Security & Privacy FAQ

Have a security/privacy question or disclosure? Contact [email protected].

What best practices does Paper follow?

  • TLS encryption in transit for internal and external communication with our backend and databases.
  • Required TLS encryption for third-party vendors.
  • Data backups and storage encrypted with AES-256.
  • GDPR and CCPA data access and deletion requests fulfilled within 90 days.
  • Granular data access for all Paper employees granted by business need.
  • Full audit logging on sensitive data access.
  • Security audit from HackerOne.
  • Bug bounty program for ethical hackers.
  • SOC-2 compliance certification (coming Q2 2023).

What user personally identifiable information (PII) is stored?

Paper stores user emails and only accesses them to send automated emails (e.g. after a completed purchase) or in rare cases to proactively reach out to resolve support issues. We don't store any other user PII.

How is credit card data stored?

Paper's payment provider(s) are certified to PCI Service Provider Level 1, the highest standard set by the payment card industry to ensure that credit card data is processed, stored or transmitted in a secure environment (source).

This data is never sent through Paper's servers.

How is password data stored?

Paper doesn't use passwords! Logging into a Paper Wallet and our Seller dashboard is done through password-less authentication tied to your email address. Because that email account is the login, please keep strong password hygiene on it and consider enabling multi-factor authentication for it.

How is buyer identity verification data stored?

Buyer identity verification data (i.e. KYC) is transferred via TLS encrypted connections directly to our payment vendor(s) and is stored with AES-256 encryption at rest (source). This data is only accessible to employees whose job role may require reviewing KYC.

This data is never sent through Paper's servers.

How is seller identity verification data stored?

Seller identity verification data (i.e. KYB) that you upload in the dashboard is sent via TLS encrypted connections, using a time-limited pre-signed URL, to Paper's AWS S3 bucket. The S3 bucket is not exposed to the public internet, is encrypted with an AWS KMS-managed key, has all employee interactions logged, and is only accessible to key employees whose job role requires reviewing KYB.

This data is uploaded directly to S3 and never passes through Paper's application servers.
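The upload mechanism described above, as an added example that is not Paper's own code: a time-limited pre-signed S3 PUT URL is an AWS Signature Version 4 query string in which the expiry is part of the signed material, so a URL cannot be used past its lifetime or re-pointed at another object without invalidating the signature. The block below implements that signing and the matching verification with the standard library only, and also emits a bucket policy that refuses plaintext transport and uploads that are not SSE-KMS encrypted. The access key, secret, bucket name and KMS key ARN are constructed placeholders, and the 300-second lifetime is an assumed value.

```python
"""Pre-signed S3 PUT URLs (SigV4 query signing) plus a TLS/KMS bucket policy.
Standard library only; every credential and name below is a placeholder."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qsl, quote, unquote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
ACCESS_KEY = "AKIAEXAMPLEPLACEHOLDER"               # placeholder, not a real key
SECRET_KEY = "exampleSecretKeyPlaceholder/NotReal"  # placeholder, not a real key
BUCKET = "example-kyb-uploads"                      # placeholder bucket name
REGION = "us-east-1"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, datestamp: str, region: str) -> bytes:
    # SigV4 derivation chain: secret -> date -> region -> service -> terminal string
    k_date = _hmac(("AWS4" + secret).encode(), datestamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, "s3")
    return _hmac(k_service, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Sorted, RFC 3986-encoded key=value pairs; the signature covers all of them
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                    for k, v in sorted(params.items()))


def _signature(method: str, host: str, key: str, params: dict, secret: str,
               amz_date: str, datestamp: str, region: str) -> str:
    canonical_request = "\n".join([
        method,
        "/" + quote(key, safe="/"),   # canonical URI (object key)
        _canonical_query(params),
        f"host:{host}\n",             # canonical headers: only host is signed
        "host",                       # signed header list
        "UNSIGNED-PAYLOAD",           # the body is not covered by a pre-signed URL
    ])
    scope = f"{datestamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, datestamp, region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_put(key: str, expires_seconds: int = 300, now: Optional[datetime] = None) -> str:
    """Return a PUT URL for `key` that S3 rejects once `expires_seconds` have passed."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = amz_date[:8]
    host = f"{BUCKET}.s3.{REGION}.amazonaws.com"
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{ACCESS_KEY}/{datestamp}/{REGION}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_seconds),  # lifetime is bound into the signature
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature("PUT", host, key, params, SECRET_KEY, amz_date, datestamp, REGION)
    return f"https://{host}/{quote(key, safe='/')}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_presigned_put(url: str, secret: str, now: datetime) -> bool:
    """Re-derive the signature the way S3 does: expired or tampered URLs fail."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", None)
    if presented is None or params.get("X-Amz-Algorithm") != ALGORITHM:
        return False
    try:
        _, datestamp, region, service, terminal = params["X-Amz-Credential"].split("/")
        signed_at = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        signed_at = signed_at.replace(tzinfo=timezone.utc)
        lifetime = timedelta(seconds=int(params["X-Amz-Expires"]))
    except (KeyError, ValueError):
        return False
    if service != "s3" or terminal != "aws4_request" or now >= signed_at + lifetime:
        return False
    expected = _signature("PUT", parts.netloc, unquote(parts.path.lstrip("/")), params,
                          secret, params["X-Amz-Date"], datestamp, region)
    return hmac.compare_digest(expected, presented)


def kyb_bucket_policy() -> dict:
    """Deny plaintext transport and any PutObject that is not SSE-KMS encrypted."""
    arn = f"arn:aws:s3:::{BUCKET}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyNonTLS", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [arn, f"{arn}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    ]}


if __name__ == "__main__":
    print(presign_put("kyb/acct-123/passport.pdf"))
    print(json.dumps(kyb_bucket_policy(), indent=2))
```

Two properties are worth checking in a real deployment: the expiry should be as short as the dashboard's upload flow tolerates, since anyone holding the URL can upload until it lapses, and the bucket policy (not only the client) should enforce TLS and KMS so that a misbehaving or outdated client cannot downgrade either.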

How does Paper handle GDPR data access or deletion requests?

A customer can contact us at [email protected] to request their data to be provided or deleted. We will comply with the request within 90 calendar days.

Does Paper go through security audits?

Yes. Our architecture and codebase are currently undergoing a full code review audit performed by HackerOne, a leading cybersecurity company.

Estimated completion: March 2023

Does Paper offer rewards for responsible disclosure of security vulnerabilities?

Yes. At the team's discretion, Paper may offer monetary bounties for security vulnerabilities that are responsibly disclosed to [email protected] and that the team considers novel and of high customer impact.

Paper's formal HackerOne bug bounty program is launching Q1 2023.