How is compliance/WORM functionality ensured?

The API and iFSG only allow authorized access to data. The combination of hash values, which change when data changes, as well as the log and the history, guarantee tamper-proof archiving of the data.
Access to the underlying file system is limited to a small number of people, who are fully aware about the consequences of manipulation.
Even when a user gets write access (by obtaining the admin password), data manipulation is not possible. A forged document will have a different SHA512 fingerprint and will not be visible to the DMS anymore. Deletion of entire containers becomes apparent through inconsistencies in the iCAS log file. In this case, the DMS would also mark the relevant documents as missing.