Security of Pckgr

All applications found on Pckgr are obtained using Microsoft Winget.

Microsoft Winget has measures in place to keep its repository of applications secure. These security measures will reduce the possibility of malicious software entering its database and by extension, to the target machine. Microsoft does this by vetting applications prior to becoming available on Winget with methods such as SHA256 Hash validation, static analysis and Smart Screen.

• Smart Screen provides screening and highly personalized background checks on the Winget repository to ensure only secure and compliant applications are available on the Winget platform.

• SHA256 Hash Validation provides a one way cryptographic signature, securing each Winget application, so as to minimise likelihood of malware occurrence.

• Static Analysis is used to debug the application source code before it becomes available on Winget. The application will be examined by analysing it with a set of coding rules.

An additional benefit of using Microsoft's Winget repository is that it is widely used and trusted, so a possible issue would be identified and rectified very quickly. Each application pushed to Winget Repository must complete the installer validation testing using the Azure pipelines.

We ensure a secure application packaging and upload process by hosting all applications on servers hosted in Microsoft Azure, which are closed off from external access. These servers are regularly patched and do not have any third-party software installed.

The packages are hosted using an Azure Storage account that is only accessible to the uploading servers and Azure Functions responsible for delivery. We utilize premium tier Azure Functions for delivering the package to your Intune Tenant. This approach helps ensure that our packages are uploaded securely and delivered to our Intune Tenant in a controlled and protected environment.

Pckgr is hosted via Amazon Web Services (AWS).

• AWS also has auditing capacity to monitor and detect activity and requests on the account.

• AWS provides server-side encryption (with three key management options: SSE-KMS, SSE-C, SSE-S3) and also client-side encryption for data uploads.

• AWS supports checksum algorithms (SHA-1, SHA-256, CRC32, or CRC32C) to examine data integrity on user uploads and downloads.

• AWS provides Trusted Advisor. It has three related checks:

  • Logging configuration of Amazon S3 buckets

  • Security checks for Amazon storage buckets that have open access permissions

  • Fault tolerance checks for Amazon S3 buckets that don't have versioning enabled, or have versioning suspended

• Amazon storage objects, buckets and related sub-resources are confidential, only the AWS account that created it can access it.

By using this premium database, Pckgr ensures security and maximum accessibility of the applications available.

Pckgr’s Private Repository ensures robust security by hosting all application installers on its private infrastructure within Microsoft Azure and AWS environments. These servers are isolated from external access, regularly patched, and protected with advanced encryption protocols, including server-side and client-side encryption, as well as integrity checks using SHA-1 and SHA-256 algorithms.

Each application undergoes comprehensive malware scanning and version validation during packaging to ensure the integrity and reliability of deployments. By removing dependencies on external vendor URLs, this repository mitigates risks associated with broken links or malicious updates.

Furthermore, access to hosted applications is controlled through secure delivery mechanisms like Azure Functions and Microsoft Delivery Optimization, providing a safe and efficient deployment experience while maintaining stringent compliance with data protection and privacy standards.

Pckgr does not collect or process any customer data beyond what is strictly necessary for the operation of its services. Specifically:

Application Management Only: Pckgr's core functionality is focused on deploying applications through Microsoft Intune and managing software updates. This process operates entirely within the customer's Intune environment, ensuring that Pckgr does not access, view, or store sensitive company data or end-user information.

No User Data Collection: Pckgr does not access employee or user data within the organizations using its platform. All operations are limited to managing application packages and deployment workflows, which are handled without requiring access to personal or sensitive information.

Pckgr leverages reputable third-party providers to handle ancillary functions such as billing, hosting, and analytics. These providers are independently GDPR-compliant, ensuring that all data processing on behalf of Pckgr adheres to regulatory standards:

Billing (Stripe): All payment data is securely processed by Stripe, a GDPR-compliant platform that employs advanced encryption and fraud monitoring. Pckgr does not store or access any payment details.

Hosting (Azure and AWS): Pckgr's application packages and infrastructure are hosted on Microsoft Azure and Amazon Web Services (AWS), both of which are GDPR-compliant and provide robust security measures, including encryption, access controls, and regular audits.

Analytics (Google Analytics): Website usage data is collected anonymously using cookies and is managed in compliance with GDPR requirements. Users have the option to control cookie settings directly from their browsers.

Pckgr emphasizes customer ownership and control over all data:

No Data Storage: Pckgr does not store any customer data in its systems, aside from operational metadata necessary for service delivery, such as telemetry data for error tracking and subscription information.

Self-Contained Environments: All deployments and configurations occur within the customer’s Microsoft Intune environment, ensuring complete isolation from Pckgr’s systems.

Because Pckgr does not handle personal or company data:

Data Subject Rights (Access, Deletion, Portability): GDPR rights, such as the right to access or delete personal data, are not typically applicable to Pckgr since no personal or sensitive customer data is processed or stored within its systems.

Data Breach Notifications: Pckgr’s limited data processing scope reduces the risk of data breaches. In the event of a breach affecting operational metadata (e.g., telemetry data), Pckgr would notify affected users within 72 hours, adhering to GDPR standards.

Pckgr’s systems are built with privacy at their core:

Minimal Permissions: Pckgr operates on the principle of least privilege, only requiring the permissions necessary to deploy and manage applications within Intune.

No Processing of User Data: By design, Pckgr avoids any interaction with personal or sensitive user data.

Secure Infrastructure: All hosted data and services are encrypted, patched regularly, and monitored for unauthorized access.

While Pckgr’s GDPR obligations are limited, the company maintains transparency and accountability by:

• Clearly communicating its data practices through a privacy policy.

• Leveraging GDPR-compliant third-party processors for all datahandling needs.

• Ensuring that any metadata collected, such as telemetry data, is processed securely and retained only as long as necessary for operational purposes.