Trust · Compliance
Trust & compliance
Last updated: 2026-06-11
One place that summarises how XenithPulse handles data across every product we ship — the consumer EOS Companion app, our B2B ERP, POS, and commerce suites, and the per-tenant integrations we operate for clients. The Company sections apply everywhere; each product has its own compliance tab.
Courts of Doha, Qatar
Response within 30 days
MongoDB Atlas (AWS us-east-1)
Render (us-east region)
Bcrypt password hashing · secrets vaulted
Who you're dealing with
XenithPulse (operating as XenithPulse Software) is a software company operating from Doha, Qatar. The team has been shipping production software since 2024.
XenithPulse Software is currently operated as a sole proprietorship and is not yet incorporated as a separate legal entity. We disclose this rather than imply otherwise. When the entity is formally incorporated, this page and our customer contracts will be updated and customers notified through release notes.
Our principal point of contact for any legal, privacy, or security matter is WhatsApp +974 55911793.
Governing law & dispute resolution
All customer-facing contracts and policies are governed by the laws of the State of Qatar, with exclusive venue in the Courts of Doha, Qatar for any dispute arising out of or relating to those contracts or our products.
Without prejudice to any mandatory consumer-protection rights you have under the laws of your country of habitual residence (including, where applicable, the European Union and the United Kingdom).
Qatar was selected as the governing-law jurisdiction because our principal place of business and operations sit there today. This is a conservative, transparent choice; it does not attempt to claim a tax or regulatory residence we do not have.
Infrastructure & data location
Where your data physically lives matters. Production infrastructure for our hosted products runs on:
- Compute: Render (us-east region)
- Database: MongoDB Atlas (AWS us-east-1)
- Object storage: AWS S3 (us-east-1)
- Realtime: Pusher Channels (eu / ap clusters depending on tenant)
- Push delivery: Apple APNs, Google FCM, Expo Application Services
Where personal data of users in the EU/EEA, the UK, or other jurisdictions with cross-border transfer rules is moved outside their region, transfers are made under Standard Contractual Clauses (SCCs) with each sub-processor.
Sub-processors
We use third-party sub-processors only where necessary to deliver the service. Each is bound by contract to act on our instructions and to apply security controls at least as protective as our own.
| Sub-processor | Purpose | Region |
|---|---|---|
| Render | Application compute, deployment | us-east |
| MongoDB Atlas | Primary database for tenant data | AWS us-east-1 |
| Amazon Web Services | Object storage, logs, secrets | us-east-1 |
| Pusher Channels | Realtime event delivery (opaque payloads) | eu / ap |
| Expo Application Services | Push token vending for the EOS Companion app | us |
| Apple APNs | Push notification delivery to iOS devices | global |
| Google FCM | Push notification delivery to Android devices | global |
| Stripe | Payment processing for paid B2B subscriptions | us / eu |
| Meta Platforms (WhatsApp Business) | Customer messaging on tenants that opt in | global |
Security practices
- All traffic encrypted with TLS 1.2 or higher.
- Passwords stored as bcrypt hashes; plaintext never written or logged.
- Multi-tenant isolation enforced server-side from the JWT — never from the URL or a client-supplied header.
- Production secrets held in a managed secret store and rotated on a scheduled basis.
- Network CRUD payloads are binary-schema compressed (~60% smaller than equivalent JSON), reducing the attack surface for replay-based exfiltration.
- Account-deletion intents on the EOS Companion app are signed with HMAC-SHA256 and bound to a username, tenant, and short expiry window.
Security disclosures should be sent via WhatsApp +974 55911793. Please do not file public issues for security bugs.
EOS Companionlive
Free, read-only mobile companion to the Banquet ERP — a public iOS + Android app for venue owners and on-floor staff.
XenithPulse is the data controller. This product has its own public privacy policy and terms on this site.
Banquet & Event Management ERPlive
B2B web ERP for banquet halls and event venues. Licensed to organisations per tenant.
The customer organisation is the data controller; XenithPulse Software acts as the data processor under the per-tenant agreement / DPA.
E-commerce Suite Managementlive
Storefront, B2B and back-office commerce platform. Licensed to merchants per tenant.
The customer organisation is the data controller; XenithPulse Software acts as the data processor under the per-tenant agreement / DPA.
Business Suite Managementavailable
Unified admin console for sales, billing and finance. Licensed to organisations per tenant.
The customer organisation is the data controller; XenithPulse Software acts as the data processor under the per-tenant agreement / DPA.
Restaurant POSlive
Multi-user restaurant point of sale. Licensed to operators per tenant.
The customer organisation is the data controller; XenithPulse Software acts as the data processor under the per-tenant agreement / DPA.
Windows Thermal Printer Servicelive
On-premise ESC/POS printing bridge. Runs entirely on the user's machine; no personal data is sent to our servers.
Runs on-premise on the user's own machine. No personal data is transmitted to XenithPulse Software, so there is no controller/processor relationship for hosted data.
School ERP (eSM)development
Academic and administrative lifecycle ERP for schools. In development; licensed per tenant.
The customer organisation is the data controller; XenithPulse Software acts as the data processor under the per-tenant agreement / DPA.
Client-hosted policies
We host individual privacy / usage policies on behalf of clients who use our messaging or POS infrastructure to communicate with their own customers. These pages are the client's policy (the client is the data controller); we are listed as a sub-processor.