YUDU Sentinel

YUDU Publisher

YUDU Publisher provides easy digital publishing to browser and to custom apps, and allows the control of who can access published items.

Upload content as PDF and optionally add enhancements such as embedded multimedia and interactivity. Responsive content for small screen reading is also supported.


  • Publish to browser or custom cross-platform app
  • Responsive layout mode for reading on phone screens
  • Organise published items and documents by category
  • Unified search across all documents
  • Annotations and highlighting with cross-device synchronisation
  • Offline reading and document access
  • Embed multimedia and feedback widgets
  • Built-in analytics on document viewing patterns


  • Publish your content across all device types
  • Control access to restrict content to its intended audience
  • Make sure users always see the latest version of documents
  • Publish large content volumes quickly and easily
  • Enhance content for maximum visual impact
  • Deliver to a custom branded cross-platform app
  • Publish any content: magazines, catalogues, ebooks, business documentation etc
  • In-app purchasing for ecommerce apps and publications


£500 per licence per year

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 11


YUDU Sentinel

James O'Brien



Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints No relevant constraints
System requirements N/A

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Within 24 hours excluding weekends and UK bank holidays.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels First level support response is provided during UK working hours via email and phone, with an assigned technical account manager, at no additional cost. Tickets are managed using ZenDesk.

Support tickets are escalated to second-level development staff where required.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide extensive guidance and support resources at https://help.yudu.com/. Online training via webinar and/or onsite training are also available at an additional cost.
Service documentation No
End-of-contract data extraction Data consists of i) content that the users have published through the service, and ii) records of the users as used for authentication etc.

Published content is typically already available to users since they provided it in the first place. Users may download the published version of the content if they wish, though since it uses a custom publication format that is of limited use without the rest of the platform.
End-of-contract process The contract price includes access to the publishing platform and support by email and phone, as well as all hosting and bandwidth costs for published content.
Bureau publishing services, additional support such as on-site training, design projects etc. are available at an additional cost.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service PhoneView ensures that documents are smoothly fitted to any screen size.
Service interface Yes
Description of service interface The interface allows you to upload, manage, enhance and publish your digital documents to web, iOS, Android or Windows apps.
Accessibility standards None or don’t know
Description of accessibility Content published through the platform can be provided in a responsive HTML format allowing font resizing and text to speech using mobile devices' built in support.
Accessibility testing Content published to iOS apps with a responsive version of the content can generally be accessed using the device's built-in accessibility features. Preliminary testing with Windows-based assistive technology for text to speech indicates that further development would be needed to make the content accessible. Accessibility testing has not been performed on the publishing platform itself.
What users can and can't do using the API Using the API clients can upload and publish or depublish content, as well as control which users have access to which pieces of content.

The API provides a subset of the functionality available through the main publishing UI, but includes all of the most important publishing options.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available No


Independence of resources Intensive operations are queued for asynchronous processing by a separate set of servers, meaning site responsivity is unaffected by heavy usage.


Service usage metrics Yes
Metrics types Built-in metrics show aggregate viewing statistics for published items, such as visit count, page views and interaction counts.
Reporting types Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Other
Other data at rest protection approach Data is stored on AWS s3 storage instances. Encryption at rest could be supported as an add-on.
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach The nature of the service is that users already have their content, and the platform allows them to publish it in a custom format to a defined audience, so data export is not normally required.
Data export formats Other
Other data export formats N/A
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability We will use commercially reasonable efforts to make Publisher available 99.95% of the time. In the event YUDU does not meet the goal of 99.95% availability in a given calendar month (“Monthly Uptime Percentage”), you will be eligible to receive a Service Credit.

The credit shall be calculated as five (5) percent of the Customer’s monthly spend with the us for each of the SLA targets unto a maximum of a ten (10) percent credit, where the monthly spend is defined as the total invoiced amount for the calendar month period of the month affected by downtime.
Approach to resilience We use multiple datacentre locations, using load balancers to span across datacentres using Amazon Web Services (AWS). Databases are similarly configured for multiple availability zones and automatic failover using AWS RDS. Filestores (S3) use multiple storage locations to ensure no data is lost, with CloudFront's CDN acting as a near-ISP high speed cache for serving of content in the United Kingdom and around the world, as required.

Each server type (web, task, etc.) has at least two (and often 3-5) instances running constantly to ensure no single point of failure.
Outage reporting Any planned out-of-hours downtime is shown ahead of time in a message screen shown to users logging on to the platform. In the event of an outage, updates are sent to clients and users via a Twitter account.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Admin level users with access in the system to data from more than one client are subject to more stringent password requirements, and admin accounts are subject to periodic review.

Higher level access such as to the database or server configuration is only available to the development team, and requires connection via a secure VPN.
Access restriction testing frequency Less than once a year
Management access authentication Dedicated link (for example VPN)

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 01/01/2016
CSA STAR certification level Level 2: CSA STAR Attestation
What the CSA STAR doesn’t cover We are with AWS, who are CSA STAR accredited.
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Security policy is managed by the CTO, Head of Security and CEO, based on reference to relevant standards such as ISO27001 wherever it's practical to follow those guidelines.
Information security policies and processes Security policies are enforced by an assigned Security Officer for each office/department of the company. These report to a single Head of Security, who in turn report to the CTO and CEO.

All employees agree to the company security policy on joining, and are required to report any lapse of the policy to the appropriate Security Officer so that it can be addressed. Security Officers also monitor and periodically review to identify any points of concern.

We are currently working towards our ISO22301 certification.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Change requests from customers, internal and external stakeholders are assessed by an internal review team at least once per quarter, with non-trivial development items discussed (including any impact of the change to other components of the system), reviewed and accepted for the following quarter, with all subsequent development being peer-reviewed and tested before release.

Separate internal teams are maintained for development items that are less than a couple of man-days, reviewed and implemented as time allows from the support developer team resources.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Potential threats are assessed from multiple documented sources, from commonly used resources like the OWASP project (https://www.owasp.org/index.php/Main_Page), as well as mailing lists and security updates (typically critical, high) for the client-facing software we use.

Speed of deployment is usually within a week for critical vulnerabilities, but depends on individual assessment of the issue - for example, the recent Intel hardware issues (Spectre and Meltdown) had fixes that crippled the servers they were deployed on, requiring more extended deployment timescales and further testing.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Internet facing servers are hardened to use only essential ports, with penetration testing against the public interfaces. Clients are free to arrange external penetration testing by appointment.

Any compromise detected is dealt with as a Tier 1 support issue (most urgent), with the entire development and support team being involved.

In the event of a security breach as defined by the Data Protection Legislation or any such event that may impact on the customer's data, we will upon discovery notify the customer without undue delay and in any event within 48 hours.
Incident management type Supplier-defined controls
Incident management approach Clients may report incidents via telephone, email or a support/ticket system (Zendesk), which will keep them up to date of the progress of their support tickets. This information is permanently available to clients for their internal reports.

Support items are classified according to impact, urgency and sorted either into a dedicated support team member or, if requiring developer level support, assigned into a queue system for that support.

Common events typically have documented processes for support staff to resolve without developer level support.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £500 per licence per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial 30 day free trail to access the platform for standard projects.

Service documents

pdf document: Pricing document pdf document: Terms and conditions
Service documents
Return to top ↑