Security & Trust

Built to be trusted with the ledger

Paprel is infrastructure teams build their financial system of record on. This page is a straight account of how we protect data, keep the ledger correct, and what our compliance posture is today — including what is in place and what is on the roadmap.

We keep this page current as our posture evolves.

What this protects

  • Your data

    Encrypted, exportable, and yours — CSV/JSON anytime, no lock-in.

  • The ledger

    Double-entry, immutable, and audit-ready by design.

  • Access

    OAuth-scoped, logged, and reviewable — for people and agents alike.

SOC 2

Type II· on roadmap

ISO 27001

Targeted· on roadmap

Auth

OAuth 2.0/2.1

Uptime

99.9% target

Regions

US · EU · APAC

Audit

7yr · CSV/JSON

Data protection

  • Data is encrypted in transit (TLS 1.2+) and at rest.
  • Credentials and signing secrets are isolated from application data.
  • Sandbox and production run as separate, isolated environments so evaluation never touches live data.

Ledger integrity

  • Postings are double-entry and balance-validated — unbalanced entries are rejected, not corrected silently.
  • Journal history is append-only: corrections are new entries, the original record is never overwritten.
  • Writes are idempotent via client-supplied keys, so retries cannot create duplicate entries.

Access control & auditability

  • Scoped API keys and token-based authentication, with role-based permissions per actor.
  • Requests can be signed and verified to confirm payload integrity.
  • Changes, approvals, and automation activity are captured in audit history for finance and review teams.

Availability & infrastructure

  • Runs on Google Cloud and Cloudflare — both independently SOC 2 and ISO 27001 certified at the infrastructure layer.
  • Cloud-native deployment with managed or self-hosted options depending on your model.
  • Regular backups of ledger data with documented recovery procedures.
  • We share environment, region, and uptime details with teams during evaluation.

Data ownership & privacy

  • Your data is yours. It is processed to provide the service, not sold or used for advertising.
  • Data can be exported in full at any time; we do not lock the ledger behind the product.
  • A Data Processing Agreement (DPA) and sub-processor list are available on request during evaluation.
Security architecture

Defense in structure, not in application code

The security model is structural: every request passes the same gates in the same order, and the properties reviewers care about — isolation, integrity, evidence — are enforced below the application layer, where a code change can't quietly remove them.

  1. Scoped entry

    OAuth 2.0 · per-route grants

    Every request enters with a tenant-scoped token. People, machine clients, and MCP agents all use the same access model — no side doors.

  2. Tenant boundary

    enforced at the data layer

    Reads and writes are scoped to the company below application code, so a missing filter in application logic cannot cross tenants.

  3. Immutable core

    append-only · balanced or rejected

    The ledger rejects unbalanced writes at the boundary and never edits history — corrections are new entries, originals stay walkable.

  4. Signed evidence

    audit history · exportable

    Changes, approvals, and automation activity land in signed audit history your finance and review teams can export as CSV/JSON.

Independent & founder-led

Trust you can verify, not take on faith

Paprel is bootstrapped and independent — no outside investors steering the roadmap, and no pressure to lock you in to hit someone else's return. That shapes how we earn trust: transparent published pricing, data you can export in full at any time, and direct access to the engineers who run the system. You're evaluating a company that intends to be here for the long term, on terms you can verify rather than take on faith.

  • Transparent, published pricing — no opaque enterprise-only quotes
  • Your data is always exportable as CSV / JSON — no lock-in
  • Talk directly to the engineers who built and operate the ledger
  • Production-proven: NewLedger, our own accounting product, runs on Paprel

Compliance posture — stated plainly

We design controls aligned with SOC 2 principles and the double-entry standards behind GAAP and IFRS reporting. We don't claim certifications we haven't earned: formal SOC 2 and ISO 27001 certifications are on our roadmap and a priority, and we'll publish them here the moment they're in place. In the meantime we share our current control posture, security overview, and a DPA directly with teams in evaluation. If a specific certification or control is a gate for you, tell us early and we'll be candid about exactly where we are.

Need it for a security review? Request our security overview.

Responsible disclosure

If you believe you have found a security issue, email us and we will respond to good-faith reports. We do not pursue researchers who report responsibly and give us reasonable time to address issues.

Security contact

security@paprel.com

Who you are dealing with

Paprel is operated by a registered legal entity with clear company and compliance contacts for diligence.

Legal entity

NEXARA GLOBAL PTE. LTD. (operating as Paprel)

Company registration

UEN: 202516221H

Registered address

68 Circular Road, #02-01 Singapore 049422

Legal & compliance

legal@paprel.com

Security review

Doing diligence on Paprel?

Bring your security and finance reviewers. We will walk through architecture, controls, and documentation in detail.