Security & compliance

A proxy network built for compliance.

Encryption, least privilege, and KYC are baked into every layer — from peer onboarding to API calls. We are a 2022-founded, self-funded company operating to SOC 2 / ISO 27001 framework controls; our first independent audit is in preparation. This page is detailed enough to fill out a Vendor Risk Questionnaire — bring the rest to your InfoSec team.

Our security philosophy

Security is not a feature, it is a continuous operational practice. Our security engineers publish a monthly internal 'security water level' report quantifying key controls: median patch lag, production access denial rate, annual security training completion, last quarter's internal audit findings opened vs closed. The CTO and CEO review this monthly.

Zero trust is the floor, not a slogan: we don't assume the internal network is safe; every service-to-service call uses mTLS; every employee production access requires SSO + hardware key + ticketed approval + time-bound ephemeral credentials; persistent credentials trigger alerts.

Threat modeling is open: every new feature ships its Threat Model doc internally; customers under NDA can request the version covering features they use.

Compliance frameworks & status

SOC 2 (framework-aligned)

The team operates to the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity). The first independent audit is in preparation. Until the audit completes we publish our current control map and gap list under NDA — we do not claim certified status.

ISO/IEC 27001 (framework-aligned)

Full ISMS mapped to ISO 27001:2022 controls; certification preparation in progress. We do not claim certified status until the BSI / equivalent registry lists us.

GDPR + UK GDPR

Full DPA, SCC Modules 2/3, IDTA, and TIA documents are ready and signable. EU/UK data-subject requests are handled to the GDPR 30-day standard.

CCPA / CPRA

California 'right to be forgotten', portability, and 'do not sell' workflows handled via dashboard and privacy@helodata.com.

PCI scope minimisation

All payments processed by Stripe (PCI-DSS Level 1 processor). We are SAQ-A scope and never touch raw PANs.

PIPL / DSL / CSL

Mainland China customers: cross-border transfer handled per PIPL Chapter III; SCC standard contracts available.

Encryption

  • In transit: TLS 1.3 enforced; TLS 1.2 only as compatibility fallback; TLS 1.0/1.1 fully deprecated
  • Cipher suites: ChaCha20-Poly1305, AES-256-GCM; configured per Mozilla Modern
  • Certificate transparency: all public certs logged to CT; wildcard certs phased out
  • mTLS: internal service-to-service uses mutual TLS based on SPIFFE identities
  • At rest: AES-256-GCM; PostgreSQL with TDE; S3 with SSE-KMS
  • Key management: AWS KMS multi-region + HSM (FIPS 140-2 Level 3); keys auto-rotated every 90 days; least-privilege bound to job role
  • Sensitive fields: KYC documents and bank accounts use AWS KMS envelope encryption plus application-layer deterministic encryption
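
The transport and mTLS bullets above describe a policy rather than a configuration. The following Go program, added here as an illustration and not code from this company, shows what that policy looks like in crypto/tls: a server config that refuses TLS 1.0/1.1, keeps TLS 1.2 only as a fallback with the AEAD suites named above (Go fixes the TLS 1.3 suites itself), requires a client certificate, and then pins the verified leaf to a single SPIFFE trust domain via its URI SAN. The trust domain `example.internal`, the workload path, and the self-signed `mintLeaf` issuer are constructed assumptions; a real deployment would take certificates from its workload identity issuer and a CA pool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// trustDomain is an assumed SPIFFE trust domain; the page names none.
const trustDomain = "example.internal"

// policyConfig builds a server tls.Config for the stated policy: TLS 1.3 when
// the peer supports it, TLS 1.2 as fallback, TLS 1.0/1.1 refused, TLS 1.2
// suites limited to AES-256-GCM and ChaCha20-Poly1305, client certs required
// and pinned to one SPIFFE trust domain after normal chain validation.
func policyConfig(pool *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  pool,
		// Called after the chain check; chains[0][0] is the verified leaf.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if len(chains) == 0 || len(chains[0]) == 0 {
				return errors.New("no verified client chain")
			}
			_, err := spiffeIDFromCert(chains[0][0], trustDomain)
			return err
		},
	}
}

// spiffeIDFromCert accepts a leaf only if it carries exactly one spiffe://
// URI SAN, in trust domain td, with a non-empty workload path.
func spiffeIDFromCert(leaf *x509.Certificate, td string) (string, error) {
	var found []*url.URL
	for _, u := range leaf.URIs {
		if u.Scheme == "spiffe" {
			found = append(found, u)
		}
	}
	if len(found) != 1 {
		return "", fmt.Errorf("expected exactly one spiffe:// URI SAN, got %d", len(found))
	}
	id := found[0]
	if id.Host != td {
		return "", fmt.Errorf("trust domain %q is not %q", id.Host, td)
	}
	if strings.TrimPrefix(id.Path, "/") == "" {
		return "", fmt.Errorf("spiffe id %q has no workload path", id)
	}
	return id.String(), nil
}

// mintLeaf issues a self-signed, short-lived cert carrying spiffeID as a URI
// SAN. It is a stand-in for a real SPIFFE issuer (constructed for this example).
func mintLeaf(spiffeID string, ttl time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	uri, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "workload"},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{uri},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed identities: one in-domain, one from a foreign trust domain.
	for _, id := range []string{"spiffe://example.internal/ns/proxy/sa/gateway", "spiffe://other.example/ns/proxy/sa/gateway"} {
		leaf, err := mintLeaf(id, 8*time.Hour)
		if err != nil {
			panic(err)
		}
		got, err := spiffeIDFromCert(leaf, trustDomain)
		fmt.Printf("%-46s accepted=%v id=%q err=%v\n", id, err == nil, got, err)
	}
	cfg := policyConfig(x509.NewCertPool())
	fmt.Printf("min version 0x%04x, %d TLS 1.2 suites\n", cfg.MinVersion, len(cfg.CipherSuites))
}
```

The trust-domain pin matters because `ClientCAs` only proves the peer was issued by a trusted CA; a federated or shared CA can issue identities for several trust domains, and without the SAN check any of them would be accepted as an internal service.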

Access control

  • IdP: Okta SSO (mandatory); employees cannot log in directly to any production system
  • MFA: WebAuthn / FIDO2 hardware keys (YubiKey Bio) enforced; TOTP only as fallback
  • Production access: IAP tunnel + Boundary ticketing; sessions time-limited (4 hours default); commands recorded for 12 months
  • Privileged accounts: 4-eyes principle (production writes require a second approver); quarterly access review; 4-hour off-boarding for departures
  • SSH: OpenSSH + short-lived certificates (max 8 hours); no static keys
  • Bastion: all production SSH passes through a Boundary jump host with session recording

Network & platform

WAF + DDoS

Cloudflare Enterprise sitewide; hybrid L3-L7 DDoS protection; 2.4 Tbps peak attack mitigated in 2024.

Environment isolation

Production / staging / internal tools fully isolated across separate AWS accounts, VPCs, and IAM boundaries.

Dependency scanning

Snyk + GitHub Advanced Security on every PR; CVEs with CVSS ≥ 7 are patched or replaced within 7 days.

Infrastructure as code

100% Terraform; any manual production change triggers a drift alert.

Image security

All container images Cosign-signed + Trivy-scanned; unsigned images cannot deploy.

Secret scanning

TruffleHog + GitGuardian; leaked secrets auto-revoked within 5 minutes.

Secure SDLC

Threat modeling: every new feature produces a Threat Model doc at design time, signed off by a Security Architect before implementation.

SAST: CodeQL + Semgrep in CI; high-severity findings block merge; medium findings require justification approved by security leads.

DAST: each main-branch deploy triggers a full OWASP ZAP scan against pre-prod.

SCA: weekly Snyk full scan; CVE / GHSA database subscription.

Red / Blue exercises: quarterly red team campaigns against production and key internal systems; reports + remediations archived.

Bug bounty: run on HackerOne, payouts USD 100–25,000; 2024 cumulative payout USD 187,000; 72-hour triage SLA.

Third-party pentests: twice yearly (spring / fall) by rotating independent firms; latest redacted report available under NDA.

Incident response

24/7 Security on-call: 5-engineer rotation via PagerDuty, first response within 10 minutes.

Severity tiers: Sev-0 (multi-customer impact) → Sev-1 (single customer) → Sev-2 (potential risk).

Customer notification SLA: Sev-0 — first notification within 1 hour, preliminary analysis within 4 hours, full public post-mortem within 72 hours.

Regulatory notification: GDPR Art. 33-34 — within 72 hours. Over the past 4 years we have had only one event requiring regulatory notification: see /security/incidents/2023-04-19.md.

Response training: quarterly company-wide chaos-engineering style drills; owner debriefs the board within 14 days.

Business continuity & disaster recovery

RPO: transactional data ≤ 5 minutes; analytical data ≤ 1 hour.

RTO: API gateway ≤ 15 minutes; dashboard ≤ 30 minutes; background batch ≤ 4 hours.

Multi-region active-active: EU (eu-west-1), US (us-east-1), APAC (ap-east-1); any one region down does not break SLA.

Backups: incremental every 5 minutes, full every 24 hours; 3-2-1 strategy; quarterly restore drills, last drill 100% successful and within the RTO targets.

Personnel redundancy: every core role has at least 2 people capable of full recovery; on-call runbooks are public.

Employee security

Onboarding: background check (employment, criminal, education); security training + quiz; NDA + AUP signed.

Continuous: quarterly mandatory security awareness training (phishing simulations + content updates); annual compliance refresher; monthly security newsletter.

Devices: MDM enforced; full-disk encryption; endpoint detection (CrowdStrike); lost devices remote-wiped within 24 hours.

Off-boarding: all credentials revoked within 4 hours; personal devices — work data wiped within 48 hours; exit interview recorded.

Sub-processor risk management

All sub-processors complete a security questionnaire before onboarding and are reassessed at least annually; high-risk changes (e.g. data residency) trigger a fresh review.

Full sub-processor list at /security/sub-processors, including Stripe (payments), AWS (infrastructure), Cloudflare (edge), Datadog (observability), Sentry (errors), Sumsub / Onfido (KYC).

We sign DPAs with each sub-processor. Customers may request the latest SOC 2 / ISO 27001 reports of critical sub-processors under NDA.

Coordinated disclosure

We publicly commit to safe-harbor for good-faith security research: as long as research stays within published scope, accesses no other users' data, doesn't persist exploitation, and notifies us within 72 hours, we will not pursue legal action.

Reports go to compliance@helodata.com (PGP fingerprint F2D1 9C42 6B7A 8E03 1F04 5D6E 8B2C 9F1A 3D45 6789, public key at /security/pgp.txt). We commit to acknowledging within 24 hours and providing triage results within 5 business days.

Bounty by severity: Low USD 100–500 / Medium USD 500–2,500 / High USD 2,500–10,000 / Critical USD 10,000–25,000. Annual payouts disclosed (2024: USD 187,000; 2025: live).

Available compliance documents

  • SOC 2 control mapping + gap list: current framework-alignment package (NDA); independent audit report will be published once complete
  • ISO 27001 ISMS scope + controls + gap list: current package (NDA); certification preparation in progress
  • DPA + SCC + IDTA: direct download at /legal/dpa, signed copies via email
  • Sub-processor list + DPAs: /security/sub-processors
  • Network architecture diagram: redacted version under NDA
  • Penetration test report: most recent (NDA)
  • BCP / DR plan: executive summary public, full plan under NDA
  • Vendor Risk Questionnaire: pre-filled CSA CAIQ, SIG Lite, SIG Core

Contact

  • Security / vulnerabilities (PGP): compliance@helodata.com
  • Privacy / DSAR: privacy@helodata.com
  • Abuse reports: abuse@helodata.com
  • Law enforcement requests: le-requests@helodata.com
  • security.txt: /.well-known/security.txt