Security & Trust
Posture version v2026.05 · 6 implemented controls published
Every claim on this page is generated from a repo-tracked Control & Evidence Register. We map our controls against the frameworks customer compliance programs are governed by — not against marketing copy.
Posture statement
Helm IQ operates as a third-party service provider to SEC-registered investment advisers and their affiliates. Our security program is designed to support customer compliance with the Investment Advisers Act (Rule 206(4)-7 program), Reg S-P (Safeguards Rule, as amended May 2024), Section 204A and Rule 204A-1 (MNPI controls), and Adviser Rule 204-2 books-and-records retention. Where the customer maintains a broker-dealer affiliate, we additionally support Rule 17a-4 records retention. Our control catalogue cross-maps to SOC 2 (TSC 2017), NIST CSF 2.0, SIG Lite (Shared Assessments), ILPA's Due Diligence Questionnaire (Cyber/IT section), and AIMA's Illustrative Cybersecurity Questionnaire so vendor diligence can be completed by reference rather than by interview.
Frameworks & standards we map to
Mapped to means our control catalogue cross-references these frameworks. SOC 2 attestation, external penetration testing, and cyber-liability insurance are scheduled for our Tier B trust-signal phase, triggered by the first customer SOC 2 representation or $300K ARR — whichever first.
Implemented controls
Each control links to a control ID in our internal Register. Customer counsel may request the full internal posture report (including residual-risk dispositions, gap rows, and evidence pointers) under NDA.
HELM-LA-01
Logical access — organization scoping at API boundary
Tenant isolation is enforced at every API boundary. Helm uses a single org-scoping primitive that every customer-data read or write must traverse; cross-tenant access is structurally unreachable, not policy-gated.
HELM-EN-01
Encryption at rest — customer data + OAuth tokens
Customer data is encrypted at rest. OAuth tokens for connected accounts (Gmail, Calendar, Outlook, Twilio) are additionally envelope-encrypted at the application layer with AES-256-GCM before persistence, so a database-only compromise does not surface usable tokens.
HELM-EN-02
Encryption in transit — TLS + HSTS preload
All Helm traffic is encrypted in transit via TLS. HSTS is preloaded with a 2-year max-age and the includeSubDomains directive, so subdomain downgrades are rejected by the browser.
HELM-AU-01
Append-only audit log for privileged actions
Every privileged mutation in Helm — record creates and deletes, authentication events, AI-agent decisions, draft sends, data exports, membership changes — writes a row to an append-only audit log. The log is queryable for compliance review and supports SEC examination requests under Adviser Rule 204-2.
HELM-RL-01
Layered rate limiting on auth and sensitive endpoints
Helm enforces named rate-limit tiers across authentication, data export, and mutation endpoints. Failed login attempts trigger account lockout after 20 failures in 24 hours.
HELM-PW-01
Password hashing — bcrypt with cost factor 10
Passwords are stored as bcrypt hashes (cost factor 10). Authentication uses constant-time comparison. Password reset links are 256-bit random tokens, single-use, with a 30-minute TTL.
Subprocessors
Helm IQ uses the following subprocessors to deliver the service. We update this list within 30 days of any change. Each subprocessor's SOC 2 attestation status is verified during our annual security-program review.
| Subprocessor | Purpose | Region |
|---|---|---|
| Neon | Managed Postgres — primary application database | AWS us-east (default) |
| Vercel | Application hosting — compute, edge, build | Global edge; primary US |
| Anthropic | AI inference — Claude models via @anthropic-ai/sdk | US |
| OpenAI | AI inference — gpt-* and search-preview models via openai SDK | US |
| Twilio | Voice + SMS — call recording, dial-out, transcription pipeline trigger | US |
| Google Workspace (Gmail + Calendar OAuth) | Customer-authorized OAuth grants; we read on behalf of customer; we do not host customer Gmail data | Customer's Google region |
| Stripe | Billing — payment processing for Helm subscription | US |
Vendor diligence bundle
Pre-answered SIG Lite, ILPA Cyber DDQ, and AIMA Cyber DDQ responses are available under NDA. The same NDA covers release of our internal posture report, which includes residual-risk dispositions, gap rows, and evidence pointers to our codebase. Email security@helmcrm.com with the questionnaire format you need and we'll route a response within one business day.
Security disclosure & contact
Helm IQ welcomes coordinated disclosure of security issues from researchers, customers, and counterparties. Our default disclosure window is 90 days from initial report.
- Security contact: security@helmcrm.com
- RFC 9116 file: /.well-known/security.txt
- Machine-readable posture: /security/posture.json
Trust-signal roadmap
We publish our roadmap so customers know what's present today and what's scheduled. Each milestone is anchored to a measurable trigger so we don't over-invest before customer revenue justifies the cost.
- Today (Tier A): public Trust Center, written control catalogue cross-mapped to seven frameworks, NDA-gated vendor DDQ bundle on request, RFC 9116 disclosure, security headers + audit-log infrastructure.
- Tier B— triggered at first customer SOC 2 representation or $300K ARR: SOC 2 Type I attestation, external penetration test, cyber-liability + tech E&O insurance binding, fractional CISO retainer.
- Tier C — 12 months post-Type I: SOC 2 Type II, hosted GRC tooling, customer-facing reference calls.
This page is a generated projection of Helm IQ's Control & Evidence Register. Source of truth lives in version control and changes here are auditable from git history.