Security

Papereg uses schema-based multi-tenancy for workspace data isolation. Each workspace gets its own PostgreSQL schema, providing database-level separation of data between organizations.

• Every database query is scoped to the tenant's schema using PostgreSQL's SET search_path
• Workspace data (forms, submissions, files) cannot be accessed across schemas
• Schema names are validated against a strict allowlist pattern before any DDL execution
• Tenant schema creation and deletion are controlled through dedicated administration functions

Passwords

All user passwords are hashed using bcrypt before storage. Plaintext passwords are never stored or logged.

Session Tokens

User session tokens are hashed with SHA-256 before database storage. Sessions are invalidated on logout and password change.

API Tokens

• API tokens are hashed with SHA-256 — raw tokens are shown once at creation and never stored
• Tokens are revocable and support configurable expiration (30d, 90d, 1 year, or unlimited)
• Scoped permissions restrict what each token can access
• Tokens are automatically invalidated when the creator loses workspace membership

Role-Based Access Control

Each workspace has four roles: Owner, Manager, Supervisor, and User. Permissions are configurable per workspace and per role. Owners always have full access.

• 26 configurable permission keys across workspace, forms, registry, pages, reports, and apps
• Field-level access control restricts individual form fields by role
• Permissions are loaded once per session and cached for fast template checks

Encryption in Transit

• HTTPS enforced in production via force_ssl
• HTTP Strict Transport Security (HSTS) enabled
• Database connections use SSL

Encryption at Rest

• Sensitive integration secrets (OAuth tokens, API keys, signing secrets) are encrypted at the application layer using AES-GCM
• Encryption keys are derived from the application's secret key base
• Non-sensitive configuration values remain as plaintext for debuggability

Input Validation

• Form submissions are validated against a server-side allowlist of visible, non-display fields
• All user-generated HTML (markdown content, embedded media) is sanitized through an allowlist-based scrubber
• File uploads are validated by content type and size before processing

Papereg maintains audit logs for key data access and modification events:

• Submission views, edits, and status changes
• Data exports (CSV, Excel, PDF)
• API access to submissions
• Report generation

Audit logs capture the user, action, timestamp, and relevant metadata. Logs are stored in the tenant's schema and are accessible through compliance reports (e.g., HIPAA Access Log).

Papereg uses Anthropic Claude for two features:

• Form Extraction: PDF documents are analyzed to automatically generate form fields matching the document structure
• Submission Extraction: Scanned filled documents (PDF, images) are analyzed to extract field values for pre-filling submission data

Papereg relies on the following third-party services to deliver its functionality:

Customer-enabled integrations: When a workspace connects to external apps (e.g., Zoho Bigin), submission data is sent to those services as configured by the workspace administrator. These integrations only activate when explicitly set up by the customer.

Papereg is a hosted web application deployed on managed infrastructure.

If you discover a security vulnerability or have concerns about the security of your data, please contact us immediately: