Security & Content Protection
Publica.la provides a B2B2C digital publishing SaaS platform: branded ecommerce storefronts plus a secure reading and listening experience delivered through our web reader and our native applications for iOS, Android, macOS, and Windows. The service is fully cloud-based on AWS, fronted by Cloudflare, with no on-premise component required of you or your content partners.
This page documents how we protect publisher content and platform data. It is written for publishers, content distributors, and vendor-risk teams evaluating the platform. If you need deeper detail than this page provides (architecture, reports, policies), see Requesting security documentation.
Content Protection & DRM
Content on the platform is protected with our proprietary streaming-first DRM. The original file is never delivered to a device.
| Control | What it does |
|---|---|
| Encrypted delivery | Content is transformed and encrypted with AES-256-GCM before delivery. Readers never receive the source file. |
| Signed, time-limited access | Protected content is served only through signed, expiring requests, and decrypted only within the authorized reading experience, never persisted in clear. |
| Server-side entitlements | Access is governed by server-side entitlement checks, so it can be revoked immediately. Configurable concurrent device limits apply. |
| Protected offline reading | In the native apps, offline content stays encrypted in sandboxed storage inaccessible to the user, re-checks entitlements against the server, and is deleted automatically on expiry. |
| Device-level safeguards | The apps block screenshots on iOS and Android and will not run on rooted or jailbroken devices. |
| Extraction limits | Copy, print, and extraction limits deter bulk extraction. |
Content Ingestion
Content files (EPUB, PDF, MP3 audiobooks) and ONIX metadata are delivered into a dedicated, encrypted content-ingestion environment, isolated per client. Source content is stored encrypted and is not publicly reachable. Full transfer details are shared with content partners during onboarding.
Platform & Infrastructure Security
- Encryption everywhere: Data at rest is encrypted with AES-256 across object storage, database, and backups, and protected content is additionally encrypted with AES-256-GCM. All traffic uses TLS 1.2+ in transit.
- Hardened edge: The platform sits behind enterprise-grade WAF and DDoS protection at the edge, on a segmented network with restricted administrative access.
- Least-privilege access: Access follows least privilege with mandatory MFA, and production changes ship only through CI/CD.
- Managed endpoints: Staff devices are company-owned, centrally managed endpoints with enforced full-disk encryption and remote wipe.
- Continuous scanning: Security scanning runs in CI/CD with risk-based release gates, backed by 24/7 monitoring and on-call.
- External penetration testing: We run periodic external penetration testing. Our latest web, iOS, and Android penetration test and retest report is available on request under NDA.
Compliance & Certifications
ISO/IEC 27001 certification is actively in progress. We maintain PCI DSS SAQ-A and GDPR/LGPD compliance. No cardholder data is stored on our systems: payment card processing is fully outsourced to PCI-compliant providers via hosted checkout.
Infrastructure controls are inherited from certified providers. Our infrastructure providers hold ISO 27001 and SOC 2 attestations, and current attestations are shared during vendor review.
Data Protection & Subprocessors
We hold Data Processing Agreements with our core subprocessors, all attested to ISO 27001 or SOC 2. Subprocessors handling customer or end-user data must demonstrate GDPR/CCPA compliance as a condition of engagement. The current subprocessor list and our standard customer-facing DPA are available for review on request.
For AI-specific data handling (what is sent to AI providers and the controls you have), see AI Transparency & Data Handling.
Requesting Security Documentation
If you are running a vendor security assessment, we can provide:
| Artifact | How to get it |
|---|---|
| Standard customer-facing DPA | On request |
| Information Security Policy and related policies | On request |
| Penetration test and retest report | On request, under NDA |
| Subprocessor list and provider attestations | On request, during vendor review |
| Completed security questionnaires | Send yours to your account manager |
Contact your account manager or [email protected].
Responsible Disclosure
If you believe you have found a security vulnerability in the platform, report it to [email protected]. We review every report and respond to legitimate findings.