PackNet Online Documentation

This document details how Packsize complies with General Data Protection Regulation (GDPR) and protects customer data. This document also outlines how Packsize processes PackNet Software Platform data.

The processing of data is necessary to perform contractual obligations in support of our packaging solutions. PackNet has implemented redundant hosting in Azure regions in North America. A table of Packsize's cloud vendors and the location of data they host can be found below in section 6.4 Location of Data.

Data can only be inducted into the PackNet Software Platform through the predefined integration methods. See the PackNet Integration Requirements for more information around the integration into the PackNet Software Platform.

PackNet requires information to create a right-sized packaging solution based on customer configurations and priority settings. The data consumed can differ based on the solution but typically includes:

If PackNet requires the ingestion of label data in order to print and apply a label, the following information may be collected:

In order to provide its services, Packsize has engaged with third party cloud infrastructure providers which will allow access to personal data. These organizations are identified below with their locations and the types of services they provide to Packsize.

Processing Activities:

Job production data that is stored in a cloud environment is encrypted at rest by Packsize's cloud vendors. This data is available for 30 days in order to triage jobs that have been sent to the PackNet environment. Following this time period, the data it automatically removed through a secure deletion process. Depending on the timing of backup snapshots, the data may be retained within MongoDB backup for one year if the snapshot was taken before auto-delete. This data retention period may be shortened by adjusting the settings in Secure Print.

Packsize captures metadata around quality and efficiency to support PackNet reporting which provides metrics and dashboards for customers. This data is captured and stored in an encrypted format indefinitely.

All data transmitted between PackNet Software Platform environments and Packsize customers is protected by Transport Layer Security (TLS), which is enabled by default and cannot be disabled. Communication between the PackNet Software Platform and IoT edge device requires TLS 1.2 encryption and a minimum key length of 64 bits for the initial connection. Subsequent traffic is encrypted with a 2048 bit certificate. For integration points, PackNet Software Platform TLS 1.3 is required for encryption of data flowing into the environment.

Encryption at rest serves as a safeguard, ensuring that any stored files or data can only be accessed by an authorized process or application through decryption. Encryption for data at rest is automated using Azure's transparent disk encryption, which uses industry-standard AES-256 encryption to secure all volume (disk) data. All keys are fully managed by Azure (see Azure Transparent Encryption).

The PackNet Software Platform leverages Atlas Mongo DB for cloud data storage to support the PackNet Software Platform. Customer data is encrypted at rest by default using AES-256 to secure all volume (disk) data. The process is automated by the transparent disk encryption of the customer's selected cloud provider, and the cloud provider fully manages the encryption keys.

Regular reviews are conducted through the PackNet Software Platform by both internal and external security teams. Internally, the platform undergoes periodic risk assessments and threat modeling, which involves technical vulnerability discovery and evaluation of business risks and concerns. Third parties are engaged on at least an annual basis to conduct application penetration tests and cloud security reviews.

Packsize Information Security and PackNet Product teams work proactively together on security initiatives in their Software Development Lifecycle (SDLC). Packsize has implemented tooling and practices to ensure operational security within the PackNet Software Platform. Packsize leverages third-party security tools to conduct source code scans, detecting and addressing known security vulnerabilities and preventing unsecure code from being pushed to production. Additionally, Packsize tests its code against government benchmarks, including Common Vulnerability and Exposure (CVE) and Common Weakness Enumeration (CWE).

In general, Packsize personnel do not have access to customer production data. Only a small group of privileged users have the authority to access production infrastructure.

Packsize adheres to the principle of least privilege for these users, ensuring that access is limited to the minimum scope necessary for resolving the critical issue. The access process for privileged users requires MFA. Additionally, Packsize revokes a privileged user's access when leaving the company.

Packsize is continuously monitoring, auditing, and improving the design and operating effectiveness of all security controls. Packsize has an established process for the identification and closure of configuration issues or vulnerabilities within defined SLAs.

Packsize has established multiple availability zones for redundancy of critical resources in case of outages.

Incremental backups are performed daily using an automated system and replicated to an offsite location. Backups are monitored for failure using an automated system. Details on providers and resiliency control documentation for our vendors can be found in the PackNet Cloud Security Guide [GUIDE-00006].

Packsize has an established incident response plan that outlines steps to notify stakeholders and customers within agreed time frames in the event of a data breach of other security incidents. The incident response plan is reviewed annually.

Packsize team members undergo annual training to ensure ongoing compliance with GDPR standards. Packsize has established internal policies and procedures to maintain accountability and adhere to GDPR standards.