--- title: "Research & Education" date: 2026-04-27T12:49:00+02:00 author: Hannes Heckel canonical_url: "https://www.fast-lta.de//en/verticals/research-education" section: Verticals Pages --- Independent of cloud providers and funding terms # Secure research data for the long term DFG Guideline 17 requires research data to be retained for ten years. The GDPR, export controls and confidentiality agreements rule out cloud storage for an increasing proportion of this data. On-premises infrastructure is not a fallback option — it is the only compliant solution. [Request a consultation ](https://www.fast-lta.de//en/fast/contact/general "Request a consultation") ![An isometric laboratory 202604241659 1 | FAST LTA](https://fast-lta.transforms.svdcdn.com/production/images/An_isometric_laboratory_202604241659-1.jpeg?w=960&q=80&auto=format%2Cavif&fit=crop&dm=1777280310&s=18265adcdbde93d7d387df14a5ed9af3) ### Why cloud storage is increasingly off the table for research data [\#](#why-cloud-storage-is-increasingly-off-the-table-for-research-data "Why cloud storage is increasingly off the table for research data") Universities and public research institutes (in Germany, for example Fraunhofer, Helmholtz, Max Planck, and Leibniz institutes) face a structural challenge. The data base grows exponentially (sequencing data, climate models, imaging series, qualitative interview data), while the regulatory requirements on where it may be stored become more restrictive. Four factors make cloud storage for a growing share of research data not merely suboptimal but impermissible: **1. Export control and dual-use regulation.** Research results in security-relevant fields (materials science, biosecurity, defence research, nuclear technology) fall under EU and national export-control rules. The EU Dual-Use Regulation (Regulation (EU) 2021⁄821) governs the transfer of such items and technology. Transferring this data to a cloud provider whose data centers lie outside the EU, or that operates under US CLOUD Act jurisdiction, can constitute an export-control breach. The regulation exempts basic scientific research and information already in the public domain, but applied and security-relevant results are squarely in scope. **2. GDPR for personal research data.** Clinical studies, population surveys, genomic data: personal research data may be transferred to third parties only under strict conditions. GDPR Article 28 requires data processing agreements that many cloud providers do not offer in the form data protection officers will accept. **3. Confidentiality agreements with industry partners.** Third-party-funded projects with industrial partners regularly include NDA clauses that require project data to be processed on systems fully under the research institution’s control. **4. Funding requirements.** Horizon Europe projects require Data Management Plans (DMPs) that evidence the storage location, access control, and long-term availability of research data. ​“We use a commercial cloud service” is rarely sufficient in combination with the data categories above. --- ### Ten-year research-data retention: what it means for your infrastructure [\#](#ten-year-research-data-retention-what-it-means-for-your-infrastructure "Ten-year research-data retention: what it means for your infrastructure") European research-integrity codes converge on a ten-year retention standard for research data and all materials needed to reproduce a result. A prominent example is the German Research Foundation’s Guidelines for Safeguarding Good Research Practice (Guideline 17, 2019): research data and the materials underlying a published finding must generally be kept for at least ten years, accessible, intact, and traceable. “Accessible” means the data must be readable throughout the entire period, regardless of which software or systems change in that time. ​“Intact” means it must be demonstrable that the data has not been altered since its creation. ​“Traceable” means that access and changes must be logged. These three requirements are only partly met by software-based archiving. Software locks can be disabled, systems are replaced, formats stop being read, licenses expire. Hardware WORM (immutability enforced at the device level) is the only method that meets all three over a ten-year period without gaps. ### GDPR The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing). [Mehr erfahren →](https://www.fast-lta.de//en/glossary/gdpr) ### GDPR The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing). [Mehr erfahren →](https://www.fast-lta.de//en/glossary/gdpr) ### WORM WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/worm) ## Silent Cubes for research-data archiving Silent Cubes are designed as a long-term archiving system for exactly this set of requirements: **Bit-level integrity:** Every stored record is protected by a cryptographic checksum process. Silent bit rot or storage errors are detected and corrected before