// Trust & Security Report
Kalemi Code LLC (product: Publer)
All-in-one social media management platform: scheduling/bulk-posting across Facebook, Instagram, LinkedIn, Google Business, X, TikTok, YouTube; calendar planner, analytics, agency/team collaboration and approvals, browser extension, Link-in-Bio, and an optional AI Assist feature (content/caption/image generation). Sibling products under the same parent company (Kalemi Code) include Linkie (link shortener) and Kibo.
Certifications held
4
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on publer.com“Privacy Policy: 'ISO/IEC 27001 Certification: Kalemi Code is ISO/IEC 27001 certified, demonstrating our commitment to information security management best practices. You may verify our certification here.' Independent registry confirms: Certificate No. 01 153 2520565, Certificate Holder 'Kalemi Code LLC', Certificate Type 'ISO/IEC 27001', Scope 'Development, maintenance, and support of the company's products, including the Publer SaaS platform...', issued via TUV Rheinland, status 'Valid Certificate'.”
Verify on publer.com“Trust Center: 'Publer complies with GDPR and CCPA/CPRA, ensuring personal data is protected under leading global privacy laws.' Privacy Policy Section 12 details GDPR legal bases, data subject rights, an EU Representative (EU Presence d.o.o., Zagreb, Croatia) appointed under Article 27, and a Data Processing Agreement available on request.”
Verify on publer.com“Privacy Policy Section 13 provides full CCPA/CPRA disclosures: categories of personal information collected, right to know/delete/correct/opt-out, and confirms 'Kalemi Code does not "sell" personal information in exchange for monetary compensation,' with an opt-out route for cross-context sharing with affiliated products.”
Verify on publer.com“Trust Center: 'Publer meets the Google CASA framework, a cloud application security assessment that validates apps against rigorous controls.' Note: CASA is a tiered self-assessment/validation program for apps using Google user data (OAuth scopes), not a general enterprise security certification like SOC 2/ISO 27001; tier level not disclosed on the vendor page.”
> Show 7 unconfirmed / not-held certifications
source: publer.comNo mention of SOC 2 anywhere on the Trust Center, Privacy Policy, or Terms of Service. No public evidence of a SOC 2 attestation.
source: publer.comNo mention of HIPAA, BAA, or healthcare-specific compliance anywhere on Publer's Trust Center, Privacy Policy, or Terms of Service.
source: publer.com'We do not store your full credit card number or payment details on our servers. Payment information is collected and processed directly by these providers [Paddle, PayPro Global] in accordance with their respective privacy policies and PCI-DSS compliance standards.' This is the payment processors' PCI DSS compliance, not Publer/Kalemi Code's own; Publer itself never handles card data so is out of PCI DSS scope rather than certified.
source: publer.comNo public evidence of these cloud-security, cloud-privacy, or privacy-information-management ISO certifications on Publer's Trust Center or the Certipedia registry entry (which lists only ISO/IEC 27001).
source: publer.comNo mention of ISO/IEC 42001 or any AI-management-system certification on the Trust Center despite Publer offering an AI Assist feature.
source: publer.comNo public evidence of CSA STAR registry listing or attestation found for Publer or Kalemi Code.
source: publer.comNo public evidence of FedRAMP authorization; not applicable, Publer does not market to US federal government customers.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Privacy Policy Section 8: 'Publer is operated from servers located in Frankfurt, Germany. If you access the Service from outside Germany, your information will be transferred to, processed, and stored in Germany.' Standard Contractual Clauses used for EEA/UK/Swiss transfers where applicable.
Publer's AI Assist feature (marketed separately at publer.com/features/ai-assist) is described in third-party sources as powered by GPT-4/DALL-E-class models, with users either using their own OpenAI account or Publer's shared OpenAI account on Business plans. Neither the Privacy Policy nor Terms of Service contains an explicit statement about whether Publer/Kalemi Code itself trains machine-learning models on customer content, nor an explicit opt-out mechanism for AI training. No contradiction found between marketing and legal pages, but the omission itself is a gap: could not confirm training posture from vendor-domain sources alone.
// Security controls
Encryption of stored PII
Yes - Privacy Policy states full name, email address, and IP address are stored encrypted; 'We implement administrative, technical, and physical safeguards... These measures include encryption, access controls, and secure data storage.'
publer.comData hosting region
Frankfurt, Germany (single-region hosting stated); EU/UK/Swiss transfers use Standard Contractual Clauses.
publer.comPenetration testing
Yes - 'Publer conducts regular third-party penetration tests to identify vulnerabilities across our infrastructure and applications. Findings are remediated on a risk-based priority.'
publer.comGDPR Article 27 EU Representative
Yes - EU Presence d.o.o., Ulica Brune Busica 42, 10000 Zagreb, Croatia; a 'GDPR Representation Certificate' is referenced as verifiable via a linked page.
publer.comAccount deletion / data retention
Deleted accounts retain data for 7 days for recovery, then permanently deleted; immediate deletion available on request to support@publer.com.
publer.comPayment data handling
Publer never stores full card numbers; payments processed by Paddle and PayPro Global (both act as Merchant of Record) under their own PCI-DSS programs.
publer.com// Products & data scope
data: Connected social account OAuth tokens, post content/media, scheduling metadata.
Primary product; Frankfurt-hosted; ISO 27001 scope explicitly covers 'the Publer SaaS platform'.
data: User-entered prompts/text and brand-voice inputs; per third-party sources, processed via OpenAI (user's own key or Publer's shared OpenAI account on Business plan).
No vendor-domain statement on whether Publer trains its own models on this data; treat as a gap, not a confirmed no.
data: Same account/name/email may be shared across the Kalemi Code product family for marketing and unified customer experience, per Privacy Policy Section 5.2.
Users can opt out of this cross-product sharing/marketing use via privacy request or unsubscribe.
// What to watch
- ISO 27001 certificate is held by the parent/operating entity 'Kalemi Code LLC', not a separately named 'Publer' legal entity. This is not a host-vs-vendor conflation (Kalemi Code is Publer's actual data controller and operator per its own Privacy Policy, and the Certipedia scope text explicitly names 'the Publer SaaS platform'), but AIFOXX listings should attribute the cert to Kalemi Code LLC (Publer's operating company), not imply Publer is an independently certified entity.
- Trust Center wording is inconsistent on ISO 27001: the Trust Center page itself says Publer only 'aligns with' ISO/IEC 27001:2022 (softer language, no certificate number shown), while the Privacy Policy explicitly says 'Kalemi Code is ISO/IEC 27001 certified' and links to a verifiable third-party registry entry. The registry entry independently confirms an active certificate, resolving the ambiguity in favor of held=true, but the vendor's own marketing copy is not fully consistent in how it states this.
- AI training posture on customer data is undocumented on Publer's own domain (no explicit training/opt-out statement for AI Assist), despite AI Assist being a marketed feature. Recorded as null/unknown rather than assumed false.
- Google CASA is a tiered self-assessment program for Google OAuth scope access, not a general enterprise security certification; do not conflate it with SOC 2/ISO-level assurance in listings.
- No SOC 2 or HIPAA support; growth-stage company should not be penalized for this, but regulated-industry buyers (healthcare, and enterprises requiring SOC 2) should be flagged this gap explicitly.
// At a glance
Pricing model
Freemium with paid tiers (per Trust Center/site: Free, and paid plans up to Business/Agency); AI Assist usage differs by plan (bring-your-own-OpenAI-key vs. shared account on Business).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Kalemi Code LLC (product: Publer)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
publer.com