Security-first by design. ReviewPulse is built on Microsoft Azure
(West Europe region, based in the Netherlands) and inherits the security certifications
of the underlying infrastructure. We apply defence-in-depth at every layer of the application.
Infrastructure & hosting
ReviewPulse runs on Microsoft Azure App Service (Linux) with
Azure SQL as the managed database. Azure's data centres in the
Netherlands (West Europe region) are certified to:
ISO/IEC 27001
SOC 2 Type II
ISO/IEC 27018
NEN 7510 (NL)
These certifications cover Microsoft's physical infrastructure, data centres, and
platform services. ReviewPulse the application has not independently pursued
SOC 2 or ISO 27001 certification at this time. Enterprise customers requiring
detailed security documentation can request our security questionnaire at
contact@classroomcreatives.nl.
Application security
HTTPS everywhere
All traffic is encrypted in transit via TLS 1.2+. Plain HTTP is rejected. HSTS is enforced.
CSRF protection
Every form and AJAX request is protected by a Flask-WTF CSRF token. All mutation endpoints
require it.
Rate limiting
Login, registration, password reset, and file upload endpoints are rate-limited to prevent
brute-force and abuse.
Upload controls
File uploads are restricted to specific extensions (CSV, XLSX, JSON). Maximum 32 MB per
upload.
Access controls
Multi-tenant isolation: each billing organisation is scoped. Regular users can only access
their assigned property.
Password security
Passwords are hashed with bcrypt (Flask-Bcrypt). We never store or log plain-text passwords.
Secure cookies
Session cookies are HttpOnly, SameSite=Lax, Secure in production. Remember-me cookies expire
after 30 days.
Security headers
X-Frame-Options: DENY, Referrer-Policy, and HSTS headers are set via Flask-Talisman on all
responses.
Data encryption
- In transit: TLS 1.2+ for all client-server communication. Azure App Service
enforces HTTPS at the load balancer.
- At rest: Azure SQL uses Transparent Data Encryption (TDE) with AES-256, enabled
by default. Database backups are also encrypted.
- Secrets: API keys, database credentials, and the application secret key are
stored as Azure Application Settings (environment variables), never hardcoded or committed to
source control.
- Payments: Payment processing is handled entirely by Mollie. ReviewPulse never
stores card numbers or payment credentials. Mollie webhook signatures are verified using HMAC
before any processing occurs.
GDPR & data residency
- Data location: All data is stored in Azure West Europe (Amsterdam, Netherlands)
— within the EU.
- Data minimisation: We collect only what is needed to operate the service. Guest
reviews are customer-uploaded data; we process them on your behalf as a data processor.
- Retention: Data is automatically purged 30 days after account closure. Active
accounts are never subject to automated deletion.
- DPA: A Data Processing Agreement is available and must be accepted before using
paid features. View the DPA →
- Your rights: Access, rectification, erasure, and portability requests can be
submitted to contact@classroomcreatives.nl. We respond
within 30 days.
AI & LLM processing
ReviewPulse uses a Large Language Model (currently Azure OpenAI GPT-4, hosted in the EU)
to extract operational issues from guest reviews and generate reply suggestions.
- Review text is sent to the LLM only when you explicitly trigger an analysis or reply generation.
- LLM outputs are used only to populate your dashboard — they are never sold or shared.
- Azure OpenAI does not use your data to retrain models (per the Azure OpenAI Data, Privacy, and
Security documentation).
- LLM token usage is tracked per user and organisation for cost management purposes only.
Monitoring & incident response
- Request performance is logged (endpoint, duration, status code) to detect anomalies.
- Failed login attempts are logged. Accounts are not locked but rate limiting applies.
- Payment webhook failures are tracked, retried automatically, and escalated to the platform
administrator after 5 failed attempts.
- In the event of a data breach affecting personal data, we will notify the Dutch Data Protection
Authority (Autoriteit Persoonsgegevens) within 72 hours and affected users without undue delay,
as required by GDPR Art. 33–34.
Responsible disclosure
If you believe you have found a security vulnerability in ReviewPulse, please report it
responsibly before public disclosure. We will acknowledge receipt within 5 business days
and work with you to resolve the issue.
Contact:
contact@classroomcreatives.nl
· Subject: Security Report
We do not have a formal bug bounty programme at this time, but we sincerely appreciate
responsible researchers who help keep ReviewPulse secure.