1.5. Security and data protection

In order to allow you to manage your printers and offer our Printix Cloud Print Management Service, we register necessary information. This is typically the information you can see either directly or in a processed format in Printix Administrator. Tungsten Automation has ISO/IEC 27001 certification, the internationally recognized standard for information security management systems (ISMS).

*Printix meets the exacting compliance requirements of General Data Protection Regulation (GDPR).
White paper: Meeting Data Security and Compliance Requirements Using a Smart Cloud Print Infrastructure (PDF, 12 pages)
Guide: Printix Security and Privacy Guide (PDF, 11 pages)

• What data is registered in the Printix Cloud?
  • Personally Identifiable Information
• Data centers
• Documents
• Communication
• Printing
• Capture and workflow
• Printix Client
• Authorization
• Authentication
  • Authentication flows
    Microsoft Entra ID, Google Workspace, Chromebook

What data is registered in the Printix Cloud?

• Printers: Address, Vendor, Model name, Name, MAC address, Serial number, Properties, Page counters, Consumables data, and statistics.
• Computers: Address, Hostname, Type (Laptop, Desktop, Server), System (Windows, macOS).
• Networks: Gateway IP and MAC addresses.
• Documents: Name, Number of pages, Color, 2-sided, and where and when it was submitted, printed, and deleted.
• Users:
  • Name (As for passwords, please see Authentication below)
  • Email
  • Role (User / System manager)
  • Department (Microsoft Entra ID only, and can be used to post process data for subsequent departmental billing)
  • Groups (Only the group membership relevant to Printix functionality is recorded)

Personally Identifiable Information

• Personally Identifiable Information (PII) in the form of a users’ name, email and document names are stored in the Printix Cloud. Here document names are kept as part of job history for 90 days to allow troubleshooting by Printix. In Printix App and Printix Administrator users (and system managers) can only see the document names of their own documents, and only while the document is pending (typically 1 day and maximum 7 days).
• Enabling Cloud storage will for the duration of the pending documents, store the document name and the name of the user as part of the document’s metadata.
• Set up of Analytics with an own Azure SQL database will also populate users’ name and email into this. Document names are only populated if Include document name in data extract is checked.

	Default setup	Custom setup
Printix Cloud	+ User name and email + Document name (90 days) + Document files, transit only, no storage (see Note 1)	+ User name and email + Document name (90 days) – Document files, no transit, no storage
Cloud storage	N/A	+ User name (max 7 days) + Document name (max 7 days) + Document files (max 7 days)
Analytics Own SQL database	N/A	+ User name and email + Document name (Optional)

Note 1: Mobile printed and Chrome printed documents to be released (anywhere and later) are stored in the Printix Cloud.

Data centers

Printix is hosted in the EU.

• Secure Microsoft Azure Data Center in the Netherlands [West Europe].
  • Configuration data and micro services:
    • https://api.printix.net
    • https://auth.printix.net
    • https://airprint.printix.net
    • wss://websocket.proxyendpoint.printix.net

• Secure Amazon Web Services Data Center in Ireland [AWS EU-West-1]. Content Delivery Network (CDN) is enabled.
  • Captions and graphics
    • https://assets.printix.net
  • Driver store
    • https://drivers.printix.net
  • Software packages
    • https://software.printix.net
  • Web servers for Printix Administrator and Printix App.
    Example: acme.printix.net. Alias for:
    • https://app.printix.net
  • Web servers for sign in
    • https://sign-in.printix.net

Documents

• Documents are encrypted and stored until they expire and/or get deleted.
• Documents do not leave your network, unless you enable additional functionality or printing via the cloud. See also: Which documents go via the cloud?
• Documents that go via an own Cloud storage are protected by time- and session-restricted credentials issued by the Printix Cloud. Printix Client does not store cloud storage credentials/keys.
• Advanced Encryption Standard (AES) with a key length of 256 bits is used to encrypt documents.

Communication

• All Printix communication inside and outside the network is secured with encryption and the use of HTTPS. TLS 1.2 is used.
• SNMP is used to collect information from printers. Both SNMPv1 and SNMPv3 are supported.
• Print data is sent unencrypted to the printer, but with secure IPPS it can be sent encrypted to printers that support secure IPPS.

Printing

• Printing directly to the printer is just as secure as compared to traditional network printing.
• With Secure print (Print later and Print anywhere), you have the option to wait until you have arrived at the printer, and only then release the documents via your phone. No more stressful “print and sprint” to prevent others from collecting your documents from the output bin of the printer.
• With Printix Go, you can sign in at the printer with your card or ID code and release documents. Increase security with PIN code (4-digit) for two-factor authentication.
  • PIN code disabled is shown after three consecutive failed sign in attempts. User must open Printix App and Reset PIN code and choose a new and different value, otherwise Printix App will show The new PIN code must be different from the previous one.

Capture and workflow

• Documents scanned with Printix Capture are encrypted while they are transferred to and from the Printix Client over HTTPS and also while they are stored.
• Optical Character Recognition (OCR) and conversion to searchable PDF or Microsoft Word file happens in the Printix Cloud.
• If an own cloud storage is used captured documents are sent via your cloud storage. After processing (OCR) in the Printix Cloud the document is written to your cloud storage, and from there it is read by the Printix Cloud destination service and delivered to the destination. Capture with mobile requires that you set up Azure Blob Storage for CORS (Cross-origin Resource Sharing).
• Captured documents are automatically deleted from cloud storage after 7 days (168 hours) as the defined time-to-live.

Printix Client

• The user interface of Printix Client (PrintixClient.exe) runs under the signed in user’s account.
• Printix Service (PrintixService.exe) runs under the local system account and handles the printing and printer installation.
• Both applications write log files.
• Printix Client will silently update itself to the latest approved version.
• Documents scanned with Printix Capture are encrypted while they are transferred to and from the Printix Client over HTTPS and also while they are stored.

Authorization

• Printix uses Roles to control what functions a user can perform.
• Users are notified by email when their role is changed.

Authentication

• Users are required to register and sign in to use Printix.
• With Microsoft Entra authentication enabled, users’ passwords are handled entirely by Microsoft Entra ID.
  • Printix will read the users’ basic profile (display name and email address).
• With Google authentication enabled, users’ passwords are handled entirely by Google.
  • Printix will read the users’ basic profile (display name and email address).
• With Okta authentication enabled, users’ passwords are handled entirely by Okta.
  • Printix will read the users’ basic profile (display name and email address).
• With OneLogin authentication enabled, users’ passwords are handled entirely by OneLogin.
  • Printix will read the users’ basic profile (display name and email address).
• With Active Directory authentication enabled, users’ passwords are not stored by Printix, but can be transferred securely via LDAPS to the local Active Directory server for authentication.
• For users who authenticate directly with Printix, passwords are protected through salted password hashing. Users can reset a password themselves. Their email address is required for this to work. Passwords must be minimum 6 characters in length and contain uppercase letters, lowercase letters, and digits.
• For sign in at the printer scenarios, the registered card numbers and PIN codes are protected through salted hashing. ID codes are written as plain text.

Authentication flows

• Microsoft Entra ID
• Google Workspace
• Chromebook

Microsoft Entra ID

Google Workspace

Authentication flow Google (HTTPS:443)

Chromebook

Authentication flow Chromebook (HTTPS:443)