// Trust & Security Report
Cactus Communications (Paperpal)
Paperpal - AI academic writing, research, citation, plagiarism/AI detection assistant (part of the CACTUS / Editage research platform)
Certifications held
7
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on paperpal.com“Paperpal's Information Security Management System (ISMS) is certified to the ISO/IEC 27001:2022 international standard”
Verify on paperpal.com“Paperpal's Artificial Intelligence Management System (AIMS) is certified to the ISO/IEC 42001:2023 international standard. This certification applies across all CACTUS brands and solutions, including Paperpal.”
Verify on paperpal.com“Paperpal is listed at Level 1 in the Cloud Security Alliance's Security, Trust, Assurance, and Risk (STAR) Registry”
Verify on paperpal.com“Automated scanners and third-party Vulnerability Assessment and Penetration Testing (VAPT) certifications ensure vulnerabilities are identified and addressed.”
Verify on trust.editage.com“Trust center lists 'SOC 2 & 3 Reports - AWS, Google Cloud, Azure' (attributed to underlying cloud infrastructure providers, not a Paperpal-issued SOC 2 report). Data-security page separately states: 'Your data resides safely in SSAE 18/SOC1-certified facilities that are trusted globally.' No evidence of a Paperpal-scoped SOC 2 Type II report on the vendor's own domain.”
Verify on trust.editage.com“Use of the Services does not involve the collection, access, use, or processing of Protected Health Information (PHI) unless a duly executed Business Associate Addendum (BAA) is in place. ... CACTUS is committed to providing a secure, compliance-ready platform ... designed to support compliance with HIPAA, where required, subject to the execution of a formal Business Associate Addendum (BAA) process.”
Verify on trust.editage.com“GDPR-compliant, we process data as per law, allowing PII removal. PECR-compliant for 3rd-party cookies and tracking. We meet global standards like PIPA/LGPD.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not stated
Data region
Multi-region cloud (AWS, Google Cloud, Azure); backups across multiple regions. No customer-selectable single-region residency documented. Legal entity is Cactus Communications Services Pte Ltd (Singapore); regional sites for China, Korea, Japan exist. Encryption: 256-bit in transit, KMS-key encryption at rest.
Paperpal repeatedly and explicitly states it does not train AI on customer content. Homepage: 'your data is never used to train AI systems' and 'We don't train AI models on your data. Ever.' Data-security page, in answer to whether they train on user data: 'Never! Our AI models are trained on independent datasets safeguarded by a strict privacy policy.' Paperpal uses a mix of best-fit third-party models plus proprietary generative AI trained on scholarly (published research) data, not user manuscripts. HIPAA/PHI processing is supported only under a signed BAA; standard service does not process PHI by default.
// Security controls
Multi-factor authentication
MFA offered when logging into devices and data repositories; access limited to authorized personnel on a need-to-know basis
trust.editage.comPenetration testing
Third-party VAPT plus automated vulnerability scanners; 'Penetration Testing Certificate' listed in accreditations
trust.editage.comBug bounty
No public HackerOne or Bugcrowd bug-bounty program found on vendor domain or via search (none disclosed)
trust.editage.comData center compliance
Data resides in SSAE 18 / SOC 1-certified facilities; underlying cloud providers (AWS, Google Cloud, Azure) hold SOC 2 & 3
paperpal.comData ownership / deletion
Users own their data and can request manuscript deletion via privacy@cactusglobal.com; vendor states data is never sold to third parties
trust.editage.com// Products & data scope
data: User-authored manuscripts and documents; grammar/paraphrase/rewrite/translation processing. Free tier (monthly limits) and Prime paid tier. Not trained on user content.
Core consumer/researcher product. Same no-training and ISO 27001/42001 posture applies.
data: Queries against 250M+ research articles; user-uploaded PDFs for reading/comparison. Citation generation in 10,000+ styles.
Uploaded PDFs processed for the user; vendor states research belongs to the user.
data: Manuscript text scanned for plagiarism, AI-content detection, reference and journal-readiness checks. Used by journals/publishers (Preflight).
B2B/publisher-facing workflow (1,500+ journals). Higher-touch institutional data handling; same encryption and access controls.
data: Manuscript editing handled by human editors plus AI; enterprise/institutional contracts. HIPAA-capable only under a signed standardized BAA (no client-drafted BAAs accepted).
Enterprise scope is broader; BAA required for any PHI, otherwise no PHI by default.
// What to watch
- SOC 2/3 on the trust center is attributed to the underlying cloud providers (AWS/GCP/Azure), not a Paperpal-scoped SOC 2 Type II report; data centers are SSAE 18/SOC 1. Do not list Paperpal as holding its own SOC 2.
- HIPAA is conditional and BAA-gated, not a default certification; standard service processes no PHI.
- Trust center is operated under the parent brand (Editage / CACTUS) at trust.editage.com and trust.paperpal.com - both render the same Editage-branded content, which may confuse users expecting a Paperpal-only page.
- No public bug-bounty program (HackerOne/Bugcrowd) disclosed.
- DPA availability not explicitly documented on public pages; likely available for enterprise but unconfirmed.
// At a glance
Pricing model
Freemium - free tier with monthly feature limits, paid Prime subscription for higher usage; enterprise/institutional licensing for universities and publishers
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Cactus Communications (Paperpal)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.paperpal.com