Security & trust

Packaging compliance data deserves infrastructure-grade security.

PackR8 hosts Customer Data in the European Union, encrypts it in transit and at rest, enforces role-based access with MFA, and keeps an immutable 5-year audit trail — the baseline European producers need to pass EPR scheme audits and PPWR Article 26 verification.


Built for EU-regulated workloads

Primary hosting in Frankfurt / Amsterdam. Customer Data never leaves the EU in the default tenancy. Sub-processor list published and change-notified.

Encryption everywhere

TLS 1.2+ in transit (HSTS enforced). AES-256 at rest. Encrypted database backups, daily snapshots, 30-day retention.

Audit trail by default

Every packaging-record change captures who, when, and what — retained ≥5 years, immutable, exportable for regulator audits.

Infrastructure

Where the data lives and how it's protected.

A complete snapshot of the technical controls in place today. If you need a deeper dive (HLD, pen-test summary, sub-processor DPAs), email security and we'll share under NDA.

EU data residency
Primary hosting region Frankfurt (EU Central), with Amsterdam (EU West) as the failover region. Optional single-region pinning on request.
Encryption in transit
TLS 1.2+ enforced across all endpoints. HSTS + HTTP/2. Weak cipher suites disabled. SSL Labs A+ rating maintained.
Encryption at rest
AES-256 for databases, object storage, and backups. Envelope encryption with regional KMS. Keys rotated annually.
Network isolation
Private VPC, application tier has no public ingress. Database access via private networking only. WAF on public edges.
Identity & access
SSO via Google Workspace, Microsoft Entra, Okta. MFA required for admin access. RBAC with four built-in roles + custom roles.
Administrator access
Circular Vision staff access to production requires MFA + time-bound approval. All access is logged and reviewed quarterly.
Audit log
Append-only log of every packaging-record change, user sign-in, configuration change, and regulatory submission. Retained ≥5 years. Export as CSV / JSON.
Backups
Encrypted daily backups, 30-day rolling retention. Quarterly restore drills. RPO ≤24h, RTO ≤8h for tier-1 incidents.
Secrets management
All secrets (API keys, DB credentials, signing keys) are held in a managed vault and retrieved from it at runtime. They are never stored in code, config files, or environment variables readable by application code.
Vulnerability management
Automated dependency scanning on every build. Critical CVEs patched within 7 days. Annual third-party pen-test (report available under NDA).
Endpoint security
All Circular Vision work devices: full-disk encryption, MDM-managed, password manager mandatory, quarterly security training.
Change management
All production changes via pull request + peer review + CI checks. Migrations reviewed against data-loss impact. Rollback plan documented.
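The "Encryption at rest" item above names the technique (envelope encryption under a regional KMS, with periodic key rotation) without showing why rotation is cheap. The following Go program is an added illustration, not PackR8's own code: it assumes a stand-in in-process KMS (a real deployment would call the cloud KMS wrap/unwrap API and never see KEK bytes), AES-256-GCM for both layers, and the constructed record text in main. It shows a per-object data key (DEK) wrapped by a key-encryption key (KEK), rotation adding a new KEK version, and a re-wrap that rewrites only the small wrapped DEK while the bulk ciphertext stays untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what is stored per object: bulk ciphertext under a per-object data
// key (DEK) plus that DEK wrapped under a KEK. Both blobs are nonce || GCM output.
type Envelope struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// KMS stands in for the regional key service (an assumption of this example).
// keks[v-1] is KEK version v; call Rotate once before use. Old versions stay
// until every envelope has been re-wrapped, or older data becomes unreadable.
type KMS struct{ keks [][]byte }

func (k *KMS) Rotate() { k.keks = append(k.keks, randomBytes(32)) }

func (k *KMS) Wrap(dek []byte) (version int, wrapped []byte) {
	version = len(k.keks)
	return version, seal(k.keks[version-1], dek, []byte("dek"))
}

func (k *KMS) Unwrap(version int, wrapped []byte) ([]byte, error) {
	if version < 1 || version > len(k.keks) {
		return nil, fmt.Errorf("unknown KEK version %d", version)
	}
	return open(k.keks[version-1], wrapped, []byte("dek"))
}

// Encrypt draws a fresh DEK per object: no two objects share a key.
func Encrypt(kms *KMS, plaintext []byte) *Envelope {
	dek := randomBytes(32)
	ver, wrapped := kms.Wrap(dek)
	return &Envelope{KEKVersion: ver, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, nil)}
}

func Decrypt(kms *KMS, env *Envelope) ([]byte, error) {
	dek, err := kms.Unwrap(env.KEKVersion, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, nil)
}

// Rewrap moves an envelope to the current KEK; only the wrapped DEK is rewritten.
func Rewrap(kms *KMS, env *Envelope) error {
	dek, err := kms.Unwrap(env.KEKVersion, env.WrappedDEK)
	if err != nil {
		return err
	}
	env.KEKVersion, env.WrappedDEK = kms.Wrap(dek)
	return nil
}

// seal returns nonce || ciphertext || tag; GCM needs a fresh nonce per call.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}

// open rejects any modified blob: the GCM tag check fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("sealed blob too short")
}

// gcm and randomBytes fail only on a wrong key size or a dead CSPRNG; both are
// fatal here, so they panic through must instead of returning errors.
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	kms := &KMS{}
	kms.Rotate() // provision the first KEK
	env := Encrypt(kms, []byte("constructed packaging record"))
	kms.Rotate() // the annual rotation adds KEK version 2
	fmt.Println(Rewrap(kms, env), env.KEKVersion)
}
```

The point a practitioner should take from this: "keys rotated annually" in an envelope scheme means the KEK changes and every stored wrapped DEK is re-wrapped; the object ciphertext is not re-encrypted, and an envelope still pointing at a retired KEK version fails to decrypt, so the re-wrap sweep must finish before old versions are destroyed.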
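The "Audit log" item above promises an append-only, immutable, exportable record. "Append-only" on the write path is a permission; what makes an exported trail checkable by an auditor is a hash chain over the entries. The Go program below is an added example, not PackR8's implementation: it assumes SHA-256 chaining with tab-separated canonical fields, and the entries in main are constructed sample data. Verify catches an edited entry, an edited entry whose hash was recomputed (the next link breaks), and a deleted entry (sequence gap).

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is one audit record: who did what to which packaging record, and when.
// Hash covers PrevHash and every other field, which chains the entries together.
type Entry struct {
	Seq      int
	At       string // RFC 3339 timestamp
	Actor    string
	Action   string
	RecordID string
	Detail   string
	PrevHash string // hash of the previous entry, "" for the first one
	Hash     string
}

// canonical serialises the hashed fields with tab separators, escaping tabs and
// newlines inside values so a crafted value cannot forge a field boundary.
func canonical(e Entry) string {
	esc := strings.NewReplacer(`\`, `\\`, "\t", `\t`, "\n", `\n`).Replace
	return fmt.Sprintf("%d\t%s\t%s\t%s\t%s\t%s\t%s", e.Seq, esc(e.At), esc(e.Actor),
		esc(e.Action), esc(e.RecordID), esc(e.Detail), e.PrevHash)
}

func digest(e Entry) string {
	sum := sha256.Sum256([]byte(canonical(e)))
	return hex.EncodeToString(sum[:])
}

// AuditLog is append-only by construction: Append is the only mutator and there
// is no delete, so Verify can prove nothing was altered or dropped afterwards.
type AuditLog struct{ entries []Entry }

func (l *AuditLog) Append(at, actor, action, recordID, detail string) Entry {
	e := Entry{Seq: len(l.entries), At: at, Actor: actor, Action: action, RecordID: recordID, Detail: detail}
	if n := len(l.entries); n > 0 {
		e.PrevHash = l.entries[n-1].Hash
	}
	e.Hash = digest(e)
	l.entries = append(l.entries, e)
	return e
}

// Entries returns a copy, which is what a CSV/JSON export would be built from.
func (l *AuditLog) Entries() []Entry { return append([]Entry(nil), l.entries...) }

// Head is the hash an auditor records out of band to pin the log at a point in
// time; a later export must verify and end at this same hash.
func (l *AuditLog) Head() string {
	if len(l.entries) == 0 {
		return ""
	}
	return l.entries[len(l.entries)-1].Hash
}

// Verify recomputes every hash and link. It returns the index of the first bad
// entry and why, or -1 and nil when the chain is intact.
func Verify(entries []Entry) (int, error) {
	prev := ""
	for i, e := range entries {
		switch {
		case e.Seq != i:
			return i, fmt.Errorf("entry %d: sequence gap (seq %d)", i, e.Seq)
		case e.PrevHash != prev:
			return i, fmt.Errorf("entry %d: does not link to previous entry", i)
		case digest(e) != e.Hash:
			return i, fmt.Errorf("entry %d: fields do not match stored hash", i)
		}
		prev = e.Hash
	}
	return -1, nil
}

func main() {
	// Constructed sample records, not real customer data.
	var al AuditLog
	al.Append("2025-03-01T09:00:00Z", "anna@example.com", "record.update", "PKG-0042", "weight_g: 12 -> 11")
	al.Append("2025-03-01T09:05:00Z", "system", "submission.sent", "PKG-0042", "scheme=example")
	exported := al.Entries()
	exported[0].Detail = "weight_g: 12 -> 9" // someone edits history in the export
	_, err := Verify(exported)
	fmt.Println(err)
}
```

The chain only proves integrity relative to a trusted head hash: an insider who can rewrite the whole store can rebuild the chain, so the head should be anchored somewhere the application cannot overwrite (an auditor's notebook, a signed export, a write-once store) and compared on the next export.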
Incident response

If something goes wrong.

We run a documented incident response playbook covering detection, triage, containment, eradication, customer notification, and post-incident review.

Reportable GDPR breaches are notified to the Dutch Data Protection Authority within 72 hours of Circular Vision becoming aware of them, as GDPR Art. 33(1) requires. Where Circular Vision processes Customer Data on a customer's behalf, the customer is notified in parallel, without undue delay, via its designated data-protection contact (Art. 33(2)), so that the customer can meet its own 72-hour obligation as controller.

Customers can request the full incident response policy and the most recent tabletop-exercise summary under NDA.

Report a security issue

If you discover a vulnerability, misconfiguration, or suspicious behaviour, please email us — we respond within 24 hours on business days.

Please include: affected URL/endpoint, steps to reproduce, your assessment of severity, and whether you've shared the finding with anyone else.

We commit to a safe-harbour approach: responsible disclosure will not trigger legal action, provided you do not exploit the vulnerability or access Customer Data beyond what is necessary to demonstrate the issue.

security@packr8.com