Security & Compliance

Built so you never lose a deal over a security questionnaire

PulseCargo.ai™ is security-first by design. Per-tenant database isolation, native MFA, audit logs on every action, and leading compliance frameworks tracked from day one — without the enterprise complexity.

AES-256 Encryption

All data encrypted at rest using SQL Server TDE and Azure Blob Storage encryption. TLS 1.3 enforced for all data in transit.

Per-Tenant Database Isolation

Each tenant gets their own SQL Server database. Not a row-level filter. Not a query parameter. A separate database per tenant, resolved at the middleware layer. Compliance auditors notice immediately.

Native MFA + SSO

Native TOTP authenticator with QR enrollment. SMS factor via Twilio. SSO federation via Microsoft 365 and Google Workspace at portal and tenant scope. MFA can be enforced per role tier.

SOC 2 Type II Path

Architecture designed from day one to meet SOC 2 Trust Services Criteria. 23 control templates loaded across CC1–CC9; integration probes ingest evidence from M365, GitHub, Okta, CrowdStrike, Sentinel, Splunk, Datadog, Cloudflare, and more.

GDPR & CCPA Subject Rights

Self-service privacy endpoints live today: data access requests, deletion requests, data export, and opt-out. Admin-initiated export available for tenant admins. GDPR Art. 5 / 32 / 33 and CCPA § 1798.100 / .105 / .150 controls mapped.

Immutable Audit Trails

Inbound API calls, CargoWise webhooks, and user actions logged per request with timestamp, user, tenant, and action. Outbound integration audit (Stripe, TMS providers) being expanded for full SOC 2 CC4.1 / CC7.2 coverage.

Tenant Isolation Audit

61 controllers and ~140 endpoints reviewed for cross-tenant data exposure. Zero CRITICAL findings. The audit report is shareable with your security team on request.

Software Escrow

NCC Group, Iron Mountain, and EscrowTech integrations. ZIP deposits include source code, per-tenant plugins, SQL backup, and a SHA-256 manifest. Rehydration tested end-to-end — never dry-run only.

RBAC Permissions

Portal admin, tenant admin, tenant user, and per-client-association roles. Granular permission sets control what each user sees. Tenant impersonation logged separately for support workflows.

Azure-Hosted

Hosted on Azure App Service in centralus with App Service, SQL, Blob, Key Vault, SignalR, and Front Door + WAF. Bicep-modeled infrastructure across networking, data, and application tiers.

Multi-Framework Compliance

Tracks leading industry frameworks — SOC 2, ISO 27001, GDPR / CCPA, OWASP, NIST, and additional standards. SOC 2, ISO 27001, GDPR, CCPA, and CTPAT have populated control libraries today; additional frameworks tracked with templates being authored. Full framework list available on request.

Penetration Testing

Annual third-party penetration testing planned with published remediation timelines. Continuous dependency scanning and patch management today.

Compliance & Security Frameworks

What our infrastructure, code, and privacy posture is measured against.

PulseCargo tracks four classes of standards across the platform — infrastructure compliance, application security, DevSecOps controls, and privacy regulation alignment. Status badges below reflect what is currently Live in production, what is actively In Progress, and what is Tracked (controls mapped, evidence collection underway).

Infrastructure compliance

How our hosting platform, networks, and operational practices stack up against industry standards.

SOC 2 Trust Services Criteria (CC1–CC9)
In Progress: 23 control templates loaded; evidence probes ingest from M365, GitHub, Okta, CrowdStrike, Sentinel, Splunk, Datadog, Cloudflare
ISO/IEC 27001:2022
Tracked: Annex A controls mapped; ISMS scoping in progress
NIST Cybersecurity Framework (CSF) 2.0
Tracked: Identify / Protect / Detect / Respond / Recover / Govern functions mapped to control library
NIST SP 800-53 (Moderate baseline)
Tracked: Access control, audit logging, system integrity families overlapped with SOC 2 controls
CIS Critical Security Controls v8
Live: Asset inventory, secure config, vulnerability management, account monitoring implemented
CIS Azure Foundations Benchmark
Live: Bicep-modeled infrastructure validated against CIS Azure recommendations
Azure Cloud Adoption Framework (CAF)
Live: Landing zone design, naming standards, governance & identity baselines aligned with CAF
CTPAT (Customs-Trade Partnership Against Terrorism)
Tracked: Supply chain security controls relevant to freight customers populated

Application development security

What the source code is actually measured against during build, review, and deploy.

