Security Policy
Last updated: March 2026
Infrastructure Security
- Hosting: Vercel edge network with global CDN, automatic DDoS mitigation, and TLS 1.3 encryption
- Database: Supabase (PostgreSQL) with Row Level Security (RLS) enforced on all tables
- Authentication: Supabase Auth with secure session cookies, PKCE flow, and role-based access control
- Secrets Management: All credentials stored as Vercel environment variables, never committed to source code
Application Security
- Content Security Policy: Strict CSP headers enforced on all pages
- HSTS: HTTP Strict Transport Security with a 2-year max-age and the includeSubDomains directive
- Input Validation: All API inputs validated and sanitized server-side
- Rate Limiting: Applied to all payment and authentication endpoints
- Webhook Verification: HMAC-SHA256 signature validation on all incoming webhooks (Stripe, Triple-A)
Payment Security
- Card Payments: Processed entirely by Stripe (PCI DSS Level 1 certified). Helix Core never handles or stores card numbers
- Crypto Payments: Processed by Triple-A (MAS-licensed, Singapore). On-chain verification with automated settlement
- Idempotency: Duplicate payment processing prevented via database-level deduplication
Audit & Monitoring
- Audit Logs: All sensitive operations logged with actor, action, timestamp, and IP address
- Error Tracking: Real-time error monitoring via Sentry with automated alerting
- Access Controls: Three-tier role system (client, expert, admin) with middleware-enforced route protection
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly to security@helix-core.io. We commit to acknowledging reports within 48 hours and providing updates on remediation progress.
Please do not publicly disclose vulnerabilities until we have had an opportunity to address them.
Compliance
Helix Core is designed with GDPR, SOC 2 Type II, and ISO 27001 principles in mind. We maintain data processing agreements with all sub-processors and provide data protection impact assessments upon request.