Security is the product.
Compliance is the proof.
PulseADT is built to the standards we expect every customer to enforce. This page shows exactly where we stand on every framework - no marketing, no hedging.
Where we are.
Where we are going.
Every framework below is tracked openly. Status reflects the current programme stage - not where we want to be, but where we actually are. We update this page as progress is made.
Service Organisation Control 2 - security, availability, processing integrity, confidentiality, and privacy trust service criteria.
International standard for information security management systems covering risk treatment, controls, and continuous improvement.
Nigeria Data Protection Regulation - lawful processing, data subject rights, breach notification, and third-party processor obligations.
Payment Card Industry Data Security Standard - requirements for handling cardholder data, encryption, access controls, and monitoring.
General Data Protection Regulation - lawful basis for processing, data minimisation, subject rights, DPO appointment, and cross-border transfers.
Central Bank of Nigeria IT and Cybersecurity Standards for financial institutions - risk frameworks, incident response, and data governance.
Health Insurance Portability and Accountability Act - safeguards for protected health information, BAA requirements, and breach notification.
Nigerian Communications Commission cybersecurity guidelines for licensed telecom operators covering network security, data protection, and incident response.
National IT Development Agency directives on data governance, audit obligations, and breach notification for technology companies operating in Nigeria.
What we do to
protect your data.
Encryption at Rest & in Transit
All customer data is encrypted at rest using AES-256. All data in transit is protected via TLS 1.3. Key management uses envelope encryption with separate data encryption keys per customer tenant.
Data Residency
Customers can select their storage region. Data is not replicated outside the selected region without explicit opt-in. Replication logs are cryptographically signed and available on request.
Access Controls
Internal access to production systems requires hardware MFA and is granted via just-in-time approval workflows. All access is logged, attributed, and reviewed on a rolling 30-day basis.
Penetration Testing
External penetration testing is conducted annually by an independent third party. Internal red team exercises run quarterly. Findings are publicly summarised after remediation is complete.
Vulnerability Disclosure
PulseADT operates a responsible disclosure programme. Security researchers can report vulnerabilities via security@glemad.com. We acknowledge receipt within 24 hours and resolve critical findings within 14 days.
Incident Response
A documented incident response playbook is maintained and tested every quarter. Breach notification obligations are tracked to the strictest applicable regulation. Customers are notified within 72 hours of confirmed incidents affecting their data.
Third parties
we trust with your data.
We contractually bind all sub-processors to the same data protection standards we apply internally. This list covers infrastructure, communications, and operational tooling where customer data may be processed.
For a complete and current sub-processor list or data processing agreement, contact privacy@glemad.com.
Questions about
our security posture?
Enterprise customers can request our security questionnaire responses, penetration test executive summaries, and data processing agreements. Contact our security team directly.