Security

Built to pass your compliance review.

You handle nonpublic client information. So do we — which is why security isn't a feature of PapyrusVault. It's the architecture. This page is written for the person at your firm who has to say yes: the partner, the compliance officer, the IT reviewer.

Technical safeguards

Encrypted everywhere. Isolated always.

Encryption in transit

Every connection between your office and PapyrusVault runs over TLS. Documents never travel the internet unencrypted — not during upload, not during viewing, not ever.

Encryption at rest

Every stored document is encrypted with AWS Key Management Service (KMS). The underlying infrastructure — Amazon Web Services — is independently certified under SOC 2 and ISO 27001, the same infrastructure trusted by banks and federal agencies. All data remains in U.S. regions.

Complete customer isolation

Your firm's data lives in its own isolated partition — separate storage, separate database records. No other customer's staff can reach it, and neither can a programming mistake: isolation is enforced at the system level on every single request, not left to convention.

Controlled document access

Documents are viewed through secure links that expire within minutes. There are no permanent URLs to forward, bookmark, or leak. Access requires an authenticated session, every time.

Access control

Every person, verified. Every action, recorded.

  • Multi-factor authentication. A password alone is never enough. Every account requires a second verification step at login.
  • Role-based permissions. Administrators, staff, and view-only roles ensure each employee sees exactly what their job requires — nothing more.
  • Automatic session timeout. A workstation left unattended locks itself out of PapyrusVault after 30 minutes.
  • Instant offboarding. When an employee leaves, one click revokes their access completely.

Access control answers the question "who can get in?" The audit log answers the harder one: "who actually did what?"

Every login, search, document view, upload, and download is recorded with the user, timestamp, and IP address — including access by our own personnel. The log is write-once: no one, including us, can alter or delete an entry. If a question ever arises about who touched a record, the answer exists, permanently.

A live view of who touched what, when — available to your administrators at all times. Note the last line: our own support access is logged in the same immutable record as everyone else's.

Physical safeguards

Security starts before the scanner.

A document management provider that only thinks about servers has missed half the job. During your initial archive conversion, your paper originals are protected by a documented chain of custody:

Regulatory alignment

Designed for the rules you answer to.

Virginia insurance licensees are required by law to exercise due diligence over third-party service providers that hold nonpublic information. We built PapyrusVault so that your due-diligence review has clear answers, not vague assurances.

Virginia Insurance Data Security Act (Code of Virginia §38.2-621 et seq., effective July 1, 2020). As your third-party service provider, we implement the administrative, technical, and physical safeguards the Act requires licensees to demand — encryption of nonpublic information in transit and at rest, access controls, monitoring, and incident response procedures — following recognized frameworks such as NIST SP 800-53.

Accountability in writing. Our service agreement states it plainly: unauthorized access to your records by our personnel is a contractual breach carrying legal liability. Combined with the immutable audit log, this means our accountability isn't a promise — it's evidence plus contract.

Law firms. While attorneys answer to confidentiality rules rather than insurance statutes, the duty is no lighter. The same safeguards — encryption, isolation, logged access, and contractual accountability — are how we help you meet your obligation to protect client confidences held by a vendor.

Reviewing us for your firm? We'll gladly walk your compliance reviewer or IT consultant through the architecture and answer security questionnaires directly. Contact us to schedule a technical review.

Bring us your toughest question.

Security reviews are where we're strongest. Put your compliance officer on the demo call.

Request a Demo