Paperless is made and hosted in Germany. Our top priority is to protect the data of European businesses.
Hosted in Germany: Paperless is one of the few providers hosted exclusively on German servers.
Server Location: Our servers are located in Nuremberg and Falkenstein in Vogtland, Germany within the European Union. This guarantees that our customers’ and users’ data will never leave the EU.
Data center security: The technical facilities are ISO/IEC 27001 certified. The ISO/IEC 27001 is an internationally recognized standard for evaluating the security of information and IT environments.
EU privacy laws: Data never leaving the EU is crucial for “Schrems II”-compliant data processing and data protection. Paperless therefore only uses subcontractors, e.g. for the server infrastructure, that are based in the EU and over which no control can be exercised from outside the EU.
Electronic signatures are legally recognized in most countries (including the US and the European Union). In the EU, they are provided for in eIDAS Regulation No. 910/2014 and implemented via country-specific local laws. E.g. in Germany the so-called Trust Services Act (Vertrauensdienstegesetz - VDG) aims to facilitate the use of electronic trust services.
All Paperless documents come with a detailed, complete, and traceable description of all operations that are carried out during the document’s lifecycle (e.g. dispatch, data submission, signing, completion, sealing). It contains the date and time of the operation, the type of operation, all data captured with the operation, and identification of the person who performed the operation.
The audit trail includes a digital certificate that provides non-repudiation for all documents generated and signed using Paperless.
A cryptographic seal included in the audit trail prevents any type of alteration of the completed document by encoding a file-specific hash. Paperless verifies the integrity of a given document by comparing the document’s hash with the one stored securely on Paperless’ servers.
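The seal-and-verify scheme described above, as an added illustration (not Paperless's own code): the audit-trail entries are hash-chained and bound to the document's hash, so changing the document, an entry, or the order of entries breaks the seal. Document bytes, trail entries and addresses are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample document and audit-trail entries, modelled on the fields
# the page lists (time, operation type, captured data, performing identity).
# Illustrative scheme only, not Paperless's actual implementation.
DOCUMENT = b"%PDF-1.7 constructed sample contract bytes"
TRAIL = [
    {"at": "2024-01-10T09:00:00.000Z", "op": "dispatch",
     "data": {"to": "signer@example.com"}, "by": "sender@example.com"},
    {"at": "2024-01-10T09:15:42.317Z", "op": "signing",
     "data": {"ip": "203.0.113.7"}, "by": "signer@example.com"},
    {"at": "2024-01-10T09:15:43.001Z", "op": "completion",
     "data": {}, "by": "system"},
]


def canonical(entry: dict) -> bytes:
    """Serialise an entry deterministically so the hash is independent of key order."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def seal(document: bytes, trail: list) -> str:
    """Hash-chain the trail entries, then bind the chain to the document's hash."""
    chain = hashlib.sha256(b"").digest()
    for entry in trail:
        # Each link covers the previous link, so reordering or editing any
        # entry changes every later link and therefore the final seal.
        chain = hashlib.sha256(chain + canonical(entry)).digest()
    doc_hash = hashlib.sha256(document).digest()
    return hashlib.sha256(doc_hash + chain).hexdigest()


def verify(document: bytes, trail: list, stored_seal: str) -> bool:
    """Server-side check: recompute the seal and compare it in constant time
    with the value kept on the provider's side."""
    return hmac.compare_digest(seal(document, trail), stored_seal)


# What the provider would store securely at completion time.
STORED_SEAL = seal(DOCUMENT, TRAIL)
```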
The Paperless audit trail additionally includes a visual certificate of the document’s origin and means of verification of the authenticity of a given document.
Paperless offers multiple authentication options for signers including a secure link via email or direct integration into existing secure applications.
Everything that is sent to Paperless’ servers is documented in an unalterable and systematic way. All metadata such as User-Agents, IP addresses and timestamps down to the millisecond are logged.
All data entered by recipients and signees is checked both on the client-side and on the server-side for completeness, integrity and correctness.
All data and personal information sent to or from Paperless is encrypted in transit using industry-standard 256-bit encryption with a 2,048-bit RSA key.
Identity Management: Automatic user (de-)provisioning via SCIM and user authentication via Single Sign-On (OAuth / OpenID Connect / AD FS) for excellent security compliance.
Access Management: With Role-Based Access Control (RBAC) you can rest assured that only the authorized people within your organization and approved integrations can access your information in Paperless.
Password Policies: Precise rules on password strength provide a high level of protection against unauthorized access.
SLA: Service level agreements regarding availability: Paperless is extremely committed to a high availability of the platform and assures this through a service level agreement.
Access Control: All system access is limited to a minimal group of people based on the least-privilege principle, with multiple layers of secured authentication required for all critical systems.
Physical Security: Around-the-clock onsite security with strict physical access controls, such as badge access and manned public entrances, that comply with industry standards.
Training: All Paperless employees are trained regularly in security and data protection topics like data handling and storage, GDPR compliance or social engineering attack vectors.
Code Review: We enforce formal code reviews for all application code to minimize chances of bugs with possible security implications.
Logging: All access to Paperless is logged and stored for six months after which it is automatically deleted. Document submission activities are stored indefinitely and included in the audit trail.
Testing: Thousands of automated software tests are run continuously to detect bugs and minimize the risk of software regressions.
Monitoring: Active monitoring of all hardware, network, platform applications, and tooling ensures the high availability and performance of Paperless. With extensive error reporting and tracing, any problem that occurs is reported automatically to our tech team. Automated 24/7 alerting guarantees that in the event of a problem, we will start to work on a mitigation immediately.
Pentesting: Testing and validation of Paperless’ security by a third-party penetration tester, to further protect the platform from attacks and security breaches, is planned for Q1/24.
Report a security or privacy vulnerability: All forms of responsible disclosure are welcomed. This includes any vulnerabilities found in Paperless products. Depending on the severity of the issue, we may award a bug bounty (please understand that we are still a young company with limited resources). You can submit your finding or any other product security related query to security@paperless.io.