Data handling

Regulatory documents ingested by NodalPulse are stored as structured text in Cloudflare R2 object storage. Storage is encrypted at rest using AES-256. Access to stored documents is controlled per user entitlement — a Starter subscriber cannot retrieve documents or brief items belonging to another account.

Document content is treated as read-only reference data. We do not modify, annotate, or redistribute source documents outside of our pipeline. Brief summaries are derived from document text; the underlying source is always cited by filing ID, page, and paragraph.

No PII in logs

Email addresses and user names are redacted before log entries are written to application logs and error tracking (Sentry). Logged queries against dockets or search terms are stored only in aggregated, anonymized form. We do not sell or share user activity data with third parties.

Infrastructure

Application hosting: Railway (US region, us-west-2)
Database: Railway Postgres with automated daily backups and point-in-time recovery. Backups retained 30 days.
Object storage: Cloudflare R2 (us-east-1 jurisdiction)
CDN / edge: Cloudflare (marketing site, static assets)
Email delivery: Brevo transactional email with SPF, DKIM, and DMARC configured on nodalpulse.com
Transport security: TLS 1.3 enforced on all external connections. TLS 1.2 minimum on infrastructure connections.

Authentication

NodalPulse uses email magic links for authentication. No passwords are stored — there is no password database to breach. Magic links are single-use and expire after 15 minutes.

Session tokens are short-lived (8-hour expiry) and stored in HttpOnly cookies with SameSite=Strict. Token rotation occurs on each authenticated request. There is no "remember me" session persistence longer than 30 days.

Authentication is implemented using better-auth. The auth layer is isolated from the brief pipeline and document storage.

Data retention

Regulatory documents: Retained indefinitely. These are public records. We store them to support citation linking and Q&A on historical filings.
Brief history: Retained per plan tier (30 days on Starter, 1 year on Pro, 3 years on Team, unlimited on Org).
User account data: Deleted within 30 days of a verified account deletion request. Includes email address, saved searches, tracked dockets, and brief history.
Logs: Application logs retained 14 days. Error tracking events retained 30 days. Aggregated usage metrics retained 12 months.

Contact

To report a security vulnerability or request a data deletion, contact:

security@nodalpulse.com

We acknowledge security reports within 1 business day and aim to resolve confirmed vulnerabilities within 14 days. Please do not disclose vulnerabilities publicly before we have had a chance to investigate.