Security
How Pulse protects your data, and how to report a security issue if you find one.
Our security principles
Zero-knowledge encryption
When you sync contacts to Pulse Cloud Sync from the Pulse app, your data is encrypted on your device with AES-256-GCM before it leaves the device. We store the encrypted blobs but cannot read them; only your devices have the key.
Defense in depth
Every layer is hardened independently: TLS 1.2+ in transit, AES-256 at rest, bcrypt cost factor 12 for passwords, account lockout after 10 failed attempts, rate limiting (120 req/IP/min), per-user partition isolation, and IAM scoping that prevents the cloud sync service from reaching any other AWS resource.
No secret sauce
We use boring, well-audited primitives — Apple CryptoKit, AWS DynamoDB, bcrypt, TLS — implemented in the standard ways. The full security architecture is documented in our public compliance docs.
Transparency
Our privacy policy describes exactly what data leaves your device, where it goes, and how it's protected. We don't hide trade-offs (e.g., the Apple Contacts CardDAV path is plaintext because Apple's client requires it, and we say so).
For the full security architecture, see Section 11 of our Privacy Policy.
Responsible disclosure policy
We take security reports seriously. If you believe you've found a vulnerability in Pulse, please report it to us privately so we can fix it before details become public.
How to report
Email security@pulse.goudastudios.com with:
- A clear description of the vulnerability
- Steps to reproduce
- The version of Pulse and the platform you tested on
- Your name or handle (if you'd like credit)
What you can expect from us
- Acknowledgment within 5 business days of receiving your report
- An honest assessment of the issue's severity and our planned fix timeline
- Regular updates as we investigate and patch
- Public credit on this page once the fix ships, if you want it
What we ask in return
- Give us a reasonable disclosure window (typically 90 days, sometimes longer for complex issues) before publishing details
- Do not exploit the vulnerability beyond what is necessary to confirm it exists
- Do not access, modify, or delete data belonging to other users
- Do not run automated scans against our production infrastructure that could degrade service
We do not currently run a paid bug bounty program. We may in the future as Pulse grows.
Security acknowledgments
Thank you to the security researchers who have helped make Pulse safer through responsible disclosure. Researchers are listed in the order their reports were received.
No reports yet. Be the first.
Security contact
For all security issues, vulnerability reports, and responsible disclosure:
security@pulse.goudastudios.com
For general support questions, use /support instead.