Configuring your XM Fax service for PII regulation compliance

Administrator -

Guidelines for configuring your faxing environment (including your XM Fax service and your own corporate environment) to help gain compliance with PII regulations such as GDPR.


If your organization is involved in the processing of Personally Identifiable Information (PII), you may need to configure your faxing environment (including your XM Fax account, local clients and other involved communication/infrastructure systems) to comply with PII regulations such as the European Union's General Data Protection Regulation (GDPR).

The following list of recommendations intends to be a basic set of guidelines to help your XM Fax account administrators and corporate IT administrators to take the appropriate actions in their respective fields in the context of PII regulation compliance process.
Note: For more details and instructions on XM Fax settings involved in the configurations described in this article, please see the XM Fax service online help (Help > XM Fax Administration Help).

Identify your PII data

First of all, you should clearly identify the different types of PII data that your organization is processing, as well as the people within your organization who are intended to process this data, and finally, the context in which the PII data is processed.

This analysis should help you take careful decisions and implement the most appropriate corporate rules in order to meet your PII processing requirements while providing a proper faxing environment to all users of your organization.

Simplify the maintenance of your user accounts

In corporate environments with numerous employees using multiple and separate services, it is sometimes hard to efficiently synchronize the maintenance of user accounts and credentials over all the corresponding platforms (and among them, the XMedius cloud platform).

In a context of PII processing, this topic becomes critical and should be carefully addressed: you need to ensure at all times that the PII data is accessed only by the intended users, according to the security rules you have defined (for example, password policies).

As such, to simplify the maintenance of your XM Fax user accounts and better control their access, it is recommended (as much as possible) to consider the following:
  • Centralize the management of your user accounts by enabling an automated synchronization from your Active Directory using the dedicated AD Sync tool – see: Synchronizing Users from Active Directory.
  • Centralize the enforcement of your corporate password policy by activating the Single Sign-On functionality in your XMedius cloud enterprise account – see: Single Sign-On (SSO) Integration.

Isolate your PII users (if needed)

As XM Fax offers convenient options such as fax forwarding and fax box delegation, you may need to determine if some of your fax users may be allowed to share with some others the faxes they are processing, and if some of them must not be able to share these faxes.

To isolate your PII users, you may need to enforce the same restrictions for all users of your XMedius Cloud account, by disabling (for example, in the most restrictive scenario) the Allow Fax Box Delegation and Allow Fax Forwarding options within XM Fax > Settings > General Settings. Alternatively, if your corporate context requires it, you could consider to open multiple XMedius Cloud accounts.

Protect your fax data

For security reasons, according to PII regulations, the fax data that you process should be protected at all times – at rest and in transit.

Protect data in transit

PII fax data should be protected during its transmission within your corporate environment and through the Internet, to and from the XM Fax service.

As such, XMedius uses a secure telecommunication infrastructure, the Web applications used by XM Fax are configured to work in HTTPs only, and the XMedius Cloud mail servers are setup to support TLS (if your own mail servers are configured to use it – see below).

On your side, this may additionally imply the following:
  • Setup email transport to TLS to protect any email flow involved in your fax processing.
  • Use SFTP, FTPS or SCP if you have to setup fax flows using FTP locations as folder destinations (external to the XM Fax service).

Encrypt data at rest

PII fax files should be encrypted on the server where the fax data is stored during the retention period.

As such, XMedius ensures that the file systems hosting your XM Fax data – including backup locations – are setup to use the highest encryption standards.

On your side, be aware that you should additionally encrypt any storage destination – not managed by the XM Fax service – that you may have included in your fax processing flow (for example, remote folder destinations or other systems/applications).

Note: If you have a backup mechanism involving local fax data folders, do not forget to include the backup locations in your encryption process.

Plan and setup your data retention/deletion

At this step, you should review the data retention/deletion rules you may have established to meet your PII processing requirements. Note that two types of data are subject to data retention/deletion policies: the faxes themselves, but also all related metadata usable for audit purposes.


To have your fax retention/deletion set up according to your corporate requirements, you need to send a configuration request to the XMedius Cloud team. For more information on the subject, see Fax Retention.

Again, having multiple enterprise accounts for each type of processed PII data may offer you more flexibility, if the retention rules are different for each of the PII data types that your organization may process.

Important: The retention rules defined according to PII regulations apply to the whole life cycle of your faxes (i.e. not only XM Fax). That said, to properly calculate the retention periods, you must take into account any other system to which the fax data may have been transmitted after being processed by the XM Fax service. For example, this may include mail boxes, folders or any other application.

Audit data

For audit and troubleshooting purposes, XMedius ensures the tracking of all fax transmission/processing information, administrative configurations/actions and system events:
  • System/administrative audit logs and fax service logs are retained for 90 days (fixed value according to XMedius policies) and remain available on-demand if you need them for audit purposes on your account according to your own corporate policies.
  • Fax event logs are part of the fax records (one event log per fax) and as such, are subject to the same retention/deletion policy as the faxes themselves (see the above section). Therefore, you may need to request an overall fax data retention period that is short enough to meet the data deletion requirement, but that is also long enough to allow the fax event logs to be consulted for audit purposes according to your corporate policies.
    Note: The minimum retention period that you can request for fax records is 7 days. For more details, see Fax Retention

Keep your systems up to date

In the context of PII processing, the security of systems is a critical topic to monitor carefully.

As such, XMedius constantly maintains up to date the systems hosting the XMedius Cloud platform and services as per its policies, by always applying the latest security fixes and improvements produced by the software industry and by its own development team.

On your side, it is always recommended to additionally maintain all your user workstations up to date:
  • By applying OS security updates as soon as they are released.
  • By maintaining any of your XM Fax client software up to date – note that you can subscribe to receive email notifications when XMedius Cloud services and client tools are updated (go to and use the Follow option at the top right of the page).
Have more questions? Submit a request


Powered by Zendesk