Security

How we keep your material secure.

Unbroadcast interviews are confidential material. Here is exactly how Paper Edit App handles yours — in plain English, with nothing asserted that we haven't built.

Your footage never leaves your machine

The Paper Edit Bridge sends only the transcript text and clip references (names, timecodes, IDs) from Premiere Pro to your project. No video or audio is ever uploaded, streamed, or stored by us — when you build, the sequence is assembled inside Premiere from the media already on your system.

Your projects are private by default

Every table in our database is protected by row-level security, enforced by the database itself — not just by application code. A project is visible to exactly two kinds of people: you, and collaborators you explicitly invite by email who accept the invitation. Invite links expire after 7 days. Live-collaboration channels (realtime editing, comments, presence) are authenticated per project with the same membership rules.

Deleting a project deletes everything

When you delete a project, its transcripts, paper edits, comments, suggestions, saved versions, and topic maps are removed with it — the relationships cascade at the database level, so nothing is left orphaned. If you'd like your whole account and its data removed, contact us and we'll do it promptly.

AI is opt-in, and runs on your own account

Nothing is sent to an AI provider unless you click an AI feature (search, Refine, topic maps). When you do, the transcript text goes directly to the provider you chose — Claude, OpenAI, or Gemini — using your own API key, under your own account and their API terms. We add no middleman, keep no copy of the exchange beyond the results shown to you, and never use your material to train anything.

Keys are stored the safe way round

AI provider keys are encrypted with AES-256-GCM before they're stored, and are never sent to your browser — the app only ever tells you whether a key is saved. Bridge keys are never stored at all: we keep only a SHA-256 hash, and the key itself is shown to you exactly once when you generate it.

Infrastructure you already trust

The app runs on Vercel with HTTPS everywhere; data lives in Supabase (PostgreSQL) and is encrypted at rest. Payments are handled entirely by Stripe — your card details never touch our servers.

Questions, or a security concern to report? Contact us — security reports are read first. See also our Privacy Policy and Terms.