Security at Paperpile

At Paperpile we take seriously our responsibility to safeguard your data. As the reference manager of choice for over 50,000 individuals and thousands of teams and organizations, we adhere to industry best practices in designing our technology, company and processes to protect your data.

Paperpile has undergone several dozen successful vendor security reviews for large customers, including penetration testing and in-depth security analysis. Our solution is trusted by leading university departments, academic medical centers, and technology companies.

Data protection

Paperpile takes measures to ensure your personal data is correctly controlled, available when you need it, and secure from external threats. Our operations include the following data-related practices:

  • All data is encrypted at rest.
  • Application data is backed up automatically on a regular schedule.
  • Data recovery process is documented and exercised biannually.
  • Data classification is reviewed annually.
  • Use of robust, well-supported data stores including S3 and MongoDB.

Resilience and uptime

Paperpile is a mission-critical service for the tens of thousands of researchers who rely on our products to write grants and manuscripts. We have a ten-year track record of providing a robust, stable service to our users. We adopt the following reliability practices:

  • System architecture with load balancers and application servers in the US and EU to reduce latency and increase availability.
  • Automated uptime alerts and on-call engineers to respond to outages.
  • Highly responsive support team to quickly learn of any customer-reported issues.

Incident management

We adopt the following incident-related practices:

  • Annual security training for all developers.
  • Regular penetration tests against our systems.
  • Internal playbooks for incident management and credential revocation.

Integrations and Google Account permissions

Core to Paperpile’s utility is our integration with products widely used by researchers to do their work. Wherever possible, we follow the principle of least privilege when requesting integration or extension permissions. In cases where the only available permission on a third-party platform is broader than what Paperpile needs, we clearly document what Paperpile will and won’t do with the permissions granted.

See Permissions for third-party accounts and browser extensions for more information.

Compliance roadmap

See SOC 2 and HIPAA certifications for more information on Paperpile’s compliance certification progress and roadmap.

Security inquiries

We encourage concerned stakeholders to review the information above and to contact security@paperpile.com with any questions or concerns.

Our support team will be happy to help answer your questions. We have executed several dozen vendor security reviews, including penetration tests and custom integration work for top-10 technology enterprises and life sciences organizations.
