Skip to main content

Security & Content Protection

Publica.la provides a B2B2C digital publishing SaaS platform: branded ecommerce storefronts plus a secure reading and listening experience delivered through our web reader and our native applications for iOS, Android, macOS, and Windows. The service is fully cloud-based on AWS, fronted by Cloudflare, with no on-premise component required of you or your content partners.

This page documents how we protect publisher content and platform data. It is written for publishers, content distributors, and vendor-risk teams evaluating the platform. If you need deeper detail than this page provides (architecture, reports, policies), see Requesting security documentation.

Content Protection & DRM

Content on the platform is protected with our proprietary streaming-first DRM. The original file is never delivered to a device.

ControlWhat it does
Encrypted deliveryContent is transformed and encrypted with AES-256-GCM before delivery. Readers never receive the source file.
Signed, time-limited accessProtected content is served only through signed, expiring requests, and decrypted only within the authorized reading experience, never persisted in clear.
Server-side entitlementsAccess is governed by server-side entitlement checks, so it can be revoked immediately. Configurable concurrent device limits apply.
Protected offline readingIn the native apps, offline content stays encrypted in sandboxed storage inaccessible to the user, re-checks entitlements against the server, and is deleted automatically on expiry.
Device-level safeguardsThe apps block screenshots on iOS and Android and will not run on rooted or jailbroken devices.
Extraction limitsCopy, print, and extraction limits deter bulk extraction.

Content Ingestion

Content files (EPUB, PDF, MP3 audiobooks) and ONIX metadata are delivered into a dedicated, encrypted content-ingestion environment, isolated per client. Source content is stored encrypted and is not publicly reachable. Full transfer details are shared with content partners during onboarding.

Platform & Infrastructure Security

  • Encryption everywhere: Data at rest is encrypted with AES-256 across object storage, database, and backups, and protected content is additionally encrypted with AES-256-GCM. All traffic uses TLS 1.2+ in transit.
  • Hardened edge: The platform sits behind enterprise-grade WAF and DDoS protection at the edge, on a segmented network with restricted administrative access.
  • Least-privilege access: Access follows least privilege with mandatory MFA, and production changes ship only through CI/CD.
  • Managed endpoints: Staff devices are company-owned, centrally managed endpoints with enforced full-disk encryption and remote wipe.
  • Continuous scanning: Security scanning runs in CI/CD with risk-based release gates, backed by 24/7 monitoring and on-call.
  • External penetration testing: We run periodic external penetration testing. Our latest web, iOS, and Android penetration test and retest report is available on request under NDA.

Compliance & Certifications

ISO/IEC 27001 certification is actively in progress. We maintain PCI DSS SAQ-A and GDPR/LGPD compliance. No cardholder data is stored on our systems: payment card processing is fully outsourced to PCI-compliant providers via hosted checkout.

Infrastructure controls are inherited from certified providers. Our infrastructure providers hold ISO 27001 and SOC 2 attestations, and current attestations are shared during vendor review.

Data Protection & Subprocessors

We hold Data Processing Agreements with our core subprocessors, all attested to ISO 27001 or SOC 2. Subprocessors handling customer or end-user data must demonstrate GDPR/CCPA compliance as a condition of engagement. The current subprocessor list and our standard customer-facing DPA are available for review on request.

For AI-specific data handling (what is sent to AI providers and the controls you have), see AI Transparency & Data Handling.

Requesting Security Documentation

If you are running a vendor security assessment, we can provide:

ArtifactHow to get it
Standard customer-facing DPAOn request
Information Security Policy and related policiesOn request
Penetration test and retest reportOn request, under NDA
Subprocessor list and provider attestationsOn request, during vendor review
Completed security questionnairesSend yours to your account manager

Contact your account manager or [email protected].

Responsible Disclosure

If you believe you have found a security vulnerability in the platform, report it to [email protected]. We review every report and respond to legitimate findings.

X

Graph View