Security at ePulz.io
Monitoring is a trust business - you point us at your infrastructure and rely on us to tell the truth about it. This page describes, in plain language, how we protect your data and our platform. Last updated: 10.06.2026.
EU-only infrastructure
The entire platform runs on our own infrastructure in the European Union (Slovakia). Monitoring data never leaves the EEA and no US public cloud processes it. Multi-region probes are connected through isolated WireGuard tunnels.
Encryption
All traffic to and from ePulz.io is encrypted with TLS 1.3; HSTS is enabled and the domain has been submitted to the browser preload list. Passwords are stored as bcrypt hashes and are never logged.
Backups and recovery
The database is backed up daily with continuous WAL archiving, and a copy is replicated every day to a separate physical location. Restores are tested regularly - a backup that was never restored is not a backup.
Account protection
Accounts are protected by two-factor authentication (TOTP) with backup codes, strict rate limiting on login and password reset (per IP and per account), secure session cookies and a Content-Security-Policy with nonces across the whole application.
API and agent tokens
All tokens carry the epulzio_ prefix (easy to spot in leak scanners), have narrow scopes - an agent token can only fetch its own check list and submit results - and can be revoked in the dashboard at any time.
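A fixed prefix lets you check your own repositories and config directories for leaked tokens before anyone else finds them. The scanner below is an added example, not ePulz.io code: only the epulzio_ prefix comes from this page, while the token body alphabet, the 16-character minimum and the sample values are assumptions.

```python
import re
from pathlib import Path

PREFIX = "epulzio_"
# Assumption: only the prefix is documented; the body alphabet and the
# 16-character minimum are placeholders to adjust to real tokens.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_])epulzio_[A-Za-z0-9_-]{16,}")

def redact(token, keep=4):
    """Mask most of the token so the report does not re-leak the secret."""
    head = len(PREFIX) + keep
    return token[:head] + "*" * (len(token) - head)

def scan_text(text, source="<text>"):
    """Return (source, line_number, redacted_token) for each candidate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in TOKEN_RE.finditer(line):
            findings.append((source, lineno, redact(match.group(0))))
    return findings

def scan_tree(root, max_bytes=1_000_000):
    """Scan regular files under root, skipping .git and oversized files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if ".git" in path.parts or not path.is_file():
            continue
        if path.stat().st_size > max_bytes:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_text(text, str(path)))
    return findings

# Constructed sample input; the token value is made up.
SAMPLE = """\
[agent]
token = epulzio_Zk3vQ9xLmT2aB7cD8eF0gH1j
# docs mention the epulzio_ prefix but contain no token
url = https://example.invalid/?t=epulzio_short
"""

if __name__ == "__main__":
    for source, lineno, token in scan_text(SAMPLE, "agent.conf"):
        print(f"{source}:{lineno}: {token}")
```

Any hit should be treated as a leaked credential: revoke the token in the dashboard and issue a new one rather than only deleting the file.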
LAN agent
The agent is a single ~600-line Python file (standard library only) that you can read before running. It communicates outbound-only over HTTPS and runs as an unprivileged user under systemd sandboxing. Details: How the LAN agent works.
Who watches the watchmen
The platform monitors itself from multiple nodes, and an independent probe in a separate location checks ePulz.io every minute from outside our network. Current status is public at status.epulz.io.
Responsible disclosure
Found a vulnerability? Tell us at [email protected] - we respond quickly, fix faster and credit researchers who report responsibly. We do not take legal action against good-faith security research. Details: security.txt.
Compliance
ePulz.io is operated under GDPR by an EU company. We do not currently hold SOC 2 or ISO 27001 certification - we are a small European company and say so openly; certifications are planned as we grow. Related documents: Privacy policy (GDPR) · Sub-processors · DPA.