
- Click Save.
The users will be automatically added to eProtect and a notification email will be sent to the admin email address configured by you.
Discovered Users
The Discovered Users tab is where you can find the user accounts that are not added to eProtect. This tab provides user details such as the email address, inbound and outbound email count and the discovered date. Follow these steps to add or exclude users from the Discovered Users tab:
- Log in to Zoho eProtect and select eDiscovery on the left menu.
- Select SMTP Discovery and navigate to the Discovered Users tab.
- Hover over a user, click the more options icon on the right and select one of the available options:
  - Add as user - The email address will be added as a user to your organization based on license availability.
  - Add as group - The new group gets created with the discovered email address.
  - Add as alias - Select an existing user account to which you wish to add the new user as an alias.
  - Exclude user - The user will be excluded from the Discovered Users tab.
- Enter the group name and select the group members if you chose the Add as group option.
- Additionally, you can select a user to view all the emails received by them.
The user will be added or excluded based on your selection.
Excluded Users
The Excluded Users tab displays the list of user accounts that were discovered by SMTP Discovery but not added to eProtect for some reason. When a user has an active mailbox but is not added to eProtect, their emails will neither be archived nor be scanned for potential spam activities. This becomes a great risk to your organization's email security.
If you excluded an email address by mistake, you can still add them from the Excluded Users tab. Follow these steps to manage users in the excluded users tab:
- Log in to Zoho eProtect and select eDiscovery on the left menu.
- Select SMTP Discovery and navigate to the Excluded Users tab.
- Hover over a user, click the more options icon on the right and select one of the available options:
  - Add as user
  - Add as group
  - Add as alias
- Select a user to view the emails received by them.
Added Users
In this tab, you can view the list of users who were added from the discovered users tab. The details available in this tab are:
- Email address - The email address of the user.
- Inbound email count - Number of incoming emails of the newly added user.
- Outbound email count - Number of emails sent by the user.
- Discovered Date - Date when the user was detected by eProtect.
- Added As - Lists whether the user was added as a user/ group/ alias.
Note:
- You can delete a department which does not have a sub-department.
- Once you delete it, the users in that department get added automatically to the main parent department.
eDiscovery Settings
Enable / Disable eDiscovery
As an administrator, you can customize your eDiscovery portal by clicking on the Settings tab. This section allows you to enable or disable eDiscovery for your organization. If you have already enabled eDiscovery and later, for some unforeseen reason, wish to disable the service, the emails delivered to your organization's user accounts will no longer be retained, while the older emails will be retained as per the existing archival policy.