The InterPlanetary File System (IPFS) underpins much of the public-facing storage layer for non-fungible token metadata, decentralized application assets, and a growing class of Web3 governance documents, according to IPFS documentation. The protocol solves several real engineering problems, including link rot, censorship resistance, and cryptographic content verification.

Adoption in regulated enterprise contexts has been considerably slower, and the gap between Web3 enthusiasm and enterprise practice has widened rather than narrowed over the past two years.

The slower enterprise uptake follows from architectural factors rather than from weak advocacy or insufficient tooling. Commercial pinning services have matured into a layer that mitigates many of the original performance complaints, and a steady stream of industry literature now positions IPFS as a low-cost alternative to centralized object storage for organizational use.

The question that determines whether the protocol can carry regulated enterprise data falls outside the scope of what pinning addresses. That question is about control.

A range of compliance regimes, including the European Union's General Data Protection Regulation and the United States Health Insurance Portability and Accountability Act, presume that a data custodian can effect deletion, modification, and access restriction over time. Public IPFS was designed around the opposite premise, and the resulting tension shapes every subsequent compliance question that enterprise users encounter.

Sector-specific regimes, including those governing financial services and federal government contracting, layer additional retention and disposal obligations on top of the general regulatory framework.

Key takeaways

  • Pinning improves IPFS availability but does not address deletion enforcement, the central requirement of GDPR Article 17 and HIPAA data disposal rules.
  • EDPB guidelines published in January 2025 confirm that encrypted personal data remains personal data and remains subject to the full scope of the GDPR.
  • Content-addressed publication removes cryptographic agility, leaving published ciphertext exposed to future decryption with no recall mechanism available to the publisher.
  • Filecoin, Storj, and Arweave have made different tradeoffs around verifiability, confidentiality, and permanence, each with distinct compliance implications.
  • Akash Network has reintroduced compliance attestation on a decentralized substrate through provider audits aligned with PCI DSS, GDPR, and HIPAA frameworks.
  • Decentralization at the marketplace or coordination layer combined with federation at the data or workload layer is the more durable enterprise pattern.

Why pinning does not solve the compliance question

IPFS uses content-based addressing rather than location-based addressing. Each file uploaded to the network receives a content identifier derived cryptographically from the data itself, and other nodes locate that content through a Kademlia-based distributed hash table combined with a peer-to-peer transfer protocol called Bitswap, according to IPFS documentation. The architecture makes data verifiable, deduplicable, and resistant to single points of failure, and these properties are the source of the protocol's appeal.

Pinning is the mechanism by which a node commits to persistently storing a file's content, ensuring its retrievability through the network. Commercial pinning services now provide the kind of replication and uptime guarantees that early IPFS deployments lacked, with some operators replicating each content identifier across multiple geographic regions.

These services materially improve availability, which was the most visible weakness of the early protocol.

Pinning does nothing about deletion. Once a content identifier propagates and any node has fetched and re-pinned the underlying file, unpinning at the original publisher does not remove the data from the network. Any third party with a copy can continue to serve it indefinitely, and the original content identifier remains a valid retrieval address as long as a single node hosts the bytes.

This architectural property collides directly with Article 17 of the GDPR, the right to erasure, which obliges a data controller to delete personal data without undue delay when a valid request is received. The controller must also take reasonable steps to inform other controllers processing the data of that request, as described by GDPR-Info.

In a content-addressed network with no central operator and no enforceable propagation registry, that obligation cannot be met by technical means. The publisher can request deletion. The protocol cannot guarantee it.

The same difficulty surfaces under HIPAA's Security Rule, which according to guidance from the Department of Health and Human Services requires covered entities to implement policies for the final disposition of electronic protected health information.

Cryptographic erasure is an accepted method, but it presumes a custodial relationship with the encrypted bytes. A protocol whose nodes operate independently of any central authority does not provide that relationship, and a covered entity that publishes protected health information to public IPFS would face an effectively unsolvable disposal problem under the rule.


Encryption, metadata, and the post-quantum horizon

The most common rebuttal to the deletion problem is encryption. If the data on the network is encrypted, the argument runs, deletion is functionally achieved through key destruction, because the ciphertext becomes meaningless once the key no longer exists. The rebuttal is partially true and partially insufficient, in ways that compound across three separate dimensions.

The first dimension concerns metadata. According to IPFS documentation, while traffic between nodes is encrypted, the metadata nodes publish to the distributed hash table is public. This includes node identifiers and the content identifiers of data they are providing.

Academic research published on arXiv in 2021 documented that an adversary with modest monitoring infrastructure can determine which nodes are interested in a given content identifier. The research also showed that such an adversary can learn which content identifiers a particular node requested and, with negligible deniability for that node, whether it retrieved a specific data item in the recent past.

Subsequent academic work published on SecuriTee in 2024 found that sensitive files such as exposed API keys remained accessible on IPFS even after the original repositories had patched the underlying secrets.

The study analyzed more than 24,000 compressed files and identified 647 unique files containing sensitive information, with Google API keys and OAuth credentials prominent among the categories of leaks. The empirical finding illustrates that propagation persists beyond publisher control, and that residual content identifiers can outlive the security context that produced them.

The second dimension concerns the GDPR's treatment of encrypted personal data. The European Data Protection Board issued guidelines on pseudonymisation in January 2025, available through the EDPB, which state that pseudonymised data that could be re-identified through additional information such as a decryption key remains personal data subject to the full regulation.

Encrypted personal data published to IPFS is therefore not exempt from Article 17 obligations on the basis of being encrypted. The data controller's obligations follow the data wherever it propagates.

The third dimension concerns the post-quantum migration timeline. The United States National Institute of Standards and Technology finalized its first post-quantum cryptography standards in August 2024, and the federal government has directed agencies to migrate to post-quantum cryptography by 2035, as described in a working paper from the Federal Reserve.

That paper also notes survey data indicating one in three cybersecurity experts forecast a cryptographically relevant quantum computer before 2032. The migration is driven by the harvest-now-decrypt-later threat, in which adversaries collect encrypted ciphertext today for decryption once quantum hardware becomes sufficiently capable.

Harvest-now-decrypt-later is managed in conventional architectures partly through cryptographic agility, meaning the ability to rotate to stronger algorithms as older ones are deprecated. Cryptographic agility requires the custodian to control the ciphertext.

Content-addressed publication removes that control: the original ciphertext, addressed by the hash of the ciphertext itself, remains resolvable and pinnable by every node that ever cached it. Re-encryption produces a new content identifier rather than replacing the old one.
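Both the pinning argument above (unpinning at the publisher does not remove a propagated file) and the encryption rebuttal (key destruction or re-encryption as a substitute for deletion) can be checked against a small model. The following Go program is an added example written for this article; it is not code from the article's sources or from the IPFS project. It reimplements the CIDv1 raw-block encoding from the CID specification (version 0x01, raw codec 0x55, sha2-256 multihash, base32 multibase), which is what kubo produces for a file no larger than one chunk when added with raw leaves, and it models the swarm as a set of per-node pin sets in which a CID resolves while any node still pins the bytes. The node names, the sample record, and the `Network`, `Scenario` and `Outcome` types are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base32"
	"fmt"
	"strings"
)

// RawCIDv1 is the CIDv1 IPFS assigns to one raw block: multibase 'b' (lower-case base32, no
// padding) over <version 0x01><codec raw 0x55><multihash sha2-256 0x12, length 0x20, digest>.
func RawCIDv1(data []byte) string {
	digest := sha256.Sum256(data)
	raw := append([]byte{0x01, 0x55, 0x12, 0x20}, digest[:]...)
	return "b" + strings.ToLower(base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(raw))
}

// Network is a constructed stand-in for the swarm, not an IPFS client: each node keeps
// its own pin set, and a CID resolves while at least one node still pins the bytes.
type Network struct{ pins map[string]map[string][]byte } // node -> cid -> bytes

// Pin stores data on node and returns its CID (the effect of `ipfs add` on that node).
func (n *Network) Pin(node string, data []byte) string {
	cid := RawCIDv1(data)
	if n.pins[node] == nil {
		n.pins[node] = map[string][]byte{}
	}
	n.pins[node][cid] = append([]byte(nil), data...)
	return cid
}

// Unpin drops one node's own copy only; it cannot reach any other node's pin set.
func (n *Network) Unpin(node, cid string) { delete(n.pins[node], cid) }

// Resolve succeeds if any node anywhere still holds the bytes behind cid.
func (n *Network) Resolve(cid string) ([]byte, bool) {
	for _, set := range n.pins {
		if data, ok := set[cid]; ok {
			return data, true
		}
	}
	return nil, false
}

// randomBytes draws n bytes from crypto/rand, which is documented never to fail (Go 1.24+).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// SealAESGCM encrypts plaintext under a 32-byte key and returns nonce || ciphertext.
func SealAESGCM(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a malformed key length reaches here
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Outcome records whether the original ciphertext still resolves after each step a controller
// might take; only the last one (every mirror unpinning too) actually removes it.
type Outcome struct {
	OldCID, NewCID                                               string
	AfterUnpin, AfterKeyDestroyed, AfterReencrypt, AfterAllUnpin bool
}

// Scenario walks one constructed record through publication, mirroring and erasure attempts.
func Scenario() Outcome {
	record := []byte("patient-id=0001;note=constructed sample, not real PHI")
	key1 := randomBytes(32)
	net := &Network{pins: map[string]map[string][]byte{}}
	var out Outcome
	out.OldCID = net.Pin("publisher", SealAESGCM(key1, record)) // CID is now in the DHT
	ct, _ := net.Resolve(out.OldCID)
	net.Pin("third-party", ct)         // someone else fetched and re-pinned it
	net.Unpin("publisher", out.OldCID) // erasure request honoured locally
	_, out.AfterUnpin = net.Resolve(out.OldCID)
	for i := range key1 { // "cryptographic erasure": the mirror's bytes are untouched
		key1[i] = 0
	}
	_, out.AfterKeyDestroyed = net.Resolve(out.OldCID)
	// Rotating to a new key yields a new object with its own CID; the old one stays.
	out.NewCID = net.Pin("publisher", SealAESGCM(randomBytes(32), record))
	_, out.AfterReencrypt = net.Resolve(out.OldCID)
	net.Unpin("third-party", out.OldCID) // only a cooperating mirror can finish the job
	_, out.AfterAllUnpin = net.Resolve(out.OldCID)
	return out
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Running it prints an `Outcome` in which `AfterUnpin`, `AfterKeyDestroyed` and `AfterReencrypt` are all true and `AfterAllUnpin` is false: the old ciphertext stays resolvable through every action the publisher can take alone, and the rotated ciphertext simply appears under a second identifier. `RawCIDv1` of an empty input yields `bafkreihdwdcefgh4dqkjv67uzcmw7ojee6xedzdetojuzjevtenxquvyku`, the same identifier kubo reports for an empty file with CIDv1, which is a quick way to confirm the encoding before trusting the rest of the model.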

For data with multi-decade confidentiality requirements, including healthcare records, classified information, and genetic data, the combined effect is incompatible with conventional risk management.

Comparable networks and the Akash counterpoint

The broader category of decentralized storage networks has evolved different tradeoffs around the same fundamental tensions. Filecoin uses on-chain proofs of storage and proofs of spacetime, with provider collateral slashed for failed proofs, creating economic incentives for verifiable archival-grade storage, according to industry analysis published on Medium.

Enterprises can negotiate custom storage deals through the Filecoin market, balancing cost, duration, and geographic diversity in ways that resemble conventional cloud procurement. The mechanism addresses the storage-integrity dimension well but does not by itself solve the confidentiality or deletion problems described above.

Storj has taken a different approach focused on the confidentiality side. The same Medium analysis describes a model in which files are encrypted client-side with user-controlled keys, then erasure-coded into roughly 80 pieces distributed across thousands of independent nodes, with only 29 pieces required to reconstruct the original file.

No individual node holds a meaningful fragment, and the architecture forces an attacker to compromise dozens of nodes across jurisdictions without the encryption key to reconstruct anything. The deletion question remains harder to enforce, since requests against independently operated global nodes are contractual rather than technical guarantees.

Arweave occupies the opposite end of the design spectrum. According to a 2026 analysis on Securities.io, the protocol operates on a pay-once-store-forever model, with each fee contributing to an endowment that funds miners to retain data over centuries.

The marketing emphasis on permanence is precisely the property that conflicts with retention-limited compliance regimes and right-to-erasure obligations, and the protocol provides no mechanism for redaction or opt-out once data has been written.

Private IPFS networks operate on yet another premise and deserve to be distinguished from public IPFS in any enterprise analysis. According to IPFS documentation, private networks use the same protocol mechanics as the public network but limit access to permissioned nodes, restoring federation and jurisdictional control at the cost of public-network scale.

Enterprise interest in IPFS as a private content-addressed cluster is a coherent and often defensible position, distinct from enthusiasm for IPFS as a public storage substrate.

Akash Network represents a different decomposition of decentralization for regulated contexts. Akash operates as a decentralized compute marketplace rather than a storage network, and its path into compliance-bounded deployments has run through the deliberate reintroduction of attestation.

Moultrie Audits, composed of former Department of Defense engineers, architects, and penetration testers, has developed provider-auditing programs aligned with PCI DSS, GDPR, and HIPAA frameworks, according to a 2022 case study published by Akash. The audit program operates in tiers from Bronze through Gold, with the Gold Audit requiring 99.999 percent uptime and allowing tenants to select providers whose attested service levels match operational and regulatory requirements.

Akash itself does not hold FedRAMP authorization as of mid-2026, and the enterprise compliance gap is acknowledged in industry analysis. A 2026 research report on the network published by Coinclear notes that enterprises require service-level agreements, compliance certifications, and support that a decentralized network struggles to provide directly.

The network's response has been to make provider attributes attestable and to allow tenants to constrain workloads to specific audited providers, producing a federated solution layered atop a decentralized marketplace. The decentralization operates at the marketplace layer, and the federation operates at the workload layer.

Availability and control as separate axes

The pattern that consolidates these observations centers on the distinction between availability and control. Pinning services have meaningfully improved IPFS availability, which was the most visible weakness of the early protocol.

Control is the dimension that conventional enterprise compliance regimes presume and that public content-addressed storage does not provide by design.

The two axes can also be evaluated against each other in practical decisions. A network optimized for permanence produces different obligations than a network optimized for verifiable retrievability or for confidentiality, and decision-makers face a tradeoff matrix in which availability, durability, confidentiality, and controllability cannot all be maximized simultaneously.

The compliance regime applicable to a given dataset narrows that matrix substantially, often to the point of dictating the choice. Healthcare, financial services, and government-adjacent data tend to push toward private clusters or audited marketplaces, while public-facing artifacts such as NFT metadata or open governance documents remain natural fits for public content-addressed networks.

Decentralized infrastructure is most defensible in enterprise contexts when the decentralization operates at the marketplace or coordination layer while federation operates at the workload or data layer. The Akash audited-provider model and private IPFS clusters both fit this pattern, and Storj's client-encrypted, erasure-coded architecture partially fits subject to the caveats discussed above.

Public IPFS as an enterprise storage substrate departs from this pattern, because the decentralization extends to the data itself, beyond the reach of any custodial control.

The post-quantum migration timeline reframes the stakes of that distinction for regulated organizations. Ciphertext published in 2026 with the assumption of indefinite confidentiality faces a horizon in which encryption may be retroactively broken by hardware that does not yet exist, and the publisher has no mechanism to recall the ciphertext from a content-addressed network.

For organizations whose data retention obligations span decades, the architectural decision made today determines which compliance postures remain recoverable in 2035 and beyond. The custodial assumption baked into each major regulatory regime collides directly with the custodial absence baked into public content-addressed networks, and the collision has no purely technical resolution.
