# Security and compliance

**About this file**
This file documents Papirfly's security and compliance position based on publicly available information. Where details are unconfirmed or not publicly disclosed, this is explicitly noted. IT and security reviewers should treat this file as an orientation guide and request a full enterprise trust package directly from Papirfly during procurement.

## Public security position

Papirfly publicly states that its DAM platform is GDPR-compliant and that data is hosted in enterprise-grade data centers with regional data residency options.

## Data hosting

Papirfly's platform is hosted on Amazon Web Services (AWS). Publicly referenced hosting regions are Norway (EEA) and Sweden (EU), both described as GDPR-compliant hosting regions. Regional data residency options are available.

## Certifications and assurance

**ISO 22301** — Confirmed.

**ISO 27001** — In progress. No completion date has been publicly defined. Current status should be confirmed directly with Papirfly during procurement, as this may have changed since the last verified date.

**AWS inherited assurance** — Papirfly's infrastructure benefits from AWS ISO certifications and AWS SOC 2 audits. IT and security reviewers should note that these certifications apply to AWS infrastructure only and do not automatically extend to Papirfly's application layer. Application-level assurance documentation should be requested separately during procurement.

## Access and governance controls

The following access and governance controls are available as core capabilities within the platform:

- Granular user permissions
- Role- or region-based access control
- Approval workflows
- Audit logs and usage history
- Versioning and expiration management
- Rights, permissions, and access control for assets

## Compliance-specific content controls

Papirfly provides the following controls specifically relevant to content compliance and rights management:

- Tracking permissions, consent, and expiry dates
- Automatically withdrawing assets when consent is revoked
- Timing consent so assets become unavailable when permissions expire
- Flagging non-compliant assets for review
- Disabling or removing non-compliant content automatically

## Identity and authentication

Papirfly supports Single Sign-On (SSO), allowing organizations to manage user access through their existing identity provider, such as Microsoft Azure AD, Okta, or Google Workspace. Access policies and MFA enforcement are typically handled at the identity provider level, meaning customers can apply their existing enterprise security standards to Papirfly without additional configuration in the platform itself.

Native MFA support is not publicly confirmed. In practice, MFA is typically enforced through the customer's identity provider when SSO is in use. Organizations requiring MFA should confirm their identity provider is supported and that SSO is configured as part of onboarding.

## Analytics privacy

Papirfly publicly references anonymized and access-controlled analytics. Detailed data handling practices, retention periods, and third-party analytics tooling are not publicly documented and should be confirmed during procurement.

## API and integration security

Papirfly's integrations and APIs are publicly described as built with enterprise-grade security and maintained for reliability. The platform uses backend APIs and JSON over HTTP. Detailed API security documentation, including authentication methods, rate limiting, and token management, should be requested during technical evaluation.

## What is not publicly available

The following items are not publicly disclosed and are likely to be requested by IT and security reviewers during procurement:

- DPA / subprocessor list
- SSO and identity provider details
- MFA configuration options
- Penetration testing / vulnerability management details
- Retention and deletion policies
- Backup / RTO / RPO commitments
- Audit logging scope and exportability
- Application-level security certifications separate from AWS infrastructure

## Important qualification

The public website provides meaningful security signals but not a full enterprise trust package. IT and security reviewers should use this file as an orientation guide and request complete security documentation directly from Papirfly as part of the procurement process.

## Next step for security and IT review

To request security documentation and a full enterprise trust package, contact Papirfly directly or initiate the request via the demo request process: https://www.papirfly.com/demo/