they cause data loss. For research data that will be used as a basis for reproducibility in ten years, this is not an optional feature; it is a prerequisite. **Hardware WORM:** The immutability of a record is a property of the hardware controller, not a software setting. No administrator, ransomware attack, or compromised system account can change or prematurely delete an archived research record. For research-integrity audits, funder evidence, and reproducibility checks, that is a defensible argument. **Institutional control:** All data stays fully under the institution's control. No dependence on a third party's availability, no cloud-contract cancellation that triggers data loss, no data center in another jurisdiction. **Configurable retention periods:** Ten years for code-compliant retention, or longer, for clinical data, environmental measurements, or other categories with specific retention duties. ### WORM WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/worm) [Find out more ](https://www.fast-lta.de//en/products/silent-cubes "Find out more") ![SCDS HU Pro HWWORM | FAST LTA](https://fast-lta.transforms.svdcdn.com/production/images/fast/SCDS-HUProHWWORM.jpg?w=960&q=80&auto=format%2Cavif&fit=crop&dm=1772121892&s=9e9f51c50282d0054642755ea718461b) --- ![X60802x SBMA1x SBP frontal2x Air Gap | FAST LTA](https://fast-lta.transforms.svdcdn.com/production/images/fast/X60802xSBMA1xSBP-frontal2xAirGap.jpg?w=960&q=80&auto=format%2Cavif&fit=crop&dm=1772468089&s=648f39bb328f5d8c494ebe5e2dcba9bb) ## Silent Brick System: backup for large research data sets Genome sequencing data grows into the petabyte range per project. Climate model simulations produce volumes that scale economically in no commercial cloud archive. Imaging series from telescopes, scanning electron microscopes, or particle detectors fill entire storage racks every week. The Silent Brick System is built as a scalable backup system for exactly these volumes. The modular architecture grows with the research data set without changing the base architecture or license base. **Physical air gap:** The Silent Brick Max Air severs the network connection at the hardware level after the backup job completes. Ransomware active in a research data center cannot physically reach these backup copies. This is especially relevant for institutions whose primary systems are internet-connected and that have experienced targeted attacks on research data in recent years. **Multi-site operation:** Universities with several campuses, or non-university institutions with distributed institutes, can manage decentralized Silent Brick Systems from a central console. Each site backs up locally; administration is central. ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) [Find out more ](https://www.fast-lta.de//en/products/silent-brick-system "Find out more") --- ## Silent AI: unlock research literature and project data internally Research institutions accumulate knowledge faster than individual search can keep up: publications, internal reports, raw-data annotations, project documentation, standards catalogs, grant-proposal texts. The knowledge exists; it is just not retrievable. **Silent AI** brings AI-assisted document analysis onto your own infrastructure. Researchers can ask questions about project data, publications, and internal documents in natural language and get relevant passages immediately, from the institution's entire knowledge base, not just from what was opened in the past few weeks. Decisive for research institutions: no data transfer to the cloud. No US CLOUD Act risk. No GDPR problem with personal research data. No breach of confidentiality agreements with industry partners. The AI analysis runs entirely on premises, on servers the institution controls, in a data center subject to its own data-protection rules. ### US CLOUD Act The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) authorizes US authorities to require US companies to hand over data — regardless of where that data is physically stored, including servers located in the EU. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/us-cloud-act) ### US CLOUD Act The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) authorizes US authorities to require US companies to hand over data — regardless of where that data is physically stored, including servers located in the EU. