Security & Privacy FAQ

What user personally identifiable information (PII) is stored?

Paper stores user emails and only accesses them to send automated emails (e.g. after a completed purchase) or in rare cases to proactively reach out to resolve support issues. We don't store any other user PII.

How is the Paper Wallet private key data stored?

Paper Wallets are generated on the client inside an iframe that is inaccessible to Paper. The key is encrypted with the master key stored in an AWS Hardware Security Module (HSM). When revealing their private key, a buyer's web client interacts directly with AWS HSM/KMS (source).

Wallet private keys are never sent through or stored on Paper's or our vendor's servers. Data in AWS is encrypted at rest with AES-256.

How is credit card data stored?

Paper's payment provider(s) are certified to PCI Service Provider Level 1, the highest standard set by the payment card industry to ensure that credit card data is processed, stored or transmitted in a secure environment (source).

This data is never sent through Paper's servers.

How is password data stored?

Paper doesn't use passwords! Logging into a Paper Wallet and our Seller dashboard is done through password-less authentication tied to your email address. For this reason, please keep strong password hygiene and consider adding multi-factor authentication on your email account.

How is buyer identity verification data stored?

Buyer identity verification data (i.e. KYC) is transferred over TLS-encrypted connections directly to our payment vendor(s) and is encrypted at rest with AES-256 (source). This data is only accessible to employees whose job role may require reviewing KYC.

This data is never sent through Paper's servers.

How is seller identity verification data stored?

Seller identity verification data (i.e. KYB) that you upload in the dashboard is sent over TLS-encrypted connections, using a time-limited pre-signed URL, to Paper's AWS S3 bucket. The S3 bucket is not exposed to the public internet, is encrypted with an AWS KMS-managed key, has all employee interactions logged, and is only accessible to key employees whose job role requires reviewing KYB.

This data is never sent through Paper's servers.
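The bucket properties listed in this answer can be checked mechanically. The following is an added example, not Paper's code or configuration: it audits settings given in the response shapes of the S3 GetPublicAccessBlock, GetBucketEncryption, GetBucketLogging and GetBucketPolicy APIs, and the X-Amz-Expires value of a pre-signed URL. The sample data, the placeholder bucket names, the 900-second limit, and the use of server access logging and an aws:SecureTransport deny as the logging and TLS controls are assumptions.

```python
import json
from urllib.parse import urlparse, parse_qs

MAX_URL_LIFETIME = 900  # seconds; assumed limit, the page states no number
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def denies_plain_http(policy):
    """True if a Deny statement is conditioned on aws:SecureTransport being false."""
    stmts = policy.get("Statement", [])
    for s in [stmts] if isinstance(stmts, dict) else stmts:  # Statement may be one object
        flag = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if s.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False

def audit_bucket(cfg):
    """Return findings for merged S3 API responses; an empty list means all checks pass."""
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    findings = [f"public-access: {f} not enabled" for f in PAB_FLAGS if not pab.get(f)]
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               == "aws:kms" for r in rules):
        findings.append("encryption: default encryption is not SSE-KMS")
    if "LoggingEnabled" not in cfg:  # assumption: server access logging is the control
        findings.append("logging: server access logging disabled")
    if not denies_plain_http(json.loads(cfg.get("Policy") or "{}")):
        findings.append("transport: plain HTTP not denied by bucket policy")
    return findings

def audit_presigned_url(url):
    """Check that an upload URL is HTTPS and carries a short X-Amz-Expires."""
    parts = urlparse(url)
    expires = parse_qs(parts.query).get("X-Amz-Expires", [""])[0]
    findings = [] if parts.scheme == "https" else ["url: not HTTPS"]
    if not expires.isdecimal():
        findings.append("url: no X-Amz-Expires, lifetime unknown")
    elif int(expires) > MAX_URL_LIFETIME:
        findings.append(f"url: lifetime {expires}s exceeds {MAX_URL_LIFETIME}s")
    return findings

# Constructed sample data (not Paper's configuration); bucket names are placeholders.
GOOD_BUCKET = {
    "PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True),
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
    "LoggingEnabled": {"TargetBucket": "example-logs", "TargetPrefix": "kyb/"},
    "Policy": json.dumps({"Statement": {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-kyb/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}}),
}
```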

How do you handle GDPR data access or deletion requests?

A customer can contact us at [email protected] to request that their data be provided or deleted. We will comply with the request within 90 calendar days.

Do you offer rewards for responsible disclosure of security vulnerabilities?

Yes. At the team's discretion, Paper may offer monetary bounties for security vulnerabilities that are responsibly disclosed to [email protected] and are considered novel with high customer impact.

Paper is also in the process of enrolling in a formal bug bounty program through a third party vendor (estimated Q2 2023).