We are using Google Cloud for 100% of our infrastructure (servers, load balancers, databases, storage). We hold the following SLAs with Google: Google Cloud Platform Service Level Agreements , and those translate to our clients on an infrastructure level. On an application level we have various measures in place to establish security, failover, and redundant backups:

Database (Google Cloud MySQL): We store information about issues, publications, and users. Sensitive data like passwords are stored using one-way encryption (bcrypt). Our Databases are automatically backed up on a daily basis with 3-month retention.

Storage: (Google Cloud Storage): All Issue data (images, videos, HPUB, etc...) is stored on a redundant google cloud storage bucket. These files reside on multiple servers across regions at the same time and are thus unlikely to go lost even if one data center has an outage.

Servers (Google Compute Engine): We use Instance Groups and Load Balancers so that multiple machines are running at the same time, avoiding service interruption if one machine experiences problems. Persistent Data is directly read from and written two cloud storage and remote database (i.e. stateless), thus if a virtual machine goes down at any time, persistent data won't get lost/discarded.

As for general security, we undergo penetration tests and security assessments from time to time (however not through enterprise-grade auditors, which are ridiculously expensive). We keep our systems and software components up-to-date and have various alerts and monitoring set up to follow public security announcements (e.g. breached software libraries). Our infrastructure is running within an internal network at google, with a restrictive configuration, so that only relevant services and ports are exposed.

We record the IP addresses of all MagLoft Portal users (Editors). This information is stored in a database hosted on Google Cloud.

We do not record or store the IP Addresses of the devices (i.e. magazine readers) by default. We do - optionally - integrate with Analytics, which has the capability of storing anonymized IP- information. This technique is explained here: IP Anonymization (or IP masking) in Google Analytics - Analytics Help. This is in accordance with current legislation in Europe.

All content is stored on a Google Cloud Storage bucket or Amazon S3 bucket, and only accessible after a reader (app) authenticates successfully without servers.

Content that was downloaded to a device is available offline. We are utilizing the available features for data protection on iOS and Android, which basically restricts access to the content from other apps and the user himself from outside the app. This is - however - not a 100% safe protection, as the storage can be accessed through rigorous technical efforts (e.g. iOS jailbreak, Android device-rooting), or through transcribing or photographing the device screen.

Google Cloud Compliance: Google Cloud Platform: EU Model Contract Clauses (regarding User and Customer Data, Content and Issue Data).

If required, it is possible to host Content and Issue Data on a dedicated storage bucket of our clients (Amazon AWS, Google Cloud Storage, custom storage solution).