Security at TillPulse
The security commitments we make to customers, the controls behind them, and how to report a vulnerability. For a developer-facing rundown of internals, see the security model in the docs.
Our commitments
- We never look at your raw event data outside an investigation initiated by you.
- We never train AI models on your event data. AI features (Ask Pulse and TillMind) call out per-request to a routed inference provider with zero retention beyond the response — see DPA Annex II for the current provider.
- We separate concerns by region. Pin a project to a data region and its events stay there.
- We disclose breaches affecting your data without undue delay, and never later than 72 hours after we become aware, in line with applicable law.
Identity & access
- Bcrypt-hashed passwords (12 rounds).
- JWT RS256 access tokens (15-minute TTL), opaque refresh tokens (sha256-only at rest, single-use, rotated on every refresh, 30-day TTL).
- Optional TOTP. Secrets encrypted at rest with AES-256-GCM. Backup codes hashed.
- Optional OIDC SSO with PKCE, JWKS-verified
id_token, JIT user creation gated on allowed-email-domain list. - Role-based access: owner > admin > developer > viewer.
- Per-user personal API keys, scopable, revocable instantly.
- Audit log of all privileged actions, retained 365 days.
Encryption
- TLS 1.2+ for all client-server traffic. HSTS enforced on app domains.
- AES-256-GCM at rest for: TOTP secrets, SSO client secrets, tracker integration tokens.
- Database encryption at rest provided by Neon (AWS KMS) and ClickHouse Cloud.
Privacy by design
- PII scrubbed twice — at the SDK before transmission, and at the ingest API before storage. Patterns: emails, phones (NG/KE/ZA/GH/RW), payment cards (Luhn-checked), NIN, BVN, M-Pesa references, Bearer tokens, IPv4.
- End-user IP addresses are stripped at ingest. The dashboard only ever sees aggregated geo (country, city) derived from MaxMind lookup.
- Configurable
beforeSendhook on the SDK lets you drop or redact events before they leave the device.
Network & infrastructure
- Cloudflare WAF and DDoS protection in front of the dashboard and ingest API.
- Rate limiting: per-DSN sliding window in our own Redis fleet, plus per-IP fallback against DSN-spray.
- HMAC-verified webhooks (GitHub
X-Hub-Signature-256, SlackX-Slack-Signaturewith 5-minute replay window, LinearLinear-Signature).
Operations
- Least-privilege access for engineers. Production access gated by SSO + hardware key.
- Background-checked staff. Onboarding security training. Annual review.
- Backups daily, restored quarterly to validate.
- Incident response runbook with named roles and a recurring drill cadence.
Sub-processors
TillPulse uses a small set of vetted sub-processors. The full list with location and purpose lives in Annex II of the DPA. We provide 30 days' notice before adding a sub-processor.
Compliance posture
We design to support GDPR, POPIA, and Nigeria's NDPA. We are happy to complete vendor security questionnaires for enterprise customers — email security@tillpulse.io with the questionnaire and your timeline.
Vulnerability disclosure
Security researchers are welcome. Please:
- Email security@tillpulse.io with details and reproduction steps.
- Avoid actions that affect other customers (no DoS, no spamming, no data exfiltration beyond what's necessary to demonstrate the issue).
- Give us a reasonable window to remediate before public disclosure.
We respond within one business day, prioritise validated issues, and credit researchers who request acknowledgement. We do not currently run a paid bounty program, but we send swag and write thank-you notes.
Out of scope
- Findings that require physical access, social engineering, or compromise of a customer's own infrastructure.
- Reports that consist solely of the output of automated scanners with no impact analysis.
- Self-inflicted issues — e.g. a customer who configures
sendDefaultPii: trueand is surprised that PII is sent. - Missing security headers without an exploitation path (we'll fix them — they're not bugs to disclose).