Security & Responsible Disclosure
What we can actually show you, verified against the live site itself rather than asserted from memory.
What is verifiably true today
- Every page is served over HTTPS with HSTS enforced (
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload) -- browsers are told to never fall back to plain HTTP. - A Content-Security-Policy is enforced site-wide, restricting which scripts, styles and frames are allowed to run on the page at all.
X-Frame-Options: SAMEORIGINblocks the site from being embedded in a hidden frame on another site (clickjacking protection).X-Content-Type-Options: nosniffstops browsers from guessing file types in a way attackers can abuse.- A Permissions-Policy blocks camera, microphone, geolocation and browsing-topics access by default on every page -- nothing on the site should ever need them.
- The site sits behind Cloudflare’s edge network.
- Every code change is scanned for accidentally-committed secrets (API keys, credentials) before it is allowed to publish -- this is a hard, automatic block, not a manual step someone can forget.
- The full site and its underlying code are automatically backed up (version-controlled) roughly every 15 minutes, so a bad edit or server failure does not mean lost history.
What we do not claim
BankPulse does not hold ISO 27001, SOC 2, or any other formal security certification today, and we do not describe ourselves as certified. A roadmap toward that kind of independently-audited assurance exists for when the business reaches the enterprise stage that would need it, but nothing is claimed before it is actually completed and verifiable.
Reporting a security issue
If you find a security issue on bankpulse.ai -- a data exposure, an authentication bypass, anything that shouldn’t be possible -- please email [email protected] with details and, if possible, steps to reproduce it. We read every message sent there and treat security reports as priority. Please do not publicly disclose a vulnerability before we have had a reasonable chance to fix it.