Vitals
- Version: @papra/app@26.4.0 (Released 2026-04-02)
- Velocity: Active (Last commit 2026-04-28)
- Community: 4.4k Stars · 211 Forks
- Backlog: 129 Open Issues
Profile
- Official: papra.app
- Source: github.com/papra-hq/papra
- License: AGPL-3.0
- Deployment: Docker
- Data Model: SQLite (libSQL)
- Jurisdiction: France / EU (Sole Developer)
- Compliance (SaaS): N/A (Undisclosed)
- Compliance (Self-Hosted): GDPR Ready
- Complexity: Low (1/5) - Single lightweight Docker container, minimal configuration
- Maintenance: Low (1/5) - SQLite-backed, no external database to manage
- Enterprise Ready: Low (2/5) - Native encryption and multi-user support; no SSO or enterprise identity features
1. The Executive Summary
What is it? Papra is a minimalist, open-source document management and archiving platform built for simplicity and privacy. Where tools like Paperless-ngx optimise for power and automation, Papra optimises for ease of deployment and native document encryption: its AES-256-GCM encryption is built into the core architecture, not an afterthought. It is maintained by a sole developer based in France, with no VC backing and no enterprise upsell: the full feature set is available to any self-hoster with no license required.
The Strategic Verdict:
- For Teams Needing Advanced Automation: Caution. Papra does not offer automated email consumption, advanced ML classification pipelines, or complex multi-user permission trees. For those workflows, Paperless-ngx is the stronger fit.
- For Privacy-First Teams Wanting Encrypted Document Storage: Strong Buy. Native AES-256-GCM encryption, EU jurisdiction, no CLOUD Act exposure, and a <200MB Docker footprint make Papra the lowest-friction path to a sovereign, encrypted document archive.
2. The "Hidden" Costs (TCO Analysis)
| Cost Component | Evernote (SaaS) | Papra (Self-Hosted) |
|---|---|---|
| Subscription | ~$15/mo floor | $0 (AGPL-3.0) |
| Storage Limits | Tiered GB caps | Unlimited (Disk limit only) |
| Encryption at Rest | Vendor-managed | Native AES-256-GCM (User-managed KEK) |
| Data Sovereignty | Evernote Cloud | 100% Self-Owned |
3. The "Day 2" Reality Check
Deployment & Operations
- Installation: Papra ships as a single Docker container under 200MB, backed by SQLite via libSQL, with no external PostgreSQL or S3 dependencies required. Most teams are operational within minutes on a modest VPS.
- Data Exit: There is no one-click UI export button. Self-hosters have direct access to the underlying SQLite database and filesystem, and an API is available, but data migration requires manual intervention rather than a guided export flow.
Security & Governance (Risk Assessment)
- Jurisdiction & Geopolitics (France / EU): The project is operated by a sole developer in France, placing all commercial and data operations under EU/GDPR jurisdiction. No US entity, no US CLOUD Act exposure. For teams replacing Evernote (US, Bending Spoons) or Google Drive (US, Alphabet), this is a meaningful sovereignty upgrade: document data stays within EU jurisdiction when self-hosted.
- The Compliance Shift (Key Encryption Key Management): Papra implements AES-256-GCM document encryption natively, which is a meaningful architectural advantage over clear-text alternatives. The compliance responsibility that shifts to the operator is KEK (Key Encryption Key) management: securing, rotating, and backing up the encryption keys is entirely the operator's burden. Losing the KEK means permanent loss of access to all encrypted documents. Infrastructure security, network policies, and backup procedures remain the operator's responsibility.
- License Risk (AGPL-3.0, Network Copyleft): AGPL-3.0 is clean for internal self-hosted deployment. The network copyleft clause activates only if you modify the source code and offer the modified version as a service over a network, at which point you must release those modifications under AGPL-3.0. Internal enterprise use carries no license risk. There is no enterprise tax, no proprietary tier, and no paywalled features for self-hosters.
4. Market Landscape
Proprietary Incumbents
- Evernote: The established personal knowledge and document organiser; teams evaluate Papra to eliminate subscription fees and remove document data from Evernote's US-jurisdiction cloud.
- Google Drive: The dominant cloud file storage platform; organisations evaluate Papra when they need a structured, searchable document archive with native encryption rather than a generic file store subject to Google's US CLOUD Act exposure.
Open Source Ecosystem
- Paperless-ngx: The feature-rich alternative for teams needing advanced OCR pipelines, ML classification, and email consumption, at the cost of more infrastructure complexity and no built-in encryption at rest.
- DocuSeal: Often paired with Papra to provide the document signing and workflow layer for documents that require formal sign-off before archiving.