Trust Center
F500-grade security, compliance, and operational transparency
Last updated: 2026-05-15 · Live status refreshed every 60s
● Live System Status (empirically measured · refresh 60s)
- System: ✓ Healthy (version b8ae1b6)
- Dependencies: 4/4 OK (supabase · stripe · resend · sentry)
- Doctrine Invariants: 83/22 active (LOI I/II/III + F7 axioms)
- Audit Trail (24h): 516 events, ⚠ 78 critical
GDPR Article 32 RLS coverage: 100% (91/91 base tables; evidence verified empirically). Empirical monitoring: daily cron at 06:00 UTC plus a synthetic-monitor closed loop with auto-rollback (SOC 2 CC9.1).
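The "91/91 base tables" figure is the kind of claim an auditor or customer can re-derive from the database catalog rather than take on trust. The queries below are an added example, not Helix Core's own verification tooling; they run on any PostgreSQL (Supabase included) and assume the API-exposed schema is `public` (an assumption; substitute the schemas PostgREST actually exposes). They enumerate base tables with RLS disabled, compute the coverage ratio, flag RLS-enabled tables with no policy at all (deny-all for non-owner roles such as `anon`/`authenticated`, which is fine only if intended), and flag permissive policies that apply to every role unconditionally, which silently negate RLS.

```sql
-- Added example (not Helix Core's tooling): empirically verify RLS coverage.
-- Assumes the API-exposed schema is "public" (assumption; adjust as needed).

-- 1. Base tables with RLS disabled: every role the API grants access to can
--    read/write them regardless of policies on other tables.
SELECT n.nspname              AS schema_name,
       c.relname              AS table_name,
       c.relrowsecurity       AS rls_enabled,
       c.relforcerowsecurity  AS rls_forced   -- owners bypass RLS unless forced
FROM   pg_class c
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relkind IN ('r', 'p')  -- ordinary and partitioned tables
AND    n.nspname = 'public'
AND    NOT c.relrowsecurity
ORDER  BY 1, 2;

-- 2. Coverage ratio in the same shape as the page's "91/91" claim.
SELECT count(*) FILTER (WHERE rowsecurity)                          AS rls_enabled,
       count(*)                                                     AS base_tables,
       round(100.0 * count(*) FILTER (WHERE rowsecurity)
             / nullif(count(*), 0), 1)                              AS pct_covered
FROM   pg_tables
WHERE  schemaname = 'public';

-- 3. RLS enabled but zero policies: deny-all for non-owner roles. Acceptable
--    for internal tables, but list them so each one is a decision, not an accident.
SELECT t.schemaname, t.tablename
FROM   pg_tables t
LEFT JOIN pg_policies p
       ON p.schemaname = t.schemaname AND p.tablename = t.tablename
WHERE  t.schemaname = 'public'
AND    t.rowsecurity
GROUP  BY t.schemaname, t.tablename
HAVING count(p.policyname) = 0;

-- 4. Policies that apply to PUBLIC with an unconditional USING/WITH CHECK:
--    a permissive "true" policy for every role makes RLS a no-op on that table.
SELECT schemaname, tablename, policyname, permissive, roles, cmd, qual, with_check
FROM   pg_policies
WHERE  schemaname = 'public'
AND    (roles = '{public}' OR qual = 'true' OR with_check = 'true');
```

Query 1 should return zero rows if the 100% claim holds; queries 3 and 4 are the checks that "RLS enabled" alone does not give you. If any table is owned by a role the application connects as, `ALTER TABLE ... FORCE ROW LEVEL SECURITY` is needed, because owners and superusers bypass RLS otherwise; query 1's `rls_forced` column shows which tables already have that set.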
Compliance Posture
| Framework | Status | Target audit | Key controls |
|---|---|---|---|
| SOC 2 Type II | Principles-aligned | Q3 2026 | CC6.1 MFA, CC6.6 audit logs, CC7.2 monitoring |
| ISO 27001 | Principles-aligned | Q4 2026 | A.5 policies, A.9 access control, A.12 operations |
| GDPR | Compliant | continuous | Art. 6 lawful basis, Art. 28 processor agreements, Art. 32 technical measures |
| PCI DSS | Out of scope (Stripe handles) | N/A | No card data stored or transmitted |
For audit reports under NDA, contact trust@helix-core.io
Sub-Processors
We use the following sub-processors. Customers are notified 30 days before any change. Full DPA available at /legal/dpa.
| Sub-processor | Purpose | Region | Certifications |
|---|---|---|---|
| Vercel | Edge hosting + CDN | Global (primary region eu-central-1, Frankfurt) | SOC 2 Type II, ISO 27001 |
| Supabase | PostgreSQL + Auth + Storage | EU (eu-central-1) | SOC 2 Type II, HIPAA-ready |
| Stripe | Payment processing | EU/US | PCI DSS Level 1, SOC 1/2/3 |
| Sentry | Error monitoring | EU | SOC 2 Type II, ISO 27001 |
| Resend | Transactional email | EU/US | SOC 2 Type II |
| Anthropic | LLM inference (cascade recos) | US | SOC 2 Type II |
Technical Controls
Operational Transparency
- Uptime SLO: 99.95% (see /legal/sla)
- Data residency: EU-primary (Frankfurt). Customer-requested US/APAC available on Enterprise plans.
- Incident response: Status page + Sentry alerts. Customer notification within 24h of confirmed incident.
- Penetration testing: Annual third-party audit + continuous internal red-team via F7 doctrine.
- Vulnerability disclosure: security@helix-core.io (48h acknowledgment SLA)
Backup & Disaster Recovery
Helix Core operates a four-source backup architecture with tested restores. SLO: RTO < 4h, RPO < 24h.
| Source | Mechanism | Frequency | Retention |
|---|---|---|---|
| 1 · Source code | GitLab origin + local Mac mirrors (multiple branches) | Every commit | Unlimited |
| 2 · Database | Supabase PITR + backup-sovereign cron (daily, 03:00 UTC) | Daily | 30 days |
| 3 · Infrastructure | Vercel env vars (sensitive) + Stripe Dashboard config + infra-snapshot.sh script (T4-S7) | Daily snapshot | 90 days |
| 4 · Docs + Secrets | macOS Keychain + FileVault + Proton Drive E2E (AES-256 + RSA-4096); sync-to-protondrive.sh cron at 23:00 | Daily, 23:00 UTC | Unlimited |
- Restore runbook: /docs/DR-RUNBOOK.md, step-by-step DB restore + Vercel redeploy + Stripe re-link, verified quarterly (T4-S7)
- Tested restore: last drill 2026-Q1, DB restore in 23m12s (RTO target < 4h, met with wide margin)
- Multi-layer encryption: Layer 1 git-crypt for commercial docs · Layer 2 Proton Drive E2E · Layer 3 FileVault on Mac · Layer 4 Supabase PostgreSQL + RLS
- Sovereignty: confidential KEU artifacts stay on Mac → Proton Drive; exposure to external Git only on explicit order of the Régent (doctrine Pillar 7)