Security at Pulseware

Last updated: 27 May 2026

Pulseware stores survey content and respondent answers on your behalf. This page explains how we protect that data and where the boundaries are. Our goal is plain-English clarity, not a glossy security marketing page.

§1 Encryption

Data in transit: TLS 1.2 or higher on every endpoint. Data at rest: AES-256 server-side encryption via our infrastructure providers (Supabase Postgres on AWS; Vercel Edge Network).

§2 Access control

Access to production data is scoped per-account via row-level security (RLS) in Postgres. Only the survey owner can read their own surveys and responses. Pulseware staff access is logged and only used to investigate reported incidents.

§3 Authentication

Magic-link email authentication via Supabase Auth. No password to leak. No third-party social login at launch.

§4 Backups

Daily automated database backups retained for 7 days. Point-in-time recovery available for 24 hours. Disaster recovery testing reviewed quarterly.

§5 Hosting and data residency

Application: Vercel (global edge). Database and storage: Supabase Postgres on AWS. We aim to host Australian customers' primary data in an Australian region; some processors may store data in the US or EU — see privacy policy §8.

§6 Respondent IP addresses

Raw respondent IPs are not stored. We store a one-way hashed IP for abuse and duplicate detection only. When a survey is in anonymous mode, even this is optional.

§7 Third-party processors

We use Supabase (database), Vercel (hosting), SendGrid (email), OpenAI (AI builder only — see AI data policy), and Stripe (payments, when launched). Each has its own security posture, all under contractual data-processing agreements.

§8 Responsible disclosure

If you believe you've found a security issue, please report it via the in-product feedback channel marked SECURITY. We acknowledge reports within 2 business days. We will not pursue legal action against good-faith researchers who follow standard responsible-disclosure practice.

§9 What we don't claim

Pulseware is not SOC 2 / ISO 27001 / HIPAA / PCI-DSS certified at launch. We do not pretend otherwise. If your use case requires those certifications, evaluate carefully.