Technical and Organisational Measures

Below are the technical and organisational measures (ToMs) that Pulsar Group undertakes to ensure secure business operations and to protect data processed by our products and services.

Pulsar Group Products

Technical Security Measures

Pulsar Group agrees to implement the following technical security measures to ensure the confidentiality, integrity, and availability of personal data:

Data Encryption

  • Pulsar Group encrypts all client Personal Data both during transmission and while stored, using appropriate encryption methods to protect it from unauthorised access, interception, or tampering. 
  • During transmission, encryption will ensure the confidentiality and integrity of the data as it moves across networks, whether internal or external. 
  • When stored, encryption will safeguard personal data against unauthorised access, ensuring it remains secure even in the event of a physical breach or unauthorised access to storage systems. 
  • The encryption measures employed will align with industry best practices and will be regularly reviewed and updated as necessary to address evolving security threats and compliance requirements.

Access Control

  • Access to personal data shall be restricted based on role-based access control (RBAC) principles.
  • All users shall be authenticated using strong passwords and multi-factor authentication (MFA).
  • Access logs shall be maintained for all activities involving personal data, and access to such logs shall be restricted to authorised personnel only.

Network Security

  • Pulsar Group maintains firewalls to protect internal systems from unauthorised external access.
  • Intrusion detection and prevention systems (IDPS) are maintained to monitor for suspicious activity and unauthorised access.
  • All communication channels used to transfer personal data are protected with encryption (e.g., VPNs, TLS, or equivalent).

Cloud Application Security

  • Pulsar Group maintains a web application firewall (WAF) to protect cloud application infrastructure from unauthorised external access.
  • The Software Development Life Cycle (SDLC) includes peer review, testing at various stages and vulnerability scanning. 

Backup and Data Recovery

  • Personal data shall be backed up regularly to prevent data loss.
  • Backup data shall be stored securely and shall also be encrypted.
  • A Disaster Recovery Plan is maintained in connection with our SaaS applications, along with a Business Continuity Plan. Both plans are reviewed, tested, and updated annually.

Data Masking and Pseudonymisation

  • Where appropriate, Pulsar Group will implement data anonymisation and pseudonymisation techniques to reduce the risks associated with the exposure of personal data.

Data Retention and Disposal

  • Confidential data is retained only as long as required for legal, regulatory and business requirements.
  • Upon request, or when personal data is no longer needed, it will be securely deleted or destroyed using industry-standard data disposal methods to prevent unauthorised access or retrieval.

Organisational Security Measures

Pulsar Group will adopt the following organisational measures to ensure compliance with data protection laws and maintain security standards:

Employee Training and Awareness

  • All employees with access to personal data shall receive regular training on data protection principles, security best practices, and their responsibilities regarding personal data.
  • Security awareness training will be conducted at least annually or when significant changes occur to the data protection practices or regulatory requirements.
  • All employees review and acknowledge Pulsar Group’s Information Security Policy.
  • All employee contracts include confidentiality agreements that cover business and customer data.

Incident Response and Breach Management

  • Pulsar Group maintains an incident response plan that sets out the individuals responsible for responding to a security incident, the responsibilities of those individuals during each phase of the incident response process, and clear procedures for detecting, reporting, and managing data breaches.
  • In the event of a data breach, the Data Processor will notify the Data Controller within 72 hours of discovery in accordance with GDPR requirements.
  • Affected data subjects shall be notified of a breach where required by law.
  • Suspected security incidents must be reported immediately to the Pulsar Group Security team by email via [email protected]. In addition, clients can report security issues directly to the customer success representative in charge of the account or by using the email link on our website to contact customer support.

Monitoring and Auditing

  • Pulsar Group performs regular security audits and assessments to verify compliance with internal security policies and applicable data protection regulations.
  • Penetration testing is performed by an independent, CREST-certified company at least annually.
  • All issues reported by the testing engagements are triaged, prioritised based on the issue severity, and remediated as applicable.
  • Auditing processes shall ensure that only authorised personnel have access to personal data and that access is appropriate and consistent with business needs.

Data Access and User Management

  • Personal data shall only be accessible to personnel who need it for legitimate business purposes.
  • User access shall be regularly reviewed and revoked when no longer necessary (e.g., upon the termination of employment or contract).
  • Strong password policies are in place for all systems that store or process personal data, requiring complex passwords with a minimum length of eight characters.

Third-party and Sub-processor Security

  • Pulsar Group requires all third-party service providers with access to client or confidential data to complete a security questionnaire as part of the onboarding process.
  • Written agreements include security requirements that mirror the terms outlined in this document.

Access Control to Facilities

  • Physical access to locations where personal data is stored or processed (such as data centres or offices) shall be restricted to authorised personnel only.
  • The Data Processor shall implement keycard access systems, biometric authentication, or other appropriate physical security measures at all entry points to facilities where personal data is stored.

Environmental Security

  • Data centres or facilities that store personal data shall be equipped with fire suppression systems, climate control to prevent overheating, and backup power (e.g., UPS systems) to ensure that data is not lost or corrupted due to power failure.