Security & Privacy
Pulse Endpoint is designed with security in mind. Here is a complete breakdown of how data is handled in transit and at rest.
Data Collected
The device heartbeat transmits only the following fields. No telemetry, performance metrics, user activity, keystrokes, browsing data, or personally identifiable information beyond the license email is ever sent.
| Field | Example | Purpose |
|---|---|---|
| license_email | admin@acme.com | Associates device to license |
| hardware_uuid | a3f8c1...(HMAC-SHA256) | Hashed device identifier for seat counting |
| app_version | 1.0.0 | Pulse Endpoint version for update tracking |
| license_type | pulse_250 | License tier for fleet management |
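One way to check a heartbeat body captured in your own test environment against the four fields in the table above. This is an added example, not Pulse Endpoint code. It assumes the body is a JSON object and that the HMAC-SHA256 value is hex-encoded, neither of which this page states. The sample bodies are constructed.

```python
import json
import re

# Field names taken from the "Data Collected" table.
DOCUMENTED_FIELDS = {"license_email", "hardware_uuid", "app_version", "license_type"}
# HMAC-SHA256 output is 32 bytes; hex encoding (64 characters) is an assumption.
HMAC_SHA256_HEX = re.compile(r"[0-9a-f]{64}", re.IGNORECASE)
# An unhashed UUID (8-4-4-4-12 hex groups) should not appear in any field.
RAW_UUID = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.IGNORECASE)


def audit_heartbeat(body: str) -> list:
    """Return a list of findings; an empty list means the body matches the table."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc.msg}"]
    if not isinstance(payload, dict):
        return ["body is not a JSON object"]

    findings = []
    for name in sorted(set(payload) - DOCUMENTED_FIELDS):
        findings.append(f"undocumented field: {name}")
    for name in sorted(DOCUMENTED_FIELDS - set(payload)):
        findings.append(f"missing documented field: {name}")
    for name, value in payload.items():
        if not isinstance(value, str):
            findings.append(f"{name}: non-string value (nested data is not documented)")
        elif RAW_UUID.search(value):
            findings.append(f"{name}: contains an unhashed UUID")

    digest = payload.get("hardware_uuid")
    if (isinstance(digest, str) and not RAW_UUID.search(digest)
            and not HMAC_SHA256_HEX.fullmatch(digest)):
        findings.append("hardware_uuid: not a 64-character hex digest")
    return findings


# Constructed sample bodies (not captured from the product).
SAMPLE_OK = json.dumps({"license_email": "admin@acme.com", "hardware_uuid": "ab" * 32,
                        "app_version": "1.0.0", "license_type": "pulse_250"})
SAMPLE_BAD = json.dumps({"license_email": "admin@acme.com", "app_version": "1.0.0",
                         "hardware_uuid": "0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0",
                         "license_type": "pulse_250", "hostname": "ceo-macbook"})

if __name__ == "__main__":
    for label, body in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, audit_heartbeat(body))
```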
Encryption in Transit
- TLS 1.2+ — All heartbeat communication uses HTTPS. macOS App Transport Security enforces a minimum of TLS 1.2 for all connections.
- Certificate validation — Pulse Endpoint uses the system trust store to validate server certificates. Connections to endpoints with invalid or expired certificates are rejected.
- No plaintext fallback — HTTP connections are never attempted. The endpoint enforces HTTPS with automatic redirect.
Encryption at Rest
- Server-side — Device activation records are stored in a PostgreSQL database with AES-256 encryption at rest.
- Client-side — The license key is stored in macOS UserDefaults (com.qlabs.pulse.plist), protected by macOS file permissions and FileVault disk encryption when enabled.
- License key format — License keys are cryptographically signed (RSA-2048, SHA-512) to prevent tampering. The signature is verified locally against an embedded public key.
Network Requirements
Pulse Endpoint sends a lightweight heartbeat to the licensing server once every 24 hours for device visibility and fleet management. It is fire-and-forget and never blocks the app.
Heartbeat Endpoint
https://licensing.pulseformac.dev/api/heartbeat
- Protocol: HTTPS (port 443)
- Frequency: Once every 24 hours
- Required: No — if blocked, Pulse Endpoint continues to function normally. A warning appears after 30 days.
If your environment uses a web proxy or firewall, ensure licensing.pulseformac.dev is allowlisted. This is the only external endpoint Pulse Endpoint contacts (apart from any Splunk HEC URLs you configure).