Maximum data protection and data security.

Paperless is made and hosted in Germany. Our top priority is to protect the data of European businesses.

Fully GDPR-compliant

Servers & Hosting

All Paperless servers are located in Germany

Hosted in Germany: Paperless is one of the few providers hosted exclusively on German servers.

Server location: Our servers are located in Nuremberg and Falkenstein in Vogtland, Germany within the European Union. This guarantees that our customers’ and users’ data will never leave the EU.

Data center security: The technical facilities are ISO/IEC 27001 certified. ISO/IEC 27001 is an internationally recognized standard for evaluating the security of information and IT environments.

EU REGULATIONS

Solely European subcontractors

EU privacy laws: Keeping data within the EU is crucial for “Schrems II”-compliant data processing and data protection. Paperless therefore only uses subcontractors, e.g. for the server infrastructure, that are based in the EU and over which no control can be exercised from outside the EU.

Legally binding eSignatures

Electronic signatures are legally recognized in most countries (including the US and the European Union). In the EU, they are provided for in eIDAS Regulation No. 910/2014 and implemented via country-specific local laws. For example, in Germany the so-called Trust Services Act (Vertrauensdienstegesetz - VDG) aims to facilitate the use of electronic trust services.

Paperless Audit Trail: Legally compliant and sealed

All Paperless documents come with a detailed, complete, and traceable description of all operations that are carried out during the document’s lifecycle (e.g. dispatch, data submission, signing, completion, sealing). It contains the date and time of the operation, the type of operation, all data captured with the operation, and identification of the person who performed the operation.

Non-repudiation

The audit trail includes a digital certificate that provides non-repudiation for all documents generated and signed using Paperless.

Integrity

A cryptographic seal included in the audit trail prevents any type of alteration of the completed document by encoding a file-specific hash. Paperless verifies the integrity of a given document by comparing the document’s hash with the one stored securely on Paperless’ servers.

Authenticity

The Paperless audit trail additionally includes a visual certificate of the document’s origin and means of verification of the authenticity of a given document.

How document recipients & signees use Paperless

Authentication

Paperless offers multiple authentication options for signers including a secure link via email or direct integration into existing secure applications.

Documentation

Everything that is sent to Paperless’ servers is documented unalterably and systematically. All metadata, such as User-Agents, IP addresses and timestamps down to the millisecond, is logged.

Data Validation

All data entered by recipients and signees is checked both on the client-side and on the server-side for completeness, integrity and correctness.

SSL encryption

All data and personal information sent to or from Paperless is encrypted in transit using industry-standard 256-bit encryption with a 2048-bit RSA key.

Enterprise ready

Identity Management: Automatic user (de-)provisioning via SCIM and user authentication via Single Sign-On (OAuth / OpenID Connect / AD FS) for excellent security compliance.

Access Management: With Role-Based Access Control (RBAC) you can rest assured that only the authorized people within your organization and approved integrations can access your information in Paperless.

Password Policies: Precise rules on the strength of passwords provide a high level of protection against unauthorized access.

SLA: Service level agreements regarding availability: Paperless is extremely committed to a high availability of the platform and assures this through a service level agreement.

TECHNOLOGY

How we build Paperless

Access Control: All system access is limited to a minimal group of people based on the least-privilege principle, with multiple layers of secured authentication required for all critical systems.

Physical Security: Around-the-clock onsite security with strict physical access control, such as badge access and manned public entrances, that complies with industry standards.

Training: All Paperless employees are trained regularly in security and data protection topics like data handling and storage, GDPR compliance or social engineering attack vectors.

Code Review: We enforce formal code reviews for all application code to minimize chances of bugs with possible security implications.

BULLETPROOF SECURITY

Monitoring and constant improvement

Logging: All access to Paperless is logged and stored for six months, after which it is automatically deleted. Document submission activities are stored indefinitely and included in the audit trail.

Testing: Thousands of automated software tests are run continuously to detect bugs and minimize the risk of software regressions.

Monitoring: Active monitoring of all hardware, network, platform applications, and tooling ensures the high availability and performance of Paperless. With extensive error reporting and tracing, any problem that occurs is reported automatically to our tech team. Automated 24/7 alerting guarantees that in the event of a problem, we will start to work on a mitigation immediately.

Pentesting: Testing and validation of Paperless Security by a third-party penetration tester to further protect the platform from attacks and security breaches is planned for Q1/24.
