1. Purpose

Pulse is committed to protecting personal data and confidential client information processed in connection with our custom software development and IT services, including consulting, implementation, testing/QA, maintenance, support, staffing augmentation, and related professional services. This policy describes our baseline controls and responsibilities for collecting, using, storing, sharing, and protecting personal data.

2. Scope and applicability

This policy applies to:

  • All Pulse workforce members (employees, contractors, temporary staff)
  • All Pulse-managed systems, endpoints, applications, repositories, and cloud services
  • All client engagements where Pulse processes personal data or confidential information (including in client-controlled environments)

3. Roles: Controller vs Processor (how Pulse typically operates)

Depending on context, Pulse may act as:

  • Data Controller (or equivalent): for personal data collected via our corporate websites, marketing, recruiting, vendor management, and general business administration.
  • Data Processor / Service Provider (or equivalent): when we process personal data on behalf of a client as part of delivering services (e.g., developing or maintaining client applications). In that scenario, the client determines purposes and means of processing, and Pulse follows documented client instructions. This controller/processor distinction is common in IT services privacy governance.

4. Data protection principles

Pulse follows standard data protection principles, including:

  • Lawfulness, fairness, transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)

5. What personal data we process (typical categories)

Pulse may process (depending on engagement and role):

  • Business contact data (clients, prospects, partners): name, email, phone, company, role
  • Recruitment/HR data: resumes, employment history, identifiers required for hiring/contracting
  • Client project data: requirements, tickets, logs, documentation that may contain personal data
  • End-user data (client-owned): when troubleshooting, testing, migrating, or maintaining client systems
  • Website data: basic usage analytics and security logs (where enabled)

We aim to use the minimum necessary data to deliver the requested service.

6. Lawful basis for processing (where applicable)

When Pulse is acting as a Controller, we process personal data based on one or more of the following (as applicable under relevant laws):

  • Contract performance (e.g., delivering services, recruitment steps)
  • Legitimate interests (e.g., security, fraud prevention, service improvement)
  • Legal obligations (e.g., accounting, tax, labor)
  • Consent (e.g., certain marketing communications, where required)

When Pulse acts as a Processor, the client’s lawful basis typically applies; Pulse supports client compliance through contractual and operational controls.

7. Secure engineering and “privacy by design” (custom software development focus)

Pulse integrates security and privacy controls into our delivery lifecycle:

  • Secure SDLC practices (requirements, design reviews, secure coding, peer review)
  • Access control and least privilege to client environments and data
  • Use of sanitized/synthetic test data whenever feasible; restrict production data use to approved scenarios
  • Vulnerability management practices for dependencies and components
  • Logging/monitoring appropriate to the system and contract

(“Privacy by design” in software development is a widely recognized approach for reducing risk and improving compliance.)

8. Data security controls (baseline)

Pulse uses administrative, technical, and organizational controls appropriate to the risk, which may include:

  • Encryption in transit (e.g., TLS) and encryption at rest where feasible/contracted
  • Identity and access management: role-based access, strong passwords, MFA where available/required
  • Endpoint security: device protections, patching, anti-malware, secure configurations
  • Network security: firewalls/security groups, hardened remote access, segmentation as appropriate
  • Audits and reviews: periodic access reviews and security assessments aligned to engagement needs
  • Workforce training: security/privacy awareness training and incident reporting expectations

9. Client data handling (processor commitments)

When Pulse processes client personal data as a Processor/Service Provider, we will, consistent with contract and applicable law:

  • Process data only on documented client instructions
  • Limit access to authorized personnel with a need-to-know
  • Use approved tools/systems for storage and transfer
  • Support client requests for access, deletion, export, or correction as contractually agreed
  • Ensure subcontractors (if any) are bound by confidentiality and data protection obligations

10. Third-party processors and subprocessors

Pulse may use vetted third parties (e.g., cloud hosting, communications, ticketing, code repositories) to support operations and delivery. We apply due diligence and contractual protections appropriate to the sensitivity of data and the services provided, consistent with the common approach described in similar policies.

11. International data transfers

Pulse may process data in multiple jurisdictions depending on client location, delivery model, and vendor footprint. Where cross-border transfer restrictions apply, Pulse uses appropriate safeguards (e.g., contractual clauses, vendor commitments, or other lawful transfer mechanisms). (This is aligned with standard GDPR transfer safeguarding approaches.)

12. Data retention and secure disposal

Pulse retains personal data only as long as necessary for legitimate business purposes, contract performance, legal/regulatory requirements, or dispute resolution. Retention may vary by:

  • Engagement contract terms (including return/deletion instructions)
  • Legal/finance requirements (e.g., invoicing/tax)
  • Security and audit logging needs

Upon expiration of retention or upon verified instruction (as applicable), Pulse will securely delete or irreversibly anonymize data.

13. Data subject rights and requests

Where applicable under law, individuals may have rights to access, correct, delete, restrict processing, object, or receive a portable copy of their personal data.

How to submit a request:
Email: [email protected]
Subject line: “Data Protection Request”

To protect confidentiality, we may need to verify identity and/or confirm whether Pulse is acting as Controller or Processor for the requested data. If Pulse is acting as a Processor for a client, we may redirect the request to the relevant client (Controller) or assist the client per contract.

14. Incident and breach management

Pulse maintains processes to identify, contain, investigate, and remediate suspected security incidents involving personal data. Where notification is required by law or contract, Pulse will provide notifications to clients and/or affected parties within required timelines and with appropriate details.

15. Governance and responsibilities

  • Executive Management: accountable for overall compliance and resourcing
  • Delivery/Project Leadership: ensures engagement-specific controls (access, environments, vendors, retention) are applied
  • IT/Security Function: implements baseline security controls, monitoring, and incident response support
  • All Workforce Members: must follow this policy, complete required training, and promptly report suspected incidents

16. Policy review

This policy is reviewed periodically and updated as necessary to reflect changes in law, technology, business operations, and risk.

17. Contact (Data Protection Officer)

For questions, complaints, or requests related to this policy:

Data Protection Officer (DPO)
Email: [email protected]