GroundPulse

Security

Last updated: March 5, 2026

Infrastructure

  • US-hosted only: All data resides in US data centers. Pipeline route data is classified as Critical Infrastructure Information (CII) and is never stored or processed outside the United States.
  • Encryption at rest: AES-256 encryption for all stored data including databases, object storage, and backups.
  • Encryption in transit: TLS 1.3 for all connections. HSTS enforced.
  • Network isolation: Private VPC with no direct internet access to databases or internal services.

Access Control

  • Authentication: OIDC-based single sign-on with JWT validation. API key authentication for integrations.
  • Authorization: Role-based access control (Owner, Analyst, Viewer) with scope-based API permissions.
  • Tenant isolation: PostgreSQL row-level security (RLS) enforces strict data separation between organizations.
  • Secrets management: All secrets handled via the secrecy crate. Secrets are never logged or exposed in error messages.
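
As an illustration of the tenant isolation bullet above, here is a minimal PostgreSQL row-level security setup. It is an added example, not GroundPulse's schema or code. The table `route_segments`, the role `app_user` and the setting `app.tenant_id` are hypothetical names chosen for illustration.

```sql
-- Hypothetical table: every row carries the owning organization's id.
CREATE TABLE route_segments (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    label     text NOT NULL
);

-- Hypothetical application role. It must not be a superuser or hold
-- BYPASSRLS, because both skip row-level security entirely.
CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON route_segments TO app_user;
GRANT USAGE ON SEQUENCE route_segments_id_seq TO app_user;

-- ENABLE turns policies on; FORCE also applies them to the table owner,
-- who would otherwise bypass them.
ALTER TABLE route_segments ENABLE ROW LEVEL SECURITY;
ALTER TABLE route_segments FORCE ROW LEVEL SECURITY;

-- USING filters the rows a statement can see or modify; WITH CHECK rejects
-- inserts and updates that would write a row for another tenant.
-- With missing_ok = true an unset setting yields NULL, and NULLIF maps an
-- empty value to NULL as well, so a session without a tenant matches no rows.
CREATE POLICY tenant_isolation ON route_segments
    FOR ALL
    TO app_user
    USING (
        tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid
    )
    WITH CHECK (
        tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid
    );

-- Per-request usage. The session user is assumed to be a member of app_user.
-- The third argument of set_config (is_local = true) scopes the tenant id to
-- this transaction, so it cannot leak to the next request that reuses a
-- pooled connection. The UUID below is a constructed sample value.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.tenant_id',
                  '11111111-1111-1111-1111-111111111111', true);
SELECT id, label FROM route_segments;  -- policy restricts this to one tenant
COMMIT;
```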

Compliance

  • SOC 2 Type II: Target compliance. All mutations are audit-logged with actor, timestamp, and change detail.
  • WCAG 2.1 AA: Accessibility compliance for federal agency customers.
  • CII handling: Pipeline route data treated as Critical Infrastructure Information per TSA Pipeline Security Directives.

Monitoring

  • Structured logging: JSON-formatted logs with OpenTelemetry tracing for full request lifecycle visibility.
  • Audit trail: Immutable audit log of all data mutations, accessible to tenant administrators.
  • Alerting: Automated alerts on anomalous access patterns, failed authentication attempts, and system health degradation.

Vulnerability Reporting

If you discover a security vulnerability, please report it to security@groundpulse.io. We acknowledge reports within 24 hours and aim to resolve critical issues within 72 hours.

GroundPulse — Infrastructure Displacement Intelligence. © 2026 Morton Analytics LLC.