Trust & compliance

XenithPulse (operating as XenithPulse Software) is a software company operating from Doha, Qatar, with an additional presence in Doha, Qatar. The team has been shipping production software since 2024.

XenithPulse Software is currently operated as a sole proprietorship and is not yet incorporated as a separate legal entity in either jurisdiction. We disclose this rather than imply otherwise. When the entity is formally incorporated, this page and our customer contracts will be updated and customers will be notified through release notes.

Our principal point of contact for any legal, privacy, or security matter is admin@xenithpulse.com.

All customer-facing contracts and policies are governed by the laws of the State of Qatar, with exclusive venue in the Courts of Doha, Qatar for any dispute arising out of or relating to those contracts or our products.

Without prejudice to any mandatory consumer-protection rights you have under the laws of your country of habitual residence (including, where applicable, the European Union and the United Kingdom).

Pakistan was selected as the governing-law jurisdiction because our primary operations, our production infrastructure, our flagship customers, and the founding team all sit there today. This is a conservative, transparent choice; it does not attempt to claim a tax or regulatory residence we do not have.

Where your data physically lives matters. Production infrastructure for our hosted products runs on:

• Compute: Render (us-east region)
• Database: MongoDB Atlas (AWS us-east-1)
• Object storage: AWS S3 (us-east-1)
• Realtime: Pusher Channels (eu / ap clusters depending on tenant)
• Push delivery: Apple APNs, Google FCM, Expo Application Services

Where personal data of users in the EU/EEA, the UK, or other jurisdictions with cross-border transfer rules is moved outside their region, transfers are made under Standard Contractual Clauses (SCCs) with each sub-processor.

We use third-party sub-processors only where necessary to deliver the service. Each is bound by contract to act on our instructions and to apply security controls at least as protective as our own.

• All traffic encrypted with TLS 1.2 or higher.
• Passwords stored as bcrypt hashes; plaintext never written or logged.
• Multi-tenant isolation enforced server-side from the JWT — never from the URL or a client-supplied header.
• Production secrets held in a managed secret store and rotated on a scheduled basis.
• Network CRUD payloads are binary-schema compressed (~60% smaller than equivalent JSON), reducing the attack surface for replay-based exfiltration.
• Account-deletion intents on the EOS Companion app are signed with HMAC-SHA256 and bound to a username, tenant, and short expiry window.

Security disclosures should be sent to security@xenithpulse.com. Please do not file public issues for security bugs.

Different products carry different obligations because they serve different audiences. The matrix below maps each product to its scope, its primary contract surface, and the policy/contact you should reach for.

We host individual privacy / usage policies on behalf of clients who use our messaging or POS infrastructure to communicate with their own customers. These pages are the client's policy (the client is the data controller); we are listed as a sub-processor.

• Château D'amour — WhatsApp Communication Policy

• Privacy Policy (EOS Companion)
• Terms of Service (EOS Companion)
• Account deletion
• Client support