Security · plain English
How we handle your clients' papers
You're a financial institution under the FTC Safeguards Rule. You're required to pick vendors who can protect this data and to bind them by contract. This page is written to survive that reading — and it states clearly what's live in production today versus what's still roadmap.
Where documents live
- Live:every document is stored in an isolated per-firm workspace — your firm's files are keyed to your account, not a shared bucket — on encrypted volumes (AES-256 at rest), with TLS 1.2+ in transit, hosted in US data centers.
- Live: your data leaves whenever you want. One-click ZIP export of everything is in the product today, and deleting a document removes it from storage immediately, not on a batch schedule. Account-level deletion follows within 30 days of request (immediately on written request).
- Live:the shutdown promise (the Hubdoc clause) — if PapersIn ever closes, you get 90 days' notice and a working exporter, contractually. The exporter already exists in the product today, so this is a promise we can keep from day one, and our terms state it as a commitment, not an aspiration. We watched Hubdoc die too.
Who can see them
- Live:your firm's users, and no one else in the product — every query is scoped to your firm's account. Magic links are unguessable tokens and can be rotated per client at any time.
- Roadmap (before we accept your first real document): founder access to customer documents only with your written permission during support, logged. The policy holds today; the audit log that proves it isn't built yet, so we won't call it live.
Subprocessors (the honest list)
| Vendor | Job | Sees documents? |
|---|---|---|
| Cloud host (AWS or equivalent) | compute + encrypted storage | encrypted at rest |
| Anthropic (API) | document classification | yes, per-document at ingest; API traffic is not used to train models per vendor terms |
| Postmark (or equivalent) | reminder email | no — emails contain document names, never contents |
| Stripe | billing | no |
For your WISP file
Roadmap (before we accept your first real document): a signable DPA template and a security-practices summary you can attach to your Written Information Security Plan. The subprocessor list above is published now. Roadmap (first 12 months):SOC 2 Type I — we won't claim it before an auditor says it.
What we ask of you
Don't email us documents during evaluation; use test files. Use a password manager. Tell clients the drop link is for them alone. Security is a two-party sport and we'll say so even when it costs us a signup.
Final version, with the operating entity's legal name and postal address, publishes with the founding cohort opening. Questions or holes: hello@papersin.com — finding a hole in this page is the fastest way to get our attention and our gratitude. See also Privacy and Terms.