Security Commitment
Pulse API is built with security at its core. We implement industry-leading security practices to protect your sensitive documents and data throughout the entire processing lifecycle.
Compliance
- ISO 27001: Information security management certification
- GDPR Compliant: Full compliance with EU data protection regulations
- SOC 2 Type II: Audited controls for security, availability, and confidentiality
- HIPAA Compliant: Safeguards for protected health information (PHI)
For detailed compliance and security information, view our security page here.
Data Protection
Encryption
In Transit
- TLS 1.3 for all API communications
- Certificate pinning available for enterprise
- Perfect forward secrecy enabled
- Strong cipher suites only
At Rest
- AES-256 encryption for stored data
- Encrypted S3 buckets with customer-managed keys
- Encrypted database backups
- Secure key management via AWS KMS
Processing
- Isolated compute environments
- Memory encryption for sensitive operations
- Secure enclaves for key material
- No data persistence on compute nodes
Data Retention
Data Type | Retention Period | Notes |
---|---|---|
Uploaded files | 48 hours | Automatic deletion |
Extraction results | 48 hours | Unless saved by user |
API logs | 30 days | For debugging only |
Audit logs | 1 year | Compliance requirement |
Enterprise customers can configure custom retention policies to meet their compliance requirements.
Infrastructure Security
AWS Architecture
Security Features
- DDoS Protection: AWS Shield Standard + CloudFront
- Web Application Firewall: AWS WAF with custom rules
- Network Isolation: VPC with private subnets
- Access Control: IAM roles with least privilege
- Monitoring: CloudWatch + GuardDuty threat detection
Access Control
API Authentication
- API Keys: Unique per organization
- Key Rotation: Supported and recommended
- IP Allowlisting: Available for enterprise
- Rate Limiting: Automatic abuse prevention
Administrative Access
- Multi-Factor Authentication: Required for all staff
- Role-Based Access Control: Principle of least privilege
- Audit Logging: All administrative actions logged
- Background Checks: All employees screened
Data Privacy
Our Commitments
- No Training: Your data is never used to train our models
- No Sharing: Data is never shared with third parties
- No Persistence: Automatic deletion after processing
- No Access: Staff cannot access your documents
GDPR Compliance
- Right to Access: Export all your data
- Right to Deletion: Immediate purge available
- Data Portability: Standard formats
- Privacy by Design: Built-in from day one
Security Monitoring
Real-Time Protection
- Threat Detection: AWS GuardDuty + custom rules
- Anomaly Detection: ML-based pattern analysis
- Security Scanning: Continuous vulnerability assessment
- Incident Response: 24/7 security team for enterprise
Audit Trail
All API operations are logged with:
- Timestamp
- API key identifier (hashed)
- Operation performed
- Response status
- IP address (hashed)
Logs are retained for 30 days and are available for security investigations only.
Vulnerability Management
Security Practices
1. Code Review: All code peer-reviewed before deployment
2. Dependency Scanning: Automated scanning for vulnerable packages
3. Penetration Testing: Annual third-party security assessments
4. Bug Bounty: Responsible disclosure program (coming soon)
Update Policy
- Critical Patches: Applied within 24 hours
- Security Updates: Applied within 7 days
- Regular Updates: Monthly maintenance window
- Zero Downtime: Rolling deployments
Incident Response
Response Plan
- Detection: Automated monitoring + manual review
- Assessment: Severity classification within 1 hour
- Containment: Immediate isolation of affected systems
- Notification: Customer notification per SLA
- Remediation: Fix deployment and verification
- Post-Mortem: Published within 5 business days
Customer Notification
Enterprise customers receive:
- Immediate notification of incidents
- Regular status updates
- Post-incident report
- Remediation recommendations
Best Practices for Users
API Key Security
- Store keys in environment variables
- Never commit keys to version control
- Rotate keys regularly (every 90 days)
- Use different keys for different environments
- Monitor key usage in Console
Document Handling
- Encrypt sensitive documents before upload
- Use presigned URLs for direct S3 access
- Process documents immediately after upload
- Don’t store extraction results permanently
Network Security
- Always use HTTPS connections
- Implement webhook signature verification
- Use IP allowlisting when possible
- Monitor for unusual activity patterns
Additional Security Information
For comprehensive security details and compliance documentation, please visit our security page.
Report Security Issues
Found a security vulnerability? Please report it responsibly:
Do NOT post security issues publicly. Email us directly for coordinated disclosure.