# Security of Pckgr

Pckgr is a Software-as-a-Service (SaaS) platform designed to simplify application deployment and lifecycle management through Microsoft Intune.

Security, privacy, and operational reliability are key design principles of the platform. Pckgr is designed to maintain a minimal data footprint and focuses on application deployment management rather than customer business data processing.

Pckgr operates using a least-privilege access model, cloud-hosted infrastructure, secure package distribution, role-based access controls, code signing, and monitoring processes to support the secure delivery of applications to customer environments.

### Download Pckgr's Security Overview for Onboarding

{% file src="/files/ekY81Eo1aiM8IPjRmpdH" %}

***

## Security Compliance Program

Pckgr was designed with security, privacy, and operational governance principles as foundational requirements of the platform. These principles continue to guide the development, operation, and ongoing improvement of the service.

Pckgr currently operates under a third-party Information Security Management System (ISMS) platform and maintains documented policies, procedures, risk management processes, access controls, incident response processes, supplier management practices, and security governance activities as part of its ongoing security program.

Pckgr is currently undergoing an ISO 27001 certification audit. As part of this process, security controls, policies, procedures, and operational practices are being independently assessed against the ISO 27001 standard. Independent security testing, including penetration testing, forms part of the overall certification program.

In addition to ISO 27001 certification activities, Pckgr aligns elements of its security and privacy program with selected SOC 2 and GDPR principles where appropriate. These alignment activities are intended to support continuous improvement of security, privacy, risk management, and operational governance practices and do not currently form part of a formal certification or attestation program.

Pckgr regularly reviews and improves its policies, procedures, and technical controls to support the ongoing security, reliability, and resilience of the platform.

Upon successful completion of the ISO 27001 certification process, certification details will be made available to customers.

***

## Customer Tenant Access and Permissions

Pckgr follows the principle of least privilege when requesting permissions to connect to a customer's Microsoft Intune environment.

Customers approve permissions based on the Pckgr features they choose to enable.

For general Pckgr application deployment functionality, customers grant permissions through an enterprise application registration. These permissions allow Pckgr to publish and update applications into the customer's Microsoft Intune tenant for deployment to managed devices.

Pckgr is a browser-based SaaS platform and does not install or operate an agent on customer devices.

### Policy Manager

If enabled, Pckgr requires permission to read Intune policy information so the feature can display and manage policy-related data.

### Security Dashboard

If enabled, Pckgr requires permission to read Microsoft Defender vulnerability data so the feature can display relevant security and exposure information.

Pckgr does not have read or write access to:

* Customer business documents
* Customer email content
* End-user files
* Device-local files
* Customer-managed business content

Application deployment activities occur within the customer's Microsoft Intune environment, ensuring customer business data remains under the customer's control.

***

## Authentication and Access Control

Pckgr implements authentication, authorization, and access control mechanisms designed to protect customer environments, customer information, and administrative functions.

Customers can manage access to their Pckgr environment through Single Sign-On (SSO), two-factor authentication (2FA), and role-based access controls.

### Customer Authentication

Pckgr supports Single Sign-On (SSO) through Microsoft Entra ID (Azure AD), allowing customers to authenticate using their existing identity provider and associated security controls.

For customers using native Pckgr authentication, two-factor authentication (2FA) is supported through phone-based verification, providing an additional layer of protection for user accounts.

Customers using Microsoft Entra ID SSO may enforce Multi-Factor Authentication (MFA) through their organisation's Microsoft Entra ID policies, including Conditional Access and other identity governance controls.

### Role-Based Access Control (RBAC)

Pckgr uses Role-Based Access Control (RBAC) to manage permissions within the platform.

Customer administrators can control user access by assigning roles and restricting access to specific company tenants.

Access can be restricted based on:

* Company (tenant)
* User role

These controls help customers ensure users only have access to the environments and functionality required for their responsibilities.

### Least Privilege Access

Pckgr applies the principle of least privilege across both customer-facing and internal administrative functions.

Users are only granted access to the information and functionality required to perform their responsibilities.

### Internal Employee Access Controls

Pckgr applies the same security principles internally that it provides to customers.

Access to customer information, operational systems, administrative tools, and supporting infrastructure is restricted to authorised personnel whose roles require such access.

Access is granted on a least-privilege basis and reviewed as part of ongoing operational and security processes.

Pckgr enforces Multi-Factor Authentication (MFA) for internal access to company systems, administrative platforms, and security-sensitive resources.

### Billing and Payment Security

Pckgr utilises Stripe as its payment processing provider.

Payment card information is processed and stored directly by Stripe and is not stored, processed, or accessible within Pckgr systems.

By leveraging a specialist payment processor, Pckgr minimises its exposure to sensitive financial information while benefiting from Stripe's established security controls and compliance programs.

***

## Application Security

### Private Repository

Pckgr maintains a private repository used to host and distribute application packages through controlled infrastructure.

By hosting application installers within its own repository, Pckgr reduces reliance on third-party vendor download locations and helps ensure package availability, consistency, and integrity throughout the application lifecycle.

### Package Validation and Malware Scanning

Before applications are published to the repository, packages undergo validation processes designed to verify package integrity and deployment readiness.

These processes include:

* Malware scanning
* Version validation
* Installation validation
* Package verification

These controls help ensure the integrity, reliability, and consistency of distributed application packages.

### Code Signing

Pckgr digitally signs distributed packages to provide authenticity and integrity validation.

Code signing helps customers verify that:

* Packages originate from a trusted source
* Packages have not been modified after publication
* Package integrity can be independently verified

This provides an additional layer of protection against tampering and unauthorised modification.

Pckgr uses a DigiCert-issued code signing certificate to sign distributed packages.

Customers may download the public certificate to independently validate package signatures or add Pckgr as a trusted publisher within their environment.

#### Downloading the Public Certificate

{% file src="/files/7O6Asfdo58hWx9hAPxys" %}

#### Trusted Publisher Configuration

Customers may optionally add the public certificate to their Trusted Publishers certificate store to streamline signature validation and software deployment workflows.
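One way to carry out the validation described under Code Signing and Trusted Publisher Configuration, as an added example rather than Pckgr's own tooling. It assumes the package is an Authenticode-signed file (for example `.exe`, `.msi` or `.ps1`) and that the public certificate has been saved locally; both paths and the function name are placeholders.

```powershell
# Added example: paths are placeholders, not Pckgr file names.
param(
    [string]$PackagePath   = 'C:\Temp\package-under-test.exe',  # placeholder
    [string]$PublisherCert = 'C:\Temp\publisher-public.cer',    # placeholder
    [switch]$TrustPublisher   # import the certificate only when asked to
)

function Test-PackageSigner {
    param([string]$Path, [string]$CertPath)

    # Load the downloaded public certificate that the signer is pinned to.
    $expected = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

    # Status is 'Valid' only if the file hash matches the signature and the
    # certificate chain builds to a trusted root on this machine.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate

    # A valid signature from some other publisher must not pass, so the
    # signer thumbprint is compared with the expected certificate as well.
    $match = [bool]($signer -and $signer.Thumbprint -eq $expected.Thumbprint)

    [pscustomobject]@{
        File            = $Path
        Status          = $sig.Status
        SignerSubject   = if ($signer) { $signer.Subject } else { $null }
        SignerIssuer    = if ($signer) { $signer.Issuer } else { $null }
        NotAfter        = if ($signer) { $signer.NotAfter } else { $null }
        Timestamped     = [bool]$sig.TimeStamperCertificate
        ThumbprintMatch = $match
        Trusted         = ($sig.Status -eq 'Valid') -and $match
    }
}

$result = Test-PackageSigner -Path $PackagePath -CertPath $PublisherCert
$result | Format-List

if (-not $result.Trusted) {
    Write-Error "Signature check failed: status=$($result.Status), thumbprint match=$($result.ThumbprintMatch)"
    exit 1
}

if ($TrustPublisher) {
    # Requires an elevated session; affects every user on the device.
    Import-Certificate -FilePath $PublisherCert `
        -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null
}
```

Pinning the thumbprint means the check must be updated whenever the publisher renews its certificate. Adding a certificate to Trusted Publishers tells Windows to accept anything signed with it without prompting, so confirm the downloaded certificate's issuer and subject before importing it.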

### Controlled Distribution

Applications are distributed through Pckgr-managed infrastructure rather than directly from external vendor URLs.

This reduces risks associated with unavailable download locations, unexpected installer changes, or third-party distribution issues.

### Repository Security

Access to repository infrastructure is restricted to authorised systems and personnel.

Repository-hosted content is managed through controlled operational processes designed to support the confidentiality, integrity, and availability of application packages.

***

## Infrastructure Security

Pckgr utilises Microsoft Azure and Amazon Web Services (AWS) to support application hosting, storage, package delivery, and platform operations.

These providers were selected based on their established security programs, operational maturity, and ability to support enterprise-grade security requirements.

Pckgr leverages the security capabilities provided by these platforms as part of its overall security architecture.

### Hosting Locations

Pckgr services and supporting infrastructure are hosted within Microsoft Azure and Amazon Web Services (AWS) environments located in the United States.

Application hosting, storage, delivery infrastructure, and supporting platform services operate within US-based cloud environments provided by approved third-party hosting providers.

### Infrastructure Protection

Pckgr applies security controls designed to protect hosted systems and services, including:

* Restricted administrative access
* Least-privilege access controls
* Multi-Factor Authentication (MFA) for administrative access
* Infrastructure monitoring and logging
* Regular maintenance and patching activities
* Controlled deployment and change management processes

### Third-Party Hosting Providers

Pckgr evaluates third-party service providers based on their security posture, operational maturity, compliance programs, data protection practices, and ability to support enterprise-grade security requirements.

Providers are selected only where they meet Pckgr's security and operational standards for hosting customer-facing services and supporting infrastructure.

***

## Data Protection and Privacy

### Data Minimisation

Pckgr follows a data minimisation approach and only processes information required to deliver its services.

### Operational Data Stored

Pckgr stores limited operational information including:

* User email addresses
* Company names
* Company addresses
* Tenant identifiers
* Application deployment metadata
* Platform activity logs
* Subscription and operational service information

### Data Not Stored

Pckgr does not store or process:

* Customer business documents
* End-user files
* End-user content
* Customer-managed business data
* Payment card information

Payment card information is processed directly by Stripe.

### Customer Environment Isolation

Application deployments and configurations occur within the customer's Microsoft Intune environment.

Pckgr is designed to avoid processing customer business data and end-user content as part of normal platform operations.

***

## GDPR Alignment

Pckgr is an Australian-based company and recognises the importance of data protection and privacy obligations for customers operating within the European Union and United Kingdom.

Pckgr is currently progressing GDPR alignment activities as part of its broader security and compliance program.

Pckgr maintains a minimal data footprint approach and utilises GDPR-aligned service providers for infrastructure hosting and payment processing.

In the event of a security incident affecting operational data, Pckgr maintains processes for assessing impact and notifying affected customers where appropriate.

***

## Logging and Monitoring

Pckgr implements logging and monitoring across platform and infrastructure layers.

Monitored activities include:

* Authentication events
* Access events
* Administrative actions
* Configuration changes
* Infrastructure activity

Monitoring and alerting processes are used to support the identification and investigation of unusual or unauthorised activity.

***

## Incident Response

Pckgr maintains internal processes for identifying, assessing, containing, and remediating security incidents.

Incident response activities include:

1. Assessment of scope and impact
2. Containment of the issue
3. Remediation activities
4. Recovery and validation
5. Customer notification where applicable

These processes support the timely management of security events and continuous improvement of security practices.

***

## Use of Artificial Intelligence

Pckgr uses Artificial Intelligence (AI) in a limited and controlled manner to support internal workflows such as application analysis and packaging activities.

Pckgr's use of AI follows these principles:

* AI is only used on publicly available or internally generated information
* AI is not used on customer environments
* AI is not used on customer business data
* AI-generated outputs are reviewed and validated prior to deployment

Pckgr does not use customer data to train or improve AI models.

***

## Subprocessors

Pckgr uses a limited number of trusted third-party service providers ("subprocessors") to support the delivery, hosting, operation, and billing of its services.

Subprocessors are selected based on their security posture, operational maturity, reliability, and ability to support enterprise-grade security and data protection requirements.

| Provider                  | Purpose                                                   | Data Processed                                                                    | Location      |
| ------------------------- | --------------------------------------------------------- | --------------------------------------------------------------------------------- | ------------- |
| Microsoft Azure           | Application hosting, storage, and delivery infrastructure | Operational data including tenant identifiers and application deployment metadata | United States |
| Amazon Web Services (AWS) | Website and platform hosting                              | Operational data and system logs                                                  | United States |
| Stripe                    | Billing and payment processing                            | Billing and payment information processed directly by Stripe                      | United States |

Pckgr follows a data minimisation approach and only shares information with subprocessors where required to support the delivery of services.

Pckgr does not provide subprocessors with access to customer business content, end-user files, or customer-managed business data as part of its normal operations.

Pckgr ensures subprocessors are subject to appropriate contractual obligations relating to confidentiality, security, privacy, and data protection requirements.

Pckgr may update its list of subprocessors from time to time as operational requirements evolve.

***

## Contact Information

For security-related questions, customer security reviews, or vendor assessment requests:

**Support**\
<support@intunepckgr.com>


