Security

What we do — and don't yet do — to protect your data

PaperAI is an early-stage product. We've built the technical controls below into the platform from day one. We have not yet completed any third-party compliance audits. This page lays out exactly what's in place, what's coming, and what you should not use PaperAI for today.

Compliance certifications: none yet

PaperAI does not currently hold SOC 2, HIPAA (no signed BAA), ISO 27001, PCI-DSS, GDPR attestation, HITRUST, FedRAMP, or any other formal compliance certification. We do not yet sign Business Associate Agreements. Do not upload Protected Health Information (PHI), Payment Card Industry (PCI) data, or any other regulated data that requires a vendor BAA or compliance attestation to handle.

SOC 2 Type II is on our long-term roadmap but is not yet in progress. We will update this page when that changes.

What's in place today

Technical controls built into the product.

Access controls

  • Email/password and Google OAuth sign-in.
  • Two-factor authentication (TOTP) with backup codes.
  • Session management with IP and user agent tracking.
  • CAPTCHA protection (Cloudflare Turnstile).
  • Email verification on every account.

Data boundaries

  • Multi-tenant architecture. Every query is scoped to the requesting organization.
  • Role-based access (owner, admin, member, reviewer).
  • Encryption in transit via TLS 1.2+.
  • Documents are sent to third-party AI providers (Anthropic, OpenAI, Google, Mistral, etc.) for inference. PaperAI contracts with providers for API-only inference with no model training on customer data.

Workflow traceability

  • Every document has an immutable version history.
  • Approval and rejection actions record the actor and timestamp.
  • Admin impersonation is logged.

Storage & delivery

  • Original files stored in managed cloud object storage with signed-URL access.
  • Secure download patterns for both originals and converted files.
  • Hosted on Microsoft Azure infrastructure.

Subprocessors

Documents you upload are processed by third-party AI providers to perform inference. We do not train models on customer data. Current subprocessors include Microsoft Azure (infrastructure), Anthropic, OpenAI, Google, Mistral, Cloudflare (CDN + Turnstile), and our payments processor. The full list is available in our Privacy Policy. Any of these subprocessors may handle your document content as part of normal operation.

Don't use PaperAI for

  • Documents containing Protected Health Information (PHI). PaperAI is not HIPAA-compliant and does not sign BAAs.
  • Documents containing payment card data subject to PCI-DSS.
  • Documents whose handling requires a signed vendor compliance attestation (SOC 2, ISO 27001, FedRAMP, HITRUST, etc.).
  • Anything where extraction errors could cause legal, medical, or financial harm without independent human review.

Have specific security questions?

Send us your security questionnaire or specific requirements and we'll respond with what we currently offer and what's on the roadmap. No marketing-speak.
