Maximum data protection and data security.

Paperless is made and hosted in Germany. Our top priority is to protect the data of European businesses.

Fully GDPR compliant.
Servers & Hosting

All Paperless Servers are located in Germany.

Hosted in Germany: Paperless is one of the few providers hosted exclusively on German servers.

Server Location: Our servers are located in Nuremberg and Falkenstein in Vogtland, Germany within the European Union. This guarantees that our customers’ and users’ data will never leave the EU.

Data center security: The technical facilities are ISO/IEC 27001 certified. ISO/IEC 27001 is an internationally recognized standard for assessing the security of information and IT environments.

EU REGULATIONS

Solely European subcontractors.

EU privacy laws: Data never leaving the EU is crucial for "Schrems II"-compliant data processing and protection. Paperless therefore uses only subcontractors (e.g. for the server infrastructure) that are based in the EU and over which no control can be exercised from outside the EU.

Request list of subcontractors

Legally-Binding eSignatures.

Electronic signatures are legally recognized in most countries (including the US and the European Union). In the EU, they are provided for in eIDAS Regulation No. 910/2014 and implemented via country-specific local laws. In Germany, for example, the so-called Trust Services Act (Vertrauensdienstegesetz, VDG) aims to facilitate the use of electronic trust services.


Paperless Audit Trail: Legally secure and sealed

All Paperless documents come with a detailed, complete, and traceable description of all operations that are carried out during the document’s lifecycle (e.g. dispatch, data submission, signing, completion, sealing). It contains the date and time of the operation, the type of operation, all data captured with the operation, and identification of the person who performed the operation.


Non-repudiation

The audit trail includes a digital certificate that provides non-repudiation for all documents generated and signed using Paperless.


Integrity

A cryptographic seal included in the audit trail prevents any type of alteration of the completed document by encoding a file-specific hash. Paperless verifies the integrity of a given document by comparing the document’s hash with the one stored securely on Paperless’ servers.
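The page does not say how the seal is computed, so the following is an added illustration (not Paperless code) of the principle: a file-specific hash bound to the complete audit trail with a keyed HMAC, so that altering either the file or any trail entry invalidates the seal. The document bytes, trail entries and sealing key are all constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample data (not a real Paperless document or trail).
DOCUMENT = b"%PDF-1.7 constructed sample contract: Party A agrees to pay 1000 EUR to Party B."

# One entry per lifecycle operation: when, what, all captured data, who.
AUDIT_TRAIL = [
    {"time": "2024-03-01T09:00:00.000Z", "op": "dispatch",
     "actor": "sender@example.com", "data": {"recipient": "signer@example.com"}},
    {"time": "2024-03-01T09:14:22.318Z", "op": "data_submission",
     "actor": "signer@example.com", "data": {"full_name": "Erika Mustermann"}},
    {"time": "2024-03-01T09:15:03.902Z", "op": "signing",
     "actor": "signer@example.com", "data": {"ip": "203.0.113.10", "user_agent": "Mozilla/5.0"}},
    {"time": "2024-03-01T09:15:04.011Z", "op": "completion", "actor": "system", "data": {}},
]

# Hypothetical server-side sealing key (constructed). A production service would keep
# it in an HSM, or use an asymmetric signing certificate so third parties can verify too.
SEALING_KEY = b"constructed-demo-key-do-not-reuse"


def document_hash(doc: bytes) -> str:
    """File-specific hash that the seal encodes."""
    return hashlib.sha256(doc).hexdigest()


def canonical(doc: bytes, trail: list) -> bytes:
    """Deterministic serialisation: same document + same trail -> same bytes."""
    return json.dumps({"doc_sha256": document_hash(doc), "trail": trail},
                      sort_keys=True, separators=(",", ":")).encode()


def seal(doc: bytes, trail: list, key: bytes = SEALING_KEY) -> str:
    """Seal binding the document hash to the complete audit trail."""
    return hmac.new(key, canonical(doc, trail), "sha256").hexdigest()


def verify(doc: bytes, trail: list, stored_seal: str, key: bytes = SEALING_KEY) -> bool:
    """Recompute and compare in constant time; any change to the file or the
    trail (edited field, dropped or reordered entry) yields a different seal."""
    return hmac.compare_digest(seal(doc, trail, key), stored_seal)


if __name__ == "__main__":
    s = seal(DOCUMENT, AUDIT_TRAIL)
    print("seal:", s)
    print("original verifies:", verify(DOCUMENT, AUDIT_TRAIL, s))
    print("altered document verifies:", verify(DOCUMENT + b" ", AUDIT_TRAIL, s))
```

Because the server holds the key, this variant gives integrity but not third-party non-repudiation; the latter needs a signature from a certificate the verifier can check independently.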


Authenticity

The Paperless audit trail additionally includes a visual certificate of the document’s origin and means of verification of the authenticity of a given document.

How document recipients & signees use Paperless

Authentication

Paperless offers multiple authentication options for signers including a secure link via email or direct integration into existing secure applications.


Documentation

Everything that is sent to Paperless' servers is documented in an unalterable and systematic manner. All metadata such as User-Agents, IP addresses and timestamps (to the millisecond) are logged.


Data Validation

All data entered by recipients and signees is checked both on the client-side and on the server-side for completeness, integrity and correctness.


SSL encryption

All data and personal information sent to or from Paperless is encrypted in transit using industry-standard 256-bit encryption with a 2048-bit RSA key.


Enterprise ready

Identity Management: Automatic user (de-)provisioning via SCIM and user authentication via Single Sign-On (OAuth / OpenID Connect / AD FS) for excellent security compliance.

Access Management: With Role-Based Access Control (RBAC) you can rest assured that only the authorized people within your organization and approved integrations can access your information in Paperless.

Password Policies: Precise rules on password strength provide a high level of protection against unauthorized access.

SLA: Paperless is extremely committed to high availability of the platform and assures this through a service level agreement on availability.

Technology

How we build Paperless

Access Control: All system access is limited to a minimal group of people based on the least-privilege principle, with multiple layers of secured authentication required for all critical systems.

Physical Security: Around-the-clock onsite security with strict physical access controls, such as badge access and manned public entrances, that comply with industry standards.

Training: All Paperless employees are trained regularly in security and data protection topics like data handling and storage, GDPR compliance or social engineering attack vectors.

Code Review: We enforce formal code reviews for all application code to minimize chances of bugs with possible security implications.

Bulletproof Security

Monitoring and constant improvement

Logging: All access to Paperless is logged and stored for six months after which it is automatically deleted. Document submission activities are stored indefinitely and included in the audit trail.

Testing: Thousands of automated software tests are run continuously to detect bugs and minimize the risk of software regressions.

Monitoring: Active monitoring of all hardware, network, platform applications, and tooling ensures the high availability and performance of Paperless. With extensive error reporting and tracing, any problem that occurs is reported automatically to our tech team. Automated 24/7 alerting guarantees that in the event of a problem, we will start working on a mitigation immediately.

Pentesting: Testing and validation of Paperless Security by a third-party penetration tester to further protect the platform from attacks and security breaches is planned for Q1/24.

Report a security or privacy vulnerability: All forms of responsible disclosure are welcomed. This includes any vulnerabilities found in Paperless products. Depending on the severity of the issue, we may award a bug bounty (please understand that we are still a young company with limited resources). You can submit your finding or any other product-security-related query to security@paperless.io.

Ready to go Paperless?

We'll help you turn your paper-based processes into easy digital experiences.