Configuring your XMediusFAX service and your faxing environment for PII regulation compliance

Guidelines for configuring your faxing environment (including your XMediusFAX Cloud service and your own corporate environment) to help achieve compliance with PII regulations such as GDPR.

Purpose

If your organization is involved in the processing of Personally Identifiable Information (PII), you may need to configure your faxing environment (including your XMediusFAX Cloud account, local clients and other involved communication/infrastructure systems) to comply with PII regulations such as the European Union's General Data Protection Regulation (GDPR).

The following list of recommendations is intended as a basic set of guidelines to help your XMediusFAX Cloud account administrators and corporate IT administrators take the appropriate actions in their respective areas as part of a PII regulation compliance process.
Note: For more details and instructions on XMediusFAX Cloud settings involved in the configurations described in this article, please see the XMediusFAX service online help (Help > Fax Administration Help).

Identify your PII data

First of all, you should clearly identify the different types of PII data that your organization is processing, as well as the people within your organization who are intended to process this data, and finally, the context in which the PII data is processed.

This analysis should help you make informed decisions and implement the most appropriate corporate rules in order to meet your PII processing requirements while providing a proper faxing environment to all users of your organization.

Isolate your PII users (if needed)

As XMediusFAX Cloud offers convenient options such as fax forwarding and fax box delegation, you may need to determine which of your fax users may be allowed to share the faxes they are processing with other users, and which of them must not be able to share these faxes at all.

To isolate your PII users, you may need to enforce the same restrictions for all users of your XMedius Cloud account, by disabling (for example, in the most restrictive scenario) the Allow Fax Box Delegation and Allow Fax Forwarding options within Fax Settings > General Settings. Alternatively, if your corporate context requires it, you could consider opening multiple XMedius Cloud accounts.

Plan and request the configuration of your fax retention/deletion

At this step, you should review the data retention/deletion rules you may have established to meet your PII processing requirements, in order to request that the appropriate fax data retention be set up by the XMedius Cloud team (for more information on the subject, see Fax Retention).

Again, having a separate enterprise account for each type of processed PII data may offer you more flexibility if the retention rules differ between the PII data types that your organization processes.

Important: The retention rules defined according to PII regulations apply to the whole life cycle of your faxes (i.e. not only within XMediusFAX Cloud). Therefore, to properly calculate the retention periods, you must take into account any other system to which the fax data may have been transmitted after being processed by the XMediusFAX Cloud service. For example, this may include mailboxes, folders or any other application.

Protect your fax data

For security reasons, and according to PII regulations, the fax data that you process should be protected at all times – at rest and in transit.

Protect data in transit

PII fax data should be protected during its transmission within your corporate environment and through the Internet, to and from the XMediusFAX Cloud service.

As such, XMedius ensures that the Web applications used by XMediusFAX Cloud are configured to work over HTTPS, and the XMedius Cloud mail servers are set up to support TLS (provided your own mail servers are configured to use it – see below).

On your side, this may additionally imply the following:
  • Set up your email transport to use TLS, to protect any email flow involved in your fax processing.
  • Use SFTP, FTPS or SCP if you have to set up fax flows using FTP locations as folder destinations (external to the XMediusFAX Cloud service).
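The two rules above can be turned into a simple configuration audit. The following script is an added example (not part of this article or of the XMediusFAX product); it checks a constructed description of a fax flow for plaintext FTP folder destinations and for mail transports without TLS. The flow structure, the hypothetical `verify_cert` setting and the sample hostnames are assumptions, and the certificate-verification check goes slightly beyond the article, which only asks for TLS to be enabled.

```python
"""Audit fax-flow destinations against the in-transit protection rules."""
from urllib.parse import urlparse

# Transports the article accepts for external folder destinations.
SECURE_FOLDER_SCHEMES = {"sftp", "ftps", "scp"}


def audit_folder_destination(url):
    """Return a finding for a folder destination URL, or None if it is acceptable."""
    scheme = urlparse(url).scheme.lower()
    if scheme in SECURE_FOLDER_SCHEMES:
        return None
    if scheme == "ftp":
        return f"{url}: plain FTP exposes fax content in transit; use SFTP, FTPS or SCP"
    if scheme == "file":
        # Local or mounted folder: covered by the encryption-at-rest rules, not by this check.
        return None
    return f"{url}: unrecognised transport '{scheme}', review before sending PII faxes to it"


def audit_mail_transport(name, settings):
    """settings is a dict with 'tls' (bool) and an optional 'verify_cert' (bool)."""
    findings = []
    if not settings.get("tls"):
        findings.append(f"{name}: email transport without TLS; enable TLS/STARTTLS")
    elif not settings.get("verify_cert", False):
        # Extra caveat beyond the article: TLS without certificate checks can be downgraded.
        findings.append(f"{name}: TLS enabled but the server certificate is not verified")
    return findings


def audit_fax_flow(flow):
    """Collect all findings for one fax flow description."""
    findings = []
    for url in flow.get("folder_destinations", []):
        finding = audit_folder_destination(url)
        if finding:
            findings.append(finding)
    for name, settings in flow.get("mail_transports", {}).items():
        findings.extend(audit_mail_transport(name, settings))
    return findings


# Constructed sample flow: one secure and one plaintext folder, one good and one bad relay.
SAMPLE_FLOW = {
    "folder_destinations": ["sftp://archive.example.internal/faxes",
                            "ftp://legacy.example.internal/inbox"],
    "mail_transports": {"corporate-smtp": {"tls": True, "verify_cert": True},
                        "legacy-relay": {"tls": False}},
}

if __name__ == "__main__":
    for finding in audit_fax_flow(SAMPLE_FLOW):
        print(finding)
```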

Encrypt data at rest

PII fax files should be encrypted on the server where the fax data is stored during the retention period.

As such, XMedius ensures that the file systems hosting your XMediusFAX Cloud data – including backup locations – are set up to use the highest encryption standards.

On your side, be aware that you should additionally encrypt any storage destination – not managed by the XMediusFAX service – that you may have included in your fax processing flow (for example, remote folder destinations or other systems/applications).

Note: If you have a backup mechanism involving local fax data folders, do not forget to include the backup locations in your encryption process.

Keep your systems up to date

In the context of PII processing, the security of systems is a critical topic to monitor carefully.

As such, XMedius keeps the systems hosting the XMedius Cloud platform and services up to date in accordance with its policies, by always applying the latest security fixes and improvements produced by the software industry and by its own development team.

On your side, it is always recommended to additionally keep all your user workstations up to date:
  • By applying OS security updates as soon as they are released.
  • By maintaining any of your XMediusFAX client software up to date – note that you can subscribe to receive email notifications when XMedius Cloud services and client tools are updated (go to https://support.xmedius.com/hc/en-us/sections/207217288-Change-History and use the Follow option at the top right of the page).