Papyrs is founded and run by a technical team of security nerds and privacy purists. Our founders and management have a strong background in software engineering with many years of experience in running B2B internet services, writing software and server administration. We work hard to keep your wiki/intranet data safe and secure. Our security mindset is at the core of everything we build, and not something we've decided to simply add on top or outsource at the last moment.Privacy
We understand the need for privacy regarding internal company information stored on Papyrs and take it very seriously. We will treat all information entered into Papyrs as confidential and have strict policies on accessing customer data, which we will only do at your request in order to assist with a support query. Only key personnel, required to treat the information as confidential, will be able to access this data and access to this data is logged.
Papyrs adheres to the European Union's General Data Protection Regulation (GDPR), which took effect in May 2018. This includes measures on confidentiality, permanent data erasure, data transfer restrictions, portability and more. Please see our Privacy & GDPR section of our Terms of Service for more details.Personnel
All key personnel understand computer security best practices and are required to treat all data as confidential.Secure work environments
Hard drives of staff workstations are encrypted at rest (full disk encryption) and auto-lock. Staging and development environments do not contain customer data. Use of strong passwords, password managers and MFA are enforced.Vendors
We work with multiple vendors (like datacenters) to reduce overall business continuity risks. We select our vendors based on high security standards and compliance. We have signed data processing agreements (DPAs) with all vendors to ensure the same level of data/privacy protection and GDPR compliance.Simple systems
Although no single system is perfect, larger and more complex systems can lead to larger attack surfaces. To reduce the risk of errors and exploits, we believe in simple designs for which it's easy to reason about safety. We prefer simple systems, "Off" and "closed" by default, network as little as possible (keep those Cylons out!). We don't use experimental new beta software just because it's the latest trend (boring=good).No external trackers/analytics
Our notion of privacy does not include shipping our app with dozens of external marketing and analytics scripts. This recent trend causes all your activity within an app to be sent to third party marketing services, which can include sensitive information like URLs. We don't use any of this marketing/tracking software. We don't see (tracking) data as an asset, but as a liability.
Administrative access to the Papyrs servers is restricted to key personnel with IP-filters and strong passwords/keys.Encryption at rest
Your data is encrypted at rest using AES-256 encryption. User passwords are hashed and salted. Passwords are never logged or stored in log files.Encryption in transit
All data in transit, both between our servers as well as between our servers and you, is encrypted by strong TLS encryption. Our certificates are signed by LetsEncrypt or Gandi.Audit logs
We keep logs of access to internal documents, dashboards and servers.Intrusion detection, logging and real-time monitoring
All our servers are monitored for unusual disk/software/network activity. Suspicious or automated connection attempts (other than allowed according to our API policy) are blocked automatically. A virus scanner monitors the integrity of the system software on the Papyrs servers.Firewall
All Papyrs servers and internal services are protected by firewalls.Redundancy & High Availability
Data is mirrored across multiple servers, as well as within a single server (redundant hardware). We have an excellent track record on our availability/uptime.Replication & Backups
Multiple sets of backups are kept in multiple locations. Data is continuously mirrored to servers in multiple datacenter locations to ensure geo-redundant replication. In addition, backups are made of all client data every night. All data is transferred over an encrypted connection and encrypted at rest.Best practices
We follow and keep up to date with the latest industry best practices and security policies (such as OWASP guidelines, CVE announcements, and so on).Patches and updates
We monitor security mailing lists, actively search for software flaws and follow security advisories. System software on the Papyrs servers is kept up-to-date and security patches are applied.Secure data centers
All Papyrs servers are located in modern data centers which are ISO 27001 certified. Server locations have redundant power systems, climate control, fire detection, are monitored 24/7 and have strict physical security and access restrictions. Datacenter certification and security details: Hetzner, TransIP, AWS.
Credit card information is processed and stored by Stripe, a PCI compliant payment processor. We do not store or process your credit card number.Log in and access permissions
Papyrs is built first and foremost to share data internally within an organization. By default, any information on your site is only accessible to members of your site after they log in. Papyrs also allows you to restrict access to certain sections of the site so staff can only access information on the site they are allowed to see.Version history
With built-in unlimited version history of any page, editors can always go back and compare/track or restore changes made to a page.Roles
With Papyrs you can grant additional Administrator rights to certain key staff members, and optionally restrict the use of features to others.Data export
Securing data includes the right to data portability. With Papyrs, site Administrators can use the site backup feature to download a data export in HTML format.Custom IP Filter
Enterprise plans allow organizations to restrict access to their Papyrs intranet site further by only allowing access from certain (ranges of) IP-addresses. This way access can be restricted to logins made from certain physical office locations or through a company VPN connection.Audit Log
The Audit Log feature on Enterprise plans allows site owners to view all activity (views, edits, downloads, logins) per page or user.Single Sign-On (SSO) and 2FA
Papyrs supports Single Sign-On (SSO) with SAML, Active Directory (LDAP), Slack or G Suite. By using SSO, your organization can ensure all users need to authenticate against a centralized credential store and according to a company-wide security policy (like password strength/expiration, requiring multi-factor authentication devices, and so on). When using email/password-based log in, we recommend using the built-in 2FA (Two-Factor Authentication) feature.
If you have any security questions or concerns, just send them to firstname.lastname@example.org. We're happy to help!Responsible disclosure
We welcome any feedback from security researchers on potential vulnerabilities. If you discover a security issue, please email us at email@example.com with subject "Security issue" and we'll investigate the issue right away.