Request Demo Free Trial
Request Demo Free Trial
Request Demo Free Trial

Print Security That Starts With the Architecture

Print servers, local spoolers, and inbound firewall paths are where print attacks happen. ezeep doesn't harden them. It removes them. Cloud rendering runs on Microsoft Azure, independently audited under ISO 27001 and SOC 2, with jobs released only after user authentication at the device and no document data retained after printing. Built on ThinPrint technology, trusted by Fortune 500 organizations.

Start Free Trial TodayTalk to an Expert
cloud-based-printing-dashboard
Security

Security Controls for Modern Print Environments

Encryption, identity-based access, and audit-ready logging built into every print job.

Encrypted End-to-End, Retained Only When Necessary

Document data is encrypted in transit over HTTPS (TLS 1.3 supported, TLS 1.2 minimum) and at rest with AES-256 through Azure Storage Service Encryption. Pull Printing jobs are discarded after 72 hours if not released. Released jobs are deleted as soon as the print completes.

Identity Governs Every Step of the Way

Users authenticate through your identity provider before printing. Printer access is policy-driven, so a user only sees the devices they're entitled to. Pull Printing holds every job until the user authenticates at the deviceNobody prints or picks up a print without going through identity first.

No Path In, No Path Around

The ezeep Hub connects outbound only. No inbound firewall ports. No print server inside your network. No spooler exposed on endpoints. And no direct network path from user to printer, so no one bypasses ezeep to talk to hardware. The traditional attack surface for print is gone.

GDPR Compliant

GDPR and International Data Trasnfers

ezeepCampus is our standalone campus add-on for pay-to-print scenarios. It connects ezeeezeep operates under GDPR principles, including data minimization, defined retention, and lawful processing. For data leaving the EEA, UK, or Switzerland, ezeep Inc. is self-certified under the EU–U.S., Swiss–U.S., and UK Data Privacy Frameworks, with Standard Contractual Clauses in place as a fallback. ThinPrint GmbH (Berlin) is the data controller for EEA, UK, and Swiss customers; ezeep Inc. (Denver) is the controller for all other regions. 

Contact Data Protection Officer
ezeep-campus
Security

Compliance You Can Document

Contractual terms and governance controls for your security questionnaire.

Data Processing Addendum

A DPA is part of the standard contract terms and covers technical and organizational measures, breach notification, sub-processor commitments, and SCCs for international transfers. The DPA and Privacy Policy are both published at ezeep.com/legal.
Data Processing Addendum

ISO/IEC 27001

ezeep operates an Information Security Management System aligned with ISO/IEC 27001. Certification is in progress with an accredited body; scope and certificate details will be published here once issued. In the meantime, the Microsoft Azure platform ezeep runs on is already independently audited under ISO 27001, SOC 2, and GDPR.
ISO/IEC 27001

Security Governance

Production access is role-based and least-privileged. Production and non-production environments are separated. Logging and monitoring are centralized on the Azure platform. Incident response procedures are documented and exercised.
Security Governance

Document content isn't used to train AI

Customer document content is not used to train AI or machine learning models, and is not reused for product analytics. Operational telemetry, such as error rates and service performance data, is used to monitor reliability and improve the product.
Document content isn't used to train AI
Sub-Processors

Sub-Processors for ezeep

ezeep relies on a short, maintained list of sub-processors to deliver the service:

  • Microsoft Corporation - Azure hosting in the North Europe region (Ireland)
  • HubSpot Inc. - website, marketing, and customer relationship management
  • Freshworks Inc. - customer support (Freshdesk) and CRM (Freshworks CRM)
  • Cortado Holding AG - ezeep's parent company, for shared group business administration

Changes are notified to customers before they take effect, as specified in the DPA.

ezeep-campus
Security & Compliance

How We Think About Print Security

ezeep is built for to be secure for how your company prints.

Visibility Without Exposure

Every print job creates an audit record: user, printer, document name, page count, timestamp, and outcome. Records are available through the admin console for review, export, and reporting. Logs capture metadata, not content. The document name and routing details are recorded. The document itself never is. Compliance teams get the visibility they need, and the audit trail never becomes a place sensitive content could leak from.

