Pulse

    Security & Data Protection

    Your trust is our top priority. Pulse is built with enterprise-grade security to protect your data at every layer.

    🔒 256-bit TLS Encryption

    ✅ OAuth 2.0 Certified

    🛡️ GDPR Compliant

    10 Security Layers Protecting Your Data

    1. End-to-End Encryption

    All data transmitted between your browser and our servers is encrypted using industry-standard TLS/HTTPS protocols. Passwords are salted and hashed using bcrypt with 12 salt rounds (cost factor 12).

    2. OAuth 2.0 Authentication

    We use NextAuth.js with OAuth 2.0 for secure authentication via Google and Microsoft. We never see or store your email provider passwords.

    3. Secure Database Storage

    Sensitive data, including access tokens and refresh tokens, is stored exclusively in our encrypted PostgreSQL database with row-level access controls. Session JWTs contain only user identification data.

    4. Token Management & Auto-Refresh

    OAuth access tokens are managed through our centralized TokenManager, automatically refreshing expiring tokens to maintain secure API access without user intervention.

    5. Webhook Signature Verification

    All incoming Stripe webhooks are cryptographically verified using HMAC signatures to prevent unauthorized payment modifications and ensure data integrity.

    6. Role-Based Access Control

    Middleware-based route protection ensures users can only access their own data. Free, Pro, and Business tier restrictions are enforced at the API level to prevent unauthorized feature access.

    7. Input Validation & Sanitization

    All user inputs are validated and sanitized before processing. API endpoints enforce strict type checking and reject malformed requests to prevent injection attacks.

    8. Secure Cloud Infrastructure

    The application is hosted on enterprise-grade infrastructure with automated backups, DDoS protection, and a 99.9% uptime SLA. Database connections use SSL/TLS encryption.

    9. API Rate Limiting & Token Quotas

    Per-user token quotas prevent abuse and ensure fair resource allocation. API routes implement timeout protections and rate limit error handling.

    10. Privacy-First AI Processing

    AI providers are contractually bound to strict data protection agreements. We minimize data transmission and never use your data for model training or advertising.

    Our Data Protection Commitment

    Zero Third-Party Sharing

    We never sell, rent, or share your personal data with third parties for marketing or advertising purposes. Your data is yours alone.

    Compliance Standards

    Pulse follows GDPR, CCPA, and Google API Services User Data Policy requirements. We maintain strict data minimization and purpose limitation principles.

    Limited Data Access

    We only access the minimum data needed to provide our service. Email and calendar data is processed solely for user-facing features you explicitly enable.

    You Control Your Data

    You can revoke access, export your data, or request complete deletion at any time. Your privacy settings are always in your control.

    Technical Security Implementation

    Authentication & Authorization

    • OAuth 2.0 only - We never handle your email provider passwords directly
    • JWT session tokens - Signed with NEXTAUTH_SECRET, containing only user identification
    • Middleware-based protection - All authenticated routes verified before access

    Data Encryption & Storage

    • Bcrypt password hashing - Salted hashes with 12 salt rounds (cost factor 12) for maximum security
    • Encrypted PostgreSQL database - All data at rest encrypted
    • Secure token storage - OAuth tokens stored in database, not in browser

    Payment Security

    • PCI DSS compliant via Stripe - We never store credit card data
    • Webhook signature verification - All payment events cryptographically verified
    • Idempotent processing - Duplicate webhook events automatically detected and ignored
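
    The webhook signature verification and duplicate-event handling described above can be sketched as follows. This is an added example, not Pulse's own code: it assumes Stripe's `Stripe-Signature` header format (`t=<timestamp>,v1=<HMAC-SHA256 of "timestamp.body">`), a 5-minute replay tolerance, and an in-memory set standing in for a uniquely keyed database table; all function names and sample values are constructed.

```javascript
const crypto = require('node:crypto');

const TOLERANCE_SECONDS = 300;  // assumed replay window: reject events older than 5 minutes
const seenEventIds = new Set(); // assumption: stand-in for a unique-keyed DB table

// Parse "t=<unix>,v1=<hex>[,v1=<hex>...]" from the Stripe-Signature header.
function parseSignatureHeader(header) {
  const parts = { t: null, v1: [] };
  for (const item of String(header).split(',')) {
    const [key, value] = item.split('=', 2);
    if (key === 't') parts.t = Number(value);
    else if (key === 'v1') parts.v1.push(value);
  }
  return parts;
}

// The signed payload is "<timestamp>.<raw request body>", keyed with the endpoint secret.
function computeSignature(rawBody, timestamp, secret) {
  return crypto.createHmac('sha256', secret).update(`${timestamp}.${rawBody}`).digest('hex');
}

// Returns 'processed' or 'duplicate'; throws on a bad header, stale timestamp or bad signature.
function handleWebhook(rawBody, header, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { t, v1 } = parseSignatureHeader(header);
  if (!Number.isInteger(t) || v1.length === 0) throw new Error('malformed signature header');
  if (Math.abs(nowSeconds - t) > TOLERANCE_SECONDS) throw new Error('timestamp outside tolerance');

  const expected = Buffer.from(computeSignature(rawBody, t, secret), 'hex');
  const valid = v1.some((candidate) => {
    const got = Buffer.from(candidate, 'hex');
    // timingSafeEqual requires equal lengths; the comparison itself is constant-time.
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  });
  if (!valid) throw new Error('signature mismatch');

  const event = JSON.parse(rawBody); // parse the body only after it has been authenticated
  if (seenEventIds.has(event.id)) return 'duplicate';
  seenEventIds.add(event.id);
  return 'processed';
}

// Constructed sample input (not real Stripe data).
const SAMPLE_SECRET = 'whsec_example_placeholder';
const SAMPLE_BODY = JSON.stringify({ id: 'evt_constructed_001', type: 'invoice.paid' });
```

    The HMAC must be computed over the raw request bytes, so a framework's JSON body parser has to be bypassed for the webhook route; re-serialized JSON will not match the signature.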

    API & Application Security

    • Environment variable protection - API keys never exposed in client-side code
    • Rate limiting & quotas - Per-user token limits prevent abuse and ensure fair usage
    • Request timeout protection - All API calls have timeout limits to prevent resource exhaustion

    Zero Third-Party Data Sharing

    We explicitly commit to never selling, renting, or sharing your personal data with third parties for marketing, advertising, or any purposes unrelated to the core Pulse service.

    • 0 - Third-Party Data Sales
    • 0 - Advertising Partners
    • 100% - Your Data Ownership

    Limited Use Disclosure

    Pulse's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We use your Google data exclusively to provide and improve user-facing features within Pulse.

    Compliance & Standards

    • 🇪🇺 GDPR - European General Data Protection Regulation compliant
    • 🇺🇸 CCPA - California Consumer Privacy Act compliant
    • 💳 PCI DSS - Payment Card Industry standards via Stripe

    Your Data Rights

    Right to Access

    You can request a copy of all personal data we hold about you at any time.

    Right to Deletion

    Request complete account and data deletion through Settings or by contacting support.

    Right to Portability

    Export your data in machine-readable format to transfer to another service.

    Right to Revoke

    Revoke Pulse's access to your Google/Microsoft accounts anytime through your account permissions.

    Questions About Security?

    We're committed to transparency. If you have specific security questions or concerns, our team is here to help.

    Last updated: October 23, 2025

    © 2025 Pulse. All rights reserved. Pulse is a product of SysteMind, Inc. (USA)