OWASP Application Security Verification Standard (ASVS) Level 2
Live: Authentication, session management, access control, input validation, cryptography requirements gating
OWASP Top 10 (2021)
Live: A01 Broken Access Control through A10 SSRF mapped to code review checklists and CodeQL queries
OWASP API Security Top 10 (2023)
Live: Endpoint-level threats (BOLA, broken auth, excessive data exposure) checked for every API surface
CWE/SANS Top 25 Most Dangerous Software Weaknesses
Live: CWE-79, CWE-89, CWE-352, CWE-22, CWE-787 et al. enforced via SAST
NIST Secure Software Development Framework (SSDF) SP 800-218
In Progress: PO/PS/PW/RV practices being mapped to internal SDLC documentation
SLSA (Supply-chain Levels for Software Artifacts) — Level 2
In Progress: Provenance generation, source/build hardening; signed artifact attestation in design
OWASP Software Assurance Maturity Model (SAMM) v2
Tracked: Governance, design, implementation, verification, operations practices measured quarterly
Microsoft Security Development Lifecycle (SDL)
Live: Threat modeling, security gates, fuzzing where applicable; .NET-stack specific guidance applied

DevSecOps & code-level scanning

Continuous automated controls run on every commit and pull request.

GitHub Dependabot — Dependency vulnerability scanning
Live: npm + NuGet manifests scanned hourly; PRs auto-generated for vulnerable transitive dependencies
GitHub CodeQL — Static Application Security Testing (SAST)
Live: JavaScript/TypeScript + C# queries on every push; security-extended query suite enabled
GitHub Secret Scanning + Push Protection
Live: Secrets detected pre-push and blocked; partner integrations (Azure, Stripe, Resend) covered
npm audit / dotnet list package --vulnerable
Live: CI gate fails PR on Critical/High vulnerabilities
Branch protection + Required reviews
Live: main branch protected; required reviews, signed commits encouraged, force-pushes blocked
Container image scanning (Trivy / Defender for Containers)
In Progress: Base image vulnerabilities scanned; rolling out to all CI pipelines
Dynamic Application Security Testing (DAST)
In Progress: OWASP ZAP automated scans on staging; results triaged into vulnerability backlog
Third-party penetration testing
Tracked: Annual engagement planned; published remediation timelines

Privacy regulation alignment

Controls mapped to the leading data-protection regimes our customers operate under.

GDPR (EU) — Articles 5, 32, 33
Live: Self-service data access, deletion, export, opt-out endpoints; lawful basis registers populated
CCPA (California) — § 1798.100, .105, .150
Live: Notice at collection, right to know, right to delete, opt-out of sale (n/a)
PDPA (Singapore)
Tracked: Consent, purpose limitation, accountability controls mapped; Coming Soon
LGPD (Brazil)
Tracked: Aligned with GDPR-equivalent articles in the compliance framework; Coming Soon
POPIA (South Africa)
Tracked: Information officer roles, processing limitations mapped; Coming Soon
UK GDPR + Data Protection Act 2018
Live: Same controls as EU GDPR; ICO Code of Practice referenced

Full control matrix with control IDs, mapping rationale, and evidence pointers available under NDA. Request the framework dossier →

Frequently asked

Security questions procurement teams ask first.

How does PulseCargo isolate customer data between tenants?

PulseCargo uses three-layer isolation: a dedicated SQL Server database per tenant (not a row-level filter or query parameter), EF Core query filters plus Azure SQL Row-Level Security as defense in depth, and per-tenant Azure Blob storage containers. 61 controllers and ~140 endpoints have been reviewed for cross-tenant data exposure with zero CRITICAL findings.

Is PulseCargo SOC 2 compliant?

PulseCargo’s architecture is designed from day one to meet SOC 2 Trust Services Criteria. 23 control templates are loaded across CC1–CC9. Integration probes ingest evidence from Microsoft 365, GitHub, Okta, CrowdStrike, Sentinel, Splunk, Datadog, and Cloudflare. SOC 2 Type II report timing is shared with prospective customers under NDA.

Does PulseCargo support MFA and SSO?

Yes. Native TOTP authenticator with QR enrollment is included on every tier. SMS factor via Twilio is available. SSO federation via Microsoft 365 and Google Workspace is available at portal and tenant scope on Enterprise and above. MFA can be enforced per role tier.

How does PulseCargo handle GDPR and CCPA requests?

Self-service privacy endpoints are live: data access requests, deletion requests, data export, and opt-out. Admin-initiated export is available for tenant admins. GDPR Articles 5, 32, and 33 and CCPA sections 1798.100, .105, and .150 controls are mapped in the compliance framework platform.

Does PulseCargo offer software escrow?

Yes. PulseCargo integrates with NCC Group, Iron Mountain, and EscrowTech. Deposit ZIPs include source code, per-tenant plugins, SQL backup, and a SHA-256 manifest. Rehydration is tested end-to-end, not dry-run only. Software escrow is included with Enterprise+ and available as an add-on on Enterprise.

Where is PulseCargo hosted?

Azure App Service in the centralus region. Infrastructure includes App Service, SQL, Blob, Key Vault, SignalR, and Front Door with WAF. Bicep-modeled across networking, data, and application tiers. Enterprise+ supports dedicated Azure infrastructure and multi-region deployment.

Pass every security review.

Your customers' procurement teams will love what they see.

Request Security Documentation →