Security
The controls behind the summary, in the detail a security review needs. Each measure here matches the security annex of our data processing agreement.
Data residency and sovereignty
Your product data is hosted only in the European Union, on Hetzner Cloud in Nuremberg, Germany. Backups stay in the EU on Cubbit, an Italian company that fragments and stores data across EU nodes. We do not move your content outside the European Economic Area, except to a self-hosted model endpoint you choose to configure.
Encryption
In transit, traffic is protected with TLS 1.2 and above across the stack, with HSTS on the public site. At rest, the database is encrypted with AES-256, and backup storage on Cubbit is encrypted and fragmented across EU nodes.
Access control and authentication
Access follows least privilege, and multi-factor authentication is enforced on every staff account. The production control plane is not exposed to the public internet, and access to it is restricted by network allowlisting. Application secrets are held in a dedicated secrets manager and are never committed to source control.
Your environment runs as a single-tenant, hardened Kubernetes cluster. The network is isolated, and the database is reachable only from inside the cluster, never from the public internet.
Backups and disaster recovery
The database is protected by continuous write-ahead-log archiving plus daily base backups to EU storage, kept for 30 days. We run restore drills that recover the database into an isolated environment and confirm it reaches a healthy state, so recovery is proven rather than assumed.
Logging and monitoring
We continuously monitor the platform with centralised logging, metrics, and dashboards covering system health and capacity, so problems surface early.
Vulnerability management and secure development
Infrastructure is managed as code, and every change ships through a pull request and continuous integration. Dependency and container-image vulnerability scanning runs automatically on every change, and we conduct periodic third-party penetration testing.
Model routing
When an agent runs, only the prompt and required context are sent for inference, never billing data or unrelated organization content. Inference is routed through Tensorix, an Irish provider that keeps the request inside the EU, or to a self-hosted endpoint you control. The privacy policy covers this in full.
Incident response
We run a documented breach-response process. If a personal data breach affects your data, we notify you without undue delay and within 72 hours of becoming aware, with the nature of the breach, the likely consequences, and the steps taken, as set out in our data processing agreement.
Compliance and certifications
We comply with the GDPR as both a data controller (for our own account, billing, and telemetry) and a data processor (for the content your agents act on). We publish a data processing agreement and keep records of processing; our lead supervisory authority is the Estonian Data Protection Inspectorate. Paperclip provides an AI system and meets the transparency duties under Article 50 of the EU AI Act; it is not a high-risk system, and we do not make solely automated decisions with legal effect about people.
We do not currently hold SOC 2 or ISO 27001. We are glad to share our security documentation and complete your security questionnaire, and if your procurement process requires a specific certification, contact us at security@paperclip.inc to discuss scope and timelines.