
Security & compliance

The controls and practices that keep Customer Data safe. We publish the boring details on this page; the audit reports are available under NDA.

Last updated: 12 May 2026 · Hosting: European Union only


Certifications & standards

Standard                                Status
ISO/IEC 27001:2022                      Certified (Excis Compliance group certificate)
SOC 2 Type II                           Audit in progress — report expected H2 2026
Cyber Essentials Plus (UK)              Certified
GDPR (Regulation 2016/679)              Aligned — see DPA
UK GDPR & Data Protection Act 2018      Aligned

Data location

  • Primary processing & storage: Frankfurt, Germany (EU)
  • Disaster recovery replica: Amsterdam, Netherlands (EU)
  • Backups: Encrypted and stored exclusively within the EU; 35-day rolling window
  • No transatlantic copies, ever. Production data is geo-fenced at the infrastructure layer

Encryption

  • In transit: TLS 1.3 with strong cipher suites; HSTS enabled on all customer-facing endpoints; HTTP/2 and HTTP/3
  • Agent ↔ ingest: TLS 1.3 plus mutual TLS using device-bound certificates issued at first enrolment
  • At rest (server): AES-256-GCM for databases and object storage; keys managed in HSM-backed KMS
  • At rest (agent): The local SQLite event buffer is encrypted with a per-device key derived from the OS keystore (DPAPI, Keychain, libsecret)
  • Backups: AES-256, separate key hierarchy from production
  • Key rotation: Annual for data-encryption keys; on-demand for any suspected compromise

Access control

  • SSO with WebAuthn (FIDO2 hardware key) MFA required for all Excis personnel with production access — no exceptions for executives
  • Just-in-time access elevation via a documented approval workflow; standing access to production is held by zero employees
  • All administrative sessions are recorded and reviewed monthly
  • Quarterly access reviews; immediate offboarding on termination
  • Customer-side: SAML and OIDC SSO available; SCIM provisioning on Enterprise; granular RBAC with custom roles

Agent security

  • Written in Rust — memory safety eliminates entire classes of vulnerability (use-after-free, buffer overflow)
  • Binaries are signed: Authenticode on Windows, codesign + notarisation on macOS, GPG-signed packages on Linux
  • Reproducible builds (Cargo + locked toolchain) — third parties can verify the released binaries match the source
  • Auto-update channel uses signed manifests with Ed25519; downgrades are rejected
  • The agent process runs as a service under a dedicated, non-privileged account
  • Local data buffer is encrypted (see above) and capped at the configured limit (default 500 MB)
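The signed-manifest and downgrade-rejection rule from the list above, as an added Go example (not Excis Pulse code; the real agent is written in Rust and its manifest format is not public): the receiver checks the Ed25519 signature over the exact bytes it was given before parsing anything, then refuses any version that is not strictly newer than the one installed, so a validly signed but stale manifest cannot be replayed. The manifest field names, the three-part version scheme and the sample values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Manifest is a hypothetical layout; the real Excis Pulse format is not public.
type Manifest struct {
	Version string `json:"version"` // "major.minor.patch"
	SHA256  string `json:"sha256"`  // digest of the payload the agent will fetch
}

// checkNewer is nil only when offered is strictly newer than installed. Fields compare as
// integers (1.10.0 > 1.9.9) and must round-trip exactly, so "1.4.2-rc1" is refused, not truncated.
func checkNewer(offered, installed string) error {
	var a, b [3]int
	_, e1 := fmt.Sscanf(offered, "%d.%d.%d", &a[0], &a[1], &a[2])
	_, e2 := fmt.Sscanf(installed, "%d.%d.%d", &b[0], &b[1], &b[2])
	str := func(v [3]int) string { return fmt.Sprintf("%d.%d.%d", v[0], v[1], v[2]) }
	if e1 != nil || e2 != nil || str(a) != offered || str(b) != installed {
		return fmt.Errorf("malformed version: offered %q, installed %q", offered, installed)
	}
	for i := range a {
		if a[i] > b[i] {
			return nil
		} else if a[i] < b[i] {
			break
		}
	}
	return fmt.Errorf("downgrade or replay rejected: %s is not newer than %s", offered, installed)
}

// VerifyManifest checks the Ed25519 signature over the exact bytes received, and only then
// parses them; a validly signed but older manifest is refused rather than installed.
func VerifyManifest(pub ed25519.PublicKey, body, sig []byte, installed string) (*Manifest, error) {
	if !ed25519.Verify(pub, body, sig) {
		return nil, fmt.Errorf("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, err
	}
	if err := checkNewer(m.Version, installed); err != nil {
		return nil, err
	}
	return &m, nil
}
```

The pinned publisher key is the one thing the agent must ship with; everything else (manifest bytes, signature, offered version) arrives over the update channel and is treated as untrusted until VerifyManifest returns without error.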

Network & infrastructure

  • Per-tenant VPC isolation; databases in private subnets with no public ingress
  • Web Application Firewall (WAF) at the marketing-site edge
  • Ingest endpoint is rate-limited per device-certificate
  • No public object storage buckets — all object access mediated by signed URLs
  • Centralised, tamper-evident audit logging retained for 12 months
  • Configuration as code (Terraform), versioned in Git, peer-reviewed before apply

Secure development lifecycle

  • All changes require pull-request review by at least one engineer other than the author
  • Automated checks block merges on: failing tests, lint, type errors, dependency audit, SAST scan, secret detection
  • Software Bill of Materials (SBOM) published with every release in CycloneDX format
  • Critical and high-severity vulnerabilities patched within 7 days; mediums within 30; lows on the next minor
  • Third-party penetration tests every quarter (rotating between an EU and a UK firm); results summarised under NDA
  • Annual red-team exercise scoped to the agent → ingest → dashboard chain

Incident response

  • 24×7 on-call rotation for SEV-1 and SEV-2 incidents
  • Documented response runbooks tested quarterly; post-mortems are blameless and published to the engineering org
  • Customers are notified within 36 hours of a confirmed personal-data breach, per the DPA
  • Status page at status.pulse.excis.com for operational issues; customer success contacts admins directly for incidents requiring action

Business continuity & disaster recovery

  • RPO: 15 minutes (asynchronous replication to Amsterdam)
  • RTO: 4 hours for the dashboard service; ingest tolerates indefinite agent buffering
  • DR is exercised end-to-end at least annually; partial drills quarterly
  • Critical vendors are reviewed annually for their own BC posture and exit strategy

People & vendors

  • Background checks on hire where lawful; signed confidentiality agreements for all personnel
  • Mandatory annual data-protection and secure-development training; phishing simulations quarterly
  • Sub-processors are listed publicly at /legal/subprocessors and added only after a documented vendor-security review

Coordinated vulnerability disclosure

We welcome reports from security researchers.

  • Email [email protected] — PGP key fingerprint 4A7D 9C2E 13F8 5BA1 6D04 C9B2 F8A1 3E7D 4C6B 91E5
  • Or use our security.txt
  • We acknowledge within 1 business day, give a remediation ETA within 5 business days, and recognise reporters publicly with their consent
  • Safe-harbour for good-faith research: no legal action against researchers who follow our policy

Reports & due-diligence requests

Available under NDA to current customers and prospects in active evaluation:

  • Current ISO 27001 certificate
  • SOC 2 Type II report (from H2 2026)
  • Penetration-test executive summary
  • SIG Core or CAIQ Lite questionnaires, pre-filled
  • SBOM for the current agent release
  • DPIA template, populated for a typical deployment

Request via your account manager or [email protected] — we respond within 5 business days.

© 2026 Excis Compliance Ltd. All rights reserved. Registered in England & Wales. Excis Pulse is a product of Excis Compliance Ltd.