Security
Open source doesn't mean casual about security — it means you can verify our claims. Every control below is implemented in the repo at packages/*/ and apps/app/src/lib/security/. No "proprietary architecture" hand-waving.
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | In progress | Observation period started Q1 2026 with a Big-Four auditor. Report expected Q3 2026; available under NDA once issued. |
| GDPR | Certified | GDPR-compliant by design. DPA templates auto-signed at sign-up. EU data residency available in Frankfurt, Dublin and Milan. |
| ISO 27001 | Roadmap | Gap analysis done. Target certification: H1 2027. Controls already mapped to ISO Annex A in the internal wiki. |
| HIPAA | Roadmap | BAAs available on request today for US healthcare customers; full HIPAA self-assessment planned once the US customer base crosses 25. |
| CCPA | Certified | Privacy policy, data-subject-access flows and deletion endpoints meet CCPA. California users can request their data via /settings → privacy. |
Encryption
AES-256 at rest (RDS + S3-encrypted buckets). TLS 1.3 in transit. Customer-managed keys available on the Self-host tier.
Data residency
Choose Frankfurt (eu-central-1), Dublin (eu-west-1) or Milan (it-south-1) at sign-up. Data never replicates out of the chosen region.
Access control
SSO via SAML 2.0 (Okta, Entra, Google) or OIDC, included on every tier. SCIM provisioning. Granular role-based permissions with audit on every read and write.
Audit log
Immutable, append-only log of every state change — who, what, when, from what IP. Exportable via API. Retention 6 years by default.
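As an added illustration of what "append-only" means at the database layer (example code written for this page, not PulseHR's own schema; the table, role and column names are assumptions), the following Postgres DDL enforces immutability twice: the application role is never granted UPDATE/DELETE, and triggers reject those statements even if a grant is later added by mistake.

```sql
-- Constructed example: an append-only audit table in Postgres.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    tenant_id   uuid        NOT NULL,
    actor_id    uuid        NOT NULL,
    action      text        NOT NULL,       -- e.g. 'employee.read', 'employee.update'
    target      text        NOT NULL,       -- the row or object the action touched
    source_ip   inet,                       -- "from what IP"
    occurred_at timestamptz NOT NULL DEFAULT now()
);

-- Layer 1, privileges: the application role can only append and read.
CREATE ROLE app_rw;
GRANT INSERT, SELECT ON audit_log TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE audit_log_id_seq TO app_rw;

-- Layer 2, triggers: any UPDATE, DELETE or TRUNCATE is refused outright,
-- so a later accidental GRANT still cannot rewrite history.
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only: % is not permitted', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Writing an entry, in the same transaction as the state change it records
-- (constructed sample values):
INSERT INTO audit_log (tenant_id, actor_id, action, target, source_ip)
VALUES ('00000000-0000-0000-0000-000000000001',
        '00000000-0000-0000-0000-0000000000aa',
        'employee.update', 'employees:42', '203.0.113.7');

-- Both of these now fail with SQLSTATE 42501 (insufficient_privilege):
--   UPDATE audit_log SET action = 'employee.read' WHERE id = 1;
--   DELETE FROM audit_log WHERE id = 1;
```

One caveat a reviewer would raise: a Postgres superuser can still drop the trigger, so the triggers protect against application bugs and over-broad grants, not against a compromised database administrator. That residual risk is why the API export mentioned above matters: shipping the log to storage outside the database is what makes it tamper-evident rather than merely tamper-resistant.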
Tenant isolation
Logical separation at the DB row level, with tenant_id carried in every foreign key. Row-level security policies enforced in Postgres.
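The two halves of that sentence are separate controls, and this added example shows how they fit together (constructed for this page, not PulseHR's schema; table names, the app.tenant_id session setting and the helper function are assumptions). The composite foreign key makes a cross-tenant reference impossible at the constraint level, and the row-level security policy makes a cross-tenant read or write return nothing even when a query forgets its WHERE tenant_id clause.

```sql
-- Constructed example: tenant_id in every foreign key plus Postgres RLS.
CREATE TABLE tenants (
    id   uuid PRIMARY KEY,
    name text NOT NULL
);

CREATE TABLE employees (
    id        uuid NOT NULL,
    tenant_id uuid NOT NULL REFERENCES tenants (id),
    email     text NOT NULL,
    PRIMARY KEY (tenant_id, id)       -- tenant_id is part of the key ...
);

CREATE TABLE payslips (
    id           uuid   NOT NULL,
    tenant_id    uuid   NOT NULL REFERENCES tenants (id),
    employee_id  uuid   NOT NULL,
    amount_cents bigint NOT NULL,
    PRIMARY KEY (tenant_id, id),
    -- ... so a payslip can only reference an employee of the SAME tenant.
    FOREIGN KEY (tenant_id, employee_id) REFERENCES employees (tenant_id, id)
);

-- The application pins the tenant on each transaction after authenticating
-- the user:  SET LOCAL app.tenant_id = '<tenant uuid>';
-- missing_ok = true makes the helper return NULL when nothing is set.
CREATE OR REPLACE FUNCTION current_tenant_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT current_setting('app.tenant_id', true)::uuid
$$;

ALTER TABLE employees ENABLE ROW LEVEL SECURITY;
ALTER TABLE employees FORCE  ROW LEVEL SECURITY;   -- applies to the table owner too
ALTER TABLE payslips  ENABLE ROW LEVEL SECURITY;
ALTER TABLE payslips  FORCE  ROW LEVEL SECURITY;

-- USING filters what a session can see or modify; WITH CHECK stops an
-- INSERT/UPDATE from stamping a row with another tenant's id.
CREATE POLICY tenant_isolation ON employees
    USING      (tenant_id = current_tenant_id())
    WITH CHECK (tenant_id = current_tenant_id());

CREATE POLICY tenant_isolation ON payslips
    USING      (tenant_id = current_tenant_id())
    WITH CHECK (tenant_id = current_tenant_id());

-- Fail-closed check: with no tenant set, current_tenant_id() is NULL, the
-- comparison is NULL, and every policy yields zero rows.
SELECT count(*) FROM payslips;            -- 0, whatever the table holds

-- Normal request path (constructed tenant id):
BEGIN;
SET LOCAL app.tenant_id = '00000000-0000-0000-0000-000000000001';
SELECT count(*) FROM payslips;            -- only tenant 1's rows
COMMIT;
```

Two things to verify in any deployment of this pattern: the application's database role must not be a superuser or carry BYPASSRLS, since both skip policies entirely, and the tenant setting must be applied with SET LOCAL inside a transaction so that a pooled connection cannot leak one request's tenant into the next.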
Incident response
24/7 on-call rotation. P0 SLA: 15 min acknowledge, 2 h workaround. Public status page at status.pulsehr.it with incident post-mortems within 5 business days.
Subprocessors
Anyone we rely on who ever touches customer data. Public by design — changes ship with 30 days' notice via the mailing list and an RSS feed at /changelog.
| Provider | Purpose | Region |
|---|---|---|
| AWS | Compute, storage, DB (EU regions only unless you opt in) | eu-central-1, eu-west-1 |
| Cloudflare | CDN, DDoS protection, WAF | Global edge |
| Stripe | Payments and invoicing | EU |
| Postmark | Transactional email | EU |
| Sentry | Error tracking (self-hosted on our infra) | eu-central-1 |
| PagerDuty | On-call routing | EU |
Vulnerability disclosure
Found a vulnerability? Tell us privately first — we'll fix it, credit you publicly, and never threaten legal action against researchers acting in good faith.
Free for the first 5 employees — forever. No credit card. Import your data in under an hour.