Security & Trust

Enterprise-grade infrastructure.
Your data stays yours.

SODPulse is built on Google Cloud — the same infrastructure trusted by the world's largest financial institutions. We publish this assessment proactively.

ISO 27001 Certified
SOC 1 / SOC 2 / SOC 3
TLS 1.3 in Transit
AES-256 at Rest
Full Tenant Isolation
LIVE ASSESSMENT: This security assessment is updated continuously as controls are verified. Each item shows our documented position and evidence.

Certifications
Infrastructure you can trust
SODPulse inherits world-class security certifications through its Google Cloud / Firebase infrastructure layer.
  • ISO 27001 (Infrastructure): Information security management — Google Cloud certified
  • SOC 1 / 2 / 3 (Infrastructure): Service organisation controls — GCP annual audit
  • GDPR DPA (Available Now): Data processing agreement available on request
  • SODPulse SOC 2 (In Progress): Application-level SOC 2 Type I — in progress
  • Pen Test (Roadmap): Third-party penetration test — on roadmap

Shared Responsibility
What we cover.
Security is shared between Google Cloud (infrastructure) and SODPulse (application layer).
Google Cloud / Firebase
INFRASTRUCTURE LAYER
  • Physical data centre security
  • Network security & DDoS mitigation
  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • ISO 27001 / SOC 1, 2, 3 certification
  • GDPR Data Processing Terms
  • 99.95%+ uptime SLA
  • Automated backup & DR
SODPulse Application
APPLICATION LAYER
  • Firestore security rules & tenant isolation
  • Role-based access control (RBAC)
  • Admin-provisioned accounts only
  • In-browser processing (no raw data transit)
  • Org-scoped data access enforcement
  • Analysis run audit logging
  • App-level SOC 2 — in progress
  • Penetration test — on roadmap

Data Flow
How your SAP data is handled
Your authorisation export never leaves your browser unencrypted — and is never stored on our servers.
01 — EXTRACT: You run ABAP report (Your environment)

Our ABAP report runs in your SAP system, producing a CSV of role assignments. No SODPulse system access required.

02 — UPLOAD: File loaded in browser (Client-side only)

The CSV is parsed entirely in your browser. The raw data is never transmitted to any SODPulse server.

03 — ANALYSE: Rules fetched & applied (No raw data stored)

SOD rules are fetched from Firestore (auth-gated). Analysis runs in-browser. Only metadata (counts, timestamps) is logged.

04 — REPORT: Results in your session (Session-scoped)

Violation output lives in your browser session only. Print to PDF for archival. No violation data is ever written to our database.
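
A sketch of the flow in steps 02 to 04, as an added example that is not SODPulse's code: parse the export in memory, evaluate rules locally, and build an audit record of counts and a timestamp, with a guard that rejects any payload carrying a value from the file. The CSV columns (USER, ROLE), the rule shape, the audit field names and the `leaksRawData` helper are assumptions made for illustration.

```javascript
// Constructed sample export (assumed columns USER,ROLE); not a real SODPulse file.
const SAMPLE_CSV = "USER,ROLE\nALICE,Z_VENDOR_MAINTAIN\nALICE,Z_PAYMENT_RUN\n" +
  "BOB,Z_VENDOR_MAINTAIN\n\nCAROL,Z_PAYMENT_RUN\n";
// Hypothetical rule shape: roles that one user must not hold together.
const SAMPLE_RULES = [
  { id: "R001", roles: ["Z_VENDOR_MAINTAIN", "Z_PAYMENT_RUN"] },
  { id: "R002", roles: ["Z_GL_POSTING", "Z_PERIOD_CLOSE"] },
];

// Parse into Map<user, Set<role>>; the parsed data stays in memory.
function parseAssignments(csv) {
  const [header, ...rows] = csv.trim().split(/\r?\n/);
  const cols = header.split(",").map((c) => c.trim().toUpperCase());
  const u = cols.indexOf("USER"), r = cols.indexOf("ROLE");
  if (u < 0 || r < 0) throw new Error("expected USER and ROLE columns");
  const byUser = new Map();
  for (const row of rows) {
    const cells = row.split(",").map((c) => c.trim());
    if (!cells[u] || !cells[r]) continue; // skip blank or short rows
    if (!byUser.has(cells[u])) byUser.set(cells[u], new Set());
    byUser.get(cells[u]).add(cells[r]);
  }
  return byUser;
}

// Violations name users, so they are only returned to the caller (the session).
function findViolations(byUser, rules) {
  const out = [];
  for (const [user, roles] of byUser)
    for (const rule of rules)
      if (rule.roles.every((x) => roles.has(x))) out.push({ user, ruleId: rule.id });
  return out;
}

// Audit record: counts and a timestamp only; no value from the CSV is copied in.
function buildAuditRecord(byUser, rules, violations, now = new Date()) {
  return { timestamp: now.toISOString(), userCount: byUser.size,
           ruleCount: rules.length, violationCount: violations.length };
}

// Guard before any network write: true if a user ID or role name is in the payload.
function leaksRawData(payload, byUser) {
  const text = JSON.stringify(payload);
  for (const [user, roles] of byUser)
    if (text.includes(user) || [...roles].some((r) => text.includes(r))) return true;
  return false;
}
```

The substring guard is deliberately strict and can flag very short user IDs that happen to occur inside field names; a reviewer assessing a claim like this would pair it with inspection of the browser's outbound requests during an analysis run.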

Security Roadmap
Where we're headed
Transparent about current state. Committed to closing remaining gaps for FSI and enterprise customers.

Committed certifications & improvements — 2025–2026

Enterprise customers requiring specific timelines can contact us — we will provide written commitments as part of commercial agreements.

  • ✓ Google SOC 2 — available now
  • ✓ GDPR DPA — on request
  • ✓ ISO 27001 infrastructure
  • SODPulse SOC 2 Type I
  • Third-party pen test
  • SSO / SAML / OIDC
  • MFA enforcement for all users
  • Incident response policy
  • Cyber liability insurance
  • Public status page

Security questions?

FSI and audit firm procurement teams are encouraged to send vendor risk questionnaires. We respond to SIG Lite, CAIQ, and custom questionnaires.