Trust and security
Your data stays in the European Union, encrypted, handled by a small named set of subprocessors. Here is exactly how we protect it.
Posture at a glance
- EU-only data residency
  Hosted in the European Union on Hetzner (Nuremberg). Backups stay in the EU on Cubbit.
- Encrypted end to end
  TLS in transit across the stack, and AES-256 encryption for all data at rest.
- GDPR, privacy by default
  Cookieless analytics, no advertising trackers, and session recordings only with consent.
- A small, fully-EU supply chain
  A short list of subprocessors, all named, every one incorporated and hosted in the EU.
How we protect your data
- EU data residency
  Your product data is hosted only in the European Union, on Hetzner in Nuremberg.
- Encryption
  Encrypted in transit with TLS, and at rest with AES-256, for every service in the stack.
- Access and authentication
  Least-privilege access, multi-factor authentication, and no public access to the control plane.
- Reliability and backups
  Daily backups to EU storage, with restore drills that prove recovery works.
- Vulnerability management
  Dependency and container scanning on every change, plus periodic penetration testing.
- Privacy and your rights
  We are GDPR controller and processor, publish our DPA, and let you export or delete data on demand.
- Incident response
  A documented breach process with notification to affected customers within 72 hours.
- Compliance and certifications
  GDPR as both controller and processor. SOC 2 and ISO 27001 are not yet held.
Documents
Security contact
Report a vulnerability or ask a security question at security@paperclip.inc. We welcome good-faith security research. Our disclosure details are published at /.well-known/security.txt.