Security & Trust

Built for the kitchens auditors trust.

OpsPulse is what your security review wants — not a checklist of buzzwords. Real isolation, real encryption, real audit trails.

TLS 1.3 in transit
AES-256 at rest
Row-level security
Per-tenant isolation
Region-pinned data
Full DPA available

Auth & access

Identity that can't be spoofed.

OpsPulse uses Supabase Auth for operator accounts and short-lived, per-shift identity for staff. Every action on the kiosk is attributable — no shared store PINs, no anonymous taps.

  • Email + password with optional magic link
  • Per-manager PINs — every shift action is tied to who
  • Role-based access (owner, manager, staff) at the database level
  • Session tokens rotate; no long-lived API keys for client code

Identity stack

Layered access on every request

User
Role
Location
Action
Data

Your data, your tenant, your region.

Operational records live in Supabase Postgres with row-level security on every table. Photos and evidence sit in Cloudflare R2, encrypted at rest. Tenants never see each other's data — enforcement happens in the database, not the application code.

  • Postgres with row-level security on every table
  • Photos + evidence on Cloudflare R2, encrypted at rest
  • Region-pinned (US at launch, EU + APAC coming)
  • Zero shared data across tenants — RLS enforced server-side

Data residency

Pinned, isolated, enforced

  1. Your data
  2. Region
  3. Tenant boundary
  4. RLS

AI safety

The AI never sees what it shouldn't.

Every LLM call routes through Cloudflare AI Gateway — rate-limited, logged, observable. Personal data is redacted before any knowledge indexing or retrieval. Your knowledge stays scoped to your tenant.

  • All LLM calls route through Cloudflare AI Gateway (rate-limited, logged)
  • PII redacted before any knowledge indexing or retrieval
  • Vector retrieval is tenant-scoped — your knowledge stays yours
  • Your data is never used to train models. Period.

Safety envelope

Every model call, every time

  1. Your prompt
  2. PII redaction
  3. AI Gateway
  4. Response
  5. Audit log

Compliance

Compliance posture, plainly stated.

We don't claim certifications we don't have. Here's exactly where we stand today and what's on the roadmap.

GDPR

EU-ready architecture with region pinning. DPA available on request. Data deletion and export honored within the regulatory window.

CCPA

California-resident rights supported — access, deletion, and opt-out mechanics built into the operator dashboard.

SOC 2 Type I

Roadmap — Q4 2026. We're building toward a Type I report with a Type II to follow. We won't claim it until it's signed.

Subprocessors

Who touches your data, and what they do.

Full list of subprocessors available in your DPA.

Cloudflare

Compute, edge, storage (R2), AI Gateway, Durable Objects

Supabase

Auth, Postgres, Realtime

OpenAI

LLM inference (via Cloudflare AI Gateway)

Responsible disclosure

Found something? Tell us first.

If you believe you've found a security vulnerability in OpsPulse, please report it privately to security@opspulse.io. We acknowledge every report within 24 hours and will keep you posted through resolution. We don't pursue legal action against good-faith researchers who follow coordinated disclosure.

Have a security review?

We'll get on a call with your security team.

Bring your questionnaire. We've answered every one of them.