Data residency
Helix is a UK-built vendor selling to UK-regulated banks and fintechs. The business plan (§1, §3) commits to keeping behavioural data on-device and keeping all server-side processing inside the UK / EEA. This document is the formal answer banks ask for during vendor due-diligence (CAIQ §DSI, SIG §H).
What we process server-side
The control plane stores only the following:
| Data | Source | Retention |
|---|---|---|
| Aggregated risk events (score + signal weights, no raw biometric) | Bank's mobile app via SDK → REST | 13 months rolling |
| Audit log entries (hash-chained, append-only) | Control plane actions | 7 years |
| API key hashes (SHA-256) | Issued in-app | Until revoked |
| Webhook delivery records (status code, payload SHA-256) | Outbound delivery | 13 months |
| CSP violation reports | Browser → /api/public/csp-report | 90 days |
| Profiles, tenants, user roles | Sign-up flow | Lifetime of account |
What we never store server-side: keystroke timings, accelerometer samples, swipe coordinates, touch pressure, gyroscope traces, screen content, contact list, location, or any raw biometric signal. These stay on the device: the iOS/Android SDK encrypts them at rest under a key held in the platform key store (Android Keystore / iOS Secure Enclave, which hold keys rather than the samples themselves) and discards them after each scoring window.
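The audit log row above says "hash-chained, append-only". As an added illustration (not Helix's implementation), this is the minimal shape of such a log and the verifier a due-diligence reviewer would expect: every entry commits to the hash of the one before it, so an edit, reordering or deletion of any entry breaks the chain at that point. Field names, the `AuditLog` class and the sample actors are assumptions for the example.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Hash that the first entry chains to (assumed convention for this example).
GENESIS = "0" * 64


@dataclass(frozen=True)
class Entry:
    seq: int          # position in the log; lets a verifier spot deleted entries
    actor: str
    action: str
    prev_hash: str    # entry_hash of the previous entry (GENESIS for the first)
    entry_hash: str   # SHA-256 over the canonical encoding of the fields above


def digest(seq: int, actor: str, action: str, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash does not depend on
    # field ordering or serializer quirks.
    body = json.dumps(
        {"seq": seq, "actor": actor, "action": action, "prev": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(body).hexdigest()


class AuditLog:
    """Append-only: there is deliberately no update or delete method."""

    def __init__(self) -> None:
        self._entries: List[Entry] = []

    def append(self, actor: str, action: str) -> Entry:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        seq = len(self._entries)
        entry = Entry(seq, actor, action, prev, digest(seq, actor, action, prev))
        self._entries.append(entry)
        return entry

    @property
    def entries(self) -> List[Entry]:
        return list(self._entries)

    @property
    def head(self) -> str:
        return self._entries[-1].entry_hash if self._entries else GENESIS


def verify_chain(entries: List[Entry],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, seq_of_first_problem).

    Detects edited, reordered and deleted entries. Truncation of the tail is
    only detectable when expected_head (the last hash, kept out of band, for
    example in a separately signed record) is supplied.
    """
    prev = GENESIS
    for expected_seq, e in enumerate(entries):
        if e.seq != expected_seq or e.prev_hash != prev:
            return False, e.seq
        if digest(e.seq, e.actor, e.action, e.prev_hash) != e.entry_hash:
            return False, e.seq
        prev = e.entry_hash
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def build_sample_log() -> AuditLog:
    # Constructed sample events, not real control-plane data.
    log = AuditLog()
    log.append("alice@bank.example", "api_key.create")
    log.append("alice@bank.example", "webhook.update")
    log.append("bob@bank.example", "user.role.change")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(verify_chain(log.entries, log.head))   # (True, None)
    tampered = log.entries
    tampered[1] = replace(tampered[1], action="webhook.delete")
    print(verify_chain(tampered))                 # (False, 1)
```

The chain alone cannot tell a log that was honestly short from one whose newest entries were dropped; that is why `verify_chain` takes an `expected_head`, and why a production deployment anchors the head hash somewhere the database writer cannot reach.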
Where the data lives
| Layer | Provider | Region | UK-adequacy |
|---|---|---|---|
| Postgres + auth | Supabase (managed by Lovable Cloud) | EU (Frankfurt, eu-central-1) | Yes (the UK recognises the EEA as adequate; EU→UK return flows rely on the EU adequacy decision of June 2021) |
| Static assets / SSR | Cloudflare Workers — EU + UK PoPs | EEA + UK | Yes |
| Email (transactional) | Resend (EU region) | EEA | Yes |
No data flows to US-hosted infrastructure. Lovable's edge proxy is a pass-through; we do not enable any US-only Workers binding.
Verifying region
- Lovable Cloud → Connectors → Lovable Cloud → Database settings: confirm the region reads `eu-central-1` (or another EEA region).
- `dig +short project--<id>.lovable.app` returns Cloudflare anycast addresses, so the IP tells you nothing about region; the PoP that serves a request is chosen by client geography.
- Run from a UK office: `curl -sI https://helixsecure.co.uk/ | grep -i 'cf-ray'` and read the suffix of the `cf-ray` header, which encodes the colo (e.g. `LHR` for London).
- Caveat: the `cf-ray` check only shows which edge PoP served that one request. It says nothing about where Postgres or email data is stored (use the database settings check for that), and a client outside the UK/EEA will be served by its nearest non-EEA PoP unless Cloudflare's Regional Services is configured to confine processing to the EU/UK.
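To make the `cf-ray` check repeatable from several vantage points, here is an added example (not Helix's tooling) that parses captured `curl -sI` output and flags any capture served from a colo outside an allowlist. The header format `<ray id>-<IATA colo>` is Cloudflare's; the allowlist and the sample captures are assumptions constructed for the example, and the real allowlist should be maintained from Cloudflare's published network map.

```python
import re
from typing import Dict, Optional, Tuple

# cf-ray is "<hex ray id>-<three-letter colo code>", e.g. "8a1b2c3d4e5f6789-LHR".
CF_RAY = re.compile(r"^cf-ray:\s*([0-9a-f]+)-([a-z]{3})\s*$", re.IGNORECASE | re.MULTILINE)

# Assumption: colos treated as UK/EEA for this check. The page only names LHR;
# the rest are illustrative and must be kept in step with Cloudflare's map.
ALLOWED_COLOS = {"LHR", "MAN", "FRA", "AMS", "CDG", "DUB"}

# Constructed captures of `curl -sI` output from different vantage points.
SAMPLE_CAPTURES = {
    "london-office": "HTTP/2 200\r\ncf-ray: 8a1b2c3d4e5f6789-LHR\r\ncontent-type: text/html\r\n",
    "frankfurt-vm":  "HTTP/2 200\r\nCF-RAY: 8a1b2c3d4e5f6790-FRA\r\n",
    "us-east-vm":    "HTTP/2 200\r\ncf-ray: 8a1b2c3d4e5f6791-IAD\r\n",
    "no-cloudflare": "HTTP/1.1 200 OK\r\nserver: nginx\r\n",
}


def colo_from_headers(raw_headers: str) -> Optional[str]:
    """Extract the colo suffix of the cf-ray header, or None if absent."""
    m = CF_RAY.search(raw_headers)
    return m.group(2).upper() if m else None


def check_vantage_points(captures: Dict[str, str],
                         allowed=ALLOWED_COLOS) -> Dict[str, Tuple[Optional[str], bool]]:
    """Map vantage point -> (colo, served_from_allowed_region).

    A missing header is reported as (None, False): the request may not have
    reached Cloudflare at all, which is itself worth investigating.
    """
    report = {}
    for name, raw in captures.items():
        colo = colo_from_headers(raw)
        report[name] = (colo, colo in allowed)
    return report


if __name__ == "__main__":
    for name, (colo, ok) in check_vantage_points(SAMPLE_CAPTURES).items():
        print(f"{name:14} colo={colo} {'ok' if ok else 'OUTSIDE UK/EEA'}")
```

The `us-east-vm` capture is the point of the exercise: a client outside the region is served from a non-EEA PoP, so a green result from a UK office does not by itself prove that every request is processed in the UK/EEA.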
Cross-border transfers
There are none in production. If a future feature requires a US-hosted sub-processor (e.g. an LLM provider), it must:
- Be added to the sub-processor list published at `/legal/subprocessors`.
- Operate under SCCs + a UK Addendum (or successor mechanism).
- Be flagged in this document with the data categories transferred.
GDPR / UK-GDPR posture
- Lawful basis: legitimate interest (fraud prevention) for risk events; contract for control-plane account data.
- Data subject rights: handled by the bank as data controller; Helix is processor.
- DPIA: Helix provides a template DPIA Annex to every customer in the onboarding pack.
- ICO registration: Helix Security Limited is registered with the UK ICO (registration number to be added on incorporation; see docs/deployment-checklist.md).
Changing the region
Migrating Postgres to a different region is destructive and requires:
- Customer notification ≥ 30 days in advance.
- Updated DPA addendum.
- Update to this document and the public sub-processor list.