Last updated: April 21, 2026

Certifications & compliance

  • SOC 2 Type II — audit report available under NDA for Growth and Enterprise customers.
  • GDPR & UK GDPR — DPA available; we act as a processor for customer data.
  • CCPA/CPRA — all consumer rights can be exercised self-serve in the app; access requests are honored within 30 days.
  • HIPAA — not offered today. Do not submit protected health information (PHI) to Publick.

Encryption

All data in transit uses TLS 1.2 or newer. Data at rest is encrypted with AES-256. Secrets and OAuth tokens are envelope-encrypted under per-customer keys held in a managed KMS, and those keys are rotated on a regular schedule.
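What "per-customer envelope keys" with rotation means in practice, shown as an added illustration rather than Publick's code or a description of its KMS internals: a toy in-memory KMS in Go using AES-256-GCM from the standard library. Each customer has a list of versioned key-encryption keys (KEKs); each stored secret gets its own data-encryption key (DEK) that is wrapped under the customer's newest KEK. The customer names, secret IDs and the sample token are constructed for the example. The detail worth checking is in Rewrap: rotating a customer's KEK re-encrypts only the 32-byte wrapped DEK, never the stored ciphertext, and the old version stays available until every envelope has moved.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMS is a constructed toy, not Publick's code: per customer, versioned 32-byte
// key-encryption keys (KEKs, index = version-1); each secret gets its own DEK.
type KMS map[string][][]byte
type Envelope struct {
	Customer, SecretID string
	KEKVersion         int    // 1-based KEK version that wraps the DEK
	WrappedDEK         []byte // nonce || AES-256-GCM(KEK, DEK, aad)
	Ciphertext         []byte // nonce || AES-256-GCM(DEK, plaintext, aad)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable CSPRNG: stop rather than continue with a weak key
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes, so this is a bug, not bad input
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES (128-bit block size)
	return g
}

// label is the AAD: it binds a blob to its customer and secret ID, so a blob copied onto another record fails to open.
func label(customer, secretID string) []byte { return []byte(customer + "/" + secretID) }

// seal returns nonce||ciphertext under AES-256-GCM with a fresh random 96-bit nonce.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to blob or aad is rejected.
func open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// RotateKEK adds a fresh KEK version; older versions stay so existing envelopes remain readable.
func (k KMS) RotateKEK(customer string) int {
	k[customer] = append(k[customer], randomBytes(32))
	return len(k[customer])
}

// Encrypt draws a per-secret DEK, encrypts under it, and wraps the DEK under the newest KEK.
func (k KMS) Encrypt(customer, secretID string, plaintext []byte) (*Envelope, error) {
	ks := k[customer]
	if len(ks) == 0 {
		return nil, fmt.Errorf("customer %q has no KEK; call RotateKEK first", customer)
	}
	dek := randomBytes(32)
	return &Envelope{Customer: customer, SecretID: secretID, KEKVersion: len(ks),
		WrappedDEK: seal(ks[len(ks)-1], dek, label(customer, secretID)),
		Ciphertext: seal(dek, plaintext, label(customer, secretID))}, nil
}

func (k KMS) unwrapDEK(env *Envelope) ([]byte, error) {
	ks := k[env.Customer]
	if env.KEKVersion < 1 || env.KEKVersion > len(ks) {
		return nil, fmt.Errorf("no KEK version %d for customer %q", env.KEKVersion, env.Customer)
	}
	return open(ks[env.KEKVersion-1], env.WrappedDEK, label(env.Customer, env.SecretID))
}

func (k KMS) Decrypt(env *Envelope) ([]byte, error) {
	dek, err := k.unwrapDEK(env)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, label(env.Customer, env.SecretID))
}

// Rewrap re-encrypts only the 32-byte DEK under the newest KEK; the ciphertext is untouched.
func (k KMS) Rewrap(env *Envelope) error {
	dek, err := k.unwrapDEK(env)
	if err != nil {
		return err
	}
	ks := k[env.Customer]
	env.WrappedDEK, env.KEKVersion = seal(ks[len(ks)-1], dek, label(env.Customer, env.SecretID)), len(ks)
	return nil
}
```

Two things a real deployment does that this toy only gestures at: KEK material never leaves the KMS (application code sends the wrapped DEK to a decrypt or re-encrypt call instead of holding keys itself), and the customer/secret binding in the AAD is what stops a wrapped key from being replayed against another customer's record even if the storage layer is compromised.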

Infrastructure

Publick runs on major cloud providers in US-East and EU-West regions. Production and staging are separate environments with no network path between them. Every deploy goes through code review, automated tests, security scans, and a staged rollout.

Access

Publick staff are granted production access only when a support ticket requires it, for the minimum time and scope needed, and only with MFA and device-posture checks. Every privileged action is logged and reviewed.

Authentication

  • SSO via Google, Microsoft, and SAML 2.0 (Enterprise).
  • MFA available for all workspace roles and required for admins.
  • Sessions are invalidated on credential change and after inactivity.
  • API keys are scoped, rotatable, and revocable per key.

Secure development

  • Peer review on every pull request — no direct pushes to main.
  • Dependency and container scanning on every build.
  • Annual third-party penetration test; report available under NDA.
  • Public bug bounty at publick.ai/security.

Availability & resilience

99.9% monthly uptime target for the production API and dashboard. Automated failover between regions. Backups are encrypted, replicated across regions, and restore-tested quarterly.

Incident response

A named on-call team, an incident runbook, and customer notification within 24 hours for any confirmed incident that affects your data. Postmortems are published on our status page after material outages.

Responsible disclosure

If you've found a vulnerability, email security@publick.ai. We acknowledge within one business day, triage within three, and fix with urgency matching the severity. Please do not run tests that could disrupt production.

Want the SOC 2 report, DPA, or pen test summary? Email security@publick.ai — we'll send it under a mutual NDA.