1. Introduction & commitment
Packwise operates IoT devices and the cloud-based Packwise Flow platform that process operational and personal data. Protecting the confidentiality, integrity and availability of this information is a core objective of our company.
We operate an information security management system (ISMS) aligned with the BSI "IT-Grundschutz" framework and integrated into our certified quality management system. Information security is the responsibility of top management and is supported by a designated Information Security Officer and defined roles and responsibilities.
All employees are required to follow our security policies and are regularly trained and made aware of security risks. Intentional or grossly negligent violations can result in disciplinary consequences.
2. Scope
This security policy describes how we protect:
- Packwise Flow – our SaaS cloud platform and related APIs
- Packwise IoT devices and firmware (Packwise Smart Cap)
- Cloud services and infrastructure used to provide these products
- Internal workplace IT systems and endpoints used by Packwise staff
It complements our contractual service description for the Packwise Flow platform and services.
3. Security practices & standards
3.1 Governance, roles & access control
- Defined roles for cloud services
Roles and responsibilities for employees, external staff, interns, team leads, administrators and the Information Security Officer are formally defined for cloud services. Access to cloud services is granted based on role requirements and reviewed at least every six months.
- Least privilege
For critical and non-critical third-party cloud services, a super-admin is designated for each service. This super-admin grants access strictly according to the "least necessary" principle, ensuring users only receive the permissions required to perform their tasks.
- Onboarding and offboarding
A structured onboarding checklist governs account creation, role assignment and training for new staff. Offboarding procedures ensure timely deactivation of accounts and documentation of removed access.
- Workplace devices & private devices
Workplace endpoints (laptops, PCs, mobile devices) may only be used in line with our endpoint security procedures. Private devices must not connect to the company network, except in limited cases as second-factor authenticators using the guest network and approved authenticator apps.
3.2 Authentication & multi-factor authentication (MFA)
- Access to endpoints, critical cloud services and proprietary services is protected by strong authentication and passwords with defined length and complexity requirements.
- Multi-factor authentication is mandatory for systems and services that process sensitive data and for the Packwise Flow service.
- MFA can be performed using approved authentication applications (e.g. Google Authenticator, Microsoft Authenticator, Authy) on private devices used only for this purpose. Loss or theft of such a device must be reported immediately so that MFA can be moved to a new device and accounts checked for misuse.
3.3 Encryption & secure communication
- Data in transit and at rest
Cryptographic controls for IoT devices and cloud-SaaS solutions require current algorithms with at least 128-bit key length. Weak or outdated algorithms (such as MD5, SHA-1, DES or 3DES) and weak authentication mechanisms are prohibited.
- Encryption keys are handled using defined key-management practices, including protection against unauthorised access and regular key rotation.
- Third-party cryptographic libraries must be kept patched and regularly checked for vulnerabilities.
- Web & API communication
Communication between endpoints and cloud services is performed over HTTPS. Only endpoints that support HTTPS and are approved in our internal cloud-service register may be used. Certificates are regularly checked for validity, and browsers must be kept up to date.
- E-mail
E-mail communication is secured using SMTPS and IMAPS with SSL/TLS. Incoming e-mails are scanned for malware on the mail server, and attachments may only be opened if the sender and content are considered trustworthy.
- Platform transport security & perimeter protection
All transmission paths outside Packwise internal private networks are protected by TLS/SSL. Sensitive network interfaces are protected by web application firewalls (WAF).
3.4 Endpoint, physical and environmental security
- Workplace endpoints
All endpoints must be protected by strong authentication, automatic screen locking after short periods of inactivity, up-to-date operating systems and applications, centrally managed antivirus software and active host firewalls. Use of removable media on workplace endpoints is prohibited.
Critical data on endpoints is continuously synchronised to the company's cloud storage to prevent data loss. Regular integrity checks and restore tests support reliable recovery.
- Private devices
Private devices may not be used for business purposes or to connect to internal networks. The only permitted exception is the use of private devices for MFA tokens under defined security conditions.
- Office access
Physical access to our offices is controlled through lockable doors and transponder-based access control. Transponders are personal, tracked in an access list and must be returned when employees leave. Visitors must identify themselves and be accompanied; they may not remain unsupervised in the office.
