Data Security

1. How do you retain my data?

  • Paperless Parts uses end-to-end encryption to store files in Amazon’s ITAR-compliant “GovCloud” data center. Only the supplier and a small team of support personnel at Paperless Parts (all of whom are US persons) can access filed uploaded to a quote. Files cannot be downloaded via the digital quote link emailed to a customer. However, limited information about these parts is available, such as the basic dimensions presented in a 3D view of that file. 

2. Can I upload ITAR data to Paperless Parts?
  • Paperless Parts can support ITAR data after your shop has shared your DDTC registration and executed our ITAR agreement. Once your company registers as an ITAR supplier in our system, you will have the option to mark every part as "export-controlled". The 3D viewer and basic dimensional information are not shown on the Digital Quote for export-controlled parts. 

3. Is Paperless Parts NIST compliant?

  • Paperless Parts understands information security is mission-critical for American manufacturers. We have built our company with ITAR in mind from the beginning. We host our application on Amazon GovCloud and built an organizational structure to ensure all system administrators are US persons. DFARS now mandates NIST SP800-171. We are working toward full compliance with all 110 controls. We have completed an assessment and have instituted a formal System Security Plan (SSP) and Plan of Action and Milestones (PoAM). Manufacturers trust us with their data. We are a core part of their compliance programs, particularly in offering assess control, ensuring secure storage, and securing the transmission of Controlled Unclassified Information (CUI). 

4. How do I know that I am not getting scammed?

  • We strongly encourage you to reach out to us! Please don't hesitate to ask for any documents you feel are necessary for us to prove we are here to help you grow your manufacturing operations. Also, check us out online or on places like LinkedIn, Capterra, and Glassdoor

5. I don’t think that cloud-based software is for me…

  • Protecting customer information will be a constant issue in the 21st century. We empathize with this concern. The thing is, we also recognize how critical it is to meet customers where they expect to find suppliers. This presents a big challenge. We have taken extreme measures to protect our customers:
  1. Ensuring out platform is completely secure on Amazon's ITAR-compliant GovCloud,
  2. Hiring a superbly skilled team of software engineers with over 10+ years of experience in the web security sector

6. Why does a customer show up on our login? Does he have access to our database?

  • No, they do not, this is your browser's auto-fill. Here are instructions on how to remove that login from your browser: To delete specific autofill entries:

      1. Click the Chrome menu on the browser toolbar and select Settings.
      2. Click “Show advanced settings” and find the “Passwords and forms” section.
      3. Select Manage Autofill settings.
      4. In the dialog that appears, select the entry you’d like to delete from the list. Click the “x” that appears at the end of the row.
      5. The user will be removed from that auto-fill list.

7. If I upload engineering and models to our Paperless Parts part library that are ITAR controlled, but do not mark them as such (click the ITAR box), are they still located on ITAR secure servers in the USA?

  • Yes. All of the data held within Paperless Parts is hosted on Amazon (US) Government Cloud Servers regardless of whether or not said data is a part file, and if that part is marked as ITAR.

“AWS GovCloud (US) gives government customers and their partners the flexibility to architect secure cloud solutions that comply with the FedRAMP High baseline; the DOJ’s Criminal Justice Information Systems (CJIS) Security Policy; U.S. International Traffic in Arms Regulations (ITAR); Export Administration Regulations (EAR); Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2, 4 and 5; FIPS 140-2; IRS-1075; and other compliance regimes.

8. What does the ITAR box do differently? If I send a quote back to the same customer that provided the ITAR engineering, why would it matter if they could see the model or engineering in the Paperless Parts viewer?

  • First, the checkbox enables you to mark data as export-controlled. DFARS requires you to mark Controlled Unclassified Information (and NOT mark data that isn’t). When a quote contains export-controlled data, it is clearly labeled.
  • Second, when a part has been marked as export-controlled, the thumbnail, 3D model, and part dimensions (if available) are redacted from the Digital Quote. We redact this data because Digital Quotes are shared via email and do not require Paperless Parts login to view. Generally, information in email messages is not adequately protected without taking additional measures (like requiring login or encrypting attachments).

9. What if I wanted an ITAR registered supplier to look at an ITAR part model located in our Paperless Parts library? Can they see the engineering if I have it marked as ITAR data?

  • Yes, you can safely and securely share this part with an external party through Paperless Part’s External collaboration tool. When you share a part externally, you are inviting the external party to create a secure login to view the file. When you share export-controlled information on Paperless Parts, it is your responsibility to ensure the recipient is authorized to receive that data. You can choose which attached files to share and whether to allow one-click downloading of the file(s).

To learn more about how Paperless Parts tackles cloud-based threats and protects its customers, please reach out to us at

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.