Effective 2026-04-26

Security

We treat the security of your data — and your customers' data inside AI Pulse — as a primary product responsibility, not a checkbox. Below is how we operate today and what's on the roadmap.

Section · 01 / 07

Where data lives

  • Cloud tier (default): managed Postgres in US-East via Supabase. EU residency available on Agency+ for $50/mo extra.
  • Self-hosted (Free tier): wherever you put it. We provide the docker-compose stack; you provide the box.
  • Enterprise tier: custom data residency (US / EU / APAC) negotiable. Deployment into your own VPC or on-premises is fully supported.

Section · 02 / 07

Encryption

  • In transit: TLS 1.2+ on every external interface. HSTS enabled on aipulse.swarmhr.com.
  • At rest (cloud): AES-256 disk encryption (Supabase default).
  • Application-level: every secret stored in seo_settings (ad account credentials, business profile tokens, etc.) is encrypted by the application with PULSE_ENCRYPTION_KEY (AES-256-GCM) before it is written to the database. The key is held outside the database, so a database dump on its own does not expose stored credentials.
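As an added example (written for this page, not AI Pulse's own code), here is the encrypt-before-insert step described above done in Go with only the standard library: a 32-byte key read from PULSE_ENCRYPTION_KEY, AES-256-GCM with a fresh random nonce per write, and the owning site id plus column name passed as associated data so a ciphertext copied into another site's row fails to decrypt rather than leaking. The seo_settings row layout, the site ids and the sample token are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Version prefix on stored values so the key or format can be rotated later
// without guessing how an old row was written.
const version = "v1."

// SecretBox holds the AES-256-GCM AEAD built from a key that lives outside
// the database (here an environment variable; an assumption of this example).
type SecretBox struct {
	aead cipher.AEAD
}

// NewSecretBox builds the AEAD from a raw 32-byte key.
func NewSecretBox(key []byte) (*SecretBox, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SecretBox{aead: aead}, nil
}

// NewSecretBoxFromEnv loads a hex-encoded 32-byte key from the named variable.
func NewSecretBoxFromEnv(name string) (*SecretBox, error) {
	raw := os.Getenv(name)
	if raw == "" {
		return nil, fmt.Errorf("%s is not set", name)
	}
	key, err := hex.DecodeString(strings.TrimSpace(raw))
	if err != nil {
		return nil, fmt.Errorf("%s is not valid hex: %w", name, err)
	}
	return NewSecretBox(key)
}

// bindingAAD is authenticated but not encrypted context. Binding the row's
// site id and column name means a ciphertext moved to another site's row (or
// another column) fails authentication instead of handing over a credential.
func bindingAAD(siteID, column string) []byte {
	return []byte("seo_settings|" + siteID + "|" + column)
}

// Seal encrypts one secret for one (siteID, column) slot. The stored value is
// version || base64(nonce || ciphertext || tag), suitable for a text column.
func (b *SecretBox) Seal(siteID, column, plaintext string) (string, error) {
	nonce := make([]byte, b.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per write
		return "", err
	}
	ct := b.aead.Seal(nil, nonce, []byte(plaintext), bindingAAD(siteID, column))
	return version + base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Open reverses Seal; any mismatch in key, binding or bytes yields an error.
func (b *SecretBox) Open(siteID, column, stored string) (string, error) {
	if !strings.HasPrefix(stored, version) {
		return "", errors.New("unknown ciphertext version")
	}
	blob, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, version))
	if err != nil {
		return "", err
	}
	ns := b.aead.NonceSize()
	if len(blob) < ns+b.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := b.aead.Open(nil, blob[:ns], blob[ns:], bindingAAD(siteID, column))
	if err != nil {
		return "", errors.New("decrypt failed: wrong key, wrong row binding, or tampered data")
	}
	return string(pt), nil
}

func main() {
	// Stand-alone demo: export PULSE_ENCRYPTION_KEY=$(openssl rand -hex 32)
	box, err := NewSecretBoxFromEnv("PULSE_ENCRYPTION_KEY")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	stored, _ := box.Seal("site-42", "google_ads_refresh_token", "constructed-sample-token")
	fmt.Println("stored value:", stored)
	_, err = box.Open("site-43", "google_ads_refresh_token", stored) // moved to another site's row
	fmt.Println("open under another site:", err)
}
```

The version prefix is what makes key rotation tractable: a rotation job can read rows, decrypt under the old key, re-seal under the new one with a bumped prefix, and any row still carrying the old prefix is visibly unrotated. GCM's 96-bit random nonces are safe as long as a single key is used for far fewer than 2^32 writes, which is another reason to rotate on a schedule rather than only on compromise.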

Section · 03 / 07

Access controls

  • Row-level security (RLS) enforced in Postgres on every multi-tenant table, so each query is scoped to the caller's site inside the database rather than only in application code. Note that Postgres RLS filters only for roles subject to it: superuser and table-owner connections bypass policies unless FORCE ROW LEVEL SECURITY is set, so the tenant-scoped application role is the one that must serve requests.
  • Four roles: viewer / editor / admin / super_admin. Least-privilege by default.
  • SSO available on Enterprise tier (Okta, Azure AD, Google Workspace via OIDC / SAML).

Section · 04 / 07

Auditing

  • Audit log on every config change, every LLM call, every credential rotation. Searchable in /admin/audit and exportable.
  • LLM call telemetry: provider, model, tokens-in, tokens-out, cost, latency, success/failure, callsite — for cost auditing and incident investigation.

Section · 05 / 07

AI / LLM-specific controls

  • Bring-your-own-key for OpenAI / Anthropic — your usage runs through your provider account; we don't proxy it.
  • Local LLM (Ollama) option for fully air-gapped operation. Zero data egress to third parties.
  • Per-site provider routing — sensitive sites can be pinned to local Ollama while less-sensitive sites use cloud LLMs.

Section · 06 / 07

Compliance roadmap

  • GDPR-aligned today. Cookie-less analytics, DNT/GPC honored, right-to-delete, data portability all live.
  • SOC 2 Type II report scheduled for Q3 2026. NDA-friendly progress letter available now via hello@thoughtwavesoft.com.
  • HIPAA (BAA) under evaluation; contact us if it's a hard requirement.

Section · 07 / 07

Reporting a vulnerability

  • Email security@thoughtwavesoft.com (CC hello@) with details. We acknowledge within 1 business day and aim to remediate critical issues within 7 days.
  • We do not have a paid bounty program yet, but we credit you publicly (with your permission) and provide a free Pro/Agency subscription for any verified, high-severity finding.

This document is provided as a reasonable starter; it has not been reviewed by counsel. Before relying on it for any production deployment, please have it reviewed by a lawyer familiar with your jurisdiction.