Built on trust, evidenced by practice.
PaxHub helps EU producers and brand owners meet PPWR readiness and national EPR reporting obligations. Our customers entrust us with packaging and supplier data — and the people behind it. This page sets out, in plain terms, how we protect that data and the framework we operate within.
Infrastructure & data residency
PaxHub runs exclusively on Amazon Web Services in the European Union. AWS provides the underlying infrastructure under its certified controls; we operate the platform layer.
EU-only hosting
Primary region: eu-west-1 (Ireland). Secondary region: eu-central-1 (Frankfurt) for residency requirements.
AWS attestations
ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, BSI C5 (Germany) — reviewable in AWS Artifact.
Multi-AZ resilience
Multi-AZ deployment by default. Cross-region disaster recovery available on request.
Data protection & encryption
- Encryption in transit: TLS 1.2+ enforced · TLS 1.3 supported · HSTS
- Encryption at rest: AES-256 · AWS KMS-managed keys · CMK on request
- Backups: Daily snapshots · 35-day point-in-time recovery · S3 versioning
- Audit logging: User-level audit trail · CloudTrail · streamable to customer SIEM
- Recovery objectives: RTO 4 hours · RPO 2 hours (standard tier)
Identity & access
Role-based access control
Viewer · Editor · Admin · Super Admin, with per-tenant configurability and a least-privilege model.
Multi-factor authentication
TOTP enforced for administrative and privileged accounts. Recovery codes supported.
Single sign-on
SAML 2.0 SSO available within 2–4 weeks of contract signing. Tested against Entra ID, Okta, and ADFS.
Privileged access
Just-in-time elevated access. No standing production credentials held by individuals. Full audit trail.
Privacy & GDPR
We operate under a documented GDPR compliance framework. Personal data processed by PaxHub is limited to business-contact data for platform users.
- Records of Processing Activity: GDPR Art. 30 · maintained
- Data Processing Agreement: EU Standard Contractual Clauses
- Data Subject Requests: GDPR Art. 12–22 · documented procedure
- Breach notification: Supervisory authority within 72 hours · customer within 24 hours
- Sub-processors: Register maintained · changes notified per DPA
- Data deletion on exit: Certificate of deletion issued within 30 days
Application security
Continuous scanning
SAST, dependency scanning, container image scanning, and periodic DAST integrated into our SDLC.
Web application firewall
AWS WAF with managed OWASP rule sets. Rate-limiting and bot control configurable per tenant.
Patching SLAs
Critical < 7 days · High < 30 days · Medium < 90 days, from CVE publication.
Secure SDLC
Code review on every change. Three-environment deploy pipeline. Zero-downtime releases.
Compliance & assurance
We are transparent about where we are on the formal certification journey. PaxHub is a newer EU platform; we have invested in security architecture and documentation ahead of third-party attestation, with a costed roadmap to certification.
GDPR framework
ROPA, DPA, sub-processor register, DSR procedure, retention schedule.
Information Security Policy
ISMS documented against ISO 27001 Annex A. Reviewed annually by leadership.
Incident Response Plan
Detection, triage, containment, recovery, post-incident review. Named roles.
CSA STAR Registry
CAIQ self-assessment in finalisation. Submission to public registry imminent.
Independent pen test
Third-party penetration testing scheduled within the next 12 months.
SOC 2 & ISO 27001
SOC 2 Type I within ~12 months. ISO 27001 certification on the 12–18 month horizon.
Reporting a security concern
If you believe you have identified a security vulnerability or wish to report a suspected incident affecting PaxHub, please contact our security team. We acknowledge reports within one business day.
- Security contact: [email protected]
- Acknowledgement: Within 1 business day
- Customer notification of incidents: Within 24 hours of confirmation
Need deeper assurance for procurement?
We share our full security pack — policies, architecture, DPA, sub-processor register — under NDA with prospective and active customers. We are also glad to host a security deep-dive with your team.
Last reviewed: [May 2026]. This page is reviewed at least quarterly and on material change. RegSurance B.V., established in the Netherlands. For data protection enquiries: [email protected].
