PULSE MANOR SECURITY

Enterprise-Grade Security for Property Management

Pulse Manor protects tenant data, financial records, and operational workflows through encryption, strict access controls, and continuous monitoring.

TLS-protected transport
Scoped role access
Validated file uploads
Operational audit trails

Control domains

Security overview

Controls are applied across authentication, authorization, file handling, API protection, and monitoring. Exact deployment settings can vary by environment, but the product is built around least privilege, tenant boundaries, and observable operations.

Authentication and session controls

Organization and property scoping

Rate limits, logging, and telemetry

Validated uploads and controlled media access

Deployment settings can vary by environment.

Security Overview

A layered approach instead of a single perimeter.

Pulse Manor combines security measures at the application, session, upload, and infrastructure layers. The goal is straightforward: keep access narrow, keep changes traceable, and keep failure paths contained.

Identity

Identity and session security

Password policies, hashed secrets, MFA flows, trusted-device handling, and session revocation help reduce account abuse.

Boundaries

Tenant and portfolio boundaries

Organization scoping and property-level authorization checks are enforced in backend workflows so clients cannot define their own access scope.

Operations

Operational resilience

Rate limiting, suspicious IP handling, request timeouts, telemetry, and upload validation help the platform degrade safely under misuse or failure.

Security Pillars

The main control areas we focus on.

These pillars reflect how security is implemented across the current platform.

Layered architecture

Security is applied across frontend, API, storage, and operational middleware.

Protected transport and secret handling

Traffic protections and hashed secrets reduce unnecessary exposure of credentials and tokens.

Least-privilege access

Role checks, MFA support, and session controls narrow access to what each user needs.

Tenant data isolation

Organization and property scope are enforced on the server, not delegated to the client.

Secure file handling

Uploads are validated before they are accepted and stored.

Monitoring and resilience

Telemetry, rate limits, logging, and response controls help detect and contain issues.

Detailed Controls

How the security model is applied in practice.

The current platform uses multiple control layers rather than relying on a single security feature or network boundary.

01

Security architecture

Security is not delegated to the client. The backend enforces authentication, organization scoping, property access checks, validation, and request controls before business logic runs.

Security middleware runs early for headers, CORS, IP handling, sanitization, and rate limiting.

Authorization decisions are based on authenticated user context, not user-supplied organization or property identifiers.

02

Data encryption

Production traffic is intended to run over HTTPS with strict transport headers, while credentials and sensitive tokens are stored or compared as hashes rather than plain text.

Passwords use bcrypt hashing and refresh or reset tokens are stored as HMAC-based hashes.

Transport protections such as TLS and HSTS are configured at the web and edge layers.
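The token handling described above, sketched as an added example (not Pulse Manor code): only an HMAC-SHA-256 of each refresh token is kept, and rotation or revocation act on that stored record. The in-memory `sessions` map, the function names, the 7-day lifetime, and the locally generated key are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// Assumption: in production this key comes from a secret store, not from code.
const TOKEN_HMAC_KEY = crypto.randomBytes(32);

// Keyed hash of a token; only this value is persisted.
function hashToken(token, key = TOKEN_HMAC_KEY) {
  return crypto.createHmac('sha256', key).update(token, 'utf8').digest('hex');
}

// Hypothetical in-memory stand-in for a sessions table: tokenHash -> record.
const sessions = new Map();

function issueRefreshToken(userId, now = Date.now(), ttlMs = 7 * 24 * 3600 * 1000) {
  const token = crypto.randomBytes(32).toString('base64url'); // shown to the client once
  sessions.set(hashToken(token), { userId, expiresAt: now + ttlMs, revoked: false });
  return token;
}

// Look up by keyed hash; the raw token is never stored or compared directly.
function verifyRefreshToken(token, now = Date.now()) {
  if (typeof token !== 'string' || token.length === 0) return null;
  const record = sessions.get(hashToken(token));
  if (!record || record.revoked || record.expiresAt <= now) return null;
  return record;
}

// Rotation: the presented token is revoked and a new one is issued.
function rotateRefreshToken(token, now = Date.now()) {
  const record = verifyRefreshToken(token, now);
  if (!record) return null;
  record.revoked = true;
  return issueRefreshToken(record.userId, now);
}

// Account response: revoke every active session a user holds.
function revokeAllSessions(userId) {
  let count = 0;
  for (const record of sessions.values()) {
    if (record.userId === userId && !record.revoked) { record.revoked = true; count++; }
  }
  return count;
}
```

A copy of the session store alone does not yield usable tokens, because the stored values are keyed digests and the key lives outside the store.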

03

Access control

Role-based authorization, MFA support, trusted-device handling, and session revocation are used to narrow who can do what and for how long.

Routes can require specific roles before any protected action is processed.

Sessions can be limited, listed, rotated, and revoked when access needs to be reduced.

04

Tenant data isolation

Organization and property boundaries are enforced on the server so users cannot reach records outside their assigned scope by changing client-side inputs.

Organization scope is derived from the authenticated user profile.

Property-scoped resources are checked against allowed property access before read or write operations.
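A sketch of the server-side scoping described above, as an added example (not Pulse Manor code): organization scope is read from the authenticated user's profile and the property check runs before any data access. The role names, sample records, `AccessError`, and the choice to answer 404 for other-tenant properties are assumptions of the example.

```javascript
// Constructed sample data standing in for the user and property tables.
const PROFILES = new Map([
  ['u-manager', { organizationId: 'org-a', role: 'manager', propertyIds: ['p-1', 'p-2'] }],
  ['u-admin', { organizationId: 'org-a', role: 'org_admin', propertyIds: [] }],
]);
const PROPERTIES = new Map([
  ['p-1', { organizationId: 'org-a' }],
  ['p-2', { organizationId: 'org-a' }],
  ['p-3', { organizationId: 'org-a' }],
  ['p-9', { organizationId: 'org-b' }],
]);

class AccessError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Scope comes from the authenticated user's stored profile, never from the request.
function resolveScope(authenticatedUserId) {
  const profile = PROFILES.get(authenticatedUserId);
  if (!profile) throw new AccessError(401, 'no profile for session user');
  return profile;
}

// requestInput is whatever the client sent (body, query, params): untrusted.
function authorizeProperty(authenticatedUserId, requestInput, action) {
  const scope = resolveScope(authenticatedUserId);
  const propertyId = String(requestInput.propertyId);
  const property = PROPERTIES.get(propertyId);
  // Design choice of this example: "missing" and "other organization" both
  // return 404 so property existence does not leak across tenants.
  if (!property || property.organizationId !== scope.organizationId) {
    throw new AccessError(404, 'property not found');
  }
  const allowed = scope.role === 'org_admin' || scope.propertyIds.includes(propertyId);
  if (!allowed) throw new AccessError(403, 'property outside assigned scope');
  // The data-layer filter uses only server-derived values;
  // requestInput.organizationId is never read.
  return { organizationId: scope.organizationId, propertyId, action };
}
```

The returned filter is what a query layer would apply, so a client that changes `organizationId` in its request changes nothing about which rows are reachable.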

05

Secure file storage

Uploads are validated for size, type, extension, and content, then passed through malware scanning where configured before storage operations are allowed.

Unvalidated user-supplied files are rejected before Cloudinary uploads.

Controlled media access can use signed URLs and scoped storage keys for sensitive assets.
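The four upload checks named above (size, type, extension, content), as an added example that is not Pulse Manor code. The allow-list, the 5 MiB limit, the error codes, and the function name are assumptions; malware scanning and the storage call would follow a passing result.

```javascript
// Assumed limit and allow-list for the example; each extension maps to the
// one MIME type and leading "magic" bytes it must agree with.
const MAX_BYTES = 5 * 1024 * 1024;
const JPEG = { mime: 'image/jpeg', magic: [0xff, 0xd8, 0xff] };
const ALLOWED = {
  '.pdf': { mime: 'application/pdf', magic: [0x25, 0x50, 0x44, 0x46, 0x2d] }, // "%PDF-"
  '.png': { mime: 'image/png', magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  '.jpg': JPEG,
  '.jpeg': JPEG,
};

function validateUpload({ filename, declaredMime, buffer }) {
  const errors = [];
  const data = Buffer.isBuffer(buffer) ? buffer : Buffer.alloc(0);

  // 1. Size: reject empty and oversized bodies.
  if (data.length === 0) errors.push('empty');
  else if (data.length > MAX_BYTES) errors.push('too_large');

  // 2. Extension: only the final suffix counts, so "lease.pdf.exe" is ".exe".
  const name = String(filename || '');
  if (/[\/\\\0]/.test(name)) errors.push('bad_filename'); // path separators, NUL
  const dot = name.lastIndexOf('.');
  const ext = dot > 0 ? name.slice(dot).toLowerCase() : '';
  const rule = Object.prototype.hasOwnProperty.call(ALLOWED, ext) ? ALLOWED[ext] : null;

  if (!rule) {
    errors.push('extension_not_allowed');
  } else {
    // 3. Type: the client-declared MIME type must match the extension.
    if (declaredMime !== rule.mime) errors.push('mime_mismatch');
    // 4. Content: the leading bytes must match what the extension claims.
    const head = data.subarray(0, rule.magic.length);
    if (!head.equals(Buffer.from(rule.magic))) errors.push('content_mismatch');
  }
  return { ok: errors.length === 0, errors };
}

// Constructed samples: a PNG header with padding, and HTML named as a PDF.
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0]);
const SAMPLE_HTML = Buffer.from('<html><script>1</script></html>', 'utf8');
```

A file is accepted only when every check agrees, so a renamed file or a spoofed `Content-Type` fails on the content check even if the name and declared type look valid.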

06

Infrastructure security

Security headers, CORS restrictions, secure cookies, timeouts, and deployment-level HTTPS settings help reduce common web attack surfaces.

Helmet, CSP, frame protection, referrer policy, and no-sniff controls are part of the stack.

Reverse-proxy SSL termination and HSTS settings are defined for production environments.

07

Monitoring and threat detection

Operational visibility combines telemetry, application logging, suspicious IP tracking, rate limiting, and failure monitoring.

Sentry captures client and server exceptions with replay and tracing controls.

The API tracks suspicious activity and can throttle or block abusive traffic patterns.

08

Auditability

Selected workflows keep activity or audit logs so important actions can be reviewed after the fact.

Payment, deposit, communication, and activity flows include audit-oriented logging paths.

Logs help teams investigate operational changes, approvals, and delivery outcomes.

09

Backup and disaster recovery

Recovery planning is treated as an operational requirement, with session cleanup, service restart behavior, and provider-backed data services forming part of the recovery model.

Exact backup frequency and recovery objectives depend on the deployed environment.

The platform is structured so failed sessions can be revoked and services can recover cleanly after restart.

10

Secure development practices

Security checks are built into the codebase through validation, scoped access patterns, safer upload paths, and targeted tests for high-risk flows.

Input validation and sanitization reduce injection and content-based abuse.

Tenant-isolation hardening and route tests are maintained for sensitive workflows.

11

Incident response

When issues are identified, the focus is containment, access reduction, investigation, and corrective change using available logs and session controls.

Trusted devices and active sessions can be revoked as part of account response.

Telemetry, audit records, and scoped logs support investigation and follow-up remediation.

Security vs Privacy

Related, but not the same.

Security controls protect systems and data from unauthorized access or misuse. Privacy explains what data is collected, how it is used, and what choices or obligations apply to that data.

System protection

Security

Focused on protecting systems, credentials, sessions, files, and operational workflows.

Data handling

Privacy

Focused on data handling, purpose, retention, disclosure, and legal or contractual responsibilities.

This page describes technical and operational safeguards. The privacy policy covers data handling practices.

Responsible Disclosure

Report a security concern responsibly.

If you believe you have found a vulnerability, send a concise report with reproduction steps, affected area, and potential impact. Avoid accessing data that does not belong to you, avoid service disruption, and do not share the issue publicly before it has been reviewed.

What helps

Useful reports usually include the affected route or screen, account type used, reproduction steps, timestamps, and any supporting screenshots or logs.

Scope expectation

Only test against accounts and properties you are authorized to use. Do not attempt destructive actions, bulk extraction, or tenant data access.

Contact channel

Security reports can be sent to our team through the primary company contact mailbox.

Security contact

info@pulsemanor.com

Trust is earned through controls, not slogans.

We present security as an ongoing engineering discipline: narrow access, explicit boundaries, careful file handling, observable operations, and measured response when something goes wrong.
