Security and compliance

Already read Why should I trust you? and wondering about specifics? Read on.

Does Papertrail have a SOC2 report we can review?

Papertrail isn’t itself SOC2 compliant, but our datacenter provider is. To review their report, please contact us and we’ll work with you. Including contact information and the reason for the request (for example, a requirement of a certification process) will speed things up.

Is Papertrail PCI compliant?

Because PCI compliance is based on what’s being logged and how it’s used, there’s no one answer to this question. Papertrail log intake and storage isn’t designed or implemented specifically to meet PCI standards, but it can be a tool that makes it easier to meet the log-related portions of PCI DSS. For example, Papertrail’s archives can often be used to satisfy the log retention requirements, and since it’s a hosted service, it may also satisfy the untrusted third-party/log mutability requirements. For both general security and enhancing compliance, we always recommend obscuring identifiable information before logging so that it’s not recoverable without access to another system.
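One way to apply that last recommendation in application code, as an added example that is not Papertrail's own code: a logging filter that replaces e-mail addresses and phone numbers with keyed HMAC pseudonyms before the record reaches any handler or log shipper. The key name, regexes and sample log line are assumptions; the key is meant to live in a separate secrets store, so the logs alone cannot be reversed, while the same identifier still maps to the same token for correlation during search.

```python
"""Pseudonymize identifiers before they enter the log pipeline.

Constructed example: the HMAC key is held in a separate system, so the
log data alone cannot be linked back to a person.
"""
import hashlib
import hmac
import logging
import re

# Assumption: in production this is loaded from a secrets manager, never
# stored on the log host. Constructed placeholder value for the demo.
PSEUDONYM_KEY = b"replace-with-key-from-secret-store"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Simple NNN-NNN-NNNN phone pattern; extend for the data you actually log.
PHONE_RE = re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic token: same input -> same token, so events
    for one user can still be grouped, but the token is not reversible
    without the key (input is lower-cased so case variants collide)."""
    digest = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return "pii:" + digest[:16]


def scrub(message: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace every e-mail address and phone number with a pseudonym."""
    message = EMAIL_RE.sub(lambda m: pseudonym(m.group(0), key), message)
    return PHONE_RE.sub(lambda m: pseudonym(m.group(0), key), message)


class PiiScrubFilter(logging.Filter):
    """Rewrites each record before the handler (and the shipper) sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())  # format args, then scrub
        record.args = ()                          # args already applied
        return True


if __name__ == "__main__":
    log = logging.getLogger("app")
    handler = logging.StreamHandler()
    handler.addFilter(PiiScrubFilter())
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample event with two identifiers in it.
    log.info("login failed for %s from 555-123-4567", "alice@example.com")
```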

Is Papertrail HIPAA compliant?

Papertrail was designed for functionality and security, but not for compliance with a specific regulation. There’s some overlap between “security” and HIPAA’s requirements, but not complete overlap. Since Papertrail has no way to determine what data is or isn’t PII, we’d have to treat all log data differently, including adding encryption at rest, which we haven’t yet found a good solution for.

Additionally:

  • HIPAA puts a huge amount of responsibility on the provider.
  • There’s no way to craft a custom BAA that mitigates that. Normally we’d try to come up with something that thoughtfully explains each party’s responsibilities, but HIPAA makes that impossible. One party or the other is responsible and the wording of the BAA doesn’t matter much.
  • Because it’s not feasible for us to take complete legal responsibility for your PII, it’s also not feasible to sign a BAA.

If HIPAA compliance is a requirement, Papertrail may not be a good fit, but we’re happy to continue the conversation in more detail if you have more questions about the possibility of logging safely from a HIPAA-covered environment. Notably, if the focus is on server behavior and performance, and data is de-identified or anonymized, HIPAA compliance may not be required and Papertrail could serve those logging needs.

Is Papertrail ISO 27001 certified?

Not specifically. We opted to spend our time and collective years of experience and knowledge making the product secure and useful, rather than doing a certain set of tasks to check off boxes to get a certification like ISO 27001.

Where is log data stored?

All of Papertrail’s systems are located inside the United States. Log data will only be stored outside the United States if a customer attaches an S3 bucket from a non-US region to their Papertrail account. This bucket would be used to store copies of log archives that can be retained for a potentially indefinite amount of time by the customer.

Are logs encrypted?

Archives are AES-256 encrypted using AWS’s built-in S3 encryption. Searchable logs are not encrypted at rest for two reasons:

  1. We haven’t found a solution that adds real value - that is, all of the solutions we’ve seen involve the key being nearly as accessible as the data is. It wouldn’t be solving the real problem, in that someone who rooted our infrastructure would be able to get the key.
  2. It would impair realtime search, though we’d try to work through that if there was a good solution.

Privacy Shield

Papertrail is a wholly-owned entity of SolarWinds, which is Privacy Shield certified. More information can be found here.

General Data Protection Regulation (GDPR)

Papertrail is committed to helping customers address the new requirements of the upcoming EU General Data Protection Regulation (GDPR). For the most current information regarding Papertrail’s GDPR compliance and position, refer to the SolarWinds Privacy Policy. While GDPR readiness is still being finalized, we can sign a Data Processing Agreement (DPA) and have more information about it in the next section.

Data Protection Directive (DPD)

We are able to sign a Data Processing Agreement (DPA) for compliance with the European Union’s Data Protection Directive (EU DPD, sometimes called “model clauses”). We’ve aimed to make this as self-service as possible and have provided a pre-signed DPA for download here. If it meets your company’s needs, please fill in the five places that require input: pages 2 and 3 (“Attachment 1 to the Addendum”), page 9 (below Clause 12), page 11 (“Appendix 1”), and page 12 (“Appendix 2”). Send the completed form as a PDF to eu-dpa@solarwinds.cloud.

Australia’s Privacy Act

Papertrail isn’t compliant with Australia’s Privacy Act requirements for cloud providers, so if your systems need to log personal information from Australia, Papertrail is likely not the best solution. For questions on any other countries, please reach out - we’re always happy to talk about setting up logging safely.

Does Papertrail offer bug bounties?

We’re interested in actual security, so if someone reported what we felt was both:

  • A serious vulnerability (and not just a low/zero-risk XSS), and
  • Discovered during routine use of the service as an actual user – not via a pen test, which would have been unauthorized

…we’d look kindly on that and might consider sending a thank-you bonus.

Does Papertrail run security checks and scans?

We run regular security scans via a third-party service, and source code is automatically checked as it’s committed. We also subscribe to various security mailing lists for the software we use. The latter ensures we’re always aware of recently discovered vulnerabilities and can either put workarounds in place or apply patches if available.

Can Papertrail staff see our data?

Access to the datastore is restricted to a very small number of people, and there’s no way for us to “impersonate” or view customer log data via an account switcher interface or see it through the admin UI (see It’s your information). In cases where we need log data for troubleshooting purposes, we’ll either request a couple of sample lines or get your explicit permission for account access (generally by having you manually invite our support account as a member of your account, which can be removed at any time). Access to our own infrastructure is logged and we get notified when password changes take place.

When and how is stored data deleted?

On account closure, data is deleted automatically. Archives are removed from Papertrail’s bucket after 7 days (free accounts) or 1 year (paid accounts). Searchable log data is removed when the retention period has passed. If sensitive data was inadvertently logged, it can be deleted by account members or, on request, by Papertrail staff. Ask us for help.

Other questions?

Please get in touch - discussing these issues and helping set up and configure secure logging is something we love to do. This document is meant as a starting point, not an ending point, to our conversation.