Information security is an essential consideration for all IT organizations around the world. Security is always the first priority for our product and it’s constantly improved by ensuring that up-to-date technologies are used and that security policies are enforced for both staff and end-users. Pulseway utilizes industry-standard encryption, attack protection systems, security policies, and multi-factor authentication mechanisms to ensure security compliance.

Pulseway uses end-to-end encryption, which ensures that your private infrastructure information stays private and unauthorized access is prevented. All connections to Pulseway services are done with a fully encrypted communication based on RSA public/private key exchange and AES (256 Bit) session encoding. This is the current industry standard encryption algorithm used worldwide.

All communication messages are encrypted with AES (256 Bit) symmetric keys, which are sent via RSA public/private key exchange mechanism to guarantee that in the unlikely event of transport encryption failure, privacy is not compromised. Keys are automatically rotated on a controlled interval to prevent brute-force attacks also adding an extra layer of security against man-in-the-middle attacks.

A brute-force attack is a trial-and-error method used to guess account passwords. With the growing computing power of standard computers, the time needed for guessing long passwords has been increasingly reduced. Pulseway defends brute-force attacks by blocking multiple failed requests and increasing the timeout between failed requests.

All the Pulseway Windows and macOS agents and applications are signed using a Code Signing certificate to guarantee that the binaries have not been altered or compromised by a third party

We host our servers on US East Coast data centers providing high redundancy and lower latency.

The Datacenter complies with US federal regulations and industry standards - ISO Certification, LEED Certification, SOC 2, and Uptime Institute.

The Pulseway agents and client software do not require the opening of any inbound network ports. The solution only requires the HTTPS (TCP 443) outbound port to be available.

For enhanced security on the Pulseway mobile apps you can setup:

• PIN code mobile authentication (and Touch ID / Face ID where supported) to prevent unauthorized access to the monitored systems.
• Centralized device access control lists with the ability to remotely disable mobile devices.
• Default device access control list: Used for newly added systems, allowing you to deny access for all systems until you explicitly approve the new device.

Two-factor authentication (2FA) is an additional security layer that will require an additional step to access your account or perform certain operations.

2FA is mandatory for all instances. You will receive Push notifications on your mobile apps to approve authentication requests or can use a TOTP app (Time-based One-Time Passcode) like Google Authenticator, Authy, or 1Password.

When setting up 2FA, the system will also generate backup codes that can be used when all the other authentication methods are not available. Each backup code can only be used once.

Pulseway users who are part of the Administrators team will also secure the Pulseway instance by enforcing two-factor authentication for all user accounts.

All Pulseway commands are locally logged in the Application Windows Event Log and in the Pulseway Server database for auditing reasons. The account owner is notified via email every time a new mobile device or a web browser instance is registered on the account.

Both Pulseway infrastructure and the Pulseway software are subject to penetration tests on a regular basis. The tests are performed by our internal SaaS OPS team and also by independent companies, specializing in security testing.