Security

Last updated: 7 May 2026

Pulse handles financial data for UK company directors and accounting practices, so we treat security as a first-class feature, not a checklist. This page summarises the controls we have in place today.

Hosting & data residency

  • Application and database hosted on infrastructure with data centres in the UK and EU. Your data does not leave the UK/EU region.
  • Database backups are encrypted and retained for disaster-recovery purposes only.

Encryption

  • In transit: all traffic is served over HTTPS (TLS 1.2+). HSTS is enabled.
  • At rest: the database and backups are encrypted using AES-256.
  • OAuth tokens (Xero) are encrypted at the application layer before storage.

Authentication

  • Email + password with leaked-password checks against Have I Been Pwned.
  • Optional sign-in with Google.
  • Sessions use httpOnly cookies, are rotated on sign-in, and are revocable from your settings.

Access to your data

  • Row-level security (RLS) is enforced at the database level — every query runs as you, and the database refuses access to other users' data even if there were a bug in the application code.
  • Only a small number of FinanceJoy engineers have production database access, gated by single sign-on with hardware-backed 2FA. Access is logged.
  • We do not sell, rent, or share your data with advertisers.

Xero connection

  • We request read-only Xero scopes (offline_access, accounting.reports.read, accounting.transactions.read, accounting.contacts.read, accounting.settings.read). Pulse cannot post journals or modify your books.
  • You can disconnect Xero at any time from Settings → Connections; we revoke the refresh token and stop syncing.

Payments

Payments are processed by Paddle as Merchant of Record. Pulse never sees or stores your card details — they go directly to Paddle's PCI-DSS-compliant systems.

Your rights & controls

  • Download a copy of your data (JSON) from Settings → Danger zone → Download my data.
  • Delete your account and all associated data from Settings → Danger zone → Delete my account.
  • Cancel your subscription at any time from Settings → Billing.

Reporting a vulnerability

Found something that looks insecure? Email security@financejoy.co.uk with details and we'll respond within 2 working days. We don't currently run a paid bug-bounty programme, but we're happy to credit researchers who report issues responsibly.

Sub-processors & the rest

For a full list of the third parties we use to operate Pulse, see our sub-processor list. For details on what data we collect and why, see our Privacy Notice.