Policy - 5 February 2026

How Public Pulse protects government data

A detailed look at the security architecture, compliance certifications, and data sovereignty commitments that underpin every aspect of Public Pulse.

By Public Pulse

Parliamentary offices handle some of the most sensitive correspondence in the country. Constituent enquiries, ministerial briefs, policy discussions, and case notes all flow through these offices daily. When we built Public Pulse, we started with one question: how do you build a platform that government offices can trust with this data?

Australian data sovereignty

All Public Pulse data is hosted in Australia. No constituent data, correspondence, or knowledge base content is ever processed or stored offshore. Our infrastructure runs on Australian data centres, and our AI embedding models are hosted domestically. This is not a configuration option - it is the architecture.

Tenant isolation

Every organisation on Public Pulse is fully isolated at the database level using row-level security policies. One office cannot see, query, or access another office's data under any circumstances. This isolation extends to the AI pipeline - knowledge bases, embeddings, and generated drafts are all scoped to the individual organisation.

Encryption

Data is encrypted at rest using AES-256 and in transit using TLS 1.3. Sensitive fields - including constituent personal details and case notes - use additional application-level encryption with per-organisation keys. Encryption keys are managed through a dedicated key management service and are never stored alongside the data they protect.

AI safety and data handling

No constituent data is ever used to train AI models. Our AI pipeline uses retrieval-augmented generation (RAG) to ground every draft in your office's knowledge base - it does not learn from or retain the data it processes. All AI-generated content is logged in an immutable audit trail with full attribution to the source documents used.

Compliance and certifications

Public Pulse is ISO 27001 certified and CASA Tier 2 assessed. The platform is designed to comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles, and the Notifiable Data Breaches scheme. We conduct regular penetration testing through independent third parties, and our security practices are audited annually.

Access control and audit logging

Public Pulse uses role-based access control with four permission levels: admin, staff, user, and assistant. Every action on the platform - draft creation, approval, edit, send, and deletion - is recorded in a comprehensive audit log that cannot be modified or deleted. Offices can review exactly who did what, and when.

Responsible disclosure

We welcome responsible security research. If you discover a vulnerability in Public Pulse, please report it to security@publicpulse.com. We commit to acknowledging reports within 24 hours and providing a resolution timeline within 72 hours.