> For the complete documentation index, see [llms.txt](https://pulselabs.gitbook.io/pulse-labs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://pulselabs.gitbook.io/pulse-labs/privacy-center/readme/technical-and-organizational-measures.md).

# Technical and Organizational Measures

*Last updated: June 23, 2026*

The technical and organizational measures set forth below have been implemented by the data importer to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

The measures below summarize Pulse Labs' current security program at a customer-facing level. They are intended to describe the safeguards Pulse Labs applies generally across its business and services, while recognizing that specific controls may vary based on product, data type, customer agreement, legal requirement, and operational context.

## 1. Security Governance

Pulse Labs maintains an information security program overseen by designated security and leadership stakeholders. The program is designed to establish security responsibilities, define approved policies and procedures, assess information security risks, and support ongoing improvement of security controls.

Pulse Labs' information security policies address areas including access control, information classification, acceptable use, asset management, cryptography, cloud security, secure development, change management, vulnerability management, logging and monitoring, incident response, supplier management, backup and recovery, business continuity, and personnel security.

Security policies and related procedures are reviewed periodically and updated as needed to reflect changes in technology, business operations, customer requirements, and applicable legal or regulatory obligations.

## 2. Personnel Security and Training

Pulse Labs requires employees, contractors, and other authorized personnel to follow company security policies and protect confidential information. Personnel with access to company or customer information are expected to complete onboarding activities that include information security and data protection awareness.

Where permitted by law and appropriate for the role, Pulse Labs may conduct background checks before or shortly after personnel begin work. Employees, contractors, and third-party users are required to protect confidential information and may be subject to confidentiality obligations or nondisclosure agreements.

Pulse Labs maintains a disciplinary process for violations of company policies and security procedures.

## 3. Access Control

Pulse Labs uses role-based and need-to-know access principles to limit access to company systems, cloud infrastructure, source code repositories, business tools, and customer data. Access requests are reviewed and approved by appropriate managers, department heads, or security personnel before access is granted.

Administrative and privileged access is restricted and subject to additional controls, including multi-factor authentication where supported and appropriate. Shared accounts are avoided unless there is a justified business need and appropriate approval.

Access is modified or revoked when personnel change roles, no longer require access, or leave the company. Pulse Labs maintains access records and conducts periodic access reviews to identify and remove access that is no longer needed.

## 4. Authentication and Password Management

Pulse Labs requires users to authenticate before accessing company systems and services. Passwords and authentication credentials must be protected from unauthorized use and disclosure.

Personnel are expected to use secure password practices and change default passwords at first use where applicable. Lost or forgotten passwords are reset through approved processes rather than retrieved in plaintext. Privileged and remote access may require multi-factor authentication where technically supported.

## 5. Remote Work and Device Security

Pulse Labs operates with remote work practices and provides company-managed devices to employees where appropriate. Contractors, temporary employees, and interns may use personally owned devices only with approval and subject to security expectations.

Devices used for company work are expected to use reasonable security protections, such as operating system updates, endpoint protection or built-in platform security features, screen locking, and full-disk encryption where supported. Remote access can be revoked when employment, contractor status, or business need ends.

Company-owned assets must be returned at the end of employment or engagement. Computers, storage components, and removable media are securely wiped or disposed of before reuse or retirement.

## 6. Information Classification and Handling

Pulse Labs classifies information to guide handling, access, sharing, retention, and disposal. Classification categories include confidential information, internal-use information, public information, and externally originated information such as customer-provided data.

Customer and externally provided data is handled according to the classification and handling requirements provided by the customer where applicable. If no customer classification is provided, Pulse Labs applies its internal classification approach based on the sensitivity and confidentiality of the information.

Access to confidential information is limited to authorized personnel with a business need. Personnel are prohibited from copying, altering, disclosing, or destroying confidential information unless authorized and within the scope of their work.

## 7. Cloud Hosting and Infrastructure Security

Pulse Labs uses cloud infrastructure and third-party cloud service providers to host and support its services. Cloud access is governed by the same access control principles used for other company systems, including restricted access, approval-based provisioning, and additional protection for administrative access.

Pulse Labs considers security, privacy, availability, data location, auditability, identity and access management, data isolation, incident response, and backup capabilities when evaluating cloud service providers and cloud-hosted systems.

Where technically supported and appropriate, cloud infrastructure is configured to separate environments, restrict administrative access, synchronize system clocks for logging, and apply provider-native security controls.

## 8. Encryption and Key Management

Pulse Labs uses cryptographic controls to protect data, communications, administrative access, and authentication processes where appropriate. These controls may include TLS/SSL certificates, encrypted communications, authentication tokens, VPN-related cryptographic keys, and multi-factor authentication mechanisms.

Cryptographic keys and certificates are managed through approved processes. Pulse Labs' procedures are designed to track key ownership or custody, protect keys from unauthorized access, and retire or dispose of keys when they expire or are no longer required.

## 9. Secure Development and Change Management

Pulse Labs maintains development and change management processes designed to reduce security and operational risk. Development, testing, and production environments are separated where practical, and production changes are expected to follow documented change management procedures.

Changes are categorized based on risk and urgency. Non-standard and higher-impact changes are reviewed before implementation where appropriate. Emergency changes may be approved through an expedited process and reviewed after implementation.

Pulse Labs' secure development practices include peer review, testing before deployment, consideration of security requirements during design, and use of static analysis or security assessment activities where appropriate. Customer personal data and confidential information should not be used in non-production testing unless specifically approved and protected.

