Built on permission, not against it.
Permissions are half the moat. If we get them wrong, you can’t trust us with your data — and you’d be right not to. Here’s exactly how we handle them.
Source-system ACL inheritance
Pulse mirrors your source tools' permissions exactly. If you can't see a Slack channel, GitHub repo, or Notion page in the source, you can't see it in Pulse. We never override, we never expand. ACLs re-sync hourly in v1; real-time webhooks in v2.
Permission filtering happens BEFORE the LLM
Every retrieval is filtered by the user's ACL set before any data reaches the language model. The wrong order leaks information through model output. We do it the right way and it's not negotiable.
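The ordering described above, as an added example that is not Pulse's own code: the ACL check runs on the index entries before ranking and prompt assembly, so restricted text never becomes model input. The names `INDEX`, `PRINCIPALS`, `canRead`, `retrieveForUser` and `buildPrompt` are hypothetical, the data is constructed, and a term-overlap score stands in for real retrieval.

```javascript
// Constructed sample index: each entry carries the ACL mirrored from its source tool.
const INDEX = [
  { id: "slack:eng-general:1", text: "Deploy freeze starts Friday.", allow: ["group:eng"] },
  { id: "slack:exec-private:7", text: "Layoff plan draft for Q3.", allow: ["group:exec"] },
  { id: "notion:handbook:2", text: "Deploy checklist lives in the handbook.", allow: ["group:all"] },
  { id: "github:payroll:9", text: "Payroll export deploy key rotation.", allow: ["user:dana"] },
];

// Hypothetical principal sets, as resolved at the last ACL sync. A Map avoids
// accidental hits on Object.prototype keys such as "constructor".
const PRINCIPALS = new Map([
  ["alice", new Set(["user:alice", "group:eng", "group:all"])],
  ["dana", new Set(["user:dana", "group:exec", "group:all"])],
]);

// Fail closed: an unknown user or an entry without an ACL grants nothing.
function canRead(principals, entry) {
  if (!principals || !Array.isArray(entry.allow) || entry.allow.length === 0) return false;
  return entry.allow.some((p) => principals.has(p));
}

// Toy relevance score (term overlap) standing in for a real vector search.
function score(query, text) {
  const lower = text.toLowerCase();
  return query.toLowerCase().split(/\W+/).filter((t) => t && lower.includes(t)).length;
}

// The ACL filter runs first, so ranking, top-k and the prompt only see permitted entries.
function retrieveForUser(userId, query, k = 3) {
  const principals = PRINCIPALS.get(userId);
  return INDEX.filter((e) => canRead(principals, e))
    .map((e) => ({ entry: e, s: score(query, e.text) }))
    .filter((r) => r.s > 0)
    .sort((a, b) => b.s - a.s)
    .slice(0, k)
    .map((r) => r.entry);
}

// Only the filtered entries are ever serialized into model input.
function buildPrompt(userId, query) {
  const context = retrieveForUser(userId, query);
  const lines = context.map((e) => `[${e.id}] ${e.text}`);
  return { prompt: `Context:\n${lines.join("\n")}\n\nQuestion: ${query}`, sources: context.map((e) => e.id) };
}
```

Filtering before top-k also keeps restricted entries from consuming result slots, which would otherwise reveal their existence through missing or reordered results.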
Confidential mode + Selective amnesia
Conversations marked confidential are not indexed, retained, or surfaced. Not even by you later. Anything previously indexed can be forgotten via Selective Amnesia: purged from the index, auditable but gone.
Personal data dashboard
Every employee can see exactly what Pulse knows about them, what data sources fed those facts, and what AI decisions or recommendations have been made about them. Live, browseable, exportable. No surprises.
The trust surface keeps widening.
Foundations are stable; what changes is the surface. Below is what we’ve added since the last audit cycle so reviewers can verify the controls match the live code.
- Domain auto-join
Tenant.emailDomain auto-attaches signups from a verified domain. Personal-email providers (gmail.com, outlook.com, proton.me, etc.) are denied at the action layer regardless of admin configuration.
- Pilot-team rollout gate
While Tenant.pilotTeam is set, only OWNER / ADMIN and pilot-team members can reach /app/*. Everyone else lands on /rollout-pending until the admin clicks Expand.
- Sign-out on every auth wall
verify-required and rollout-pending now use a server-action form for sign-out so the cookie is actually cleared. No more redirect loops.
- TOCTOU-safe tenant signup
Tenant lookup runs inside the create transaction during signup so two simultaneous registrations can't race past each other with the same email domain.
- Defense-in-depth headers
CSP with strict-script-src, HSTS with preload, X-Frame-Options DENY, Permissions-Policy denying camera/mic/geo/interest-cohort, Referrer-Policy strict-origin-when-cross-origin.
- OAuth-link guard
Google sign-in only auto-links to an existing local user when that user's email is already verified. This prevents account-link hijacking via sign-in to a squatted local account.
Compliance roadmap
- SOC 2 Type I: in progress
- SOC 2 Type II: follows Type I
- GDPR DSAR: live
- DPA on request: live
- Encryption at rest (AES-256): live
- Encryption in transit (TLS 1.3): live