Security at Pulsar Informatics

At Pulsar Informatics, protecting our customers' data is foundational to everything we build. Our fatigue risk management platform is trusted by organizations where safety is critical, and we hold ourselves to a security standard that reflects that responsibility.

Infrastructure Security

Pulsar's platform is hosted on Amazon Web Services (AWS). We design and operate our environments using AWS security best practices, including principles from the AWS Well-Architected Framework. We use recognized hardening baselines, including CIS Benchmarks and DISA STIGs, as guidance for applicable systems and configurations.

Key infrastructure practices include:

  • Logically separated development, staging, and production environments hosted in distinct AWS accounts
  • Network segmentation with default-deny traffic policies between environments
  • Multi-factor authentication (MFA) and role-based access controls enforced across production systems
  • Comprehensive audit logging and monitoring via AWS-native services
  • Endpoint protection through mandatory Mobile Device Management (MDM) enrollment for all company devices

Data Protection

Pulsar maintains a formal data classification framework that categorizes all information based on sensitivity and applies appropriate controls throughout its lifecycle, from creation and storage to sharing and disposal. Our data handling practices are informed by NIST SP 800-53 Rev 5 and SOC 2 requirements.

  • Encryption in transit: All data is encrypted using TLS 1.2 or higher with 2048-bit RSA keys and SHA-256 signatures.
  • Encryption at rest: Customer data is protected using AES-256 envelope encryption via AWS Elastic Block Store.
  • Key management: Encryption keys are managed through AWS Key Management Service (KMS) with automatic annual rotation. Private keys are non-exportable and stored in FIPS 140-2 validated hardware security modules (HSMs).
  • Access controls: Data access is governed by role-based access controls and the principle of least privilege, with MFA required for access to sensitive data.
  • Data retention and disposal: Retention periods are defined by product, contract, and regulatory requirements. When data reaches the end of its retention period, it is disposed of using methods compliant with NIST SP 800-88 guidelines for media sanitization.
  • Removable media: Normal operations do not use removable media or external storage devices. Customer data is introduced exclusively through secure network integrations or direct user upload.

Secure Development

Security is embedded throughout our software development lifecycle, not applied as an afterthought. Our engineering team follows a secure-by-design approach informed by OWASP, CIS, and CERT guidelines.

Our development practices include:

  • Mandatory peer code review for all changes before they reach production
  • Automated static and dynamic application security testing (SAST/DAST) integrated into our CI/CD pipeline
  • Automated dependency scanning and vulnerability monitoring for third-party libraries
  • Secure coding standards aligned with the OWASP Top 10 and CERT Secure Coding Practices
  • Logically separated environments that mirror production configurations for thorough pre-release validation
  • A formal change control process for infrastructure and security-sensitive modifications
  • Annual secure development training for all engineers

Incident Response

Pulsar maintains a formal Incident Response Plan that is reviewed and tested at least annually. The plan defines clear severity classifications, escalation procedures, and roles to ensure rapid and coordinated response to any security event.

Our incident response program includes:

  • A defined severity framework (Critical through Low) with corresponding response timelines
  • Designated incident leads and an established escalation chain through senior leadership
  • Post-incident root cause analysis and remediation tracking for significant events
  • A formal customer notification process in the event of a confirmed breach
  • Continuous improvement through post-mortem reviews and lessons learned

Vendor Management

We recognize that our security posture extends to the third parties we work with. Pulsar maintains a formal Vendor Management Program that evaluates and monitors all third-party relationships through a risk-based framework.

  • Prospective vendors undergo a due diligence process that includes risk scoring across multiple factors such as data access, service criticality, and financial health.
  • Vendors are classified into risk tiers (Low, Medium, High), with escalating levels of security review required, including detailed information security questionnaires for higher-risk engagements.
  • Approved vendors are required to adhere to Pulsar's information security, privacy, and incident response policies.
  • All vendor relationships are subject to continuous monitoring and annual security reviews.
  • Access granted to vendors follows the principle of least privilege and is revoked immediately upon termination of the business relationship.

People & Operations

Technology is only part of the equation. We invest in the people and processes that support a strong security culture.

  • Background checks and confidentiality agreements are required for all personnel with access to sensitive systems.
  • Employees and contractors receive security awareness training appropriate to their role, at least annually.
  • Role-specific training is provided for personnel handling sensitive or restricted data.
  • Access to systems and data follows the principle of least privilege and is reviewed on a regular basis.

Privacy

We are committed to protecting the privacy of our users and their data. Privacy-by-design principles are integrated into our product development process, and our data handling practices are governed by our Privacy Policy. For more information, please also review our Terms of Use.

Continuous Improvement

Security is not a destination; it's an ongoing commitment. We continuously evaluate our security posture through internal audits and monitoring, invest in new controls, and work toward formal certifications to provide our customers with additional assurance.

Questions?

If you have questions about our security practices or need to report a security concern, please reach out through our Contact Us page.