
Legal
Enterprise Security Kit
PaperJSX security, privacy, deployment, offline licensing, auditability, and compliance answers for enterprise review.
Executive summary
PaperJSX is local-first document-generation software. Enterprise customers can run the SDK in their own developer, CI/CD, production, embedded, or air-gapped environments without sending source documents or generated files to PaperJSX. Long-lived Enterprise entitlement certificates are signed with Ed25519 and can be verified entirely offline against a published public key. Hosted organization actions use an append-only, organization-scoped audit trail.
This kit consolidates the Security Overview, Privacy Policy, Data Processing Addendum, and Subprocessors list. Executed Order Forms and DPAs control where they differ from this public summary.
Product and deployment boundary
Available now
- Local and self-hosted SDK execution: customer inputs and outputs stay in the customer-controlled runtime unless the customer deliberately sends them to a hosted feature, support channel, or integration.
- Offline Enterprise licensing: an Ed25519-signed certificate carries the organization, Enterprise tier, allowed formats and features, seat and deployment scope, issue time, and expiry. Verification requires no PaperJSX network request.
- Hosted control plane: account, billing, license issuance, hosted rendering, approval, and brand-pack features use the PaperJSX subprocessors and safeguards described in the linked legal documents.
- Organization audit trail: successful API-key issue and revoke operations, brand-pack creation, and render-job approval transitions are appended with actor, action, target, timestamp, and non-secret metadata. Reads are organization-scoped.
Deployment follow-ups
A dedicated customer VPC or private-worker topology is not part of this code delivery. It requires cloud and region selection, tenant isolation and network-boundary design, private connectivity, secrets and key management, observability, patching, backup and recovery, deployment automation, and an agreed shared-responsibility model. Until that infrastructure is contracted and delivered, "self-hosted" means the SDK runs inside the customer's own runtime; it does not claim that PaperJSX operates a customer-dedicated VPC.
SSO/SAML and SCIM are also follow-ups. They require an identity-provider integration, metadata and certificate rotation, domain and tenant discovery, role/group mapping, just-in-time or pre-provisioned access rules, SCIM user/group lifecycle behavior, recovery access, and audit coverage.
Offline signed license model
The Enterprise token is:
pjsx_offline_v1_<base64url(UTF-8 JSON entitlement)>.<base64url(Ed25519 signature)>
The signature covers the ASCII bytes of pjsx_offline_v1_<payload>, binding the prefix, schema version, and payload. The JSON entitlement contains version, licenseId, issuer, organization, tier, formats, features, scope.seats, scope.deployments, issuedAt, and expiresAt. Times are Unix epoch seconds. The verifier rejects malformed payloads, invalid signatures, wrong public keys, and certificates at or beyond expiry.
The public verification key is published at /.well-known/paperjsx-license-public-key.pem and in the source repository at keys/public-v2.pem. Enterprise operators should pin an approved copy in their artifact or secret-management process before moving it into an air-gapped environment. Private signing keys remain server-side and are not distributed in SDKs or certificates.
Fully offline certificates cannot receive immediate online revocation updates. Compromise response therefore uses a replacement certificate, signing-key/version rotation when necessary, expiry, and distribution of updated SDK deny-list material where applicable. Customers should protect the certificate as an entitlement credential even though it does not contain the signing secret.
Organization audit log
The audit_events store is append-only: application roles cannot update or delete rows, and a database trigger rejects mutation. Each row includes the organization, actor type and identifier, action, target type and identifier, metadata, and occurrence time. Row-level security restricts authenticated reads to the current organization; server-side read access also applies an explicit organization filter. Raw API keys, license private keys, and document content must not be placed in audit metadata.
Security-questionnaire summary
| Question | PaperJSX answer |
|---|---|
| Can the product run without internet access? | Yes for Enterprise local/self-hosted SDK execution using an offline signed entitlement certificate. Hosted features still require connectivity. |
| Does local SDK execution send source documents or generated files to PaperJSX? | No, unless the customer deliberately uses a hosted feature, support channel, or integration that transmits them. |
| How are offline entitlements protected? | Ed25519 digital signatures. Customer runtimes receive only the public verification key; private signing material stays server-side. |
| Are security-relevant organization actions logged? | Yes. The current minimum trail covers API-key issue/revoke, brand-pack creation, and render-job approval transitions, with organization scoping and append-only controls. |
| Is data encrypted in transit? | Hosted PaperJSX systems use TLS for data in transit. |
| Is data encrypted at rest? | Hosting and storage providers supply encryption at rest where supported, as described in the Security Overview and DPA. |
| Does PaperJSX sell personal data? | No. See the Privacy Policy for the complete statement and jurisdiction-specific disclosures. |
| Is a DPA available? | Yes, at paperjsx.com/legal/dpa, subject to the agreement process described there. |
| Where are subprocessors listed? | The current list and change-notice terms are at paperjsx.com/legal/subprocessors. |
| Does PaperJSX hold SOC 2 certification? | No. SOC 2 is IN PROGRESS/planned; the independent audit and resulting report have not been completed or obtained. |
| Does PaperJSX claim ISO 27001, HIPAA, FedRAMP, or PCI DSS service-provider certification? | No, unless a future trust page or signed Order Form explicitly says otherwise. Paddle handles payment-card processing as merchant of record. |
| Are SSO/SAML and SCIM available? | Not in this delivery. Identity-provider integration and lifecycle provisioning are explicit follow-ups. |
| Is a PaperJSX-operated customer VPC/private worker available? | Not in this delivery. Customer-controlled SDK deployment is available; dedicated VPC/private-worker infrastructure is a follow-up. |
Compliance status and evidence
PaperJSX does not represent that it has completed a SOC 2 audit. The SOC 2 program is IN PROGRESS/planned and requires external readiness work, control operation and evidence collection over the audit period, an independent auditor, remediation of findings, and issuance of the report. Public legal pages, architecture and data-flow answers, offline-license verification behavior, and organization audit events are available evidence inputs; they are not a substitute for an auditor's report.
Reasonable enterprise security and privacy questionnaires may be sent to security@paperjsx.com and privacy@paperjsx.com. Commercial and deployment reviews may be sent to sales@paperjsx.com.
