Data protection
- Data is encrypted in transit (TLS 1.2+) and at rest.
- Credentials and signing secrets are isolated from application data.
- Sandbox and production run as separate, isolated environments so evaluation never touches live data.
Security & Trust
Paprel is infrastructure teams build their financial system of record on. This page is a straight account of how we protect data, keep the ledger correct, and what our compliance posture is today — including what is in place and what is on the roadmap.
We keep this page current as our posture evolves.
What this protects
Your data
Encrypted, exportable, and yours — CSV/JSON anytime, no lock-in.
The ledger
Double-entry, immutable, and audit-ready by design.
Access
OAuth-scoped, logged, and reviewable — for people and agents alike.
SOC 2
Type II· on roadmap
ISO 27001
Targeted· on roadmap
Auth
OAuth 2.0/2.1
Uptime
99.9% target
Regions
US · EU · APAC
Audit
7yr · CSV/JSON
The security model is structural: every request passes the same gates in the same order, and the properties reviewers care about — isolation, integrity, evidence — are enforced below the application layer, where a code change can't quietly remove them.
Scoped entry
OAuth 2.0 · per-route grants
Every request enters with a tenant-scoped token. People, machine clients, and MCP agents all use the same access model — no side doors.
Tenant boundary
enforced at the data layer
Reads and writes are scoped to the company below application code, so a missing filter in application logic cannot cross tenants.
Immutable core
append-only · balanced or rejected
The ledger rejects unbalanced writes at the boundary and never edits history — corrections are new entries, originals stay walkable.
Signed evidence
audit history · exportable
Changes, approvals, and automation activity land in signed audit history your finance and review teams can export as CSV/JSON.
Independent & founder-led
Paprel is bootstrapped and independent — no outside investors steering the roadmap, and no pressure to lock you in to hit someone else's return. That shapes how we earn trust: transparent published pricing, data you can export in full at any time, and direct access to the engineers who run the system. You're evaluating a company that intends to be here for the long term, on terms you can verify rather than take on faith.
Compliance posture — stated plainly
We design controls aligned with SOC 2 principles and the double-entry standards behind GAAP and IFRS reporting. We don't claim certifications we haven't earned: formal SOC 2 and ISO 27001 certifications are on our roadmap and a priority, and we'll publish them here the moment they're in place. In the meantime we share our current control posture, security overview, and a DPA directly with teams in evaluation. If a specific certification or control is a gate for you, tell us early and we'll be candid about exactly where we are.
Need it for a security review? Request our security overview.
Responsible disclosure
If you believe you have found a security issue, email us and we will respond to good-faith reports. We do not pursue researchers who report responsibly and give us reasonable time to address issues.
Security contact
security@paprel.comWho you are dealing with
Paprel is operated by a registered legal entity with clear company and compliance contacts for diligence.
Legal entity
NEXARA GLOBAL PTE. LTD. (operating as Paprel)
Company registration
UEN: 202516221H
Registered address
68 Circular Road, #02-01 Singapore 049422
Legal & compliance
legal@paprel.comSecurity review
Bring your security and finance reviewers. We will walk through architecture, controls, and documentation in detail.