Concept
Immutability And Legal Hold
How EBA repository immutability, governance mode, compliance mode, and legal hold relate to protection patterns.
Immutability
Immutability is enabled on the EBA repository. Protection patterns decide whether their backups use that immutability and which mode applies.
How immutability protects a backup
Checked first
Repository Capability
The repository must support Object Lock. Sendense verifies this with repository capability checks before immutability can be used.
Governance or compliance
Pattern Opt-In
The protection pattern chooses whether its backups use repository immutability and which mode applies.
Per backup
Retain-Until Applied
Each protected backup receives a retain-until time derived from its retention.
Until expiry
Deletion Blocked
The backup cannot be deleted before its retain-until time passes. Legal hold blocks deletion regardless of retention until the hold is released.
Governance And Compliance Mode
Choose compliance mode carefully
While active, compliance-style immutability is extend-only through normal operations. Select it deliberately rather than as a stronger default.
Pattern Immutability Eligibility
Not every EBA repository can support pattern immutability. It requires a version-aware EBA repository with Object Lock support and a qualified capability state, based on visible checks such as provider capability, bucket versioning, and repository mode.
When immutability is blocked, reprobe the repository, enable the required provider settings, or choose a qualified repository.
Bucket Default Retention
Some repositories expose bucket default retention: an administrator-managed repository policy that applies retention to future writes. It depends on repository capability, bucket versioning, and Object Lock support.
Bucket default retention is separate from protection-pattern retention. It can impose a repository-level retention floor, but protection patterns still define backup schedule and retention selection.
Legal Hold
Legal hold prevents affected recovery points from being deleted until the hold is released or expires. It is configured through EBA governance controls, not inside a protection pattern.
- A hold can apply to a repository, a VM, a specific backup or recovery point, or all protected data where global hold is available.
- Each hold records a name, reason, creator, creation time, optional case or matter reference, optional expiry, and release reason.
How Deletion Is Blocked
Re-checked before final deletion
Deletion and cleanup re-check governance before deleting. A recovery point that becomes held during its deletion grace period is not treated as eligible for final deletion.
Audit Trail
- Repository capability changes and immutability changes are auditable.
- Legal hold creation, update, expiry, and release are auditable.
- Destructive cleanup actions require explicit operator intent and are auditable.
Related Docs