Allium Data Archive (ADA): compliant digital archiving for the Czech public sector
A digital archiving and records-disposal system built to the Czech NSESSS v4 national standard. Together with Allium we turned a strict, irreversible regulatory process, the disposal proceeding (skartační řízení), into a controlled, verifiable, and usable workflow, engineered to a standard that can pass national attestation.
Delivery snapshot
Regulatory process, made verifiable
A look at what QuantumSpring delivered as Allium's engineering partner: the full disposal-proceeding lifecycle implemented against NSESSS v4, from ingestion through archive selection, transfer, and verifiable destruction. The full story is below.
Building something under strict compliance rules? We can walk you through how we did it.
100%
PoC milestone delivered
NSESSS v4
National standard targeted
End to end
Ingestion to verifiable destruction
Full audit
Exportable transaction log
The Client & the Challenge We Partnered to Solve
Czech originators, meaning public bodies and regulated organizations, are legally required to manage the full lifecycle of their electronic records, ending in the disposal proceeding (skartační řízení). Records with an expired retention period (skartační lhůta) must be appraised, proposed for disposal, submitted to the National Archive for selection of archival materials (výběr archiválií), transferred to the National Digital Archive when selected, and verifiably destroyed when not, with a complete and auditable trail throughout.
Allium needed a system that turns this regulatory process into a controlled, verifiable, and usable workflow, engineered to a standard that can pass national attestation. That is where QuantumSpring joined as the delivery partner for architecture, engineering, QA, and DevOps.
The Core Challenge: a strict, stateful, irreversible process
Doing this correctly is hard for three reasons. First, it is governed by the NSESSS v4 national standard, with strict rules for SIP package structure, metadata (Appendices 4, 6, and 8), transaction logging, and machine-to-machine exchange (the EISSD interface and the National Digital Archive SIP validator). Second, the process is stateful and multi-party: originator, eSSL system, and archive exchange a sequence of XML documents (requests, decisions, transfer confirmations) that the system must import, reconcile, and act on. Third, errors are irreversible: destroying a record before the archive confirms transfer, or losing an audit header, is a compliance failure that cannot be undone.
Regulatory complexity
Why this is hard to get right
The standard defines exactly how packages, metadata, and logs must look, and how three parties exchange decisions over machine-to-machine interfaces.
Because destruction is permanent, the system has to make the unsafe path impossible, not merely discouraged.
3 parties
Originator, eSSL, National Archive
Irreversible
Destruction cannot be undone
XML exchange
SIP packages and decisions
Appendices 4·6·8
Metadata and logging rules
Our Approach: an AI-native studio engagement
QuantumSpring ran the build as an AI-native studio engagement. Development was driven through an agentic pipeline: Claude executes implementation and QA tasks directly from Linear and GitHub, guided by internal skills (implement, code review, dotnet) and a checklist-driven QA loop that runs the test suite for feedback before work is accepted. End-to-end tests, both functional and visual, run in a Dockerized Playwright environment aligned across developer machines, agents, and CI, so results are reproducible everywhere.
The regulatory domain was translated into an explicit backlog. NSESSS test scenarios and requirement IDs (for example TS-11, TS-14, TS-22, and TS-26, with individual requirement and Appendix references) were mapped to user stories with acceptance criteria, so every compliance rule is traceable to a shipped, testable feature.
Delivery model
Regulation translated into tested features
Requirement IDs became user stories with acceptance criteria and automated tests, so compliance is demonstrable rather than asserted.
Reproducible, Dockerized end-to-end tests kept behavior identical across every environment.
Agentic
Delivery from Linear and GitHub
Checklist QA
Test suite before acceptance
Dockerized e2e
Playwright functional and visual
Traceable
NSESSS IDs mapped to user stories
What We Built: the disposal lifecycle, end to end
The system covers the full lifecycle, from receiving closed records through to verifiable destruction, with the integrity, suspension, and audit features the standard requires.
Ingestion and storage
Receipt of closed records (spisy) from the eSSL system over a REST API, unzip handling, parsing of METS v2024 mets.xml into structured metadata, storage-location tracking, and a filing-plan (věcné skupiny) view keyed on the unique identifier (JID).
Disposal workflow (skartační řízení)
Generation of SIP packages with and without components, disposal proposals for records with expired retention, and the full archive exchange: import of the selection request, decision XML, and transfer-confirmation XML, selection of entities for transfer, and dispatch of disposal-proposal information to EISSD.
