Security & Data Handling

This page describes how Pulse of the Hill stores, transmits, and protects data. It is written for procurement and security reviewers at trade associations, government-affairs firms, and corporate GA teams.

Data we hold

Pulse of the Hill is a research platform built on public-record data: Senate LDA disclosures, Congress.gov bill data, committee hearing calendars, and a curated registry of announced Congressional fly-in events. We do not collect personally identifiable information from end-users beyond what is necessary to operate the service: account name, work email address, organization name, and product usage logs.

We do not sell customer data, share it with third parties for marketing, or use it to train machine-learning models — ours or anyone else’s.

Hosting & data residency

  • Application: Vercel, US regions only.
  • Database: Neon Postgres, US regions only.
  • Email delivery: Resend, US infrastructure.
  • No customer data is transferred outside the United States.

Encryption

  • In transit: TLS 1.2 or higher, enforced across all application endpoints. HTTPS-only; no plaintext HTTP fallback.
  • At rest: AES-256 encryption applied at the storage layer by our hosting providers (Vercel, Neon).
  • Secrets: API keys and credentials are stored as encrypted environment variables, never committed to source control.

Access controls

  • Production access is limited to the founder. Access is gated by SSO with multi-factor authentication enforced.
  • Customer accounts use email + password authentication today. SSO (SAML / OIDC) is on the roadmap for customers requesting it; we support a federated identity proof-of-concept on request during a pilot.
  • Internal access to customer data is logged. Access for support purposes happens only with customer consent during an active ticket.

Backup & disaster recovery

  • Database backups are taken continuously by Neon (point-in-time recovery, 30-day retention on production).
  • Application code and infrastructure-as-code are version-controlled in GitHub; the service can be re-deployed from source in under an hour.
  • Recovery Time Objective (RTO): 4 hours for full restoration. Recovery Point Objective (RPO): 1 hour for customer-account data.

Incident response

Production incidents that affect customer data confidentiality, integrity, or availability are communicated to affected customers via email within four hours of detection, with a follow-up post-incident review within seven days. We retain incident records for two years.

Vendor management

Our material subprocessors are Vercel (application hosting), Neon (database hosting), Resend (transactional email), Cloudflare (DNS and domain registration; no application traffic is proxied through their network), and Google Workspace (internal email and document storage). Each operates under its own SOC 2 Type II program. We do not use third-party analytics or session-replay tools.

SOC 2 roadmap

A SOC 2 Type II audit is scoped for fiscal year 2027. We are executing a readiness assessment in the interim. Procurement teams requiring a current attestation may request our subprocessor SOC 2 reports under NDA.

Reporting a security issue

To report a security vulnerability or suspected data incident, email security@pulseofthehill.com. We acknowledge reports within one business day. Please do not disclose vulnerabilities publicly before we have had an opportunity to investigate and respond.

Questions from procurement

We are happy to complete vendor security questionnaires (SIG Lite, CAIQ, or custom). Contact security@pulseofthehill.com with your form and required response window.

This page is reviewed quarterly. Last reviewed: May 2026.