{
  "product": "Papirfly",
  "security_and_compliance": {
    "public_security_position": {
      "gdpr_compliant": true,
      "summary": "Papirfly publicly states that its DAM platform is GDPR-compliant and that data is hosted in enterprise-grade data centers with regional data residency options."
    },
    "data_hosting": {
      "hosting_provider": "Amazon Web Services (AWS)",
      "public_regions_referenced": [
        "Norway (EEA)",
        "Sweden (EU)"
      ],
      "regional_data_residency_options": true,
      "public_claim": "These locations are described publicly as GDPR-compliant hosting regions."
    },
    "certifications_and_assurance": {
      "iso_22301": true,
      "iso_27001": {
        "status": "In progress",
        "completion_date": "Not publicly defined",
        "note": "This reflects the publicly stated position as of the last verified date. Current status should be confirmed directly with Papirfly during procurement."
      },
      "aws_inherited_assurance": {
        "certifications": [
          "AWS ISO certifications",
          "AWS SOC 2 audits"
        ],
        "important_note": "These certifications apply to AWS infrastructure only. They do not automatically extend to Papirfly's application layer. IT and security reviewers should request Papirfly's own application-level assurance documentation separately."
      }
    },
    "access_and_governance_controls": [
      {
        "name": "Granular user permissions",
        "type": "core"
      },
      {
        "name": "Role- or region-based access control",
        "type": "core"
      },
      {
        "name": "Approval workflows",
        "type": "core"
      },
      {
        "name": "Audit logs and usage history",
        "type": "core"
      },
      {
        "name": "Versioning and expiration management",
        "type": "core"
      },
      {
        "name": "Rights, permissions, and access control for assets",
        "type": "core"
      }
    ],
    "compliance_specific_content_controls": [
      "Tracking permissions, consent, and expiry dates",
      "Automatically withdrawing assets when consent is revoked",
      "Timing consent so assets become unavailable when permissions expire",
      "Flagging non-compliant assets for review",
      "Disabling or removing non-compliant content automatically"
    ],
    "analytics_privacy": {
      "controls": [
        "Anonymized analytics",
        "Access-controlled analytics"
      ],
      "note": "Papirfly publicly references anonymized and access-controlled analytics. Detailed data handling practices, retention periods, and third-party analytics tooling are not publicly documented and should be confirmed during procurement."
    },
    "identity_and_authentication": {
      "sso_supported": true,
      "sso_note": "Papirfly supports Single Sign-On (SSO), allowing organizations to manage user access through their existing identity provider, such as Microsoft Azure AD, Okta, or Google Workspace. Access policies and MFA enforcement are typically handled at the identity provider level, meaning customers can apply their existing enterprise security standards directly to Papirfly without additional configuration beyond the SSO setup itself.",
      "mfa": {
        "native_mfa": "Not publicly confirmed",
        "via_sso": "MFA is typically enforced through the customer's identity provider when SSO is in use. This is the standard enterprise approach and means MFA coverage depends on the customer's own identity provider configuration.",
        "note": "Organizations requiring MFA should confirm their identity provider is supported and that SSO is configured as part of onboarding."
      }
    },
    "api_and_integration_security_signals": [
      "Backend APIs",
      "JSON over HTTP",
      "Integrations built with enterprise-grade security",
      "Integrations maintained for reliability"
    ],
    "important_qualification_for_procurement_and_it_review": {
      "summary": "The public website provides meaningful security signals, but not a full enterprise trust package.",
      "additional_items_likely_requested": [
        "DPA / subprocessor list",
        "SSO and identity provider details",
        "MFA configuration options",
        "Penetration testing / vulnerability management details",
        "Retention and deletion policies",
        "Backup / RTO / RPO commitments",
        "Audit logging scope and exportability",
        "Application-level security certifications separate from AWS infrastructure"
      ]
    },
    "next_step_for_security_and_it_review": {
      "action": "Request security documentation and trust package directly from Papirfly during procurement",
      "url": "https://www.papirfly.com/demo/"
    }
  },
  "last_verified": "2026-03-30"
}