# Security & Compliance

> How Pulse protects documents, credentials, storage, retention, and production workflows.

Pulse is built for production document workflows where source files may contain sensitive commercial, financial, legal, healthcare, or personal data. This page collects the security and compliance topics that should be visible before a team goes live.

<CardGroup cols={3}>
  <Card title="Security Page" icon="shield-check" href="https://www.runpulse.com/security">
    Review current compliance, security, and trust materials.
  </Card>

  <Card title="Trust Center" icon="badge-check" href="https://trust.runpulse.com">
    Access Pulse trust, security, and compliance documentation.
  </Card>

  <Card title="Custom Storage" icon="database" href="/storage/overview">
    Store extraction artifacts in your own cloud storage bucket.
  </Card>
</CardGroup>

## Platform Security

| Area           | Pulse behavior                                                                                                                        |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
| Authentication | Platform users authenticate through the Pulse app. API calls use API keys created from the Platform.                                  |
| API keys       | Keys should be stored server-side and rotated when they are no longer needed.                                                         |
| Transport      | API traffic should be sent over HTTPS to `https://api.runpulse.com`.                                                                  |
| Data use       | Customer documents are not used to train models.                                                                                      |
| Retention      | Extraction artifacts are retained for a limited period unless your organization uses custom storage or a contracted retention policy. |
| Access control | Platform access is scoped by organization and user role.                                                                              |

## Compliance

Pulse maintains security and compliance controls for enterprise document processing. The introduction should stay focused on product onboarding; compliance belongs here and in formal trust materials.

<CardGroup cols={4}>
  <Card title="SOC 2" icon="shield-check">
    Audited controls for security operations.
  </Card>

  <Card title="ISO 27001" icon="certificate">
    Information security management controls.
  </Card>

  <Card title="HIPAA" icon="hospital">
    Healthcare data workflows when covered by the right agreement.
  </Card>

  <Card title="GDPR" icon="lock">
    Privacy controls for EU personal data workflows.
  </Card>
</CardGroup>

<Note>
  Compliance commitments depend on your agreement and enabled product configuration. Use the public security page or contact Pulse for the latest formal documentation.
</Note>

## API Key Handling

Use API keys from server-side code only.

```bash
export PULSE_API_KEY="..."
```

```python
import os
from pulse import Pulse

client = Pulse(api_key=os.environ["PULSE_API_KEY"])
```

Do not embed API keys in browser code, mobile apps, public notebooks, or client-side demos. For browser-facing applications, call your own backend and have the backend call Pulse.

## Storage Options

Pulse supports two common storage patterns:

| Pattern                | Use when                                                                   |
| ---------------------- | -------------------------------------------------------------------------- |
| Pulse-managed storage  | You want the simplest setup and standard retention behavior.               |
| Bring Your Own Storage | You need artifacts written to your AWS, GCP, or Azure storage environment. |

See [Custom Storage Overview](/storage/overview) for BYOS setup details.

## Production Checklist

* Store API keys in a secret manager.
* Use separate keys for development and production.
* Keep storage enabled for chained workflows.
* Use BYOS if your team requires direct ownership of extraction artifacts.
* Use async processing and webhooks for long-running jobs.
* Log `job_id`, `extraction_id`, `schema_id`, and `split_id` for traceability.
* Avoid storing source documents longer than your policy requires.
* Build retry handling around documented API errors.
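
An added example, not part of the Pulse documentation or SDK, showing one way to apply the key-handling and traceability items above: it fails closed when `PULSE_API_KEY` is missing, logs only the four identifiers, and redacts the key if it ever reaches a log message. The response dict shape, the `pulse.audit` logger name, and all helper names are assumptions.

```python
import json
import logging
import os

# The four identifiers the checklist says to log; every other field is dropped.
TRACE_FIELDS = ("job_id", "extraction_id", "schema_id", "split_id")

def load_api_key(env=os.environ):
    """Read the key from the environment and fail closed if it is absent."""
    key = env.get("PULSE_API_KEY", "").strip()
    if not key or key == "...":  # unset, empty, or the docs placeholder
        raise RuntimeError("PULSE_API_KEY is not set")
    return key

def trace_fields(payload):
    """Keep only the traceability identifiers present in a response dict.

    The dict shape is an assumption; document text and other fields never
    reach the log.
    """
    return {k: payload[k] for k in TRACE_FIELDS if payload.get(k)}

class RedactSecret(logging.Filter):
    """Replace the API key with a marker if it ever reaches a log message."""
    def __init__(self, secret):
        super().__init__()
        self._secret = secret

    def filter(self, record):
        message = record.getMessage()
        if self._secret in message:
            record.msg = message.replace(self._secret, "[REDACTED]")
            record.args = None  # message is already fully formatted
        return True

def build_logger(secret, handler=None):
    """Return a logger whose handler redacts the key before emitting."""
    logger = logging.getLogger("pulse.audit")  # hypothetical logger name
    logger.setLevel(logging.INFO)
    logger.handlers.clear()
    logger.propagate = False
    handler = handler or logging.StreamHandler()
    handler.addFilter(RedactSecret(secret))
    logger.addHandler(handler)
    return logger

def log_job(logger, payload):
    """Emit one JSON line containing only the traceability identifiers."""
    line = json.dumps(trace_fields(payload), sort_keys=True)
    logger.info("pulse_job %s", line)
    return line
```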

## Related

<CardGroup cols={2}>
  <Card title="Authentication" icon="key" href="/authentication">
    Create and use API keys safely.
  </Card>

  <Card title="Error Handling" icon="triangle-exclamation" href="/advanced/error-handling">
    Build resilient production integrations.
  </Card>

  <Card title="Webhooks" icon="webhook" href="/svix-webhooks">
    Receive async job notifications securely.
  </Card>

  <Card title="Bring Your Own Storage" icon="database" href="/storage/overview">
    Configure custom artifact storage.
  </Card>
</CardGroup>
