How we protect customer data, the controls we run, and the certifications we hold and pursue.
Helixx runs as a multi-tenant SaaS with tenant-isolated data planes, hardened identity controls, and continuous detection. Security is owned by engineering — not bolted on by a separate team — and every code change passes through automated security review before merge.
All data in transit is protected with TLS 1.3, and all data at rest is encrypted with AES-256. Encryption keys are managed in a cloud KMS with HSM-backed key material and automatic rotation; Enterprise-tier customers additionally get per-tenant key separation.
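Per-tenant key separation of the kind described above, shown as an added example that is not Helixx's own code: envelope encryption with AES-256-GCM, where each stored record is encrypted under its own data key (DEK) and that DEK is wrapped by the owning tenant's key-encryption key (KEK). The in-memory `kms` type stands in for the HSM-backed key service, and the tenant names and sample record are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// mustRandom draws n bytes from the CSPRNG; failure here is not recoverable.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// kms stands in for the HSM-backed key service, holding one AES-256 KEK per
// tenant. Assumption for this example only; a real KMS never releases KEK bytes.
type kms struct{ keks map[string][]byte }

func newKMS() *kms { return &kms{keks: map[string][]byte{}} }

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal and unseal use AES-256-GCM with a random 96-bit nonce prefixed to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

func unseal(key, blob, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// Record is the stored form: data under a fresh per-record DEK, plus that DEK
// wrapped by the owning tenant's KEK. The tenant id is GCM associated data in
// both layers, so a blob cannot be re-labelled for another tenant.
type Record struct {
	WrappedDEK []byte
	Ciphertext []byte
}

func (k *kms) Encrypt(tenant string, plaintext []byte) (*Record, error) {
	if _, ok := k.keks[tenant]; !ok {
		k.keks[tenant] = mustRandom(32) // first use: provision the tenant KEK
	}
	dek := mustRandom(32)
	ct, err := seal(dek, plaintext, []byte(tenant))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(k.keks[tenant], dek, []byte(tenant))
	if err != nil {
		return nil, err
	}
	return &Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps with the KEK of the tenant making the request, so a
// cross-tenant read fails at the unwrap step before any data is touched.
func (k *kms) Decrypt(requester string, r *Record) ([]byte, error) {
	kek, ok := k.keks[requester]
	if !ok {
		return nil, errors.New("unknown tenant")
	}
	dek, err := unseal(kek, r.WrappedDEK, []byte(requester))
	if err != nil {
		return nil, fmt.Errorf("unwrap failed for %s: %w", requester, err)
	}
	return unseal(dek, r.Ciphertext, []byte(requester))
}

func main() {
	k := newKMS()
	rec, _ := k.Encrypt("tenant-a", []byte("constructed sample record"))
	_, _ = k.Encrypt("tenant-b", nil) // gives tenant-b its own KEK
	_, err := k.Decrypt("tenant-b", rec)
	fmt.Println("cross-tenant read:", err)
}
```

`Decrypt` deliberately looks up the KEK of the requesting tenant rather than trusting any tenant label stored with the record, and the tenant id is bound as associated data in both layers, so a record copied between tenants fails authentication instead of decrypting for the wrong customer. KEK rotation in this scheme only rewraps `WrappedDEK` under the new KEK; the bulk `Ciphertext` is never re-encrypted.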
Customer admins use single sign-on via SAML 2.0 or OIDC. MFA is enforced for all admin accounts. Internal Helixx access to production is restricted to a small on-call rotation, gated by hardware security keys, time-bound, and fully audit-logged. Production access requires customer-visible justification logged in your audit trail.
Every action — model prompt, model output, deployment decision, configuration change — is logged with actor, timestamp, and outcome. Logs are immutable, queryable from your admin console, and retained for 7 years to satisfy MAS and FCA recordkeeping. Anomaly detection runs continuously across the audit stream.
Helixx runs on enterprise-grade cloud infrastructure with region-pinned data planes for Singapore, EU, UK, and UAE customers. Region routing is enforced at the API gateway — customer data does not cross jurisdictions without explicit configuration. Production environments are separated from development and staging with no shared credentials.
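One way the gateway-level region enforcement described above can be built, as an added example that is not Helixx's own code: an HTTP middleware that compares the tenant's pinned region with the region this gateway instance serves and refuses a mismatch unless the tenant has explicitly opted in to cross-region handling. The region identifiers, the tenant registry, and the `/v1/models` route are constructed assumptions for the demonstration.

```go
package main

import (
	"context"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// Region this gateway instance serves. In a deployment it would come from the
// environment; the region names here are assumed cloud region identifiers.
const localRegion = "ap-southeast-1" // Singapore

// tenantPolicy is the per-customer residency setting: the pinned region, plus
// the explicit opt-in that allows a request to be served elsewhere.
type tenantPolicy struct {
	Region           string
	AllowCrossRegion bool
}

// Constructed sample registry; in production this is the tenant configuration store.
var tenants = map[string]tenantPolicy{
	"bank-sg":    {Region: "ap-southeast-1"},
	"fund-eu":    {Region: "eu-central-1"},
	"insurer-uk": {Region: "eu-west-2", AllowCrossRegion: true},
	"broker-ae":  {Region: "me-central-1"},
}

type ctxKey struct{}

// withTenant is what the authentication layer does after validating the SSO
// token: the tenant id lives in the request context, never in a client header.
func withTenant(r *http.Request, tenant string) *http.Request {
	return r.WithContext(context.WithValue(r.Context(), ctxKey{}, tenant))
}

// residencyDecision returns 0 when the request may proceed, otherwise the HTTP
// status the gateway must answer with. Unknown or missing tenants fail closed.
func residencyDecision(tenant, servingRegion string) int {
	p, ok := tenants[tenant]
	switch {
	case !ok:
		return http.StatusUnauthorized
	case p.Region == servingRegion, p.AllowCrossRegion:
		return 0
	default:
		return http.StatusUnavailableForLegalReasons // 451: refused, not proxied
	}
}

// residencyMiddleware sits in front of every backend route so the check cannot
// be bypassed by an individual handler.
func residencyMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tenant, _ := r.Context().Value(ctxKey{}).(string)
		if code := residencyDecision(tenant, localRegion); code != 0 {
			log.Printf("residency deny tenant=%q pinned=%q served=%q path=%s",
				tenant, tenants[tenant].Region, localRegion, r.URL.Path)
			http.Error(w, http.StatusText(code), code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func newGateway() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/models", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	return residencyMiddleware(mux)
}

// serve runs one request through the gateway and returns the status code.
func serve(h http.Handler, tenant, path string) int {
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, withTenant(httptest.NewRequest(http.MethodGet, path, nil), tenant))
	return rr.Code
}

func main() {
	gw := newGateway()
	for _, tenant := range []string{"bank-sg", "fund-eu", "insurer-uk", "ghost"} {
		fmt.Printf("%-11s -> %d\n", tenant, serve(gw, tenant, "/v1/models"))
	}
}
```

Two design points matter here. The mismatch is answered with a refusal rather than a redirect or an internal proxy to the right region, so no request body or response leaves the serving jurisdiction; and the tenant identity comes from context set by the authentication layer, so a client cannot change its pinned region by sending a different tenant header.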
We run automated dependency and container scanning on every build. Annual third-party penetration tests cover the application, API, and infrastructure. Critical findings are remediated within 7 days; high within 30. We operate a coordinated disclosure program — report vulnerabilities to security@helixx.ai.
We maintain documented business continuity and disaster recovery plans with quarterly tabletop exercises. Recovery time objective (RTO) is 4 hours; recovery point objective (RPO) is 1 hour. Backups are encrypted, region-pinned, and tested monthly.
All employees complete security and privacy training on hire and annually thereafter. Engineers handling production access receive additional training on incident response, privileged access, and customer data handling. Background checks are conducted in accordance with local law.
SOC 2 Type II is in progress with attestation expected Q3 2026. ISO 27001 control mapping is complete and certification is targeted for late 2026. We align to MAS Technology Risk Management Guidelines and provide customer-specific compliance attestations on request.
We commit to notifying affected customers of material security incidents without undue delay and in any case within 72 hours of confirmation, with a written follow-up containing scope, root cause, and remediation. To report an incident, email security@helixx.ai.