Security
Your client list, your deals, your conversations — all of it stays yours. We treat your data with the same care we'd expect of anyone holding ours.
All data in transit is protected by TLS 1.3. All data at rest is encrypted with AES-256, including OAuth tokens and credentials. Database connections require mutual TLS.
Every query against your data is enforced by row-level security policies in Postgres. Even if our application layer had a bug, the database itself would not return another tenant's data.
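A minimal sketch of how row-level security isolates tenants in Postgres, added here as an illustration; it is not Paper's actual schema or policy. The table, column, role, and `app.tenant_id` setting names are assumptions, and the script assumes a superuser session on a scratch database.

```sql
-- Constructed schema: every name below is hypothetical.
CREATE ROLE app_user NOLOGIN;          -- role the application runs as (no BYPASSRLS)

CREATE TABLE contacts (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    name      text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON contacts TO app_user;
GRANT USAGE ON SEQUENCE contacts_id_seq TO app_user;

-- Constructed sample rows for two tenants, loaded before RLS is switched on.
INSERT INTO contacts (tenant_id, name) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Ada (tenant A)'),
    ('22222222-2222-2222-2222-222222222222', 'Bob (tenant B)');

-- Policies are ignored until RLS is enabled; FORCE applies them to the table owner too.
ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
ALTER TABLE contacts FORCE ROW LEVEL SECURITY;

-- USING filters rows that can be read, updated or deleted.
-- WITH CHECK rejects rows written on behalf of a different tenant.
-- An unset or empty setting becomes NULL, so the comparison matches nothing (fail closed).
CREATE POLICY tenant_isolation ON contacts
    FOR ALL TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

SET ROLE app_user;

BEGIN;
-- The application sets the tenant once per transaction, after authenticating the caller.
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

-- Simulated application bug: the query has no WHERE tenant_id filter.
-- The policy still restricts the result to tenant A's rows.
SELECT id, name FROM contacts;

-- A write that names tenant B violates WITH CHECK and raises an error,
-- which aborts the transaction.
INSERT INTO contacts (tenant_id, name)
VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');
ROLLBACK;

-- Outside the transaction the setting is no longer in effect, so the policy matches no rows.
SELECT count(*) FROM contacts;

RESET ROLE;
```

Superusers and roles with the `BYPASSRLS` attribute skip these policies entirely, so the guarantee holds only if the application connects as a role with neither.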
Paper is SOC 2 Type II compliant, with annual third-party audits covering security, availability, and confidentiality. The full report is available under NDA.
Paper runs on Vercel's edge network and Supabase's managed Postgres with automatic failover, point-in-time recovery, and continuous backups every 5 minutes.
You can export every contact, note, deal, and message at any time as a single CSV bundle. Cancel and your account is deleted in 30 days; full data wipes are available on request.
Email content sent to AI providers for follow-up generation is processed ephemerally and never used for model training. We use providers contractually bound by Google's Limited Use policy.
We pay competitive bounties for verified security issues and credit reporters in our public hall of fame. Send a detailed report — including reproduction steps and any proof-of-concept — to security@usepapercrm.com.
Please don't test against accounts that aren't yours, exfiltrate data, or run automated scanning. We'll respond within one business day.
Read our privacy policy, request our SOC 2 report, or just try Paper for 14 days and see for yourself.