Trust & Governance Center

Learn how PackC Systems, Inc. guarantees security compliance, software licensing integrity, and data sovereignty.

Security Architecture

Last updated: July 15, 2026
Air-Gapped CoreRuns offline inside Kubernetes/Docker.
Data IsolationResides entirely on your host nodes.
Encrypted KeysCredentials are fully encrypted locally.
SOC 2 Type II Compliance: All containerized distributions align with SOC 2 Type II guidelines. Security controls are audited regularly on our build nodes.

1. The Self-Hosted Paradigm

PackCPQ is engineered to address the critical vulnerability of modern SaaS tools: pricing and margins leakage. By forcing the entire quotation runtime to live inside your firewalls, we ensure that:

  • No telemetry contains customer PII or raw fabrication cost data.
  • Database ports are closed to the public internet.
  • You manage your own backups, disaster recovery, and server keys.

2. Container Isolation & Blueprints

Our containerized engine conforms to strict security benchmarks:

  • Minimalist Base Images: PackCPQ container images are built on distroless or Alpine Linux baselines, reducing the threat vector by eliminating unnecessary tools.
  • Non-Root Execution: Containers run exclusively as non-root users (`UID 10001`), protecting the host node from runtime escalations.
  • Network Policies: We provide default Kubernetes NetworkPolicy templates to block all outbound traffic except for your local ERP DB connections and licensing checks.

3. API & Communications Security

Integrations are protected using robust cryptographic standards:

  • Mutual TLS (mTLS): Local gRPC connections between PackCPQ and your ERP system support mutual TLS to validate nodes on both ends.
  • Bearer Token Authorization: Rest webhooks require cryptographically signed Bearer tokens to confirm authenticity.
  • Licensing Validation Check: Our licensing checkin API runs via outbound HTTPS connection utilizing TLS 1.3. It transmits ONLY license keys and plant counts; no customer data is ever sent.

4. Role-Based Access Control (RBAC)

Administrators can define permissions profiles natively to separate user roles:

  • Sales Representative: Read-only access to custom quotes; cannot view board cost pricing models or modify margins.
  • Cost Estimator: Read-write access to pricing models and folding configurations; cannot access billing profiles.
  • Administrator: Full root access to configurations, audit logs, and integrations.

5. Vulnerability Disclosures

We are committed to rapid response for security findings. If you discover a vulnerability in our container builds or core engine, please contact us immediately:

Security Incident Team[email protected]