Our security principles
PulseDesk handles personal health information and WhatsApp credentials for hundreds of patients and clinics. Security is not an afterthought — it's built into the architecture of the platform.
Encryption at rest
All data stored in our database is encrypted using AES-256. WhatsApp access tokens are additionally encrypted before storage and never returned in any API response.
Encryption in transit
All communication between your browser and PulseDesk uses TLS 1.2 or higher. All API calls to Meta and Supabase are made over HTTPS.
Clinic isolation (Row-Level Security)
Each clinic can only access their own data. We use PostgreSQL Row-Level Security policies that enforce clinic isolation at the database level — not just at the application layer.
Role-based access control
Staff members have role-specific permissions — admins, receptionists, and doctors each see only what they need. JWT tokens are scoped per clinic and per role.
Immutable audit logs
Every queue event and status change is logged in an append-only audit table. Nothing is ever deleted from the audit trail — giving clinics a complete record of all activity.
Webhook signature verification
All incoming WhatsApp webhooks from Meta are verified using HMAC-SHA256 signature checking. Unsigned or tampered webhook requests are rejected.
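As an added example (not PulseDesk's own code), here is the check this section describes, written in Python: Meta signs each webhook delivery with HMAC-SHA256 over the raw request body using the app secret and sends the result in the X-Hub-Signature-256 header as sha256=<hex> (the header name comes from Meta's webhook documentation, not from this page). The app secret and sample payload are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder; a real deployment loads the app secret from an
# environment variable and never hard-codes it.
APP_SECRET = b"constructed-example-app-secret"


def sign_payload(app_secret: bytes, raw_body: bytes) -> str:
    """Produce the header value Meta would send: 'sha256=' + hex(HMAC-SHA256)."""
    return "sha256=" + hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(app_secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Return True only when X-Hub-Signature-256 matches the raw body.

    Missing, malformed, or mismatched signatures all return False so the
    caller rejects the request before parsing or acting on the JSON payload.
    The MAC must be computed over the exact bytes received; re-serialising
    the parsed JSON can reorder keys or change whitespace and break the check.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    header = lowered.get("x-hub-signature-256")
    if not header or not header.startswith("sha256="):
        return False  # unsigned request or unexpected algorithm prefix
    received = header[len("sha256="):]
    expected = hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so response timing does not reveal
    # how many leading hex characters of a guessed signature were correct.
    return hmac.compare_digest(received, expected)


def handle_webhook(app_secret: bytes, headers: dict, raw_body: bytes) -> tuple:
    """Tiny request handler: 403 for anything that fails verification."""
    if not verify_webhook(app_secret, headers, raw_body):
        return 403, "invalid signature"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample body, roughly shaped like a WhatsApp status update.
    body = b'{"object":"whatsapp_business_account","entry":[{"id":"1","changes":[]}]}'
    good = {"X-Hub-Signature-256": sign_payload(APP_SECRET, body)}
    print(handle_webhook(APP_SECRET, good, body))
    print(handle_webhook(APP_SECRET, good, body + b" "))  # tampered body
```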
Infrastructure security
PulseDesk is built on industry-standard cloud infrastructure:
- Database — Supabase (PostgreSQL 15) with automated backups, point-in-time recovery, and SOC 2 Type II compliance
- Backend API — Railway, with environment variable encryption and isolated containers
- Frontend — Vercel, with automatic HTTPS, edge caching, and DDoS protection
- WhatsApp API — Meta Cloud API, processed through Meta's ISO 27001-certified infrastructure
Authentication
- All user authentication is handled by Supabase Auth with industry-standard JWT tokens
- Passwords are hashed using bcrypt and never stored in plain text
- JWT tokens expire and require re-authentication after inactivity
- Custom JWT claims inject clinic_id and role at login — preventing cross-clinic data access even if a token is compromised
Data minimisation
We collect only what is necessary for clinic operations:
- Patient data is collected only when they initiate a booking
- WhatsApp sessions expire automatically after 24 hours of inactivity
- Message logs are retained for 90 days and then purged
- We do not store payment information — no card numbers, no bank details
Responsible disclosure
If you discover a security vulnerability in PulseDesk, please report it to us responsibly before disclosing it publicly. We commit to:
- Acknowledging your report within 48 hours
- Investigating and addressing valid vulnerabilities promptly
- Keeping you informed of our progress
- Not pursuing legal action against good-faith security researchers
Report security issues to: support@pulsedesk.in with the subject line "Security Disclosure".
Contact
support@pulsedesk.in
Subject: "Security Disclosure"
Zhecker Technologies Private Limited
45-A, 2nd Floor, Alaknanda Tower, City Center
Gwalior, Madhya Pradesh 474011, India