Security and compliance

Already read Why should I trust you? and wondering about specifics? Read on.

Does Papertrail have a SOC2 report we can review?

Papertrail isn’t itself SOC2 compliant, but our datacenter provider is. To review their report, please contact us and we’ll work with you. Including contact information and the reason for the request (for example, a requirement of a certification process) will speed things up.

Is Papertrail PCI compliant?

Because PCI compliance is based on what’s being logged and how it’s used, there’s no one answer to this question. Papertrail log intake and storage isn’t designed or implemented specifically to meet PCI standards, but it can be a tool that makes it easier to meet the log-related portions of PCI DSS. For example, Papertrail’s archives can often be used to satisfy the log retention requirements, and since it’s a hosted service, it may also satisfy the untrusted third-party/log mutability requirements. For both general security and enhancing compliance, we always recommend obscuring identifiable information before logging so that it’s not recoverable without access to another system.

Is Papertrail HIPAA compliant?

Papertrail was designed for functionality and security, but not for compliance with a specific regulation. There’s some overlap between “security” and HIPAA’s requirements, but not complete overlap. Since Papertrail has no way to determine what data is or isn’t PII, we’d have to treat all log data differently, including adding encryption at rest, which we haven’t yet found a good solution for.

Additionally:

If HIPAA compliance is a requirement, Papertrail may not be a good fit, but we’re happy to continue the conversation in more detail if you have more questions about the possibility of logging safely from a HIPAA-covered environment. Notably, if the focus is on server behavior and performance, and data is de-identified or anonymized, HIPAA compliance may not be required and Papertrail could serve those logging needs.

Is Papertrail ISO 27001 certified?

Not specifically. We opted to spend our time and collective years of experience and knowledge making the product secure and useful, rather than doing a certain set of tasks to check off boxes to get a certification like ISO 27001.

Where is log data stored?

The entirety of Papertrail’s systems are located inside the United States. Log data will only be stored outside the United States if a customer attaches an S3 bucket from a non-US region to their Papertrail account. This bucket would be used to store copies of log archives that can be retained for a potentially indefinite amount of time by the customer. Archives are AES-256 encrypted using AWS’s built-in S3 encryption, although searchable logs are not encrypted at rest, for two reasons:

Papertrail was compliant with Safe Harbour when Safe Harbour was valid, and has been working to become compliant with the EU DPD through a successor mechanism. We may be able to work with you on this; please email us to discuss it.

Papertrail is also committed to helping customers address the new requirements of the upcoming EU General Data Protection Regulation (GDPR).

Papertrail isn’t compliant with Australia’s Privacy Act requirements for cloud providers, so if your systems need to log personal information from Australia, Papertrail is likely not the best solution. For questions on any other countries, please reach out - we’re always happy to talk about setting up logging safely.

Does Papertrail offer bug bounties?

We’re interested in actual security, so if someone reported what we felt was both:

…we’d look kindly on that and might consider sending a thank-you bonus.

Does Papertrail run security checks and scans?

We run regular security scans via a third-party service, and source code is automatically checked as it’s committed. We also subscribe to various security mailing lists for the software we use. The latter ensures we’re always aware of recently discovered vulnerabilities and can either put workarounds in place or apply patches if available.

Can Papertrail staff see our data?

Access to the datastore is restricted to a very small number of people, and there’s no way for us to “impersonate” or view customer log data via an account switcher interface or see it through the admin UI (see It’s your information). In cases where we need log data for troubleshooting purposes, we’ll either request a couple of sample lines or get your explicit permission for account access (generally by having you manually invite our support account as a member of your account, which can be removed at any time). Access to our own infrastructure is logged and we get notified when password changes take place.

When and how is stored data deleted?

On account closure, data is deleted, automatically. Archives are removed from Papertrail’s bucket after 7 days (free accounts) or 1 year (paid accounts). Searchable log data is removed when the retention period has passed. If sensitive data was inadvertently logged, it can be deleted by account members or, on request, by Papertrail staff. Ask us for help.

Other questions?

Please get in touch - discussing these issues and helping set up and configure secure logging is something we love to do. This document is meant as a starting point, not an ending point, to our conversation.