Products
Publisher - Trusted PDF Sealing Publisher Identity Validator
Pricing
Resources
API Docs CLI Docs Zapier Documenso
PDF Validator Download CLI
Support
Learn
Blog FAQ Announcements
Company / Contact
Sign in/up
Zero-Trust Architecture

Seal PDFs Securely. Keep Files Where They Are

Keep PDFs in your environment while we apply Adobe-aligned, tamper-evident seals. Non-exportable keys locked in FIPS 140-3 HSMs; zero-trust access by design.

Document Privacy

PDFs never leave your servers. We seal using SHA-256 digests—content stays private.

HSM-Protected Keys

Non-exportable signing keys secured in FIPS 140-3 Level 3 HSMs.

Enterprise Alignment

Adobe Acrobat trusted; eIDAS aligned behaviors for regulated use cases.

Zero-Trust Controls

Network isolation, mutual TLS, and least-privilege access at every layer.

Secure by Design

A single-command sealing service that keeps PDFs inside your security boundary, while our keys stay locked in FIPS 140-3 Level 3 HSMs. Publisher - Trusted PDf Sealing delivers audit-ready proof of authenticity and slashes fraud risk — protecting revenue, reputation, and future compliance without adding operational burden.

Provable Trust

The security of your data isn’t just a feature — it’s foundational. We don’t need a copy of your document to vouch for your seal. From our command-line tools to our cryptographic key infrastructure, every layer of our system is built with zero trust principles, clear boundaries, and hardened infrastructure. Eliminate a high-value attack surface by sealing documents in-place while meeting FIPS 140-3 and global certificate standards.•

Audit-ready seals, built on FIPS-validated hardware and globally trusted certificates.

Software and System Design

CLI

Security-forward by default: sends only what’s required to seal, nothing more.

  • Local SHA-256 digest created on your machine; the PDF itself is never uploaded
  • HMAC-SHA-256 is computed with your API Key to prove authenticity and freshness
  • HTTPS-only transport protects confidentiality and integrity in transit
  • No overreach: the CLI sends just the digest, HMAC, and a UTC timestamp — never your documents

API

Built to minimize attack surface and keep operations predictable (see API documentation):

  • Least privilege access at every layer is enforced at every layer — services, IAM roles, and internal processes
  • Separation of concerns: each component does one job, securely
  • Modular architecture: rapid patching and safe isolation of components
  • Ephemeral compute:: disposable workloads; no persistent state
  • Zero trust requests: everything is authenticated; client data is untrusted and verified server-side

Keys

Granular control over how sealing runs in your environment:

  • 160-bit cryptographically secure random keys
  • Scoped access: allowed IPs, time windows, rate limits, and expirations
  • Audit-friendly: each key usage is logged and tied to the action it authorized; logs are immutable
  • Encrypted at rest: keys are encrypted with an HSM-hosted key and only decrypted by the PDF-signing service.

Architecture

Built for strict isolation and predictable compliance:

  • Network-isolated: Private VPC; no public internet exposure and tightly scoped ingress.
  • TLS everywhere All service-to-service calls require mutual TLS.
  • Key never leave the HSM: All signing happens on-device; material is non-exportable.
  • FIPS 140-3 Level 3 HSMs High-assurance custody for cryptographic keys.

Signing Logic

Standards-based seals that validate in Acrobat/Reader or any PAdES-compliant reader

  • CMS/PKCS#7 from your SHA-256 digest We sign the hash you provide.
  • Certificate chain embedded Adobe-aligned validation; optional LTV adds timestamp + revocation data.
  • Timestamps Request times are recorded; RFC 3161 TSA inside the PDF is optional.
  • WORM logs Every signing event is immutably recorded (write-once, read-many).

Frequently Asked Questions

How secure are PDF digital signatures?
Our PDF signatures use enterprise-grade HSM protection with FIPS 140-3 Level 3 compliance, the same security level used by banks and government agencies. Our focus on security from the start has made Publisher - Trusted PDf Signatures a premier product.
Learn more about Publisher
How do you keep our document content secure?
We never see or store your PDF documents. Only SHA-256 hashes are transmitted for signing, ensuring complete document privacy. Because we never have access to them, it is impossible for us to leak your confidential documents.
What compliance standards do you meet?
We meet Adobe and EU Advanced (eIDAS) standards for PDF security and X.509 certificates. This means documents sealed with Publisher are PAdES compliant.
Learn more about compliance
Is this an e-signature workflow tool?
No. Publisher seals PDFs; it’s not a signer routing platform. It adds security where you don’t need signatures or it works with Documenso to enhance your workflow.

Want peace of mind?

Trusted Signatures provides the fastest, most affordable, secure PDF signatures on the internet.

Get Started Free