SECURITY · LAST UPDATED MAY 2026

Security at TillPulse

The security commitments we make to customers, the controls behind them, and how to report a vulnerability. For a developer-facing rundown of internals, see the security model in the docs.

Our commitments

  • We never look at your raw event data outside an investigation initiated by you.
  • We never train AI models on your event data. AI features (Ask Pulse and TillMind) call out per-request to a routed inference provider with zero retention beyond the response — see DPA Annex II for the current provider.
  • We separate concerns by region. Pin a project to a data region and its events stay there.
  • We disclose breaches affecting your data without undue delay, and never later than 72 hours after we become aware, in line with applicable law.

Identity & access

  • Bcrypt-hashed passwords (12 rounds).
  • JWT RS256 access tokens (15-minute TTL), opaque refresh tokens (sha256-only at rest, single-use, rotated on every refresh, 30-day TTL).
  • Optional TOTP. Secrets encrypted at rest with AES-256-GCM. Backup codes hashed.
  • Optional OIDC SSO with PKCE, JWKS-verified id_token, JIT user creation gated on allowed-email-domain list.
  • Role-based access: owner > admin > developer > viewer.
  • Per-user personal API keys, scopable, revocable instantly.
  • Audit log of all privileged actions, retained 365 days.

Encryption

  • TLS 1.2+ for all client-server traffic. HSTS enforced on app domains.
  • AES-256-GCM at rest for: TOTP secrets, SSO client secrets, tracker integration tokens.
  • Database encryption at rest provided by Neon (AWS KMS) and ClickHouse Cloud.

Privacy by design

  • PII scrubbed twice — at the SDK before transmission, and at the ingest API before storage. Patterns: emails, phones (NG/KE/ZA/GH/RW), payment cards (Luhn-checked), NIN, BVN, M-Pesa references, Bearer tokens, IPv4.
  • End-user IP addresses are stripped at ingest. The dashboard only ever sees aggregated geo (country, city) derived from MaxMind lookup.
  • Configurable beforeSend hook on the SDK lets you drop or redact events before they leave the device.

Network & infrastructure

  • Cloudflare WAF and DDoS protection in front of the dashboard and ingest API.
  • Rate limiting: per-DSN sliding window in our own Redis fleet, plus per-IP fallback against DSN-spray.
  • HMAC-verified webhooks (GitHub X-Hub-Signature-256, Slack X-Slack-Signature with 5-minute replay window, Linear Linear-Signature).

Operations

  • Least-privilege access for engineers. Production access gated by SSO + hardware key.
  • Background-checked staff. Onboarding security training. Annual review.
  • Backups daily, restored quarterly to validate.
  • Incident response runbook with named roles and a recurring drill cadence.

Sub-processors

TillPulse uses a small set of vetted sub-processors. The full list with location and purpose lives in Annex II of the DPA. We provide 30 days' notice before adding a sub-processor.

Compliance posture

We design to support GDPR, POPIA, and Nigeria's NDPA. We are happy to complete vendor security questionnaires for enterprise customers — email security@tillpulse.io with the questionnaire and your timeline.

Vulnerability disclosure

Security researchers are welcome. Please:

  • Email security@tillpulse.io with details and reproduction steps.
  • Avoid actions that affect other customers (no DoS, no spamming, no data exfiltration beyond what's necessary to demonstrate the issue).
  • Give us a reasonable window to remediate before public disclosure.

We respond within one business day, prioritise validated issues, and credit researchers who request acknowledgement. We do not currently run a paid bounty program, but we send swag and write thank-you notes.

Out of scope

  • Findings that require physical access, social engineering, or compromise of a customer's own infrastructure.
  • Reports that consist solely of the output of automated scanners with no impact analysis.
  • Self-inflicted issues — e.g. a customer who configures sendDefaultPii: true and is surprised that PII is sent.
  • Missing security headers without an exploitation path (we'll fix them — they're not bugs to disclose).

Security model (docs) →Privacy policy →DPA →