The Helodata Trust Center
Live operating commitments, our audit roadmap, and how to report a vulnerability. Last updated: .
Live today
These are not aspirations. They are how Helodata operates today, every day — verifiable by any customer, partner, or auditor.
Opt-in peer network
Every residential IP in our network comes from a fully opted-in peer. Peers receive clear disclosure, can audit their own participation, and revoke access at any time. Zero covert collection. Zero deception.
KYC on every account
No anonymous access, no exceptions. Every account — including free trials — goes through Know Your Customer verification before receiving credentials. We deny accounts where the use case fails our Acceptable Use Policy at intake.
TLS 1.3 in transit, AES-256 at rest
All traffic between customers, our gateway, and exit nodes is encrypted with TLS 1.3 (no fallbacks to weaker ciphers). Operational data at rest is encrypted with AES-256. Customer credentials are hashed with industry-standard KDFs and never logged in plaintext.
Minimal logs with auto-expiry
We collect the minimum operational data required to bill, debug, and prevent abuse. Request logs auto-expire on a defined retention schedule. We do not sell, share, or license customer request data to any third party. Ever.
Public Acceptable Use Policy
Our AUP is published, plain-English, and enforced. Prohibited uses include attacks, fraud, CSAM, sensitive PII harvest, and copyright infringement.
Read the full policy →
Vulnerability disclosure with 3-day response SLA
We publish a Vulnerability Disclosure Policy and operate security@helodata.com. Researchers acting in good faith receive an acknowledgment within 3 business days, with safe harbor protection. See "Report a vulnerability" below.
On the roadmap
We commit to specific, dated milestones — not vague “coming soon” language. This section will be updated quarterly with progress.
SOC 2 Type II audit — kickoff Q3 2026
We are preparing to enter the SOC 2 Type II observation period in Q3 2026. Type II requires a 6-12 month observation window plus auditor review, so formal attestation is targeted for late 2027. Until then, we are happy to share our SOC 2 readiness self-assessment and security control documentation with enterprise customers under NDA.
ISO/IEC 27001 readiness — H1 2027
ISO 27001 gap assessment scheduled for H1 2027, following SOC 2 control maturity. We are not claiming this certification today.
Public bug bounty program — after VDP maturity
A formal bug bounty program (with monetary rewards and a managed platform) is on the roadmap once our VDP has 12+ months of operational data. In the meantime, recognized researchers receive public acknowledgment in our hall-of-fame upon request.
Compliance and data protection
Data Processing Addendum (DPA) availability
We provide DPAs covering GDPR, UK GDPR, CCPA, and PIPL on request. Standard Contractual Clauses (2021 EU SCCs) and the UK International Data Transfer Addendum are incorporated by reference where applicable.
To request a DPA, email compliance@helodata.com with your entity name, jurisdiction, and use case.
Data residency
Operational request logs are stored in our primary infrastructure region. The specific region and provider are disclosed to enterprise customers under NDA as part of the DPA process.
We do not currently offer customer-selectable data residency. If your deployment has hard residency requirements (specific region pinning, sovereign cloud), please raise this during procurement and we will scope the engagement accordingly.
Data minimization
We collect what we need to operate the network: account identity (KYC), billing data, and per-request operational metadata for the contractual retention window. We do not collect, retain, or analyze the response content (HTML, JSON, etc.) you fetch through our network.
Sub-processors
A current list of sub-processors — covering infrastructure, payment, KYC vendor, and observability — is available on request via compliance@helodata.com. We commit to 30 days advance notice before adding or replacing a material sub-processor for customers under DPA.
Security operations
Encryption
- In transit: TLS 1.3 between customer, gateway, and exit nodes
- At rest: AES-256 for all operational stores
- Credentials: never stored or logged in plaintext; hashed with modern KDFs
Access control
- Production access is role-based, MFA-enforced, and audit-logged
- Principle of least privilege; no shared admin accounts
- Privileged access reviews on a quarterly cadence
Incident response
We maintain an internal incident response runbook covering detection, triage, containment, customer notification, and post-incident review. Notification timelines for incidents affecting customer data are governed by the applicable DPA (typically 72 hours under GDPR Art. 33).
Report a vulnerability
We welcome reports of security vulnerabilities from researchers, customers, and the wider community. This section is our public Vulnerability Disclosure Policy (VDP).
Scope
In scope:
- helodata.com and all subdomains
- Helodata API endpoints (api.helodata.com, *.helodata.com gateways)
- Customer dashboard and authentication flows
- Helodata-published SDKs (Python, Node.js, Go, Java)
How to report
Email security@helodata.com with:
- A clear description of the vulnerability
- Steps to reproduce
- Affected URL, endpoint, or version
- Your name or alias for acknowledgment (optional)
PGP key available on request. We accept reports in English and Chinese.
What we commit to
- Acknowledgment of your report within 3 business days
- Initial triage assessment within 7 business days
- Regular status updates until resolution
- Public acknowledgment in our hall-of-fame upon request and your consent
- No legal action against good-faith researchers (see Safe Harbor below)
Out of scope
The following are not eligible for VDP submission:
- Denial of service attacks (volumetric DoS, application-layer DoS)
- Social engineering of Helodata employees, contractors, or peers
- Physical attacks against Helodata facilities or staff
- Vulnerabilities in third-party services we do not control
- Self-XSS that requires the victim to paste content
- Reports based solely on automated scanner output without analysis
Safe harbor
We will not pursue legal action, file a complaint, or initiate law enforcement involvement against researchers who:
- Make a good-faith effort to comply with this policy
- Avoid privacy violations, service degradation, and data destruction
- Give us a reasonable time to respond before public disclosure (we suggest 90 days from acknowledgment, longer for complex issues)
If in doubt, ask us at security@helodata.com before testing.
Ethical IP sourcing
Our residential IP pool exists because real people choose to share their device’s idle bandwidth in exchange for a free service or compensation. This is the foundation of our trust model.
How peers join
Peers join exclusively through clearly-disclosed, opt-in onboarding flows in partner applications. The disclosure explains: what is shared (idle bandwidth), what is not shared (personal data, device contents, location beyond IP region), and how to leave.
Peer rights
Every peer can:
- View their participation status at any time
- See aggregate bandwidth contribution
- Pause participation
- Permanently revoke and remove their IP from the network
Revocation is honored within 24 hours of request.
Zero PII
We collect no personally identifying information from peer nodes. We do not track browsing, capture device contents, or correlate peer identity with traffic flowing through them.
Request documentation
The following documents are available on request to enterprise customers and prospective customers under NDA:
- SOC 2 readiness self-assessment (current)
- Security controls overview
- Sub-processor list
- DPA (GDPR, UK GDPR, CCPA, PIPL versions)
- KYC procedure overview
- Incident response runbook (summary)
- Insurance certificates (cyber, E&O)
To request, email compliance@helodata.com with:
- Your company name
- Document(s) requested
- Brief description of the use case
- Whether you have an existing NDA with Helodata or need one
We respond within 2 business days during the week.
Questions?
- For security issues: security@helodata.com
- For compliance & DPA: compliance@helodata.com
- For sales & enterprise: sales@helodata.com
- For everything else: Contact us →