Security

Take a look under the hood at the security controls we use to protect your data and infrastructure.

PulseHA is built to help organizations enforce secure access by default. Our platform applies Zero Trust principles across identity, device, network, and application access so that every connection is authenticated, authorized, and encrypted.

Security at PulseHA

PulseHA is a Zero Trust Network Access (ZTNA) platform built on the principle of never trust, always verify. Access is not granted based on network location alone. Instead, trust is established through strong identity, device, and policy controls for every connection.

Security Architecture

Zero Trust by Design

PulseHA is designed around core Zero Trust principles:

  • No implicit trust: network location does not grant access
  • Continuous verification: identity and access decisions are evaluated for each connection
  • Least privilege: users and devices receive only the access required for their role
  • Assume breach: layered controls are used to limit exposure and reduce blast radius

Encryption and Key Management

PulseHA uses modern cryptographic controls to protect both management traffic and application access.

  • Agent tunnels: WireGuard using ChaCha20, Curve25519, BLAKE2s, and SipHash
  • Public control plane endpoints: TLS 1.3
  • Gateway authentication: mutual TLS with SPIFFE-based identities
  • Certificates: short-lived certificates with enforced rotation and expiry controls

Private keys are generated on-device and are never transmitted off the endpoint.

Authentication and Identity

Gateway Authentication

Gateways authenticate using mutual TLS with SPIFFE URI Subject Alternative Names in the format:

spiffe://pulseha.com/tenant/{tenant_id}/gateway/{gateway_id}

Gateway identity is validated before trust is established, including certificate identity, status, and expiration checks.
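
The identity and expiration checks described above can be sketched as follows. This is an added example, not PulseHA's own code. It assumes the certificate chain has already been verified and the URI SANs and notAfter time extracted by the caller, and that tenant and gateway IDs use the SPIFFE path-segment alphabet; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Trust domain and path layout come from the format shown above.
PREFIX = "spiffe://pulseha.com/"
# Assumption: IDs use the SPIFFE path-segment alphabet (letters, digits, . - _).
SEGMENT = re.compile(r"[A-Za-z0-9._-]+")


class IdentityError(ValueError):
    """The certificate does not carry an acceptable gateway identity."""


def parse_gateway_id(uri_san):
    """Return (tenant_id, gateway_id) for an exact-format SPIFFE ID, else raise."""
    # Exact prefix match: no case folding, userinfo, port or look-alike
    # host such as pulseha.com.example can pass.
    if not uri_san.startswith(PREFIX):
        raise IdentityError("wrong scheme or trust domain")
    parts = uri_san[len(PREFIX):].split("/")
    if len(parts) != 4 or parts[0] != "tenant" or parts[2] != "gateway":
        raise IdentityError("path is not tenant/{id}/gateway/{id}")
    for value in (parts[1], parts[3]):
        # fullmatch rejects empty IDs, %-encoding, ?query, #fragment, newlines.
        if not SEGMENT.fullmatch(value) or value in (".", ".."):
            raise IdentityError("invalid characters in ID")
    return parts[1], parts[3]


def check_gateway_cert(uri_sans, not_after, expected_tenant, now=None):
    """Identity and expiry checks on fields taken from a chain-verified
    client certificate (the hypothetical caller supplies them)."""
    now = now or datetime.now(timezone.utc)
    if len(uri_sans) != 1:  # an X.509-SVID carries exactly one URI SAN
        raise IdentityError("expected exactly one URI SAN")
    tenant_id, gateway_id = parse_gateway_id(uri_sans[0])
    if tenant_id != expected_tenant:
        raise IdentityError("certificate belongs to another tenant")
    if now >= not_after:
        raise IdentityError("certificate expired")
    return tenant_id, gateway_id
```

Matching the full string against the expected prefix, rather than parsing it with a general URL library first, avoids accepting IDs that only become valid after normalization.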

Agent Authentication

Agents authenticate using a device-based authentication flow and receive short-lived tokens that are validated by the control plane. Access decisions are enforced according to tenant policy on protected requests.

Enterprise Identity Integration

PulseHA supports enterprise identity integration for centralized authentication and lifecycle management.

  • SAML 2.0 single sign-on
  • SCIM 2.0 provisioning
  • Support for Google, Microsoft Entra ID, Okta, GitHub, and custom OIDC providers

Compliance

PulseHA is committed to building and operating in line with recognized security standards and best practices.

  • Cyber Essentials certified
  • Cyber Essentials Plus certification pending
  • SOC 2 and ISO/IEC 27001 are on our compliance roadmap

Vulnerability Disclosure

We welcome responsible security research and coordinated vulnerability disclosure.

Contact: security@pulseha.com

Target response times:

  • Critical: within 24 hours
  • High: within 48 hours
  • Medium and Low: within 72 hours

Please include:

  • A description of the vulnerability
  • Steps to reproduce
  • Affected components or assets
  • Potential impact
  • Any relevant proof-of-concept material

Product Binary Signature Verification

PulseHA Authenticode signs Microsoft Windows executables and code signs Apple macOS executables.

Apple macOS

Use Apple's codesign utility to verify the integrity of an Apple macOS executable. Pay attention to the TeamIdentifier field, which should match the one below.

codesign --verify -d --verbose=2 /usr/local/bin/pulsehad
 
Executable=/usr/local/bin/pulsehad
Identifier=pulsehad
...
Authority=Developer ID Application: PulseHA Ltd. (xx)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
...
TeamIdentifier=xx
...

Microsoft Windows

Windows binaries may be signed by certificates with thumbprints matching a97c06036f97c93151cd17b2e12728fb7a569a5d.

Use Microsoft's Get-AuthenticodeSignature cmdlet to verify the integrity of a Microsoft Windows executable. For example:

(Get-AuthenticodeSignature -FilePath terraform.exe).SignerCertificate | Format-List
 
Subject      : CN="PulseHA Ltd", O="PulseHA Ltd", C=UK
Issuer       : CN=DigiCert Trusted G4 Code Signing Europe RSA4096 SHA384 2023 CA1, O=DigiCert, Inc., C=US
Thumbprint   : a97c06036f97c93151cd17b2e12728fb7a569a5d
FriendlyName : DigiCert EV Code Signing Certificate
SerialNumber : 03757da52dfa563bbc211aabdef73f1f
NotBefore    : 10/02/2026 00:00:00
NotAfter     : 09/02/2027 23:59:59
Email        : security@pulseha.com