Security Overview

Access to PulseMark Field Diagnostic requires authentication. Users sign in to reach their organization’s workspace, and access is tied to the account and role that an organization grants. PulseMark uses access controls intended to keep each organization’s workspace limited to its authorized users.

The Service uses role-based access and organization scoping. A user’s role determines what they can see and do, and data is scoped to the organization it belongs to. These controls are intended to keep one organization’s projects and evidence separate from another organization’s.

At a high level, different roles have different access:

• Company Admin manages users, roles, and organization settings.
• Supervisor oversees diagnostic projects and review within the organization.
• Technician works on assigned projects and evidence within the organization.
• Outside providers connected through Provider Bridge receive scoped, revocable access to specific projects and are not OEM user seats.

Evidence uploaded to a project is stored and processed to support the diagnostic workflow. Supported evidence uploads include images, PDF, TXT, XML, CSV, and XLSX files; video and audio uploads are not supported as diagnostic evidence. Evidence is associated with the project and organization it belongs to, and access follows the same role and organization scoping as the rest of the Service.

Payments are handled by Stripe through Stripe-hosted checkout and Stripe’s billing systems. Payment card details are entered into Stripe-hosted checkout, and PulseMark does not collect or store full payment card numbers outside of Stripe’s systems. This keeps sensitive card handling with a dedicated payment processor.

PulseMark uses operational logging and monitoring to help operate the Service reliably and to detect and investigate issues. Logs capture operational and security-relevant activity, and PulseMark aims to keep operational logs free of sensitive evidence content. How log and operational data is handled is also described on the privacy page.

No system can be made completely secure, and PulseMark does not promise that the Service is immune from all risk. Security is a shared responsibility, and your organization plays an important part. You are responsible for:

• keeping account credentials secure and not sharing them;
• assigning appropriate roles and removing access when it is no longer needed;
• limiting Provider Bridge access to the projects an outside provider needs; and
• not submitting sensitive evidence through public contact forms.

If you believe you have found a security issue or have a security concern about the Service, please contact PulseMark through the contact page so the team can review it. PulseMark intends to look into reported security concerns and respond as appropriate.

This draft describes security practices, not certifications. PulseMark does not, on this page, claim any formal security or compliance certification, and nothing here should be read as a certification or a promise that the Service is free from all risk. Any future formal certification would be stated separately once achieved and approved.