01 SECURITY

How we protect your employee data.

HRPulsar stores HR-grade personal data: org charts, performance history, assessment results. The same controls that are non-negotiable for that kind of data are non-negotiable for us. This page is what we already do and what we are working toward.

Last updated: May 13, 2026

Draft · pending US legal review

This page describes our current security practices and roadmap. The page itself is a draft — the underlying practices are implemented, but the wording has not yet been reviewed by US privacy or corporate counsel. Anything material to a vendor security review should be confirmed against the working version by emailing security@hrpulsar.com.

02 WHAT WE DO TODAY

Practices in place across HRPulsar Cloud.

Encryption

Data in transit and at rest is encrypted by default.

All traffic to the HRPulsar Cloud is served over TLS 1.2+ with HSTS. Customer data, file attachments, and database backups are encrypted at rest using AES-256 (managed Postgres and Cloudflare R2 object storage). Secrets, API keys, and webhook signing keys are stored in a dedicated secrets store with per-environment rotation.

Access controls

Least privilege, MFA, audit trail.

Production access is limited to a named subset of engineers. SSH and admin consoles require hardware-backed MFA. Every privileged action against production is logged and reviewable. Customer workspaces are tenant-isolated at the database level.

Backups & disaster recovery

Daily encrypted backups, multi-region object storage.

Postgres is backed up daily with point-in-time recovery within a 7-day window. File attachments live in Cloudflare R2 with multi-region replication. Our target recovery objectives are RPO ≤ 24 hours and RTO ≤ 4 hours for the Cloud tier. We test restores quarterly.

Incident response

Owned by engineering, communicated within 72 hours.

Security incidents are triaged by the on-call engineer, contained, and post-mortemed. Confirmed breaches affecting customer personal data are disclosed to affected workspaces within 72 hours, in line with GDPR Article 33 expectations. Post-mortems for material incidents are published on the changelog.

Vendor & AI governance

Sub-processors are listed and reviewed.

Customer data is processed only by a small, named set of sub-processors (the full list will be published in the Privacy Policy before Cloud billing launches; we share the current working list on request to security@hrpulsar.com). AI model providers used by Cloud workspaces are configured not to train on customer prompts or outputs. We track the EU AI Act vendor obligations and will publish our conformity statement before the act's general application date.

Application security

Reviewed code, automated tests, dependency scanning.

Every change to production code goes through review, automated tests, and static analysis. Dependencies are pinned and scanned for known CVEs on each build. We run an internal security review on each release and accept responsible disclosures at security@hrpulsar.com.

03 ROADMAP

Certifications and programmes we are working toward.

We do not display a SOC 2 badge today because we are not certified today. Below is the actual timeline. If a procurement team needs a specific certification on a specific date, write to security@hrpulsar.com and we will tell you whether we can commit.

  • SOC 2 Type I

    Targeted after the first 50 paid Cloud customers

    We are tracking the SOC 2 common criteria internally today and will engage an auditor once Cloud revenue justifies the audit cost. We will publish the report under NDA on request.

  • SOC 2 Type II

    Planned 12 months after Type I

    Continuous monitoring evidence is being captured from day one so that the Type II observation window can begin immediately after Type I issues.

  • EU AI Act conformity

    On track for the act's general application date

    HRPulsar acts as both a deployer (for our own internal use of AI) and a downstream provider (Cloud workspaces using model providers). We are mapping the obligations under Articles 50, 53, and 55 and will publish a vendor conformity statement before the relevant deadlines.

  • Bug bounty

    Under consideration

    We accept responsible disclosure today and will move to a formal bounty programme once the Cloud user base supports the operational load.

04 CONTACT

Reporting a vulnerability or a procurement question.