// Trust & Security Report

    Paperspace, dba DigitalOcean (legal entity: DigitalOcean, LLC / DigitalOcean Holdings, Inc.) logo

    Paperspace, dba DigitalOcean (legal entity: DigitalOcean, LLC / DigitalOcean Holdings, Inc.)

    Cloud GPU / compute platform for AI/ML: Notebooks (development), Machines (training), and Deployments (model-to-API). Acquired by DigitalOcean in July 2023; by 2026 the Paperspace brand and paperspace.com have been folded into DigitalOcean's product line ('GPU Droplets' / 'Paperspace' business unit), with the site footer reading 'Paperspace dba DigitalOcean'.

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    DigitalOcean maintains a SOC 2 Type II and SOC 3 Type II certification, issued by our independent auditor, Schellman & Company.

    Verify on digitalocean.com
    SOC 3 Type II
    HELD

    DigitalOcean maintains a SOC 2 Type II and SOC 3 Type II certification, issued by our independent auditor, Schellman & Company.

    Verify on digitalocean.com
    ISO 27001
    HELD

    ISO 27001 listed as an active certification covering DigitalOcean's data center facilities (AMS2, AMS3, ATL1, BLR1, FRA1, LON1, NYC1, NYC2, NYC3, SFO1, SFO2, SFO3, SGP1, SYD1, TOR1, RIC1).

    Verify on digitalocean.com
    PCI DSS
    HELD

    DigitalOcean maintains a Zero-Footprint data policy by way of our PCI-DSS SAQ-A validation.

    Verify on digitalocean.com
    CSA STAR (Level 1)
    HELD

    DigitalOcean has achieved Cloud Security Alliance (CSA) STAR Level 1 which addresses fundamental security principles across 16 domains...

    Verify on digitalocean.com
    GDPR (posture)
    HELD

    DigitalOcean supports the GDPR and all DigitalOcean services comply with its provisions.

    Verify on digitalocean.com
    > Show 4 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    DigitalOcean's own trust page states only 'eligibility to process HIPAA... workloads' (self-attested eligibility, not a HIPAA certification -- no such thing as 'HIPAA certified' exists, but no BAA availability or attestation letter was found on the vendor domain). No paperspace.com or DigitalOcean page found offering a signed Business Associate Agreement (BAA) for the Paperspace/GPU product line specifically.

    source: digitalocean.com
    ISO/IEC 42001 (AI governance)
    NOT CONFIRMED

    No public evidence of ISO/IEC 42001 or any AI-governance-specific certification on digitalocean.com or paperspace.com.

    source: digitalocean.com
    CSA STAR AI (AI-specific)
    NOT CONFIRMED

    No public evidence of a CSA STAR AI or equivalent AI-specific trust registry entry on the vendor's own domain.

    source: digitalocean.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on digitalocean.com or paperspace.com.

    source: digitalocean.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Not specified with certainty for the Paperspace product specifically; DigitalOcean operates data centers in North America, Europe (Amsterdam, Frankfurt, London), and Asia-Pacific (Singapore, Bangalore, Sydney), per the ISO 27001 facility list. Cross-border transfer to the U.S. is explicitly contemplated in the Paperspace privacy policy.

    Paperspace is an IaaS/GPU-compute and notebook platform, not itself a hosted model that trains on customer prompts by default. Neither the Paperspace privacy policy nor DigitalOcean's DPA/GDPR pages make any statement about training AI/ML models on customer content; DigitalOcean's DPA states 'DigitalOcean does not and will not access or use Customer Content except as necessary to maintain or provide the Services, or as may be necessary to comply with the law or a binding order of a governmental body.' No explicit opt-out toggle for AI training was found because no AI-training-on-customer-data claim exists to opt out of. Marked null (not applicable / not addressed) rather than false, since customer notebook/model code and training data on the platform is not represented anywhere as being used to train DigitalOcean's or a third party's models.

    // Security controls

    Encryption in transit

    All Paperspace traffic is secured over SSL/TLS across web, desktop, and mobile; internal traffic (DB, web servers, API) is also SSL/TLS encrypted per the legacy Paperspace security page.

    paperspace.com

    Encryption at rest

    Databases secured with 256-bit AES or higher, per the legacy Paperspace security page (unverified independently; no named audit report).

    paperspace.com

    24/7 monitoring

    Paperspace states a cloud operations team monitors security 24/7/365 (legacy page, no third-party attestation referenced).

    paperspace.com

    Corporate SOC 2 / ISO 27001 program

    Parent company DigitalOcean maintains SOC 2 Type II / SOC 3 Type II (auditor: Schellman & Company), ISO 27001 across its data center fleet, PCI-DSS SAQ-A, and CSA STAR Level 1.

    digitalocean.com

    // Products & data scope

    Paperspace NotebooksAI/ML development environment (hosted Jupyter-style notebooks)

    data: User code, datasets, and model artifacts uploaded/created within the notebook workspace.

    Now offered as a DigitalOcean product; billed and administered through DigitalOcean accounts.

    Paperspace Machines / GPU DropletsGPU cloud compute (IaaS)

    data: Whatever workloads/data the customer runs on the provisioned GPU/CPU instance; DigitalOcean does not access Customer Content except as necessary to operate the service.

    Core infrastructure is now integrated into DigitalOcean's broader compute fleet (per ISO 27001 facility list).

    Paperspace DeploymentsModel serving / inference endpoints

    data: Model weights and inference request/response payloads routed through customer-deployed endpoints.

    No separate compliance documentation found specific to this sub-product; inherits DigitalOcean's platform-level certifications.

    // What to watch

    • IDENTITY / BRAND MERGER: 'Paperspace' is no longer an independent legal entity for compliance purposes. AIFOXX should list this vendor as 'Paperspace (a DigitalOcean product)' to avoid implying an independent audit trail.
    • STALE/OVER-CLAIM ON LEGACY SECURITY PAGE: paperspace.com/security still carries old copy claiming 'data centers that have been accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate, Sarbanes-Oxley (SOX)' -- this describes the accreditation of the physical colocation FACILITY (and separately name-drops AWS for 'auxiliary services'), not an independent audit of Paperspace the company. This is a textbook host-vs-vendor conflation and appears to be unmaintained pre-acquisition (circa 2016-2017 era) marketing copy; FISMA Moderate and SOX claims in particular have no current corroboration anywhere on digitalocean.com and were NOT graded held=true for that reason.
    • HIPAA claim is soft: DigitalOcean's trust page says only 'eligibility to process HIPAA... workloads,' which is short of a formal HIPAA certification or a documented BAA process for the Paperspace product line; graded held=false pending clearer evidence.
    • No AI-training-on-customer-data disclosure was found anywhere (privacy policy, DPA, or trust pages) despite Paperspace/DigitalOcean actively marketing AI/ML fine-tuning workloads -- this is a documentation gap, not a positive assurance, and should be flagged to the vendor before listing them under 'AI training: no.'
    • No ISO/IEC 42001 or CSA STAR AI (AI-governance-specific) evidence found; unsurprising for a compute/IaaS vendor but worth noting as AIFOXX increasingly compares AI-governance posture across listings.

    // At a glance

    Pricing model

    Usage-based / per-second GPU billing, on-demand, no long-term commitment required (per home page copy: 'Low-cost GPUs with per-second billing', 'No commitments').

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Paperspace, dba DigitalOcean (legal entity: DigitalOcean, LLC / DigitalOcean Holdings, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    digitalocean.com

    > Browse all vendor trust reports