// Trust & Security Report

    Cactus Communications (Paperpal) logo

    Cactus Communications (Paperpal)

    Paperpal - AI academic writing, research, citation, plagiarism/AI detection assistant (part of the CACTUS / Editage research platform)

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 27001:2022
    HELD

    Paperpal's Information Security Management System (ISMS) is certified to the ISO/IEC 27001:2022 international standard

    Verify on paperpal.com
    ISO/IEC 42001:2023 (AI Management System)
    HELD

    Paperpal's Artificial Intelligence Management System (AIMS) is certified to the ISO/IEC 42001:2023 international standard. This certification applies across all CACTUS brands and solutions, including Paperpal.

    Verify on paperpal.com
    CSA STAR Level 1
    HELD

    Paperpal is listed at Level 1 in the Cloud Security Alliance's Security, Trust, Assurance, and Risk (STAR) Registry

    Verify on paperpal.com
    Penetration Testing (VAPT)
    HELD

    Automated scanners and third-party Vulnerability Assessment and Penetration Testing (VAPT) certifications ensure vulnerabilities are identified and addressed.

    Verify on paperpal.com
    SOC 2 / SOC 3 (Paperpal entity)
    HELD

    Trust center lists 'SOC 2 & 3 Reports - AWS, Google Cloud, Azure' (attributed to underlying cloud infrastructure providers, not a Paperpal-issued SOC 2 report). Data-security page separately states: 'Your data resides safely in SSAE 18/SOC1-certified facilities that are trusted globally.' No evidence of a Paperpal-scoped SOC 2 Type II report on the vendor's own domain.

    Verify on trust.editage.com
    HIPAA (conditional, BAA-gated)
    HELD

    Use of the Services does not involve the collection, access, use, or processing of Protected Health Information (PHI) unless a duly executed Business Associate Addendum (BAA) is in place. ... CACTUS is committed to providing a secure, compliance-ready platform ... designed to support compliance with HIPAA, where required, subject to the execution of a formal Business Associate Addendum (BAA) process.

    Verify on trust.editage.com
    GDPR (regulatory posture, not a certification)
    HELD

    GDPR-compliant, we process data as per law, allowing PII removal. PECR-compliant for 3rd-party cookies and tracking. We meet global standards like PIPA/LGPD.

    Verify on trust.editage.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not stated

    Data region

    Multi-region cloud (AWS, Google Cloud, Azure); backups across multiple regions. No customer-selectable single-region residency documented. Legal entity is Cactus Communications Services Pte Ltd (Singapore); regional sites for China, Korea, Japan exist. Encryption: 256-bit in transit, KMS-key encryption at rest.

    Paperpal repeatedly and explicitly states it does not train AI on customer content. Homepage: 'your data is never used to train AI systems' and 'We don't train AI models on your data. Ever.' Data-security page, in answer to whether they train on user data: 'Never! Our AI models are trained on independent datasets safeguarded by a strict privacy policy.' Paperpal uses a mix of best-fit third-party models plus proprietary generative AI trained on scholarly (published research) data, not user manuscripts. HIPAA/PHI processing is supported only under a signed BAA; standard service does not process PHI by default.

    // Security controls

    Encryption in transit

    256-bit encryption in transit

    paperpal.com

    Encryption at rest

    Encrypted at rest, secured with KMS keys

    paperpal.com

    Multi-factor authentication

    MFA offered when logging into devices and data repositories; access limited to authorized personnel on a need-to-know basis

    trust.editage.com

    Penetration testing

    Third-party VAPT plus automated vulnerability scanners; 'Penetration Testing Certificate' listed in accreditations

    trust.editage.com

    Bug bounty

    No public HackerOne or Bugcrowd bug-bounty program found on vendor domain or via search (none disclosed)

    trust.editage.com

    Data center compliance

    Data resides in SSAE 18 / SOC 1-certified facilities; underlying cloud providers (AWS, Google Cloud, Azure) hold SOC 2 & 3

    paperpal.com

    Data ownership / deletion

    Users own their data and can request manuscript deletion via privacy@cactusglobal.com; vendor states data is never sold to third parties

    trust.editage.com

    // Products & data scope

    Paperpal (Web + MS Word / Google Docs / Chrome / Overleaf plugins)AI academic writing & editing assistant

    data: User-authored manuscripts and documents; grammar/paraphrase/rewrite/translation processing. Free tier (monthly limits) and Prime paid tier. Not trained on user content.

    Core consumer/researcher product. Same no-training and ISO 27001/42001 posture applies.

    Paperpal Research & Cite / Chat PDFResearch discovery + citation

    data: Queries against 250M+ research articles; user-uploaded PDFs for reading/comparison. Citation generation in 10,000+ styles.

    Uploaded PDFs processed for the user; vendor states research belongs to the user.

    Paperpal Plagiarism Checker / AI Detector / Preflight (publisher submission checks)Integrity & submission-readiness checks

    data: Manuscript text scanned for plagiarism, AI-content detection, reference and journal-readiness checks. Used by journals/publishers (Preflight).

    B2B/publisher-facing workflow (1,500+ journals). Higher-touch institutional data handling; same encryption and access controls.

    Editage / CACTUS expert services & enterprise (For Universities / Publishers)Human + AI editing and institutional licensing

    data: Manuscript editing handled by human editors plus AI; enterprise/institutional contracts. HIPAA-capable only under a signed standardized BAA (no client-drafted BAAs accepted).

    Enterprise scope is broader; BAA required for any PHI, otherwise no PHI by default.

    // What to watch

    • SOC 2/3 on the trust center is attributed to the underlying cloud providers (AWS/GCP/Azure), not a Paperpal-scoped SOC 2 Type II report; data centers are SSAE 18/SOC 1. Do not list Paperpal as holding its own SOC 2.
    • HIPAA is conditional and BAA-gated, not a default certification; standard service processes no PHI.
    • Trust center is operated under the parent brand (Editage / CACTUS) at trust.editage.com and trust.paperpal.com - both render the same Editage-branded content, which may confuse users expecting a Paperpal-only page.
    • No public bug-bounty program (HackerOne/Bugcrowd) disclosed.
    • DPA availability not explicitly documented on public pages; likely available for enterprise but unconfirmed.

    // At a glance

    Pricing model

    Freemium - free tier with monthly feature limits, paid Prime subscription for higher usage; enterprise/institutional licensing for universities and publishers

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Cactus Communications (Paperpal)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.paperpal.com

    > Browse all vendor trust reports