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/us-cloud-act) ### GDPR The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing). [Mehr erfahren →](https://www.fast-lta.de//en/glossary/gdpr) [Find out more ](https://www.fast-lta.de//en/products/silent-ai "Find out more") ![2026 SAI frontal | FAST LTA](https://fast-lta.transforms.svdcdn.com/production/images/fast/2026-SAI-frontal.jpeg?w=960&q=80&auto=format%2Cavif&fit=crop&dm=1772122968&s=9c06679cda8115826b582a2405de8be0) --- ### Compliance at a glance [\#](#compliance-at-a-glance "Compliance at a glance") Regulation / requirementSpecific dutyFAST LTA solution**Research-integrity codes** (e.g. German DFG Guideline 17)10-year retention; integrity, accessibility, traceabilitySilent Cubes hardware WORM; bit-level integrity; full audit trail; open file formats**GDPR Art. 5, 28, 32**Integrity of personal research data; no uncontrolled transfer to third partiesFully on-premises operation; no processing by external cloud providers**Horizon Europe DMP**Evidenced storage location, access control, long-term availabilityHardware archiving with configurable retention; institutional control documentable**EU Dual-Use Regulation (EU 2021⁄821)**No transfer of export-controlled data into impermissible jurisdictionsFully on premises in Germany; no transfer to foreign cloud providers**EU Data Act (Reg. (EU) 2023⁄2854, applicable since 12 Sep 2025)**Transparency in data processing; right to data portability in a structured formSilent Cubes in the open OpenDocument format enable portability; on-premises operation ensures full control**Good research practice (reproducibility)**Long-term available, unaltered dataHardware WORM as physical evidence of non-alteration; bit-level integrity checking ## Questions and answers #### Do Silent Cubes formally meet ten-year research-data retention requirements, and is there confirmation for grant applications? Hardware WORM at device level meets the three core requirements of research-integrity codes such as the German DFG Guideline 17: integrity (the hardware controller prevents alteration physically), accessibility (data in an open format, no software dependency), and traceability (a full access audit trail). FAST LTA provides technical documentation that can be used in research-data management plans and funding applications. For specific applications or funder evidence, our specialists are glad to speak directly with your institution's research-data management officer. ### WORM WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/worm) #### How do you build a Data Management Plan (DMP) with Silent Cubes that meets Horizon Europe requirements? A DMP for Horizon Europe projects must document where data is stored, who has access, how integrity is ensured, and how long-term availability is guaranteed. Silent Cubes provide concrete, verifiable answers to all four. FAST LTA provides DMP text templates and technical description blocks that can be inserted directly into Horizon Europe DMP templates. On request, we support the DMP process. #### Can a university with several campuses run a shared Silent Cubes infrastructure? Yes. Silent Cubes and the Silent Brick System support distributed multi-site configurations. Each site can run its own archiving and backup unit, administered through a central management interface. Access rights, retention periods, and document classes can be configured per institution or department. Replication between sites for higher resilience is possible. For consortia (for example shared use by several institutes), tenant-separated operating models are feasible. #### How long can research data be kept on Silent Cubes, and what happens after 10 years? The storage media in Silent Cubes are designed for a minimum service life of 30 years, well beyond the ten-year minimum. The hardware-WORM lock applies for the configured retention period. After it expires, data is not deleted automatically: release for deletion has to be triggered actively, to prevent accidental data loss. For data with longer retention duties, such as clinical trials (at least 25 years for the trial master file under EU Regulation 536/2014) or radiotherapy records (30 years under national radiation-protection law, in Germany §85 StrlSchG), longer retention periods can be configured. ### WORM WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/worm) #### Are Silent Cubes suitable for very large data volumes such as genome sequencing, climate models, or telescope images? Yes. Silent Cubes and the Silent Brick System scale into the petabyte range. The modular architecture allows step-by-step expansion without base-architecture changes. For very high write rates, such as sequencing data or live measurement campaigns, the Silent Brick System offers especially high sequential write performance. We carry out capacity and throughput planning together in the consultation, based on your actual data volumes and growth rates. Made in EuropeResearch-integrity compliant (e.g. DFG Guideline 17)GDPR Art. 32ISO 27001On-premises, no cloud dependency2,500+ customers since 2008 ## Request a consultation Speak with a specialist who knows both the research-integrity requirements and your infrastructure. [Book an appointment ](https://www.fast-lta.de//en/fast/contact/general "Book an appointment") ![IMG 3121 | FAST LTA](https://fast-lta.transforms.svdcdn.com/production/images/fast/IMG_3121.jpg?w=960&q=80&auto=format%2Cavif&fit=crop&crop=focalpoint&fp-x=0.5013&fp-y=0.5653&dm=1779445861&s=5b48d3c6a6a5eba9ce2eaf1d2c10b325)