Destruction with guarantees
Enforced sequencing so nothing is destroyed before the archive confirms transfer, destruction gated behind a mandatory disposal-consent identifier, a permanent-disposal-consent path, and retention of metadata-only headers after destruction per Appendix 8, with a dedicated view of destroyed entities.
Suspension (legal hold)
Blocking of suspended entities from disposal proposals, visible suspension status in metadata, and correct behavior where the retention clock keeps running during suspension.
Integrity features
Fixed cross-references (pevný křížový odkaz) that keep linked spisy together in a single SIP with a shared mets.xml, and automatic versioning of re-submitted packages so disposal views always reflect the latest version.
Audit and reporting
A dedicated audit-log table with an exportable frontend viewer, a transaction-log API structured per Appendix 6, a SIP-change query API, a multi-level server-logs viewer, plus process-results and comprehensive destruction reports.
The product also evolved in how people use it. The system moved from managing individual packages to a Disposal Process model: process-based navigation, stage-specific filtering, process-level bulk actions, and a unified tabbed process-detail view, with inline expandable tree-tables replacing drill-down navigation.
Architecture & Tech Stack
- Backend
- .NET minimal API with a modular endpoint structure, a Scalar/Swagger API surface, a consistent error DTO, and global exception handling with Czech-friendly error translation.
- Frontend
- React and TypeScript, Czech i18n via a translation config (future-proofed for multiple languages), and a recursive tree-table UI.
- Data
- PostgreSQL, with connection-pool resiliency and warm-pool tuning for production stability.
- Auth
- JWT access tokens and role-based access with admin actions. Active Directory login was researched at the client request.
- Standards and interfaces
- NSESSS v4 XML, METS v2024, SIP and AIP packages, the EISSD interface, and the National Digital Archive SIP validator.
- Infrastructure and DX
- Dockerized for production with health checks and an in-app version badge, deployed on Railway, Serilog request logging, Dependabot, and Dockerized Playwright end-to-end tests (functional and visual) aligned across Mac, Linux, and CI.
Results & Outcomes: compliance and reliability first
We frame results as delivered capability and compliance progress. The proof of concept was scoped and delivered with the PoC milestone at 100 percent, and the full disposal-proceeding lifecycle is implemented against NSESSS v4, from ingestion through archive selection, transfer, and verifiable destruction.
- Compliance by traceability: NSESSS test scenarios and requirement IDs mapped to user stories with acceptance criteria and automated tests.
- Core workflow in structured client acceptance (Review by Allium), with attestation requirements actively being addressed.
- Production-hardened: reliability work on the database connection pool, resilient best-effort audit logging, and SIP packaging validated against the National Digital Archive validator.
Results snapshot
Delivered capability
The disposal proceeding runs end to end, with the guarantees the standard requires built into the workflow rather than added afterward.
Volume metrics and formal attestation status will be confirmed with Allium.
100%
PoC milestone complete
Lifecycle
Skartační řízení, end to end
Guaranteed
No destruction before transfer
In review
Client acceptance with Allium

"This is the kind of work we do best: taking a strict, irreversible regulatory process and making it controllable and auditable, delivered to national-standard quality. Our AI-native pipeline let us map every compliance rule to a tested feature, so quality is demonstrable at every step."
Ondřej Šťastný, Co-founder & CEO, QuantumSpring
What Made This Work
Key takeaways
Three things that mattered most
Delivering to a national standard under irreversible constraints came down to three principles.
Compliance by traceability
Every rule maps to a tested feature.NSESSS test scenarios and requirement IDs were mapped to user stories with acceptance criteria and automated tests, so each regulatory rule is traceable to shipped, verifiable behavior.
Irreversibility guarantees
The system makes the unsafe path impossible.Enforced sequencing, disposal-consent gating, and post-destruction metadata headers ensure nothing is destroyed before the archive confirms transfer.
AI-native delivery
Agentic build with reproducible QA.Implementation and QA ran from Linear and GitHub through an agentic pipeline with a checklist-driven test loop and Dockerized end-to-end tests that behave the same on every machine.
Next step
Building under strict compliance rules?
Speak directly with Ondřej Šťastný
A short expert call to evaluate your regulatory constraints, delivery risks, and the fastest path to a system you can attest and trust.
Clear guidance. Senior expertise. No sales talk.
