Legal

Security.

OSHA Pulse runs on Microsoft Azure in US regions. Passwords are stored with BCrypt at cost 12. Authentication cookies are HttpOnly + Secure + SameSite=Strict. Every API and portal request is forced through a tenant-scoped data layer; cross-tenant reads are not possible by design. Every account-mutating action is recorded in a per-tenant audit log.

Outbound webhook deliveries are HMAC-signed with a per-tenant secret; inbound Stripe webhooks are signature-verified. Customer data is logically isolated and retained for a minimum of 90 days after cancellation before purge.

Report a vulnerability to security@oshapulse.com. For penetration-testing letters, our security questionnaire, or insurance certificates, the same address.