Protect data
Encrypt customer data in transit and at rest. Isolate every tenant with row-level security so accounts never cross.
Security first
We protect customer data, systems, and users with industry practices — and stay accountable for how we do it. Encryption, access control, continuous monitoring, and an open disclosure channel for researchers.
Encrypt customer data in transit and at rest. Isolate every tenant with row-level security so accounts never cross.
B2B professional contacts only. PII redacted from logs. Automated deletion after account closure.
Least-privilege access, MFA-ready auth, hashed API keys, and signed webhooks for every integration.
Real-time monitoring, automated alerts, and a documented incident plan with customer notification SLAs.
Publish honest compliance status — including what is still in progress — and open a clear disclosure path.
All traffic uses TLS 1.2+. Data at rest uses AES-256. Sensitive credentials use AES-256-GCM before storage.
Production access is limited to essential personnel. Roles, hashed API keys, and immediate revocation on departure.
RLS at the database layer, parameterized queries, CSRF guards, rate limits, and security headers on every response.
Sentry across server, edge, and client. Structured logs with severity levels. Alerts on auth failures and error spikes.
Dependabot scanning, npm audit on every build, annual penetration testing, and post-incident reviews.
TLS 1.2+ in transit · AES-256 at rest
JWT auth, MFA support, RBAC, least privilege
Hetzner + Cloudflare WAF · SSH key-only
Tenant isolation · deletion on account close
Detect → contain → notify → remediate
Dependabot, pinned deps, input validation
Found a vulnerability? Email our security team. Please do not access other users' data, run destructive tests, or disclose publicly before we have a reasonable window to fix the issue.
security@outpulse.ioWe appreciate your help in keeping OutPulse secure.
Response within 24 hours
We acknowledge every valid report quickly so researchers are never left guessing.
Vulnerability triage
Initial assessment within 72 hours with a clear severity and remediation path.
Disclosure policy
Coordinate public disclosure after a reasonable fix window. No legal action for good-faith research.
Acknowledgement
Credit researchers who help us harden OutPulse — unless you prefer to stay anonymous.
This policy applies to all OutPulse products, services, websites, and systems.
Last updated: May 25, 2026