SEC 17a-4 Compliance Archive Software

Self-describing archives with cryptographic Merkle-Tree integrity. Readable in 25 years — without the original application. Auditor verify binary is free.

flworm create in='billing_2025_q1.csv' \
    out='billing_2025_q1.flar' \
    meta.regulation='SEC-17a4' \
    meta.retention=6y

Merkle-Tree Integrity | Self-Describing Format | Free Auditor Verify

The cost of getting it wrong

>$2 Bln.
SEC fines for recordkeeping violations since 2021 — the largest enforcement wave in the agency's history.
$392 M.
August 2024: 26 firms fined in a single sweep for inadequate electronic recordkeeping. No firm was too small to be targeted.
No proof.
CSV + SHA-256 is not a cryptographic proof. A hash file stored separately cannot prove that data and checksum were created at the same time.
25 years.
Your archiving application will be decommissioned. Your data must remain readable and verifiable long after the software is gone.

Three problems. One solution.

Problem

No proof that data and checksum were created simultaneously

A detached SHA-256 file can be replaced or antedated. Regulators have made clear that this is not acceptable evidence of integrity.


flworm

A Merkle tree is computed over all records and embedded with a cryptographic timestamp directly inside the archive — inseparable from the data.

Problem

Column names and data types are lost after 10 years

Plain CSV without a schema becomes meaningless when the original application is gone and no one remembers what "col7" meant.


flworm

flworm embeds a self-describing schema block — field names, types, units, and encoding — inside every archive. No external catalog required.

Problem

Enterprise compliance tools cost $200K–$500K per year

Full-suite compliance platforms require long procurement cycles, professional services, and vendor lock-in that small and mid-size firms cannot afford.


flworm

flworm starts at €59/month. Self-service setup. No enterprise suite. No professional services required to get started.

What flworm does

Self-Describing Schema

Field names, data types, units, and character encoding are embedded inside every archive. Readable in 25 years without the original application.

ZSTD Compression

State-of-the-art ZSTD compression reduces storage footprint by 60–80% for typical financial and log data without sacrificing speed.

Merkle-Tree Integrity

A cryptographic Merkle tree is computed over all records and embedded in the archive header — binding data, schema, and timestamp into a single proof.

Metadata Block

Every archive carries a structured metadata block: creation timestamp, host identity, regulation tag (e.g. SEC-17a4), and retention period.

Optional Signature

Archives can be signed with X.509 certificates or PGP keys to add non-repudiation. Signature verification is part of the free verify binary.

Free Auditor Verify Binary

Auditors and regulators can verify any flworm archive using a free, standalone binary — no license, no account, no dependency on flworm being commercially available.

Extraction Without License

Data can be extracted from any flworm file using the open format specification. Vendor lock-in is structurally impossible.

Forensic PDF Report

A signed PDF audit report summarizing the archive's integrity state, metadata, and verification result — ready for regulatory submission.

Regulatory coverage

| Regulation | Retention Requirement | WORM Required | flworm Support |
|---|---|---|---|
| SEC 17a-4(f) | 3–6 years (broker-dealer records) | Yes — non-erasable, non-rewritable | Supported |
| SOX 802 | 7 years (audit records) | Recommended | Supported |
| 21 CFR Part 11 | Lifetime of record per FDA guidance | Audit trail required | Supported |
| HIPAA | 6 years (medical records) | Integrity controls required | Supported |
| EU Telco Data Retention | 6–24 months (traffic metadata) | Integrity controls required | Supported |
| FINRA 4511 | 3–6 years (member firm records) | Yes — consistent with SEC 17a-4 | Supported |

How flworm compares

Solution Cost Self-Describing Format Merkle-Tree Proof Free Auditor Verify Extraction Without Vendor
Archive360 $200K–500K/yr
OpenText $100K+/yr
Restic / Borg Free (OSS)
CSV + SHA-256 Free No proof N/A
AWS S3 Object Lock Storage cost No format
flworm From €59/mo

Pricing

Linux & Windows
€59
per month

x86-64 Linux and Windows. Ideal for cloud-native deployments, CI/CD pipelines, and on-premise servers.

Annual subscription: 15% discount

AIX & SPARC
€99
per month

IBM AIX Power and Oracle/Sun SPARC platforms. For legacy environments that still hold business-critical data.

Annual subscription: 15% discount

Free verify binary for auditors — regulators and external auditors can verify any flworm archive at no cost. No license agreement required.

Frequently asked questions

What is the difference between flworm and Borg/Restic?
Borg and Restic are excellent backup tools designed for system administrators. They are not designed for regulatory compliance. They do not embed schema metadata, do not produce a Merkle-tree proof of record-level integrity, and do not provide a free standalone verify binary for auditors. flworm is purpose-built to meet the evidentiary standards of financial and healthcare regulators.
Does flworm meet SEC 17a-4(f) requirements?
flworm's archive format is designed to support the key technical requirements of SEC 17a-4(f): non-erasable storage (when paired with WORM media or object lock), self-describing records, and cryptographic integrity verification. The Merkle-tree proof and embedded metadata provide an auditable chain of custody. We recommend consulting your compliance counsel to confirm that your specific deployment configuration satisfies all applicable requirements.
Can an auditor verify the archive without purchasing a license?
Yes. The flworm verify binary is distributed free of charge with no license agreement required. An auditor or regulator can download it, run it against any archive, and receive a complete integrity and metadata report — including Merkle-tree verification, signature check, and retention metadata — without ever contacting limes datentechnik or purchasing any product.
What happens if flworm is discontinued?
The FLAM5 archive format is documented and open. Any archive created with flworm can be read by any implementation of the format specification. Additionally, the verify binary is designed to be a standalone, statically linked executable with no external dependencies — it can be kept indefinitely as part of your records management policy. Your data is not hostage to flworm's commercial availability.
What is a Merkle tree and why does it matter for compliance?
A Merkle tree is a cryptographic data structure in which each record is hashed individually, and those hashes are combined in a binary tree until a single root hash — the "Merkle root" — represents the entire dataset. This means that any modification to any single record changes the root hash, making tampering detectable. More importantly, the Merkle root is embedded in the archive at creation time, binding the integrity proof to the data itself rather than relying on a separately stored checksum file that could be replaced or regenerated.
How does flworm differ from AWS S3 Object Lock?
S3 Object Lock provides WORM storage — it prevents a file from being deleted or overwritten. However, it says nothing about the format or content of the file itself. A CSV stored with Object Lock still has no schema, no Merkle-tree proof, and no embedded metadata. flworm solves the format problem: it defines what the archive contains, how it is structured, and how its integrity can be verified. The two approaches are complementary — you can store flworm archives on S3 with Object Lock enabled.
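
The record-level tree described in the Merkle-tree answer above, as an added Python example; it is not flworm code and does not reproduce the FLAM5 format. It assumes SHA-256, 0x00/0x01 prefixes to separate leaf and inner-node hashes, and promotion of an unpaired node; the records are constructed sample data. Beyond the root, it shows an inclusion proof: one record checked against the root without the rest of the dataset.

```python
import hashlib

def _h(prefix: bytes, data: bytes) -> bytes:
    return hashlib.sha256(prefix + data).digest()

def leaf_hash(record: bytes) -> bytes:
    return _h(b"\x00", record)  # assumed leaf prefix, keeps leaves distinct from nodes

def build_levels(records):
    """Return every tree level, leaves first, root level last."""
    if not records:
        raise ValueError("empty dataset has no Merkle root")
    level = [leaf_hash(r) for r in records]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(_h(b"\x01", level[i] + level[i + 1]))
            else:
                nxt.append(level[i])  # unpaired node is promoted unchanged
        levels.append(nxt)
        level = nxt
    return levels

def merkle_root(records):
    return build_levels(records)[-1][0]

def inclusion_proof(records, index):
    """Sibling hashes needed to recompute the root from one record."""
    proof = []
    for level in build_levels(records)[:-1]:
        sib = index ^ 1
        if sib < len(level):  # a promoted node has no sibling on this level
            proof.append((level[sib], sib < index))  # (hash, sibling_is_left)
        index //= 2
    return proof

def verify_inclusion(record, proof, root):
    h = leaf_hash(record)
    for sibling, is_left in proof:
        h = _h(b"\x01", sibling + h if is_left else h + sibling)
    return h == root

# Constructed sample records (not real billing data).
RECORDS = [b"1001,2025-01-03,ACME,249.00", b"1002,2025-01-04,Globex,1200.50",
           b"1003,2025-01-07,Initech,75.25", b"1004,2025-02-11,Umbrella,310.00",
           b"1005,2025-03-29,Hooli,18.99"]
ROOT = merkle_root(RECORDS)
```

The root only proves integrity if the verifier obtains it from a source the data holder cannot rewrite, which is the role the page assigns to the embedded timestamp and optional signature.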

Start your compliance archive today

From €59/month. Free auditor verify binary included.