Security

Last updated: April 28, 2026

Trust center

Overview

How Pulsar protects users, data and operations

This page explains how Pulsar protects authentication flows, APIs, database access, integrations and operational workflows. Controls are layered to reduce abuse, improve tenant isolation and strengthen recovery readiness.

Controls matrix

Key controls by layer, optimized for mobile scanning.

Layer	Controls	How	When	Why
Identity and authentication	Email verification, optional TOTP MFA, org-level MFA enforcement, invite token validation	Credentials, verification state and MFA challenges are validated before sessions are issued.	Sign-up, sign-in and step-up flows.	Reduce takeover risk and unauthorized access.
Session and browser protection	Signed HttpOnly JWT cookie, SameSite controls, same-origin checks, CSRF double-submit token	Authenticated requests validate session state. Mutating requests require origin and CSRF checks.	Every authenticated and state-changing request.	Reduce token theft and cross-site request forgery.
API route protection	Central route guard, payload validation, rate limiting, workspace checks	Routes validate request structure and identity before business logic executes.	At API ingress.	Stop malformed or abusive traffic early.
Authorization	Workspace membership checks and RBAC permission controls	Roles and membership are resolved server-side before protected operations run.	Before reads and writes.	Ensure least-privilege access.
Database isolation	Workspace scoping, organization scoping, Supabase/Postgres RLS policies	Queries are tenant-scoped and reinforced at the database layer.	At query execution.	Protect cross-tenant boundaries.
Secrets and credentials	AES-256-GCM encryption, hashed tokens, controlled reveal flows	Secrets are encrypted at rest and only decrypted in trusted server paths.	Storage and retrieval events.	Protect sensitive integration material.
Webhook boundary	Provider signature checks, token gates, ingress rate limits, anti-replay nonce cache, optional IP allowlists, delivery persistence	Inbound callbacks validate signature or token before processing payloads. Request paths use dedicated rate limits, replay nonce checks on signed timestamped providers and optional source IP allowlists.	Immediately on webhook receipt and during delivery persistence.	Reject spoofed traffic and improve forensic traceability.
Observability	Audit records, delivery logs, alert pathways	Sensitive actions emit logs and operational signals.	During and after critical events.	Improve triage and recovery.

Identity and authentication

Controls: Email verification, optional TOTP MFA, org-level MFA enforcement, invite token validation

How: Credentials, verification state and MFA challenges are validated before sessions are issued.

When: Sign-up, sign-in and step-up flows.

Why: Reduce takeover risk and unauthorized access.

Session and browser protection

Controls: Signed HttpOnly JWT cookie, SameSite controls, same-origin checks, CSRF double-submit token

How: Authenticated requests validate session state. Mutating requests require origin and CSRF checks.

When: Every authenticated and state-changing request.

Why: Reduce token theft and cross-site request forgery.

API route protection

Controls: Central route guard, payload validation, rate limiting, workspace checks

How: Routes validate request structure and identity before business logic executes.

When: At API ingress.

Why: Stop malformed or abusive traffic early.

Authorization

Controls: Workspace membership checks and RBAC permission controls

How: Roles and membership are resolved server-side before protected operations run.

When: Before reads and writes.

Why: Ensure least-privilege access.

Database isolation

Controls: Workspace scoping, organization scoping, Supabase/Postgres RLS policies

How: Queries are tenant-scoped and reinforced at the database layer.

When: At query execution.

Why: Protect cross-tenant boundaries.

Secrets and credentials

Controls: AES-256-GCM encryption, hashed tokens, controlled reveal flows

How: Secrets are encrypted at rest and only decrypted in trusted server paths.

When: Storage and retrieval events.

Why: Protect sensitive integration material.

Webhook boundary

Controls: Provider signature checks, token gates, ingress rate limits, anti-replay nonce cache, optional IP allowlists, delivery persistence

How: Inbound callbacks validate signature or token before processing payloads. Request paths use dedicated rate limits, replay nonce checks on signed timestamped providers and optional source IP allowlists.

When: Immediately on webhook receipt and during delivery persistence.

Why: Reject spoofed traffic and improve forensic traceability.

Observability

Controls: Audit records, delivery logs, alert pathways

How: Sensitive actions emit logs and operational signals.

When: During and after critical events.

Why: Improve triage and recovery.

Lifecycle

1. Before access

Identity, invite requirements, credential validity and MFA requirements are checked before sessions are issued.

2. At request ingress

Protected routes enforce origin, CSRF and rate-limit checks before logic executes.

3. Before data operations

Workspace membership and RBAC permissions are resolved server-side.

4. At data access

Tenant-scoped queries and RLS policies reinforce isolation boundaries.

5. After changes

Operational and security-relevant events can emit logs, alerts and audit records.

Section

API and application security

Pulsar routes use centralized guard patterns to combine authentication, request validation, same-origin checks and CSRF controls for mutating requests.

Protected APIs require valid workspace context before application logic touches business data.

HttpOnly cookie sessions
CSRF double-submit token model
Rate limiting at ingress
Strict request schema validation

Section

Database and tenant isolation

Operational data is scoped by workspace and organization boundaries.

Supabase/Postgres row-level security policies reinforce server-side controls.

Tenant scoped queries
RLS enforced tables
Service-role only paths where required

Section

Secrets, credentials and encryption

Integration secrets are encrypted with AES-256-GCM before storage.

One-time codes and token artifacts are stored as hashes where applicable.

Versioned encrypted payload format
Hashed verification artifacts
Controlled reveal flows for sensitive actions

Section

Webhook and integration security

Inbound webhook routes enforce authenticity checks before processing provider payloads.

Provider-specific signature verification is used where supported (for example Slack, Calendly, Dropbox and HubSpot) and token gates are used on token-protected routes.

Webhook ingress uses route-level rate limits and optional source IP allowlists. Signed timestamped providers also pass replay/staleness checks before processing.

Delivery records are persisted to support replay analysis, debugging and incident triage.

HMAC/signature verification (provider-dependent)
Timestamp freshness checks on providers that include signed timestamps
Replay nonce dedupe cache for signed timestamped webhook routes
Token-gated inbound routes
Configurable webhook source IP allowlists (global + per provider)
Dedicated webhook rate limits
Delivery logs and status traces

Section

Monitoring and incident response

Critical actions emit audit and operational records used for accountability and recovery workflows.

Alert pathways reduce time-to-detect and time-to-triage.

Audit trails
Operational notifications
Failure visibility

Section

Shared responsibility model

Pulsar secures platform infrastructure, APIs and default control frameworks.

Workspace admins remain responsible for access governance, member lifecycle and least-privilege policy.

Pulsar: platform controls
Customer: permissions and access review
Joint: incident coordination

Section

Hardening roadmap

The controls above are active platform safeguards. The items below are prioritized next improvements to further reduce risk and tighten abuse resistance.

Webhook replay nonce cache across all signed providers (uniform anti-replay behavior).
IP allowlisting option per inbound webhook integration (workspace-configurable where provider supports static source ranges).
Outbound egress policy tightening: explicit host allowlists per integration class and stricter DNS rebinding defenses.
Automated secret rotation workflows for integration credentials with expiration visibility and rotation reminders.
Audit-log integrity improvements (tamper-evident hash chaining for critical security events).
Anomaly detection for auth and webhook abuse patterns (threshold-based auto-alerts and optional temporary blocks).

Reporting

Security concerns and privacy requests

To report a security concern, contact info@pulsarspaces.com with reproduction details, timestamps and any request IDs you captured.

For privacy and personal-data requests, contact privacy@pulsarspaces.com.