Trust

Our compliance status — the honest version

PaperAI is an early-stage product. This page is the single source of truth for which compliance certifications we hold (none yet), which we are working toward, and what you should not use the product for today. If anything on this site implies otherwise, tell us and we will fix it.

PaperAI does not currently hold any formal compliance certifications.

No SOC 2, no HIPAA BAA, no ISO 27001, no PCI-DSS, no FedRAMP, no HITRUST. If your workflow requires any of those to handle the documents you process, choose a vendor that holds the relevant certification today.

Certification status

| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type I | Not held | Long-term goal — not yet started |
| SOC 2 Type II | Not held | Long-term goal — not yet started |
| HIPAA Business Associate Agreement (BAA) | Not available | Do not upload PHI |
| ISO 27001 | Not held | Not on near-term roadmap |
| PCI-DSS | Not held | Do not upload PCI / cardholder data |
| GDPR formal attestation | Not held | Privacy policy describes data handling |
| HITRUST | Not held | Not on near-term roadmap |
| FedRAMP | Not held | Not on near-term roadmap |
| CCPA opt-out | Honored | See Privacy Policy for the request flow |

What we have today
  • Multi-tenant data isolation — every query scoped to the requesting organization
  • Role-based access control (owner, admin, member, reviewer)
  • Two-factor authentication (TOTP) with backup codes
  • Session management with IP and user-agent tracking
  • Encryption in transit (TLS 1.2+)
  • Email verification on every account
  • Cloudflare Turnstile CAPTCHA on auth flows
  • Immutable version history per document
  • Hosted on Microsoft Azure infrastructure
  • Contractual commitment from AI subprocessors not to train on customer data

What we don't do today
  • Process Protected Health Information (PHI). Do not upload patient names, MRNs, DOBs, or any of the 18 HIPAA identifiers.
  • Process Payment Card Industry (PCI) data — cardholder numbers, CVV, magnetic stripe data.
  • Sign Business Associate Agreements.
  • Provide SOC 2, ISO 27001, HITRUST, or FedRAMP audit reports.
  • Provide legal, medical, tax, accounting, or financial advice. Output requires qualified human review.
  • Guarantee extraction accuracy. All output must be verified before use.

Subprocessors

Documents you upload pass through these third parties as part of normal operation. Each is bound by its own terms; PaperAI contracts with AI providers for API-only inference with no model training on customer data.

| Subprocessor | Purpose |
|---|---|
| Microsoft Azure | Infrastructure hosting, Azure OpenAI inference |
| Anthropic | AI inference (Claude models) |
| OpenAI | AI inference (GPT models) |
| Google | AI inference (Gemini models) |
| Mistral | AI inference |
| Cloudflare | CDN, DDoS protection, Turnstile CAPTCHA |
| Stripe | Payments processing |

Security questions, incident reports, or compliance follow-ups

Send security questionnaires, vulnerability reports, or specific compliance questions to hello@paperaiapp.com. We respond with what we currently offer and what's on the roadmap — no marketing puffery.

This page last reviewed: 2026-05-26