What the Endpoint Doesn't Hold

The ezeep client installs one virtual driver. Every printer the user has access to prints through it, regardless of make or model. There are no per-printer driver packages, no spool files queued on disk, no cached documents waiting to be cleaned up. Once the application hands the job to ezeep, the document moves to the cloud and the endpoint is done with it. A lost or compromised device doesn't hold the document, because the device never held it in the first place.

No Print Spooler to Exploit

Every Windows admin remembers PrintNightmare (CVE-2021-34527). Most don't realize more than fifty more Print Spooler vulnerabilities have followed it since 2021. That's not a coincidence. The Windows Print Spooler runs as SYSTEM, accepts remote procedure calls, and loads third-party driver code at install. A service with that profile can be patched, but it can't be made safe. ezeep removes it. No spooler on the endpoint, no print server in the network, no driver to install. The attack class is gone, not just the bug.

No Vendor Driver to Exploit

Printer drivers ship with vulnerabilities. Canon disclosed CVE-2025-1268 in early 2025, and similar advisories from other printer makers land on a regular cadence. The pattern persists because the architecture does: every printer vendor ships their own driver code that runs with elevated trust on every endpoint that wants to print to that device. ezeep removes that layer. A single virtual driver hands jobs to the cloud, where rendering happens for the destination printer. The endpoint never installs a vendor-specific printer driver, and vendor driver CVEs stop being your problem.

Frequently Asked Questions

How does ezeep protect print data in transit and at rest?

Print data is encrypted in transit over HTTPS, with TLS 1.3 supported and TLS 1.2 enforced as the minimum across all public endpoints. Data at rest is encrypted with AES-256 through Microsoft Azure Storage Service Encryption, and key management is handled by the Azure platform under independently audited controls. Both protections apply to every print job throughout its lifecycle in the ezeep cloud.

How does ezeep authenticate users, control printer access, and protect the network?

Users authenticate through the customer's identity provider, either Microsoft Entra ID or Google Workspace, before printing is possible. Printer access is policy-driven, so each user only sees the printers they are entitled to, and Pull Printing re-verifies the user at the device through QR code or RFID/NFC card before releasing any document. The ezeep Hub uses outbound-only connections to the cloud, so no inbound firewall ports need to be opened inside the customer network and there is no print server or spooler exposed for attackers to reach.

Is ezeep affected by PrintNightmare or Windows Print Spooler vulnerabilities?

No. ezeep does not run a Windows Print Spooler on endpoints or operate a print server inside the customer network, so the spooler attack surface that PrintNightmare (CVE-2021-34527) and the more than fifty subsequent Print Spooler vulnerabilities have exploited does not exist in an ezeep deployment. The Windows Print Spooler runs as SYSTEM, accepts remote procedure calls, and loads third-party driver code at install. ezeep removes that whole layer rather than patching it.

What compliance frameworks and contractual safeguards does ezeep support?

ezeep operates under GDPR principles, including data minimization, defined retention, and lawful processing. For data leaving the EEA, UK, or Switzerland, ezeep Inc. is self-certified under the EU–U.S., Swiss–U.S., and UK Data Privacy Frameworks, with Standard Contractual Clauses in place as a fallback. A Data Processing Addendum covering technical and organizational measures, breach notification, and sub-processor commitments is part of the standard contract terms, available alongside the Privacy Policy at ezeep.com/legal. ezeep operates an Information Security Management System aligned with ISO/IEC 27001 with certification in progress; the underlying Microsoft Azure platform is already independently audited under ISO 27001, SOC 2, and GDPR.

What audit trails and reporting does ezeep provide?

Every print job creates an audit record that captures user, printer, document name, page count, timestamp, and outcome. Records are accessible through the ezeep admin console for review and reporting, and can be exported as CSV through the ezeep API or streamed in real time to external systems via webhooks. Audit logs hold metadata only. Document content is never written to them, so the audit trail itself never becomes a place sensitive information could leak from.

Back to top

Print Security Without the Print Server

ezeep replaces the legacy print stack with cloud-native architecture that holds up under the questions enterprise security teams actually ask. Get the security documentation, or talk to the team that built it.

ezeep-chart (1)