Skip to main content

Security

Last updated: 2026-04-22

HelpMesh is built for regulated enterprise environments. Security is a first-class engineering concern, not a post-launch checklist. This page summarises the controls in production today; the detailed security package (SOC 2 Type I report, penetration test letter, DPA, security questionnaire) is available under mutual NDA — email security@helpmesh.io.

Tenant Isolation

  • Every database query is scoped by tenantId via Prisma middleware and AsyncLocalStorage — no application code can bypass without an explicit, code-reviewed withTenantOverride() call.
  • Integration tests assert “tenant A cannot see tenant B” on every endpoint — enforced in CI, non-negotiable.
  • Redis keys, S3 object prefixes, and audit log entries are tenant-prefixed.
  • Super-admin access is logged to an immutable audit trail and requires MFA.

Encryption

  • In transit: TLS 1.2+ enforced on all public endpoints (HSTS enabled, preload list eligible).
  • At rest: AES-256 via AWS KMS for RDS, S3, EBS, and ElastiCache. Keys rotated annually.
  • Message bodies, contact PII, and webhook secrets encrypted at the field level.
  • API keys stored as SHA-256 + per-key salt; plaintext shown once at creation.
  • Passwords hashed with bcrypt (cost factor 12).

Access Controls

  • Role-based access control (RBAC): Owner, Admin, Agent, Viewer per tenant.
  • Optional enforced MFA per tenant; mandatory for super-admin accounts.
  • Session management via NextAuth database sessions; short access token (15 min) + rotating refresh.
  • API keys are tenant-scoped, scope-limited, and revocable.
  • All administrative actions written to an append-only audit log retained for 2 years.

Infrastructure

  • Primary deployment: AWS ECS Fargate in ap-south-1 (Mumbai, India). Per-tenant region selection — including me-central-1 (UAE), us-east-1, eu-west-1 — on the Phase 6.5 roadmap.
  • Multi-AZ RDS with automated backups (30-day retention) and point-in-time recovery.
  • VPC-isolated; no public database or cache endpoints.
  • WAF (OWASP Core Rule Set + custom rules) fronted by CloudFront.
  • Secrets stored in AWS Secrets Manager; no plaintext credentials in source or CI.

Application Security

  • Input validation via Zod schemas on every external boundary.
  • User-generated HTML sanitised with DOMPurify before storage.
  • Outbound webhooks signed with HMAC-SHA256.
  • Rate limiting on every public endpoint; aggressive limits on unauthenticated requests.
  • CSP, X-Frame-Options: DENY, X-Content-Type-Options, Referrer-Policy, Permissions-Policy headers.
  • Dependency scanning on every PR; CRITICAL/HIGH vulnerabilities block merge.

Compliance

  • ISO 27001 control library implemented across infrastructure and application layers.
  • SOC 2 Type I — in progress (target: prior to v1.0.0 GA). Type II evidence collection ongoing.
  • Third-party penetration test — scheduled with a named firm (Cure53 / NCC Group / Bishop Fox) prior to v1.0.0 GA.
  • Jurisdictions covered: GDPR (EU), UK-GDPR, UAE PDPL, Saudi PDPL, CCPA (California), PIPEDA (Canada), DPDPA (India), PDPA (Singapore), Privacy Act (Australia), BDSG (Germany).
  • Per-tenant data residency: data remains in the configured region.

Monitoring & Response

  • 24/7 oncall rotation with PagerDuty escalation.
  • CloudWatch alarms on error rate, latency, queue depth, unauthorised access patterns.
  • Immutable audit log of all administrative and data-access events.
  • Documented runbooks for top 20 incident types; postmortems published for customer-impacting events.
  • Breach notification within 72 hours per GDPR Article 33 / UAE PDPL.

Responsible Disclosure

We welcome reports from security researchers. Please send vulnerability reports to security@helpmesh.io. We commit to:

  • Acknowledging your report within 2 business days.
  • Providing a status update within 7 business days.
  • Not pursuing legal action against good-faith researchers who follow our disclosure policy.

A machine-readable contact file is available at /.well-known/security.txt.

Contact

Security team: security@helpmesh.io
Security package requests (SOC 2, pentest letter, DPA): security@helpmesh.io