Pulse

Security

Your data, locked down by default.

Multi-tenant isolation enforced at the model level. OAuth and email credentials encrypted at rest. JWT auth with per-session revocation. Audit log on every change. Webhook HMAC. Rate limiting. The security baseline of an enterprise tier — on every plan.

Tenant isolation by design

Every domain model includes a TenantScoped concern, so every query is scoped to current_tenant at the ORM level rather than in each controller. Unique indexes are scoped per tenant. Cross-tenant reads are blocked structurally, not by per-query discipline.

Encrypted at rest

Rails 7 Active Record Encryption (encrypts) protects OAuth tokens, IMAP/SMTP passwords and integration credentials at rest. AES-256-GCM.

Audit log on every change

AuditLog row per create / update / destroy on every domain entity. Captures who, what, when, IP, device, severity, recorded_changes diff.

Anatomy

Every region, explained.

1

TenantScoped concern

Mixed into every domain model. Forces scope at the ORM level. Controllers filter by current_tenant.
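The guarantee a TenantScoped concern has to give is easy to state and easy to get wrong, so here is a plain-Ruby model of it, written as an added example and not taken from Pulse. It has no ActiveRecord: the Current module, the in-memory store and the Contact model are assumptions. What it shows is the three behaviours a tenant scope needs: a record from another tenant is not found even by primary key, uniqueness is per tenant, and a query made with no tenant set fails closed (raises) instead of quietly returning every tenant's rows.

```ruby
# Added example: a fail-closed tenant scope in plain Ruby (no ActiveRecord),
# modelling what a TenantScoped concern must guarantee. Current, the in-memory
# store and the Contact model are assumptions for the example.

class MissingTenantError < StandardError; end

# Per-request tenant context (Rails apps keep this in a CurrentAttributes class).
module Current
  def self.tenant
    Thread.current[:pulse_tenant]
  end

  def self.with_tenant(tenant_id)
    previous = Thread.current[:pulse_tenant]
    Thread.current[:pulse_tenant] = tenant_id
    yield
  ensure
    Thread.current[:pulse_tenant] = previous
  end
end

module TenantScoped
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def store
      @store ||= []
    end

    # Every query funnels through this guard. Outside a tenant context it raises
    # rather than silently returning rows from all tenants.
    def current_tenant!
      Current.tenant || raise(MissingTenantError, "#{name} queried with no current tenant")
    end

    def all
      tenant_id = current_tenant!
      store.select { |record| record.tenant_id == tenant_id }
    end

    # A record belonging to another tenant is simply not found, even by id.
    def find(id)
      all.find { |record| record.id == id }
    end

    # Uniqueness is per tenant: the same email can exist once in each tenant.
    def create!(email:)
      tenant_id = current_tenant!
      raise ArgumentError, "email already taken in tenant #{tenant_id}" if all.any? { |r| r.email == email }
      record = new(id: store.size + 1, tenant_id: tenant_id, email: email)
      store << record
      record
    end
  end
end

Contact = Struct.new(:id, :tenant_id, :email, keyword_init: true) do
  include TenantScoped
end

# Walks through isolation by id, per-tenant uniqueness and failing closed.
def tenant_scoping_demo
  Contact.store.clear
  first  = Current.with_tenant(1) { Contact.create!(email: "ann@example.com") }
  second = Current.with_tenant(2) { Contact.create!(email: "ann@example.com") } # same email, other tenant: allowed

  duplicate = begin
    Current.with_tenant(1) { Contact.create!(email: "ann@example.com") }
    :created
  rescue ArgumentError
    :rejected
  end

  cross_tenant = Current.with_tenant(1) { Contact.find(second.id) } # nil: not visible from tenant 1

  unscoped = begin
    Contact.all
    :returned_rows
  rescue MissingTenantError
    :raised
  end

  { tenant1_id: first.id, tenant2_id: second.id, duplicate: duplicate,
    cross_tenant: cross_tenant, unscoped_query: unscoped }
end
```

The fail-closed guard is the part worth copying: a default_scope that reads a nil tenant and produces `WHERE tenant_id IS NULL` returns nothing, but one that is skipped when the context is missing returns everything, and background jobs are where that context most often goes missing.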

2

Devise + JWT auth

Signed JWTs (Devise + devise-jwt) with the JTIMatcher revocation strategy, so a revoked token is rejected before it expires. Each login gets a UserSession row with token_digest, IP, device and last_seen_at.

3

Encrypted fields

OAuth access + refresh tokens, IMAP password, SMTP password — all encrypted via Rails encrypts.

4

Audit log

Auditable concern hooks after_create / after_update / after_destroy. Severity field, anomaly text, partial index on non-info events.
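What an audit row has to capture is clearer in code than in a feature list. The following is an added example, not Pulse's Auditable concern: a plain-Ruby mixin that records who, what, when, IP, device, a severity and a recorded_changes diff for create, update and destroy. In Rails this hangs off after_create / after_update / after_destroy; here save! and destroy! stand in for those callbacks. The Deal model, the Actor struct and the amount-doubling anomaly rule are assumptions for the example.

```ruby
require "time"

# Added example: an Auditable mixin in plain Ruby. The Deal model, the Actor
# struct and the anomaly rule below are assumptions, not Pulse's code.

AUDIT_LOG = []
Actor = Struct.new(:user_id, :ip, :device)

module Auditable
  BASE_SEVERITY = { create: "info", update: "info", destroy: "warn" }.freeze

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def audited(*names)
      @audited_attrs = names
    end

    def audited_attrs
      @audited_attrs || []
    end
  end

  def snapshot
    self.class.audited_attrs.each_with_object({}) { |a, h| h[a.to_s] = public_send(a) }
  end

  def save!(actor:, now: Time.now.utc)
    action = @persisted ? :update : :create
    before = @persisted ? @last_saved : {}
    after  = snapshot
    changes = after.reject { |k, v| before[k] == v }
                   .each_with_object({}) { |(k, v), h| h[k] = [before[k], v] }
    return self if action == :update && changes.empty?   # no-op update: no log row
    record_audit(action, changes, actor, now)
    @persisted, @last_saved = true, after
    self
  end

  def destroy!(actor:, now: Time.now.utc)
    changes = snapshot.each_with_object({}) { |(k, v), h| h[k] = [v, nil] }
    record_audit(:destroy, changes, actor, now)
    @persisted = false
    self
  end

  private

  # Assumed anomaly rule: an amount that jumps to 2x or more is raised to "warn"
  # with an explanatory text, so it lands in the partial index of non-info events.
  def record_audit(action, changes, actor, now)
    severity = BASE_SEVERITY.fetch(action)
    anomaly  = nil
    if action == :update && changes.key?("amount")
      old, new = changes["amount"]
      if old.to_f > 0 && new.to_f >= 2 * old.to_f
        severity = "warn"
        anomaly  = "amount changed #{old} -> #{new} (#{(new.to_f / old.to_f).round(1)}x)"
      end
    end
    AUDIT_LOG << {
      entity: self.class.name, entity_id: id, action: action,
      user_id: actor.user_id, ip: actor.ip, device: actor.device, at: now.iso8601,
      severity: severity, anomaly: anomaly, recorded_changes: changes
    }
  end
end

class Deal
  include Auditable
  attr_accessor :id, :title, :amount, :stage
  audited :title, :amount, :stage

  def initialize(id:, title:, amount:, stage:)
    @id, @title, @amount, @stage = id, title, amount, stage
    @persisted = false
  end
end

# Create, a flagged update, a no-op save and a destroy; returns the log rows.
def audit_demo
  AUDIT_LOG.clear
  actor = Actor.new(7, "203.0.113.9", "Chrome on macOS")
  t = Time.utc(2024, 5, 1, 9, 0, 0)
  deal = Deal.new(id: 1, title: "Acme renewal", amount: 1000, stage: "lead").save!(actor: actor, now: t)
  deal.amount = 5000
  deal.save!(actor: actor, now: t + 60)
  deal.save!(actor: actor, now: t + 120)      # nothing changed: no row written
  deal.destroy!(actor: actor, now: t + 180)
  AUDIT_LOG
end
```

Two details matter for the "defensible trail" the page promises: the diff stores both old and new values, not just the new one, and a save that changes nothing writes nothing, so the log is not padded with noise that hides the real events.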

5

Rate limiting

Rack::Attack throttles burst operations, keyed by user id when authenticated and by client IP otherwise. Requests over the limit get 429 with a Retry-After header.
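To make the 429 + Retry-After behaviour concrete, here is an added example (not Pulse's Rack::Attack configuration) of a fixed-window throttle written as a Rack middleware in plain Ruby. It is keyed by user id when the request is authenticated and by client IP otherwise, and computes Retry-After from the end of the current window. Rack::Attack does the same thing with Rails.cache as the counter store; the env keys, limit and period here are assumptions.

```ruby
# Added example: a fixed-window throttle shaped like a Rack middleware. The
# "pulse.*" env keys and the limits are assumptions; Rack::Attack keeps the
# counters in Rails.cache rather than in a Hash.

class BurstThrottle
  def initialize(app, limit:, period:)
    @app, @limit, @period = app, limit, period
    @counters = Hash.new(0)   # "discriminator:window" => hits
  end

  # Authenticated requests are limited per user so one office NAT does not
  # starve colleagues; anonymous ones fall back to the client IP. Behind a
  # proxy, REMOTE_ADDR must already be the proxy-resolved client address.
  def discriminator(env)
    user_id = env["pulse.current_user_id"]
    user_id ? "user:#{user_id}" : "ip:#{env['REMOTE_ADDR']}"
  end

  def call(env)
    now = env.fetch("pulse.now", Time.now.to_i)   # injectable clock for the demo
    window = now / @period
    key = "#{discriminator(env)}:#{window}"
    hits = (@counters[key] += 1)
    if hits > @limit
      retry_after = (window + 1) * @period - now    # seconds until the window resets
      return [429, { "Content-Type" => "text/plain", "Retry-After" => retry_after.to_s },
              ["Too many requests\n"]]
    end
    @app.call(env)
  end
end

# Drives the throttle with constructed requests; returns what a client would see.
def throttle_demo
  app = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok\n"]] }
  throttle = BurstThrottle.new(app, limit: 5, period: 10)
  t0 = 1_700_000_003   # 3 seconds into a 10-second window

  user_requests = Array.new(6) do |i|
    throttle.call("REMOTE_ADDR" => "203.0.113.7", "pulse.current_user_id" => 42, "pulse.now" => t0 + i)
  end
  other_user  = throttle.call("REMOTE_ADDR" => "203.0.113.7", "pulse.current_user_id" => 43, "pulse.now" => t0)
  next_window = throttle.call("REMOTE_ADDR" => "203.0.113.7", "pulse.current_user_id" => 42, "pulse.now" => t0 + 10)

  { statuses: user_requests.map(&:first),
    retry_after: user_requests.last[1]["Retry-After"],
    other_user: other_user.first,
    next_window: next_window.first }
end
```

User 43 behind the same IP is unaffected, which is the point of keying by user id first; a fixed window also means a burst at the window edge can double the effective limit, which is acceptable for burst protection and why Rack::Attack offers this exact shape.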

6

Webhook HMAC

Every outbound webhook carries an HMAC-SHA-256 signature over the payload, computed with a per-subscription secret. Rotate secrets via the API.

Deep dive

Everything that's in the box.

Per-tenant settings and isolation

Locale, timezone and currency are stored on the Tenant record. Isolation is enforced at the model level; this is per-tenant configuration, not geographic data residency.

Per-session revoke

Settings → Security lists every active session with device + IP + last seen. One-tap revoke invalidates token immediately.
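The JWT section above and the per-session revoke here are two ends of the same mechanism, so one added example covers both. It is not Pulse's Devise + devise-jwt code: a hand-rolled HS256 issue/verify pair in plain Ruby plus an in-memory stand-in for the UserSession table, keyed by SHA-256 of the token. The signing key, the session fields and the demo values are assumptions. The verify path pins the algorithm, compares the signature in constant time, checks expiry, and then consults the session row, so a revoked token fails even though its signature is still valid.

```ruby
require "openssl"
require "json"
require "base64"
require "securerandom"
require "digest"

# Added example: HS256 JWT issue/verify plus a per-session revocation table.
# Key, fields and demo values are assumptions; Pulse uses Devise + devise-jwt.
JWT_SECRET = "assumed-hs256-key-for-the-example-only".freeze

# Stand-in for the UserSession table: token_digest => session row.
SESSIONS = {}

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# Constant-time comparison so a forged signature cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def issue_token(user_id:, ip:, device:, now: Time.now.to_i, ttl: 3600)
  jti = SecureRandom.uuid
  header  = b64url(JSON.generate({ alg: "HS256", typ: "JWT" }))
  payload = b64url(JSON.generate({ sub: user_id, jti: jti, iat: now, exp: now + ttl }))
  signature = OpenSSL::HMAC.digest("SHA256", JWT_SECRET, "#{header}.#{payload}")
  token = "#{header}.#{payload}.#{b64url(signature)}"
  SESSIONS[Digest::SHA256.hexdigest(token)] = {
    user_id: user_id, jti: jti, ip: ip, device: device, last_seen_at: now, revoked_at: nil
  }
  token
end

# Returns [status, user_id]; status is :ok, :invalid, :expired or :revoked.
def authenticate(token, now: Time.now.to_i)
  parts = token.to_s.split(".")
  return [:invalid, nil] unless parts.size == 3
  header_b64, payload_b64, sig_b64 = parts
  expected = OpenSSL::HMAC.digest("SHA256", JWT_SECRET, "#{header_b64}.#{payload_b64}")
  return [:invalid, nil] unless secure_equal?(expected, b64url_decode(sig_b64))
  header  = JSON.parse(b64url_decode(header_b64))
  payload = JSON.parse(b64url_decode(payload_b64))
  return [:invalid, nil] unless header["alg"] == "HS256"   # pin the algorithm; never let the token choose
  return [:expired, nil] if payload["exp"].to_i <= now

  session = SESSIONS[Digest::SHA256.hexdigest(token)]
  return [:revoked, nil] if session.nil? || session[:revoked_at] || session[:jti] != payload["jti"]

  session[:last_seen_at] = now
  [:ok, payload["sub"]]
rescue ArgumentError, JSON::ParserError
  [:invalid, nil]
end

# What a Settings -> Security page would list: active sessions with device, IP, last seen.
def sessions_for(user_id)
  SESSIONS.select { |_, s| s[:user_id] == user_id && s[:revoked_at].nil? }
          .map { |digest, s| { token_digest: digest, ip: s[:ip], device: s[:device], last_seen_at: s[:last_seen_at] } }
end

def revoke_session!(token_digest, now: Time.now.to_i)
  SESSIONS.fetch(token_digest)[:revoked_at] = now
end

# Lost laptop: revoke its session from the phone; the phone's own token keeps working.
def revoke_demo
  SESSIONS.clear
  t0 = 1_700_000_000
  laptop = issue_token(user_id: 42, ip: "203.0.113.7", device: "MacBook", now: t0)
  phone  = issue_token(user_id: 42, ip: "198.51.100.3", device: "iPhone", now: t0)
  lost = sessions_for(42).find { |s| s[:device] == "MacBook" }
  revoke_session!(lost[:token_digest], now: t0 + 10)
  { laptop:   authenticate(laptop, now: t0 + 20),
    phone:    authenticate(phone, now: t0 + 20),
    tampered: authenticate(laptop.sub(/[^.]+\z/, "AAAA"), now: t0 + 20),
    expired:  authenticate(phone, now: t0 + 3600) }
end
```

Storing only the token digest means a leaked sessions table does not hand out usable bearer tokens, and the jti check ties the session row to the exact token it was created for.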

Pundit role-based policies

Per-resource Pundit policies. Roles: admin / manager / member / viewer. Granular permissions per action.

CSRF for cookie sessions

GET /auth/csrf issues a paired cookie + token; the SessionCookies concern verifies the X-CSRF-Token header against the cookie on state-changing requests. JWT bearer auth skips the CSRF check (intended for SPA + native clients), because a cross-site page cannot attach an Authorization header on the browser's behalf.
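The paired-cookie-plus-header check, as an added example in plain Ruby rather than Pulse's SessionCookies concern. The cookie name, env keys and response shape are assumptions. It shows the two things a reviewer looks for: the cookie alone never satisfies the check (the browser sends cookies on cross-site posts automatically, which is the whole attack), and the bearer exemption applies only when the credential arrives in an Authorization header.

```ruby
require "securerandom"

# Added example: paired cookie + header CSRF check. Cookie name, env keys and
# response shape are assumptions, not Pulse's code.

CSRF_COOKIE  = "pulse_csrf".freeze
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# What GET /auth/csrf would return: the token in the body for the SPA to echo
# back in a header, and the same value in an HttpOnly cookie the page's script
# cannot read. A cross-site attacker has neither the body nor the header.
def issue_csrf_pair
  token = SecureRandom.urlsafe_base64(32)
  cookie = "#{CSRF_COOKIE}=#{token}; Path=/; Secure; HttpOnly; SameSite=Lax"
  { set_cookie: cookie, token: token }
end

def parse_cookies(header)
  header.to_s.split(/;\s*/).each_with_object({}) do |pair, h|
    name, value = pair.split("=", 2)
    h[name] = value if name && value
  end
end

# Constant-time comparison of the two token copies.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def csrf_required?(env)
  return false if SAFE_METHODS.include?(env["REQUEST_METHOD"])
  # Bearer clients are exempt: the browser never attaches Authorization on its own.
  return false if env["HTTP_AUTHORIZATION"].to_s.start_with?("Bearer ")
  true
end

# true when the request may proceed.
def csrf_ok?(env)
  return true unless csrf_required?(env)
  cookie_token = parse_cookies(env["HTTP_COOKIE"])[CSRF_COOKIE].to_s
  header_token = env["HTTP_X_CSRF_TOKEN"].to_s
  return false if cookie_token.empty?
  secure_equal?(cookie_token, header_token)
end

# Constructed requests covering the SPA path, the attack shape, a guessed token,
# a safe method and a bearer client.
def csrf_demo
  pair = issue_csrf_pair
  cookie = "session=abc; #{CSRF_COOKIE}=#{pair[:token]}"
  {
    spa_post:        csrf_ok?("REQUEST_METHOD" => "POST", "HTTP_COOKIE" => cookie, "HTTP_X_CSRF_TOKEN" => pair[:token]),
    cross_site_post: csrf_ok?("REQUEST_METHOD" => "POST", "HTTP_COOKIE" => cookie),   # cookie only: forged form post
    wrong_token:     csrf_ok?("REQUEST_METHOD" => "POST", "HTTP_COOKIE" => cookie, "HTTP_X_CSRF_TOKEN" => "guess"),
    get:             csrf_ok?("REQUEST_METHOD" => "GET", "HTTP_COOKIE" => cookie),
    bearer_post:     csrf_ok?("REQUEST_METHOD" => "POST", "HTTP_AUTHORIZATION" => "Bearer eyJ.example.token")
  }
end
```

The exemption holds only while the JWT is accepted from the Authorization header alone; an endpoint that also reads the same JWT out of a cookie reintroduces CSRF and needs the header check again.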

Filter parameter logging

Passwords, tokens, OTP, SSN, CVV, certificate data redacted from Rails logs at the framework level.

30-day archive purge

ArchivePurgeJob hard-deletes records 30 days after they are archived, which supports right-to-be-forgotten requests.

Slack & Gmail signature verification

Slack Events API HMAC verified before processing. Gmail Pub/Sub OIDC bearer token verified.
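Outbound webhook signing (above, region 6) and inbound Slack verification use the same primitive, so one added example covers both. This is not Pulse's code: the X-Pulse-* header names, the timestamp bound into the signed string, and the rotation grace window that accepts the previous secret are assumptions layered on top of "HMAC-SHA-256 over the payload with a per-subscription secret". The Slack half follows Slack's documented v0 scheme (X-Slack-Request-Timestamp, X-Slack-Signature over "v0:timestamp:body"). Both verifiers reject stale timestamps and compare in constant time.

```ruby
require "openssl"
require "json"

# Added example: sign outbound webhooks and verify inbound Slack requests with
# HMAC-SHA-256. X-Pulse-* headers, timestamp binding and the rotation window are
# assumptions; the Slack scheme is Slack's documented v0 format.

def hmac_hex(secret, data)
  OpenSSL::HMAC.hexdigest("SHA256", secret, data)
end

def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# --- Outbound: Pulse -> subscriber ---------------------------------------
# Binding the timestamp into the signed string means a captured delivery
# cannot be replayed later, even with an identical body.
def sign_webhook(secret, body, timestamp)
  { "X-Pulse-Timestamp" => timestamp.to_s,
    "X-Pulse-Signature" => "sha256=" + hmac_hex(secret, "#{timestamp}.#{body}") }
end

# Subscriber side. `secrets` holds the current secret first and, during a
# rotation, the previous one, so in-flight deliveries keep verifying.
def verify_webhook(secrets, headers, raw_body, now:, tolerance: 300)
  ts = headers["X-Pulse-Timestamp"].to_i
  return false if (now - ts).abs > tolerance
  given = headers["X-Pulse-Signature"].to_s
  Array(secrets).any? { |s| secure_equal?("sha256=" + hmac_hex(s, "#{ts}.#{raw_body}"), given) }
end

# --- Inbound: Slack Events API -> Pulse ----------------------------------
# Verify over the raw request body, before any JSON/form parsing.
def verify_slack(signing_secret, headers, raw_body, now:, tolerance: 300)
  ts = headers["X-Slack-Request-Timestamp"].to_i
  return false if (now - ts).abs > tolerance          # stale: possible replay
  expected = "v0=" + hmac_hex(signing_secret, "v0:#{ts}:#{raw_body}")
  secure_equal?(expected, headers["X-Slack-Signature"].to_s)
end

# Constructed delivery and Slack event; returns the verdict for each case.
def webhook_demo
  secret_v1, secret_v2 = "whsec_old_example", "whsec_new_example"
  body = JSON.generate({ event: "deal.won", deal_id: 17, amount: 4200 })
  sent_at = 1_700_000_000
  headers = sign_webhook(secret_v1, body, sent_at)

  slack_secret = "slack_signing_secret_example"
  slack_body   = "token=xyz&team_id=T0001&event=message"
  slack_headers = { "X-Slack-Request-Timestamp" => sent_at.to_s,
                    "X-Slack-Signature" => "v0=" + hmac_hex(slack_secret, "v0:#{sent_at}:#{slack_body}") }

  {
    valid:          verify_webhook(secret_v1, headers, body, now: sent_at + 5),
    tampered_body:  verify_webhook(secret_v1, headers, body.sub("4200", "1"), now: sent_at + 5),
    replayed:       verify_webhook(secret_v1, headers, body, now: sent_at + 3600),
    after_rotation: verify_webhook([secret_v2, secret_v1], headers, body, now: sent_at + 5),
    slack_valid:    verify_slack(slack_secret, slack_headers, slack_body, now: sent_at + 5),
    slack_forged:   verify_slack(slack_secret, slack_headers, slack_body + "&admin=1", now: sent_at + 5)
  }
end
```

The body must be the exact bytes received; re-serialising parsed JSON before hashing is the most common way these verifiers end up rejecting valid deliveries, or worse, being quietly disabled.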

Honeybadger error tracking

Production exceptions captured in Honeybadger for monitoring. PII filtered at the Rails level before transmission.

In the wild

How teams use it.

10-sec revoke

"Per-session revoke saved my life when I lost my laptop. Killed the session from my phone in 10 seconds."

Carlos R.

Agency, 8 reps

3 audits passed

"Audit log answered three customer compliance audits in a row. Defensible data trail."

Maya J.

Logistics, 40 reps

Signed delivery

"Webhook HMAC let us integrate billing without trusting public endpoints."

Tomás D.

SaaS engineering

Pulse vs. The Old Way

A different league.

                         Pulse CRM                                         Spreadsheet / legacy CRM
Tenant isolation         Model-level via concern, structurally enforced    Query-time scoping (leak-prone)
Audit log scope          Every domain model auto-audited                   Add-on; specific models only
Encrypted credentials    OAuth + IMAP + SMTP encrypted at rest             Sometimes encrypted, often plain
Per-session revoke       Per-device session list with one-tap revoke       Logout-all only

Get started in 5 minutes

Ready to see the pulse of your revenue?

Start free. Bring your whole team. Cancel whenever (you won't).