
Legal
Security Overview
Security boundaries and safeguards for PaperJSX.
Summary
PaperJSX is designed around a local-first package model. Your source code, document definitions, and generated outputs stay in your environment unless you send them to a hosted PaperJSX feature, license service, support channel, or integration. Commercial licensing is designed to avoid embedding signing secrets in customer-side code; license certificates may be verified locally using public-key cryptography.
1. Security boundary
PaperJSX packages may run on your developer machine, build server, CI/CD system, or production environment. You control those environments. We do not receive your source code, generated documents, document contents, or build artifacts from local or CI package execution unless you transmit them to us.
Hosted PaperJSX features, account portals, license services, support channels, and enterprise services are PaperJSX-controlled systems and are covered by the Privacy Policy, DPA, and Subprocessors page.
2. License security
Commercial PaperJSX access may use license keys, private package tokens, or signed license certificates. The intended security model is:
- license certificates are signed by PaperJSX-controlled signing keys;
- customer-side verification uses public-key verification, not embedded signing secrets;
- private signing material is not distributed to customers;
- license status, revocation, or entitlement updates may be checked online where required;
- leaked or abused license keys may be revoked or rotated.
Customers are responsible for protecting license keys, package tokens, CI secrets, and deployment secrets. Do not commit them to public repositories or expose them in client-side code where unauthorized parties can reuse them.
3. Package and dependency security
PaperJSX may be distributed through npm, GitHub, private package access, or other registries. Customers should:
- pin versions or use lockfiles for reproducible builds;
- review dependency changes before upgrades;
- restrict package tokens and CI secrets to the minimum required scope;
- use trusted registries and verify package names to avoid typosquatting;
- monitor their own dependency and supply-chain risk.
Where feasible, we will document material package changes, security fixes, and migration guidance for Commercial Components.
4. Hosted systems safeguards
For PaperJSX hosted systems, we maintain safeguards designed to protect account, license, support, and hosted Customer Content data, including:
- TLS for data in transit;
- encryption at rest through hosting and storage providers where supported;
- role-based access controls;
- least-privilege administrative access;
- multi-factor authentication for administrative systems where supported;
- logging and monitoring of security-relevant events;
- Cloudflare or equivalent network protection where enabled;
- Sentry or equivalent error monitoring where enabled;
- vulnerability and dependency monitoring;
- incident response procedures;
- subprocessor contractual controls.
5. Customer responsibilities
You are responsible for:
- securing your repositories, package tokens, license keys, CI/CD systems, deployment environments, and generated outputs;
- deciding what source materials and personal data to process with PaperJSX;
- avoiding secrets and regulated data in support attachments unless necessary and authorized;
- reviewing generated outputs before use;
- managing access for employees, contractors, and collaborators;
- complying with applicable security, privacy, and export-control obligations.
6. Hosted feature data
If you use hosted rendering, cloud compilation, playgrounds, template hosting, or enterprise services, data you submit may be processed in PaperJSX systems and by subprocessors listed on the Subprocessors page. The product UI, Order Form, or documentation should identify retention and export behavior for each hosted feature.
7. Incident response
If we become aware of a security incident affecting your account, license, hosted Customer Content, or Customer Personal Data, we will investigate, contain, remediate, and notify affected customers as required by law and the DPA.
8. Vulnerability reporting
Send vulnerability reports to security@paperjsx.com. Include:
- affected URL, package, API, or system;
- reproduction steps;
- potential impact;
- whether any data was accessed;
- your contact information.
Do not access other customers’ data, degrade the Service, run destructive tests, or disclose vulnerabilities publicly before we have had a reasonable opportunity to remediate.
9. Compliance status
Unless a current trust page or signed Order Form says otherwise, PaperJSX does not claim SOC 2, ISO 27001, HIPAA, PCI DSS service-provider, FedRAMP, or similar certification. Paddle handles payment-card processing as merchant of record.
10. Contact
Security: security@paperjsx.com
Privacy: privacy@paperjsx.com