## 10. Vulnerability and Patch Management

Pulse Labs maintains vulnerability and patch management procedures designed to identify, assess, prioritize, and remediate security weaknesses. Vulnerabilities may be identified through vulnerability scans, penetration testing, audit findings, security monitoring, vendor advisories, industry publications, and internal review.

Identified vulnerabilities are assessed and prioritized based on severity, exploitability, and risk to Pulse Labs systems and services. Pulse Labs tracks remediation activities and applies security updates, patches, or compensating controls based on risk and operational impact.

Pulse Labs' procedures contemplate regular vulnerability scanning, annual external testing for public-facing systems, and additional assessment following significant infrastructure or application changes where appropriate.

## 11. Anti-Malware and Endpoint Protection

Pulse Labs uses endpoint protection, operating system security features, malware detection, and related monitoring controls to help protect company devices and systems. Endpoint protection is configured to update automatically where supported and to detect, quarantine, or remove malicious code.

Personnel are instructed not to open suspicious attachments, download files from untrusted sources, or use removable media without appropriate precautions. Suspected malware incidents are handled through Pulse Labs' incident response process.

## 12. Logging and Monitoring

Pulse Labs maintains logging and monitoring practices for systems and applications that process sensitive or operationally important information. Logs may include authentication events, administrative actions, privilege changes, application activity, system changes, security events, and error conditions.

Logs are protected from unauthorized access and are made available only to personnel with a business or security need. Pulse Labs' procedures are designed to avoid storing plaintext passwords in logs and to limit logging of private information unless necessary for security, operations, or audit purposes.

Security-relevant logs are reviewed on a periodic or risk-based basis. Suspected or confirmed security events identified through logging or monitoring are escalated for investigation.

## 13. Backup and Recovery

Pulse Labs maintains backup procedures designed to support availability and recovery of important systems and data. Backup frequency and retention vary by data type, system, service provider capabilities, and business need.

Pulse Labs' procedures include backups for production databases, source code, and business data where applicable. Restoration testing is performed periodically for selected systems, and backup or restoration failures are escalated through the incident management process.

## 14. Business Continuity and Disaster Recovery

Pulse Labs maintains business continuity and disaster recovery procedures designed to support continued operation of critical business functions during disruptive events. Business continuity planning considers critical services, recovery priorities, maximum acceptable outage, recovery time objectives, recovery point objectives, responsibilities, escalation paths, and communication flows.

Business continuity and recovery procedures are reviewed and tested periodically using methods such as tabletop review, simulation, partial testing, or complete testing where appropriate. Test results and lessons learned are used to improve continuity planning.

## 15. Incident Response

Pulse Labs maintains an incident response process for reporting, assessing, containing, remediating, recovering from, and reviewing information security incidents. Personnel are expected to report suspected security events or weaknesses through approved channels.

Reported events are assessed to determine whether they constitute security incidents and to assign appropriate priority. Incident response activities may include containment, root cause analysis, eradication of the cause, system recovery, evidence preservation, post-incident review, and lessons learned.

If an incident involves customer data or personal data, Pulse Labs assesses notification obligations under applicable contracts, laws, and regulations and coordinates appropriate notifications.

## 16. Supplier and Subprocessor Management

Pulse Labs evaluates external providers before and during engagements based on factors such as business need, competence, security posture, confidentiality obligations, regulatory requirements, and service expectations.

External providers that may access confidential information are expected to enter into appropriate contractual commitments, including confidentiality or nondisclosure obligations. Access granted to external providers is limited to what is necessary for the service and is subject to approval and revocation processes.

For cloud service providers and other providers that may process customer or personal data, Pulse Labs considers controls such as data location, authentication, encryption, backup capabilities, audit evidence, incident notification, and compliance with applicable legal and contractual obligations. The current list of subprocessors is maintained on the [Subprocessors](/pulse-labs/privacy-center/readme/subprocessors.md) page.

## 17. Data Retention and Deletion

Pulse Labs maintains data retention and deletion procedures designed to retain records only for as long as required by customer agreement, applicable law, regulatory obligation, contractual requirement, or legitimate business need.

Customer data retention and deletion may vary by product, data type, and contract. At the end of the applicable retention period, Pulse Labs' procedures are designed to delete, purge, archive, or otherwise dispose of data securely. Deletion of backups and archives is handled according to applicable backup retention and archival processes.

Pulse Labs maintains records of deletion or disposal for certain categories of personal data, confidential information, or regulated records where appropriate.

## 18. Risk Management and Continuous Improvement

Pulse Labs uses risk management processes to identify, assess, and address risks to information assets, systems, and business operations. Risk treatment may include implementing security controls, accepting risk, transferring risk, avoiding risky activities, or applying compensating controls.

Pulse Labs periodically reviews its security program through internal review, management review, audit-related activities, vulnerability management, incident lessons learned, supplier review, and policy updates. Findings, nonconformities, and improvement opportunities are tracked and addressed based on risk and priority.

## 19. Customer Responsibilities

Customers are responsible for using Pulse Labs services in a secure manner, including managing their own users, permissions, authentication settings, customer-side integrations, data inputs, and endpoint security. Customers should provide clear instructions regarding customer data classification, retention, deletion, and processing requirements when those requirements differ from Pulse Labs' standard practices.

## 20. Changes to These Measures

Pulse Labs may update these technical and organizational measures from time to time to reflect changes in its services, operations, security practices, technology, legal obligations, or risk environment. Pulse Labs will not materially decrease the overall level of protection for customer data during the term of an applicable customer agreement without an appropriate replacement or compensating measure.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://pulselabs.gitbook.io/pulse-labs/privacy-center/readme/technical-and-organizational-measures.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
