1. What data we receive
| Category | Examples | Source |
|---|---|---|
| Account data | Name, work email, company name | Sign-up form |
| License usage | Daily seat counts, peak concurrency, denials, usernames | Smart Upload, OAuth, on-prem agent |
| Contract metadata | Vendor names, renewal dates, costs, contract PDFs | You enter / upload |
| Telemetry | Page views, error stacks | Automatic |
What we do NOT receive: your source code, project files, models, message content (Slack/Teams), email bodies, calendar events, files outside license-daemon output. The OAuth scopes we request are read-only and limited to seat / activity reporting.
2. Where your data lives
- Application + database: Render.com, US Oregon region. Render is SOC 2 Type II attested.
- Database: PostgreSQL managed by Render, encrypted at rest by default.
- Customer-uploaded contract documents: stored as binary blobs in the same Postgres instance.
- AI classification: file metadata + small content samples sent to Anthropic (Claude). Anthropic does not retain or train on your data.
- No data leaves these providers. No third-party analytics, ad networks, or unmanaged servers.
3. Encryption
- In transit: TLS 1.2+ everywhere. No plaintext fallback. HTTPS-only on every public endpoint, agent ↔ API channel included.
- At rest: AES-256 on Postgres volume. Render-managed encryption keys. Application secrets stored in Render's environment vault, isolated from the database.
- Passwords: bcrypt (cost factor 12). Even our own engineering team cannot recover a plaintext password.
- Agent API keys: SHA-256 hash storage. Plaintext shown once at creation. Stored only as hashes. Revocation is immediate.
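The agent API key handling described above (plaintext shown once, only a SHA-256 hash stored, immediate revocation) can be sketched as follows. This is an added illustration, not LicensePulse's code: the `AgentKeyStore` class, the `lp_` key format and the in-memory table are assumptions. A fast unsalted hash is adequate here only because the key is a 256-bit random value; passwords still need a slow hash such as bcrypt.

```python
import hashlib
import hmac
import secrets


class AgentKeyStore:
    """Hypothetical in-memory stand-in for an API-key table."""

    def __init__(self):
        self._rows = {}  # key_id -> {"org_id", "digest", "revoked"}

    def issue(self, org_id):
        """Return the plaintext key once; persist only its SHA-256 digest."""
        key_id = secrets.token_hex(4)        # non-secret lookup handle
        secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        plaintext = f"lp_{key_id}_{secret}"  # "lp_" format is constructed
        digest = hashlib.sha256(plaintext.encode()).digest()
        self._rows[key_id] = {"org_id": org_id, "digest": digest,
                              "revoked": False}
        return plaintext

    def verify(self, presented):
        """Return the owning org_id, or None if unknown, altered or revoked."""
        parts = presented.split("_", 2)
        if len(parts) != 3 or parts[0] != "lp":
            return None
        row = self._rows.get(parts[1])
        if row is None or row["revoked"]:
            return None
        digest = hashlib.sha256(presented.encode()).digest()
        # Constant-time comparison: no timing signal about matching bytes.
        if not hmac.compare_digest(digest, row["digest"]):
            return None
        return row["org_id"]  # key is scoped to exactly one organization

    def revoke(self, key_id):
        """Mark a key revoked; the very next verify() call rejects it."""
        row = self._rows.get(key_id)
        if row is None:
            return False
        row["revoked"] = True
        return True
```

A database dump of such a table yields digests that cannot be replayed as keys, which is the property the "stored only as hashes" claim depends on.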
4. Access controls
- Authentication — email + password, JWT-based session tokens. TOTP MFA available today. SSO (SAML/OIDC) Q4.
- Authorization — three roles: Owner, Admin, Viewer. Multi-tenant isolation by `org_id` on every database query.
- Internal access — only LicensePulse employees with operational need access production. All access is logged.
- API keys — scoped to a single organization, revocable instantly.
- Audit log — append-only. Every login, change, key event recorded. Owners and Admins can export to CSV.
5. Sub-processors
A small, deliberately narrow set of vendors. Each is bound by a written data-processing contract.
| Vendor | Purpose | Location |
|---|---|---|
| Render | Application hosting + Postgres | USA |
| Anthropic | AI classification of uploaded files | USA |
| Stripe | Payments (we never see card numbers) | USA |
| Cloudflare | DDoS protection, DNS, WAF | Global anycast |
| Microsoft / Salesforce / Atlassian / GitHub / Slack / Google | Only when you connect them via OAuth | Per provider |
We give customers at least 14 days' advance notice of any new sub-processor. Subscribe by emailing privacy@licensepulse.app.
6. Incident response
- Documented incident-response playbook with defined severity levels.
- Affected customers notified within 72 hours of confirmed discovery (GDPR-aligned, faster than CCPA's "without unreasonable delay").
- Notification: email to primary contact + in-app status banner.
- Post-mortem with root cause + remediation plan within 14 days.
Report a vulnerability: security@licensepulse.app. We respond within 5 business days and credit responsible disclosure publicly.
7. Backups & disaster recovery
- Backups: Daily, 7-day retention
- PITR: Within 24 hours
- RTO: 4 hours
- RPO: 24 hours
Restore drills run quarterly. We test what we can recover, not just whether we have backups.
8. Compliance posture
| Standard | Status | Notes |
|---|---|---|
| GDPR | ✓ Compliant | DPA available · EU SCCs incorporated |
| CCPA / CPRA | ✓ Compliant | Privacy Policy disclosures · 45-day request handling |
| SOC 2 Type 1 | ⏳ In progress | Target Q3 2026 · automated via Vanta |
| ISO 27001 | Not pursued | Will pursue when an enterprise customer requires it |
| HIPAA / PCI / FedRAMP | Out of scope | Do not upload PHI or payment-card data |