Security, GDPR & Data Handling
AES-256-GCM encryption, per-company key isolation, EU data residency by default, GDPR rights.
Your Bill of Materials is among your most sensitive intellectual property — it reveals which components a product uses, in what quantities, from which suppliers. TekPulse is built around the assumption that this data must be protected even from us. Here is exactly how, in plain language.
Encryption at rest
- AES-256-GCM authenticated encryption protects the sensitive fields of every BOM line (manufacturer part number, manufacturer, description, reference designator) and every stored distributor API credential, before they are written to the database.
- Per-company keys: each company's data is encrypted with a key derived from a master key and that company's unique ID using HKDF-SHA256. No two companies share an encryption key.
- The master key is stored as a protected environment secret — never in the database or source code.
- Stored credentials are masked in the interface — only the last four characters of any API key are ever shown back to you.
Encryption in transit
- All traffic to TekPulse is encrypted with TLS, terminated and managed by Cloudflare (web app) and Railway (backend services).
- Certificates are issued and rotated automatically by our infrastructure providers.
Authentication & access
- Passwords hashed with bcrypt (cost factor 12) — never stored in plaintext or reversible form.
- Short-lived access tokens with server-side validation on every request.
- Rate limiting on authentication endpoints to slow brute-force attempts.
- Tenant isolation enforced in code: every request is checked for company membership before any company data is returned. Internal service-to-service credential access is gated by a separate internal secret.
Where your data lives
- EU data residency by default. TekPulse's database is hosted in the EU (Frankfurt, eu-central-1). Your BOM data does not leave the EU region. This is the default for all plans.
Infrastructure we build on
We build on independently audited providers and inherit their controls:
- Cloudflare: web app hosting, TLS, CDN, DDoS protection — SOC 2 Type II, ISO 27001.
- Supabase / AWS eu-central-1: database, authentication storage — SOC 2 Type II; AWS underlying region SOC 2 / ISO 27001.
- Railway / AWS: backend service hosting — SOC 2 (AWS infrastructure).
- Amazon SES (via Resend): transactional email — SOC 2, ISO 27001.
Email & domain security
- SPF and DKIM are configured and passing for all TekPulse mail.
- DMARC is enforced (currently at quarantine, ramping to reject) — protecting your inbox from anyone spoofing the TekPulse domain.
GDPR compliance
TekPulse processes personal data only where strictly necessary (account email, name, IP for security logs). We do not sell, share with advertisers, or use your BOM data to train external AI models.
- Right to access: export your account and BOM data from Settings.
- Right to rectification: edit your profile directly in Settings.
- Right to erasure: delete your account in Settings; data is purged.
- Right to data portability: export BOM data as CSV / Excel from the BOMs page.
- Breach notification: we notify affected users within 72 hours per GDPR Art. 33–34.
Certifications — where we are honestly
- TekPulse is not yet SOC 2 or ISO 27001 certified. We are an early-stage company and have prioritised building the actual technical controls first.
- Our infrastructure providers (Cloudflare, Supabase/AWS, Railway, Amazon SES) are SOC 2 Type II / ISO 27001 certified — the platform your data runs on is independently audited.
- We will pursue a formal penetration test and then SOC 2 when our customers' security requirements call for it. Contact [email protected] if your procurement process needs either.
For our Data Processing Agreement (DPA), a pre-filled security questionnaire, or to discuss your security requirements, email [email protected].