Compliance & Trust
LogPulse is committed to meeting the compliance and regulatory requirements of our customers. This page provides a transparent view of our current compliance status, roadmap, data processing practices, and available documentation.
For a high-level overview of our security posture, see the Security page. For questions about compliance or to request documentation, contact [email protected].
Compliance Roadmap
The table below shows the current status of our compliance certifications and programs. We are transparent about what we have achieved and what is in progress.
| Framework | Status | Expected Completion | Details |
|---|---|---|---|
| GDPR | Compliant | Completed | Full compliance with EU General Data Protection Regulation. DPA available. |
| SOC 2 Type II | In Progress | Q3 2026 | Audit engagement active with independent auditor. Trust Services Criteria aligned. |
| ISO 27001 | Planned | 2027 | Information security management system certification. Scoping phase. |
| HIPAA | Ready | Available on Enterprise | BAA available for Enterprise plan customers handling PHI. |
| NIS2 | Monitoring | As required | Tracking EU NIS2 directive requirements applicable to our sector. |
GDPR
LogPulse is fully compliant with the EU General Data Protection Regulation. Key capabilities include:
- Data Processing Agreement (DPA) available for all paid plans
- Right to erasure (Article 17) via targeted deletion API
- Right to data portability (Article 20) via export API
- Data minimization through configurable retention policies
- EU data residency by default (GCP Netherlands, europe-west4)
- Sub-processor transparency with advance notification of changes
SOC 2 Type II
LogPulse is currently undergoing a SOC 2 Type II audit with an independent auditor. The audit covers the Security, Availability, and Confidentiality trust services criteria. We expect the audit to complete in Q3 2026.
Controls already in place include continuous monitoring, access reviews, change management procedures, incident response plans, and vendor risk management. A SOC 2 Type II report will be available under NDA upon request once the audit is completed.
ISO 27001
ISO 27001 certification is planned for 2027. We are currently in the scoping phase, defining the Information Security Management System (ISMS) boundaries. Our security controls are already aligned with many ISO 27001 requirements through our SOC 2 program.
HIPAA
LogPulse supports HIPAA-eligible configurations on the Enterprise plan. This includes encryption at rest (AES-256), encryption in transit (TLS 1.3), comprehensive audit logging of all data access, and a signed Business Associate Agreement (BAA).
HIPAA requires a minimum 6-year retention period for certain records. Enterprise plan customers can configure retention policies up to 2,190 days (6 years) or use archival exports to their own HIPAA-compliant storage.
Data Processing Agreement (DPA)
A Data Processing Agreement is available for all paid LogPulse plans. The DPA covers:
- Scope of data processing and categories of personal data
- Sub-processor list with advance notification of changes
- Data subject rights procedures
- Security measures and incident notification (72-hour notification window)
- Data return and deletion upon contract termination
- International transfer safeguards
To request a DPA, contact [email protected] or your account manager. Signed DPAs are typically returned within 5 business days.
Standard Contractual Clauses
For transfers of personal data outside the European Economic Area, our DPA includes the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission (June 2021 version). The SCCs apply to any sub-processor located outside the EEA, currently limited to Anthropic for AI processing (schema metadata only, zero-retention API).
LogPulse's primary infrastructure (compute, storage, databases) is hosted entirely within the EU (GCP Netherlands, via Railway and ClickHouse Cloud). No customer log data leaves the EU during normal operation.
Security Whitepaper
A detailed security whitepaper is available on request. The whitepaper covers:
- Platform architecture and security design principles
- Encryption standards and key management
- Multi-tenancy isolation model
- Access control and authentication
- Incident response procedures
- Vulnerability management program
- Business continuity and disaster recovery
Request the security whitepaper by contacting [email protected].
Audit & Reporting
Audit Log Retention
LogPulse maintains comprehensive audit logs for all administrative actions, including user logins, API key creation and usage, configuration changes, data exports, and deletion requests. Audit logs are retained for the following periods:
| Plan | Audit Log Retention | Export Available |
|---|---|---|
| Free | 90 days | No |
| Starter | 90 days | No |
| Pro | 90 days | CSV export |
| Business | 90 days | CSV and JSON export |
| Enterprise | Custom (up to 2,190 days) | CSV, JSON, and SIEM integration |
Audit Log Export
Customers on the Pro, Business, and Enterprise plans can export audit logs for external analysis or compliance archival. Exports include all audit events with full metadata (timestamp, actor, action, resource, IP address, user agent).
Penetration Testing
LogPulse undergoes annual third-party penetration testing conducted by an independent security firm. The scope covers the web application, API endpoints, infrastructure, and authentication systems. A summary of findings and remediation status is available on request under NDA.
Sub-processors
LogPulse uses a minimal set of sub-processors to deliver the platform. We select sub-processors based on security posture, compliance certifications, and data residency capabilities.
| Sub-processor | Purpose | Location | Certifications |
|---|---|---|---|
| Railway (GCP) | Application hosting, PostgreSQL, Redis | EU (Netherlands) | SOC 2, ISO 27001 (via GCP) |
| ClickHouse Cloud (GCP) | Log storage & analytics | EU (Netherlands) | SOC 2, ISO 27001 (via GCP) |
| Anthropic | AI Investigator & query generation (schema metadata only) | US (EU-bound SCC in place) | SOC 2 Type II, ISO 27001, HIPAA (zero-retention API) |
| Microsoft Azure | Email alerting via Microsoft Graph API | EU (West Europe) | SOC 2, ISO 27001, HIPAA |
| Cloudflare | CDN, DDoS protection, DNS, WAF | Global (EU-proxied) | SOC 2, ISO 27001, PCI DSS |
| Mollie | Payment processing (iDEAL, SEPA, credit card) | EU (Netherlands) | SOC 2, PCI DSS Level 1 |
Changes to the sub-processor list are communicated to customers with DPAs at least 30 days in advance, giving you time to review and object if necessary.
Data Residency
By default, all LogPulse customer data (logs, metadata, backups) is stored in the European Union, specifically in GCP Netherlands (via Railway and ClickHouse Cloud). This applies to all plans.
| Data Type | Storage Location | Notes |
|---|---|---|
| Log data (hot, warm) | EU (Netherlands) | ClickHouse Cloud on GCP |
| Log data (cold/archive) | EU (Netherlands) | ClickHouse Cloud on GCP |
| Metadata (users, orgs, config) | EU (Netherlands) | PostgreSQL on Railway (GCP) |
| Backups | EU (Netherlands) | Automated backups within GCP Netherlands |
| Payment data | Mollie (EU/Netherlands) | Processed by Mollie; not stored by LogPulse |
US region availability is planned for Enterprise customers on request. Contact your account manager to discuss data residency requirements for other regions.