Security
Built to be trusted by the people who build.
Construction data — payroll records, GPS coordinates, incident reports, crew information — is sensitive. We treat it that way from the first line of code.
Six layers of protection
End-to-End Encryption
All data in transit uses TLS 1.3. Sensitive fields — GPS coordinates, payroll records, personal identifiers — are encrypted at rest with AES-256. Nothing leaves our servers unencrypted.
Privacy-First GPS
Location is captured only at the exact moment of clock-in and clock-out. We do not track workers between those events. No background location. No continuous monitoring. Architecturally impossible — we never request the permission.
Role-Based Access
Workers see only their own data. Project managers see their assigned crew. Admins control the organisation. Access boundaries are enforced at the database query layer — not just the UI — so there is no path around them.
Organisation Isolation
Every organisation's data is logically isolated. Multi-tenancy is enforced at the database query layer, not the application layer. Your crew's timesheets are structurally unreachable by any other account.
Threat Detection
Automated anomaly detection monitors for unusual access patterns, failed authentication spikes, and bulk data export events. All security events are logged, timestamped, and retained for 12 months.
Immutable Audit Trail
Every clock-in, clock-out, safety report, and admin action is written to an append-only audit log. Exportable on demand for payroll disputes, compliance audits, or legal proceedings.
Our GPS promise
We know where your crew clocked in. That is it.
PulseIQ captures GPS coordinates at two moments per shift: clock-in and clock-out. The mobile app never requests background location access. Workers are not tracked between events — not during lunch, not while driving home. Not ever.
This is not just policy. The app is architecturally incapable of background tracking because we never request the operating system permission that would allow it.
Compliance & certifications
GDPR: Active
European data processing agreements available on request. Users can access, correct, or delete their data at any time.
CCPA: Active
California consumer privacy rights fully supported. We do not sell personal information.
SOC 2 Type II: In Progress
Assessment underway. Target completion Q3 2025. Controls documentation available on request under NDA.
ISO 27001: Roadmap
Planned after SOC 2 completion.
Common questions
Do you sell or share worker location data?
Never. GPS data is used solely for work-site verification within your organisation. It is never sold, shared with third parties, or used for advertising.
Can workers see what data is being collected on them?
Yes — full transparency is a core principle. Workers can see every clock-in, clock-out, and GPS coordinate attached to their profile at any time from the mobile app.
Where is data physically stored?
Production data is stored on cloud infrastructure in the United States. European customers can request a data residency agreement for EU-region storage.
What happens to our data if we cancel?
You can export all your data at any time in CSV or JSON format. Upon account closure, data is held for 90 days for recovery purposes, then permanently deleted from all systems including backups.
How do you handle a security incident?
We maintain an incident response plan with defined SLAs. Affected organisations are notified within 72 hours of a confirmed breach, in compliance with GDPR Article 33 requirements.
Have a specific security concern or need documentation for a compliance review?
security@projectpulseiq.com