Security
Pulse holds the most intimate data in HR — what someone wrote about how their week went, how heavy their workload feels, an anonymous Pulse mood rating. The product is built around one rule: raw chat and individual check-ins stay with the employee. Managers see aggregated trends only, and the code that enforces it is on GitHub for you to read.
Every control below is implemented in the repo. No "proprietary architecture" hand-waving — read the source.
| Framework | Status | Detail |
|---|---|---|
| SOC 2 Type II | In progress | Observation period started Q1 2026 with a Big-Four auditor. Report expected Q3 2026; available under NDA once issued. |
| GDPR | Compliant | GDPR-compliant by design. DPA templates auto-signed at sign-up. EU data residency available in Frankfurt and Dublin. |
| ISO 27001 | Roadmap | Gap analysis done. Target certification: H1 2027. Controls already mapped to ISO 27001 Annex A in the internal wiki. |
| HIPAA | Roadmap | BAAs available on request today for US healthcare customers; full HIPAA self-assessment planned once the US customer base crosses 25. |
| CCPA | Compliant | Privacy policy, data-subject-access flows and deletion endpoints meet CCPA. California users can request their data via /settings → privacy. |
AES-256 at rest (RDS + S3-encrypted buckets). TLS 1.3 in transit. Customer-managed keys available on the Self-host tier.
Choose Frankfurt (eu-central-1) or Dublin (eu-west-1) at sign-up. Stored data never replicates out of the chosen region. Note that Cloudflare (CDN and WAF, see the subprocessor list) terminates TLS at its global edge so it can inspect requests, so traffic in transit does pass through Cloudflare's network before reaching the EU origin.
SSO via SAML 2.0 (Okta, Entra, Google) or OIDC, included on every tier. SCIM provisioning. Granular role-based permissions with audit on every read and write.
Immutable, append-only log of every state change — who, what, when, from what IP. Exportable via API. Retention 6 years by default.
Logical separation at the row level: every table carries a tenant_id, that column is part of every foreign key so a row can never reference another tenant's data, and Postgres row-level security policies filter every query by it.
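The following is an added example of how the two controls above (the append-only audit log and tenant_id-keyed row-level security) plus the aggregate-only manager view can be enforced inside Postgres itself. It is not Pulse's schema; the table and column names, the `app_user` role, the `app.tenant_id` session setting and the minimum group size of 5 in the manager view are all assumptions made for the example.

```sql
-- Added example, not Pulse's own code. Names, the app_user role, the
-- app.tenant_id setting and the group-size threshold are assumptions.

CREATE TABLE tenants (id uuid PRIMARY KEY);

CREATE TABLE checkins (
  id        uuid NOT NULL,
  tenant_id uuid NOT NULL REFERENCES tenants(id),
  team_id   uuid NOT NULL,
  employee  uuid NOT NULL,
  mood      smallint NOT NULL CHECK (mood BETWEEN 1 AND 5),
  body      text NOT NULL,
  created   timestamptz NOT NULL DEFAULT now(),
  PRIMARY KEY (tenant_id, id)        -- tenant_id is part of the key ...
);

CREATE TABLE comments (
  id         uuid NOT NULL,
  tenant_id  uuid NOT NULL,
  checkin_id uuid NOT NULL,
  body       text NOT NULL,
  PRIMARY KEY (tenant_id, id),
  -- ... and of every foreign key, so a comment cannot point at another tenant's check-in.
  FOREIGN KEY (tenant_id, checkin_id) REFERENCES checkins(tenant_id, id)
);

-- The application connects as a role that owns nothing and sets the tenant
-- per transaction. SET LOCAL dies with the transaction, so a pooled
-- connection cannot carry one tenant's id into the next request.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON checkins, comments TO app_user;

ALTER TABLE checkins ENABLE ROW LEVEL SECURITY;
ALTER TABLE checkins FORCE ROW LEVEL SECURITY;    -- applies to the owner too
CREATE POLICY tenant_isolation ON checkins
  USING      (tenant_id = current_setting('app.tenant_id')::uuid)   -- rows visible to SELECT/UPDATE/DELETE
  WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);  -- rows accepted by INSERT/UPDATE
ALTER TABLE comments ENABLE ROW LEVEL SECURITY;
ALTER TABLE comments FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON comments
  USING      (tenant_id = current_setting('app.tenant_id')::uuid)
  WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);
-- If app.tenant_id is unset, current_setting() raises an error, so a request
-- that forgot to set the tenant fails closed instead of seeing every row.

-- Append-only audit log: app_user can insert and read, UPDATE/DELETE are never
-- granted, and a statement-level trigger rejects them for any role that has them.
CREATE TABLE audit_log (
  id        bigserial PRIMARY KEY,
  tenant_id uuid NOT NULL REFERENCES tenants(id),
  actor     uuid NOT NULL,
  action    text NOT NULL,          -- 'read' or 'write'
  target    text NOT NULL,          -- e.g. 'checkins:<id>'
  client_ip inet,
  at        timestamptz NOT NULL DEFAULT now()
);
GRANT SELECT, INSERT ON audit_log TO app_user;
GRANT USAGE ON SEQUENCE audit_log_id_seq TO app_user;

CREATE FUNCTION audit_log_immutable() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_log is append-only (% rejected)', TG_OP;
END $$;
CREATE TRIGGER audit_log_no_rewrite
  BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
  FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Managers get aggregates only. The HAVING clause is an assumed minimum group
-- size: a weekly average over one or two people would expose individual scores.
CREATE VIEW team_mood_weekly AS
SELECT tenant_id, team_id, date_trunc('week', created) AS week,
       round(avg(mood), 2) AS avg_mood, count(*) AS responses
FROM checkins
GROUP BY tenant_id, team_id, date_trunc('week', created)
HAVING count(*) >= 5;
GRANT SELECT ON team_mood_weekly TO app_user;

-- Per-request usage by the application:
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO audit_log (tenant_id, actor, action, target, client_ip)
  VALUES ('11111111-1111-1111-1111-111111111111',
          '22222222-2222-2222-2222-222222222222', 'read', 'team_mood_weekly', '203.0.113.7');
SELECT * FROM team_mood_weekly;    -- only this tenant's teams, only groups of 5 or more
COMMIT;
```

Two points worth checking when reviewing a setup like this: Postgres cannot fire a trigger on SELECT, so "audit on every read" has to be written by the application (as the INSERT above does) rather than enforced by the database, and a view runs with its owner's privileges, which is why `FORCE ROW LEVEL SECURITY` matters: without it, a view owned by the table owner would bypass the tenant policy entirely.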
24/7 on-call rotation. P0 SLA: 15 min acknowledge, 2 h workaround. Public status page at status.pulsehr.it with incident post-mortems within 5 business days.
Subprocessors: every third party we rely on that ever touches customer data. The list is public by design, and changes ship with 30 days' notice via the mailing list and an RSS feed at /changelog.
| Provider | Purpose | Region |
|---|---|---|
| AWS | Compute, storage, DB (EU regions only unless you opt in) | eu-central-1, eu-west-1 |
| Cloudflare | CDN, DDoS protection, WAF | Global edge |
| Stripe | Payments and invoicing | EU |
| Postmark | Transactional email | EU |
| Sentry | Error tracking (self-hosted on our infra) | eu-central-1 |
| PagerDuty | On-call routing | EU |
Found a vulnerability? Tell us privately first — we'll fix it, credit you publicly, and never threaten legal action against researchers acting in good faith.
Self-host the open source on your own infra in 90 seconds, or pay us to run it. No demo gate. No enterprise tier with extra features. Export everything in a click — always.
We use Google Analytics, with your consent, to understand how the site is used. See the privacy policy for details.