Guidelines for configuring your faxing environment (including your XM Fax service and your own corporate environment) to help achieve compliance with PII regulations such as GDPR.
If your organization is involved in the processing of Personally Identifiable Information (PII), you may need to configure your faxing environment (including your XM Fax account, local clients and other involved communication/infrastructure systems) to comply with PII regulations such as the European Union's General Data Protection Regulation (GDPR).
Identify your PII data
First of all, you should clearly identify the different types of PII data that your organization is processing, as well as the people within your organization who are intended to process this data, and finally, the context in which the PII data is processed.
This analysis should help you make careful decisions and implement the most appropriate corporate rules in order to meet your PII processing requirements while providing a proper faxing environment to all users of your organization.
Simplify the maintenance of your user accounts
In corporate environments with numerous employees using multiple and separate services, it is sometimes hard to efficiently synchronize the maintenance of user accounts and credentials over all the corresponding platforms (and among them, the XMedius cloud platform).
In a context of PII processing, this topic becomes critical and should be carefully addressed: you need to ensure at all times that the PII data is accessed only by the intended users, according to the security rules you have defined (for example, password policies).
- Centralize the management of your user accounts by enabling an automated synchronization from your Active Directory using the dedicated AD Sync tool – see: Synchronizing Users from Active Directory.
- Centralize the enforcement of your corporate password policy by activating the Single Sign-On functionality in your XMedius cloud enterprise account – see: Single Sign-On (SSO) Integration.
Isolate your PII users (if needed)
As XM Fax offers convenient options such as fax forwarding and fax box delegation, you may need to determine which of your fax users may share the faxes they process with other users, and which of them must not be able to share these faxes.
To isolate your PII users, you may need to enforce the same restrictions for all users of your XMedius Cloud account, by disabling (for example, in the most restrictive scenario) the Allow Fax Box Delegation and Allow Fax Forwarding options within . Alternatively, if your corporate context requires it, you could consider opening multiple XMedius Cloud accounts.
Protect your fax data
For security reasons, according to PII regulations, the fax data that you process should be protected at all times – at rest and in transit.
Protect data in transit
PII fax data should be protected during its transmission within your corporate environment and through the Internet, to and from the XM Fax service.
As such, XMedius uses a secure telecommunication infrastructure, the Web applications used by XM Fax are configured to work in HTTPS only, and the XMedius Cloud mail servers are set up to support TLS (if your own mail servers are configured to use it – see below).
Encrypt data at rest
PII fax files should be encrypted on the server where the fax data is stored during the retention period.
As such, XMedius ensures that the file systems hosting your XM Fax data – including backup locations – are set up to use the highest encryption standards.
On your side, be aware that you should additionally encrypt any storage destination – not managed by the XM Fax service – that you may have included in your fax processing flow (for example, remote folder destinations or other systems/applications).
Plan and set up your data retention/deletion
At this step, you should review the data retention/deletion rules you may have established to meet your PII processing requirements. Note that two types of data are subject to data retention/deletion policies: the faxes themselves, but also all related metadata usable for audit purposes.
To have your fax retention/deletion set up according to your corporate requirements, you need to send a configuration request to the XMedius Cloud team. For more information on the subject, see Fax Retention.
Again, having multiple enterprise accounts for each type of processed PII data may offer you more flexibility, if the retention rules are different for each of the PII data types that your organization may process.
- System/administrative audit logs and fax service logs are retained for 90 days (fixed value according to XMedius policies) and remain available on-demand if you need them for audit purposes on your account according to your own corporate policies.
- Fax event logs are part of the fax records (one event log per fax) and as such, are subject to the same retention/deletion policy as the faxes themselves (see the above section). Therefore, you may need to request an overall fax data retention period that is short enough to meet the data deletion requirement, but that is also long enough to allow the fax event logs to be consulted for audit purposes according to your corporate policies.
Note: The minimum retention period that you can request for fax records is 7 days. For more details, see Fax Retention.
Keep your systems up to date
In the context of PII processing, the security of systems is a critical topic to monitor carefully.
As such, XMedius constantly keeps the systems hosting the XMedius Cloud platform and services up to date as per its policies, by always applying the latest security fixes and improvements produced by the software industry and by its own development team.
- By applying OS security updates as soon as they are released.
- By keeping any of your XM Fax client software up to date – note that you can subscribe to receive email notifications when XMedius Cloud services and client tools are updated (go to https://support.xmedius.com/hc/en-us/sections/207217288-Change-History and use the Follow option at the top right of the page).