Security
Last updated: 2026-04-22
HelpMesh is built for regulated enterprise environments. Security is a first-class engineering concern, not a post-launch checklist. This page summarises the controls in production today; the detailed security package (SOC 2 Type I report, penetration test letter, DPA, security questionnaire) is available under mutual NDA — email security@helpmesh.io.
Tenant Isolation
- Every database query is scoped by
tenantIdvia Prisma middleware and AsyncLocalStorage — no application code can bypass without an explicit, code-reviewedwithTenantOverride()call. - Integration tests assert “tenant A cannot see tenant B” on every endpoint — enforced in CI, non-negotiable.
- Redis keys, S3 object prefixes, and audit log entries are tenant-prefixed.
- Super-admin access is logged to an immutable audit trail and requires MFA.
Encryption
- In transit: TLS 1.2+ enforced on all public endpoints (HSTS enabled, preload list eligible).
- At rest: AES-256 via AWS KMS for RDS, S3, EBS, and ElastiCache. Keys rotated annually.
- Message bodies, contact PII, and webhook secrets encrypted at the field level.
- API keys stored as SHA-256 + per-key salt; plaintext shown once at creation.
- Passwords hashed with bcrypt (cost factor 12).
Access Controls
- Role-based access control (RBAC): Owner, Admin, Agent, Viewer per tenant.
- Optional enforced MFA per tenant; mandatory for super-admin accounts.
- Session management via NextAuth database sessions; short access token (15 min) + rotating refresh.
- API keys are tenant-scoped, scope-limited, and revocable.
- All administrative actions written to an append-only audit log retained for 2 years.
Infrastructure
- Primary deployment: AWS ECS Fargate in ap-south-1 (Mumbai, India). Per-tenant region selection — including me-central-1 (UAE), us-east-1, eu-west-1 — on the Phase 6.5 roadmap.
- Multi-AZ RDS with automated backups (30-day retention) and point-in-time recovery.
- VPC-isolated; no public database or cache endpoints.
- WAF (OWASP Core Rule Set + custom rules) fronted by CloudFront.
- Secrets stored in AWS Secrets Manager; no plaintext credentials in source or CI.
Application Security
- Input validation via Zod schemas on every external boundary.
- User-generated HTML sanitised with DOMPurify before storage.
- Outbound webhooks signed with HMAC-SHA256.
- Rate limiting on every public endpoint; aggressive limits on unauthenticated requests.
- CSP, X-Frame-Options: DENY, X-Content-Type-Options, Referrer-Policy, Permissions-Policy headers.
- Dependency scanning on every PR; CRITICAL/HIGH vulnerabilities block merge.
Compliance
- ISO 27001 control library implemented across infrastructure and application layers.
- SOC 2 Type I — in progress (target: prior to v1.0.0 GA). Type II evidence collection ongoing.
- Third-party penetration test — scheduled with a named firm (Cure53 / NCC Group / Bishop Fox) prior to v1.0.0 GA.
- Jurisdictions covered: GDPR (EU), UK-GDPR, UAE PDPL, Saudi PDPL, CCPA (California), PIPEDA (Canada), DPDPA (India), PDPA (Singapore), Privacy Act (Australia), BDSG (Germany).
- Per-tenant data residency: data remains in the configured region.
Monitoring & Response
- 24/7 oncall rotation with PagerDuty escalation.
- CloudWatch alarms on error rate, latency, queue depth, unauthorised access patterns.
- Immutable audit log of all administrative and data-access events.
- Documented runbooks for top 20 incident types; postmortems published for customer-impacting events.
- Breach notification within 72 hours per GDPR Article 33 / UAE PDPL.
Responsible Disclosure
We welcome reports from security researchers. Please send vulnerability reports to security@helpmesh.io. We commit to:
- Acknowledging your report within 2 business days.
- Providing a status update within 7 business days.
- Not pursuing legal action against good-faith researchers who follow our disclosure policy.
A machine-readable contact file is available at /.well-known/security.txt.
Contact
Security team: security@helpmesh.io
Security package requests (SOC 2, pentest letter, DPA): security@helpmesh.io