A reaction plan defines immediate reporting (including to police where appropriate), securing affected areas, incident analysis and improvements to physical security after incidents.
3.5 Software development, firmware & updates
- Software in products and customer projects
Software used in products and projects is selected based on objective criteria including security, compatibility, functionality, cost efficiency and licence requirements. It must be tested and validated before use, documented appropriately and maintained with updates, bug fixes and security patches throughout its lifecycle. Legal and ethical requirements, including data protection and software licensing, must be observed.
- Software on workplace systems
Software for workplace computers is selected and approved centrally. Users are responsible for keeping installed software up to date; security policies for workplace endpoints are monitored by the Information Security Officer.
- Firmware release process
Firmware updates follow a documented multi-phase process including development, structured testing based on a formal test plan, internal test devices, controlled rollout to internal and external device pools and detailed monitoring over defined periods before full rollout. In urgent cases, the controlled rollout phase can be shortened while still ensuring testing in internal and external test pools.
- Packwise Flow service
The proprietary Packwise Flow service is accessible only to authorised users. Admin access is limited to specific support and development roles. Strong passwords, mandatory two-factor authentication, automatic logout and defined account management processes apply. The development department is responsible for service data backups and operational monitoring.
3.6 Backups, availability & business continuity
- The Packwise Flow platform is operated as a SaaS cloud solution on infrastructure provided by specialised partners. A cloud database service certified to ISO 27001 is used for data storage.
- Database backups are performed every six hours, with additional weekly and monthly backups, stored redundantly and geographically distributed. In case of data corruption, data is restored from the most recent backup.
- Critical data on endpoints is mirrored to the company cloud storage, with regular integrity checks and restore tests.
- For critical third-party cloud services, the provider must implement adequate backup measures, which are assessed by the Information Security Officer. For less critical services, backup is handled by the provider.
The Packwise Flow platform is operated with a defined availability target of 98.74% per month for the platform itself, with defined service credits if this target is not reached.
3.7 Data protection & compliance
Our information security measures are designed to support compliance with applicable laws, regulations and contractual obligations. The ISMS is integrated into our quality management system and references, among others, EU data protection law (GDPR), BSI IT-Grundschutz and relevant ISO standards.
3.8 Training, audits & incident handling
Employees receive regular training and awareness sessions on information security and the secure use of endpoints and services. New employees are briefed as part of their onboarding.
For endpoints, e-mail, internet communication, third-party services and proprietary services, standard action plans define how to react to suspected incidents: immediate disconnection of affected devices, prompt notification of the Information Security Officer, incident analysis, remediation steps (such as isolation, restoring from backups, applying patches) and post-incident improvements.
For cryptographic incidents, additional procedures ensure investigation, containment and remediation.
4. Vulnerability reporting (responsible disclosure)
We welcome responsible reports of potential security vulnerabilities in our systems.
Please send reports to: info@packwise.de (subject: "Security issue").
To help us investigate, please include:
- A description of the affected system or endpoint (e.g. Packwise Flow, API, device)
- Technical details and steps to reproduce
- Any available logs or screenshots, if safe to share
Our handling of reports
- We acknowledge receipt of vulnerability reports within 72 hours.
- We aim to provide an initial assessment within 7 days and will keep you informed about progress and remediation where appropriate.
What we ask from you
When researching and reporting vulnerabilities, please:
- Do not perform actions that could disrupt services (e.g. DDoS, mass scanning).
- Do not access, modify or download data belonging to third parties.
- Do not use social engineering, phishing or physical intrusion.
- Use only accounts and data that you are authorised to use.
We do not share the identity of researchers without their explicit consent. If desired, we may acknowledge your contribution on our security acknowledgments page once the issue is resolved.
5. Acknowledgments
We are grateful to all security researchers and partners who help us improve the security of our products and services by reporting vulnerabilities responsibly.
Acknowledgments, where applicable and agreed with the reporter, are published at:
https://packwise.de/security-acknowledgments
6. Version history
- Version: 1.0
- Last updated: 24 November 2025