StandardPulse Security & Architecture Whitepaper
Last Updated: March 2026
Because our platform is utilized by vCISOs, compliance architects, and enterprise risk teams, security and data privacy are not layered on top of our application—they are embedded into the foundational architecture.
This document outlines the system architecture, data isolation strategies, and artificial intelligence safeguards implemented within StandardPulse to ensure enterprise-grade security and confidentiality.
One of the most critical concerns for modern GRC teams is the handling of proprietary control frameworks and sensitive gap analyses by Large Language Models (LLMs). StandardPulse employs a strict, enterprise-first approach to AI.
All AI processing is powered by the Google Gemini API
(@google/genai). StandardPulse utilizes
enterprise API endpoints, meaning your proprietary data, custom frameworks, and internal SME comments are
never used to train foundational AI models.
All user-supplied content processed by the AI engine is sandboxed within strict delimiter tags with explicit system-level security instructions that mitigate adversarial prompt injection or role override. AI outputs are further sanitized server-side through field-length caps, enum whitelisting, and schema validation before being persisted, ensuring that neither user input nor model output can corrupt application state.
Our automated requirement decomposition and classification pipeline is strictly modeled after NIST IR 8477 (Set Theory Relationship Mapping), ensuring audit-defensible rationale (chain-of-thought) for every mapping.
A high-level look at how StandardPulse securely handles data from the client, through our isolated middleware, and into our hardened storage and AI layers.
Encrypted TLS 1.3 Connection
Google SSO Auth • Tenant Boundary Validation (Org ID)
Express Rate Limiting • Zod Input Sanitization
AES-256 Encryption
Strict Row-Level Security
Continuous Snapshots
Sandboxed Delimiters
Deterministic Vector Matching
Zero-Retention Enterprise API
StandardPulse utilizes a robust multi-tenant architecture to ensure absolute segregation of client and organizational data.
Every piece of sensitive data—including tracked sources, STRM
runs, radar configurations, custom frameworks, and intake queues—is strictly bound to a unique
organization_id.
Our API routes are protected by tenant-aware middleware. Every
request validates the authenticated user's
organization_id and role before
database execution, preventing cross-tenant data bleed.
Tenant environments are tightly controlled through explicit
lifecycle states (active,
read_only,
inactive,
dormant,
deleted) to ensure data is properly
retained or purged according to customer directives and industry standard-based account lifecycle
management controls.
Authentication and authorization are managed through industry-leading identity providers and granular Role-Based Access Control (RBAC).
Identity management is offloaded to Google Cloud Identity
Platform, supporting robust Google SSO and secure token-based authentication
(Authorization: Bearer <token>).
Access within an organization is strictly governed by distinct roles:
Organization expansion is handled via time-limited, cryptographically secure invite tokens.
Our application stack is hardened against common web vulnerabilities and operational disruptions.
The API is fortified using Helmet for secure HTTP headers, strictly configured CORS policies, and rigorous input sanitization via Zod schema validation to prevent injection attacks. AI-generated outputs are additionally sanitized through server-side field-length caps, tag whitelisting against allowed values, and numeric range clamping before persistence.
All API endpoints—particularly heavy AI-generation and document-extraction routes—are protected by express-rate-limit with automatic request throttling to ensure high availability and mitigate Denial of Service (DoS).
StandardPulse enforces strict database-level integrity and automated snapshotting to ensure high availability, concurrent read/write safety, and rapid recovery capabilities.
To proactively identify and mitigate risks, StandardPulse integrates native Google Cloud security guardrails directly into our deployment lifecycle. All application container images and dependencies undergo automated vulnerability scanning (CVE detection) via Google Artifact Registry. Furthermore, our production environment is continuously monitored by Google Security Command Center to detect infrastructure misconfigurations and enforce strict cloud security posture management, ensuring potential flaws are identified and patched before they can be exploited.
StandardPulse maintains a compliance-grade audit trail that automatically records all security-relevant operations—including authentication events, data mutations, administrative actions, and AI processing requests—with structured JSON output. Every log entry captures best-practice audit metadata: who performed the action, what was affected, when it occurred, where the request originated, and why it was classified at a given severity. All structured logs are auto-ingested by Google Cloud Logging with severity mapping (INFO, WARNING, ERROR, CRITICAL), enabling centralized querying, automated alerting, and SIEM integration. Audit records are retained for 180 days with automated purging to optimize storage costs while maintaining compliance with SOC 2 and NIST AU-2/AU-3 requirements.
StandardPulse maintains formal, framework-aligned compliance policies covering Access Review (quarterly reviews, account lifecycle, revocation SLAs), Incident Response (5-phase IR with severity classification and communication procedures), Business Continuity & Disaster Recovery (RPO ≤1 hour, RTO ≤2 hours, documented recovery procedures), and Vulnerability Management (CVSS-based remediation SLAs, CI/CD scanning gates, risk acceptance). All policies are mapped to SOC 2, ISO 27001, and NIST 800-53 controls.
StandardPulse does not store or process raw credit card data. All subscription, checkout, and billing operations are securely offloaded to Paddle via secure webhook integrations with HMAC-SHA256 signature verification.
The platform is deployed entirely on Google Cloud Platform (GCP). Data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
StandardPulse believes in earning your business through ongoing value, not vendor lock-in.
Customers retain full ownership of their compliance data. Every STRM crosswalk, control gap analysis, AI-generated executive briefing, and SME comment review can be exported instantly to standard, audit-ready formats (XLSX, CSV, or PDF).