Security and data protection

While you manage your printers and use our Printix Cloud Print Management Service, we register necessary information. This is typically the information you can see either directly or in a processed format in Printix Administrator.

Tungsten has ISO/IEC 27001 certification, the internationally recognized standard for information security management systems (ISMS).

Printix meets the exacting compliance requirements of the General Data Protection Regulation (GDPR).

White paper: Meeting Data Security and Compliance Requirements Using a Smart Cloud Print Infrastructure (PDF, 12 pages)

Guide: Printix Security and Privacy Guide (PDF, 11 pages)

What data is registered in the Printix Cloud?

  • Printers: Address, vendor, model name, name, MAC address, serial number, properties, page counters, consumables data, and statistics.

  • Computers: Address, host name, type (laptop, desktop, or server), system (Windows or macOS).

  • Networks: Gateway IP and MAC addresses.

  • Documents: Name, number of pages, color, 2-sided, and where and when it was submitted, printed, and deleted.

  • Users:

    • Name (for passwords, see Authentication below)

    • Email

    • Role (user or system manager)

    • Department (Microsoft Entra ID only; can be used to post-process data for subsequent departmental billing)

    • Groups (only the group memberships relevant to Printix functionality are recorded)

Personally Identifiable Information

  • Personally Identifiable Information (PII) in the form of users' names, emails, and document names is stored in the Printix Cloud. The job history keeps document names for 90 days to facilitate Printix troubleshooting. In Printix App and Printix Administrator, users (and system managers) can only see the document names of their own documents, and only while the document is pending release (typically 1 day and maximum 7 days).

  • If you enable Cloud storage, the names of pending documents and their users are stored as part of the documents' metadata.

  • Setting up Analytics with your own Azure SQL database also populates users' names and emails into the database. Document names are only populated if "Include document name in data extract" is selected.

|  | Default setup | Custom setup |
|---|---|---|
| Printix Cloud | + User name and email; + Document name (90 days); + Document files, transit only, no storage [1] | + User name and email; + Document name (90 days); - Document files, no transit, no storage |
| Cloud storage | N/A | + User name (max 7 days); + Document name (max 7 days); + Document files (max 7 days) |
| Analytics (own SQL database) | N/A | + User name and email; + Document name (Optional) |

[1] Mobile-printed and Chrome-printed documents to be released (with Print Anywhere or Print Later) are stored in the Printix Cloud.

Data centers

Printix is hosted in the EU.

  • Secure Microsoft Azure Data Center in the Netherlands [West Europe].

    • Configuration data and micro services:

      • https://api.printix.net

      • https://auth.printix.net

      • https://airprint.printix.net

      • wss://websocket.proxyendpoint.printix.net

  • Secure Amazon Web Services Data Center in Ireland [AWS EU-West-1]. Content Delivery Network (CDN) is enabled.

    • Captions and graphics

      • https://assets.printix.net

    • Driver store

      • https://drivers.printix.net

    • Software packages

      • https://software.printix.net

    • Web servers for Printix Administrator and Printix App

      Example: acme.printix.net. Alias for:

      • https://app.printix.net

    • Web servers for signing in

      • https://sign-in.printix.net

Documents

  • Documents are encrypted and stored until they expire and/or get deleted.

  • Documents do not leave your network, unless you enable additional functionality or print through the cloud.

  • Documents that go through your own Cloud storage are protected by time- and session-restricted credentials issued by Printix Cloud. The Printix Client does not store cloud storage credentials/keys.

  • Advanced Encryption Standard (AES) with a key length of 256 bits is used to encrypt documents.

Communication

  • All Printix communication inside and outside the network is secured with encryption and the use of HTTPS. TLS 1.2 is used.

  • SNMP is used to collect information from printers. Both SNMPv1 and SNMPv3 are supported.

  • Print data is sent to the printer unencrypted, unless the printer supports secure IPPS, in which case it can be sent encrypted.

Printing

  • Printing directly to the printer is just as secure as traditional network printing.

  • With secure print (Print Later or Print Anywhere), you can wait until you arrive at the printer, then release the documents using your phone. That way, you prevent others from collecting your confidential and sensitive documents.

  • With Printix Go, you can sign in at the printer with your card or ID code to release documents. Increase security with a 4-digit PIN code for two-factor authentication.

    • The message "PIN code disabled" appears after three consecutive, failed sign-in attempts. In this case, the user must open the Printix App, reset the PIN code, and enter a new and different value. Otherwise, the Printix App displays "The new PIN code must be different from the previous one".

Capture and workflow

  • Documents scanned with Printix Capture are encrypted while they are transferred to and from the Printix Client over HTTPS and also while they are stored.

  • Optical Character Recognition (OCR) and conversion to searchable PDF or Microsoft Word file happens in the Printix Cloud.

  • If your own cloud storage is used, captured documents are sent through your cloud storage. After processing (OCR) in the Printix Cloud, the document is written to your cloud storage, and from there, it is read by the Printix Cloud destination service and delivered to the destination. Capture with mobile requires that you set up Azure Blob Storage for CORS (Cross-Origin Resource Sharing).

  • Captured documents are automatically deleted from cloud storage after 7 days (168 hours).

Printix Client

  • The user interface of the Printix Client (PrintixClient.exe) runs under the signed in user's account.

  • Printix Service (PrintixService.exe) runs under the local system account and handles the printing and the printer installation.

  • Both applications write log files.

  • The Printix Client silently updates itself to the latest approved version.

  • Documents scanned with Printix Capture are encrypted while they are transferred to and from the Printix Client over HTTPS and also while they are stored.

Authorization

  • Printix uses roles to control what functions a user can perform.

  • Users are notified by email when their role is changed.

Authentication

  • Users are required to register and sign in to use Printix.

  • With Microsoft Entra authentication enabled, users' passwords are handled entirely by Microsoft Entra ID.

    • Printix reads the users' basic profile (displayed name and email address).

  • With Google authentication enabled, users' passwords are handled entirely by Google.

    • Printix reads the users' basic profile (displayed name and email address).

  • With OIDC authentication enabled, users' passwords are handled entirely by the OIDC identity provider.

    • Printix reads the users' basic profile (displayed name and email address).

  • With Okta authentication enabled, users' passwords are handled entirely by Okta.

    • Printix reads the users' basic profile (displayed name and email address).

  • With OneLogin authentication enabled, users' passwords are handled entirely by OneLogin.

    • Printix reads the users' basic profile (displayed name and email address).

  • With Active Directory authentication enabled, users' passwords are not stored by Printix, but can be transferred securely with LDAPS to the local Active Directory server for authentication.

  • For users who authenticate directly with Printix, passwords are protected through salted password hashing. Users can reset their own passwords if they have an email address. Passwords must be at least 6 characters long and contain uppercase letters, lowercase letters, and digits.

  • When signing in at the printer is involved (with card or ID code), the registered card numbers and PIN codes are protected through salted hashing. ID codes are written as plain text.
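
The PIN rules listed under Printing (disabled after three consecutive failures, new PIN must differ from the previous one) can be enforced while storing only a salted hash, as this added illustration shows. It is not Printix code: the PinRecord class, PBKDF2 as the hash, the iteration count, and disabling on the third failure itself are assumptions.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # page: disabled after three consecutive failed attempts


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256. The page only says "salted hashing".
    # A 4-digit PIN has 10,000 values, so a slow KDF plus the lockout
    # carry most of the protection; the salt alone does not.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class PinRecord:
    """Hypothetical per-user PIN state: salt, digest, failure counter."""

    def __init__(self, pin: str):
        self.failures = 0
        self.disabled = False
        self._store(pin)

    def _store(self, pin: str) -> None:
        if not (len(pin) == 4 and pin.isascii() and pin.isdigit()):
            raise ValueError("PIN must be exactly 4 digits")
        self.salt = os.urandom(16)  # fresh salt on every change
        self.digest = _hash_pin(pin, self.salt)

    def _matches(self, pin: str) -> bool:
        # Constant-time comparison of the candidate against the stored digest.
        return hmac.compare_digest(_hash_pin(pin, self.salt), self.digest)

    def verify(self, pin: str) -> str:
        if self.disabled:
            return "PIN code disabled"
        if self._matches(pin):
            self.failures = 0  # only consecutive failures count
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.disabled = True
            return "PIN code disabled"
        return "failed"

    def reset(self, new_pin: str) -> str:
        # Hash the candidate with the OLD salt to detect reuse without
        # ever keeping the previous PIN in plain text.
        if self._matches(new_pin):
            return "The new PIN code must be different from the previous one"
        self._store(new_pin)
        self.failures, self.disabled = 0, False
        return "ok"
```
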

Authentication flows

  • Microsoft Entra ID

    [Figure: Authentication flow, Microsoft Entra ID (HTTPS:443)]

  • Google Workspace

    [Figure: Authentication flow, Google (HTTPS:443)]

  • Chromebook

    [Figure: Authentication flow, Chromebook (HTTPS:443)]