Trust centre
Security posture, in plain English.
Helix is built for UK fintechs. Our security model is structurally simple: raw behavioural data never leaves the device, and the control plane runs in London.
On-device processing
Behavioural signal is processed on the user's handset. Only structured risk metadata leaves the device.
UK data residency
All control-plane infrastructure runs in AWS eu-west-2 (London). Backups stay in-region.
Encryption
TLS 1.3 in transit. AES-256-GCM at rest. Webhook payloads are HMAC-SHA-256 signed with per-tenant secrets.
Secrets & keys
Customer SDK keys are stored as bcrypt hashes; raw values are shown once. Service secrets are held in AWS Secrets Manager and rotated quarterly.
Network controls
Public API is rate-limited per key. CSP, HSTS, and a strict security-headers policy are applied to every response.
Auditability
Every privileged action is recorded in an append-only audit log scoped to the tenant. Exportable on request.
Sub-processors
We use a minimal set of UK/EU-resident sub-processors:
- AWS (eu-west-2, London): hosting
- Supabase (EU): database, auth
- Postmark / Resend (EU): transactional email
- Stripe (UK): billing
Compliance & reporting
- UK GDPR & DPA 2018 — full alignment, ROPA maintained.
- ICO — registered data controller (ZA829102).
- SOC 2 Type II — audit in progress for 2026.
- Penetration testing — annual third-party engagement, summary letter on request.