Security

How we protect your data and the platforms you connect.

Helix acts on your behalf across sensitive systems: email, social, CRM, ad accounts, analytics. We built the platform with a security-first architecture from day one. Below are the practices that keep your data, your credentials, and your reputation safe.

OAuth-only platform connections

Helix never asks for the passwords of your tools. All connections to Gmail, LinkedIn, Reddit, your CRM, and your ad platforms use OAuth authorization flows managed by Composio. You authorize access in the platform's own UI; we receive only a scoped access token. You can revoke any connection at any time from the operator portal.

No credential storage

We store OAuth access tokens, not usernames or passwords. Tokens are encrypted at rest. Because we never hold your platform passwords, they cannot be extracted from our systems even in the event of a breach.

Row-level security

Our database runs on Supabase with row-level security enforced at the database layer on every table. A query issued by one organization cannot return data belonging to another, even if there were a bug at the application layer.
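As an added illustration (not Helix's own schema or policy), this is what a per-organization row-level-security policy of the kind described above looks like in Supabase's Postgres; the `prospects` and `organization_members` tables and their columns are assumptions, while `auth.uid()`, the `authenticated` role and the `request.jwt.claims` setting are Supabase's own.

```sql
-- Assumed schema for this example: one row per prospect, tagged with
-- the organization that owns it.
create table if not exists prospects (
  id     bigint generated always as identity primary key,
  org_id uuid not null,
  email  text not null
);

-- Assumed mapping from an authenticated user to the organizations
-- they belong to; the policy below is driven entirely by this table.
create table if not exists organization_members (
  user_id uuid not null,
  org_id  uuid not null,
  primary key (user_id, org_id)
);

-- Without RLS, any role with SELECT on the table sees every
-- organization's rows and isolation lives only in the application's
-- WHERE clause. Enabling RLS moves that check into the database.
alter table prospects enable row level security;
-- FORCE applies the policies to the table owner as well, so a
-- privileged application connection cannot accidentally skip them.
alter table prospects force row level security;

-- Once RLS is enabled, rows with no matching policy are invisible, so
-- this single policy is the complete allow-list for reads and writes.
create policy prospects_same_org on prospects
  for all
  to authenticated                 -- Supabase's role for logged-in users
  using (                          -- rows a member may read/update/delete
    org_id in (select org_id from organization_members
               where user_id = auth.uid())
  )
  with check (                     -- rows a member may insert/update into
    org_id in (select org_id from organization_members
               where user_id = auth.uid())
  );

-- Verification from the SQL editor: impersonate a member of one
-- organization and confirm only that organization's rows come back.
-- The subject UUID is a constructed placeholder.
begin;
  set local role authenticated;
  set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001"}';
  select org_id, count(*) from prospects group by org_id;  -- one org only
rollback;

-- Caveat: Supabase's service_role key bypasses RLS entirely, so it must
-- never reach the browser; per-organization isolation only holds for
-- requests made with a user's own JWT.
```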

Approval-first by design

No outreach, content, or community reply is sent in your name without explicit approval from an authorized operator. Every send is logged, attributable, and reversible up to the moment of dispatch.

Encryption in transit

All communication between your browser, our servers, our database, and the third-party platforms we connect to uses TLS 1.2 or higher. We enforce HTTPS-only access with HSTS headers.

Encryption at rest

All data stored in Supabase is encrypted at rest using AES-256. Database backups are also encrypted.

Authentication

Operator authentication is managed by Supabase Auth. Passwords are hashed using bcrypt. Session tokens are short-lived and rotated regularly. SSO support is on the roadmap for enterprise engagements.

Payment security

Payments are processed by Stripe. Helix never sees or stores your card details. All billing data lives in Stripe's PCI-compliant infrastructure.

Organization isolation

Each organization is a separate tenant. Your data (company profile, prospects, drafts, signals, content, approvals) is logically and cryptographically isolated from other organizations' data. Service engagements add a second layer of access control restricting operator visibility to assigned clients.

Audit log

Every action taken by an agent and every approval, edit, or rejection by an operator is recorded in an audit log scoped to your organization. The log is queryable from the portal and exportable on request.

Data deletion

When you delete your account, all associated data is deleted immediately via cascading database deletes. Your authentication record is also deleted, permanently revoking login access. Encrypted backups are purged on a rolling 30-day schedule.

Responsible disclosure

If you discover a security vulnerability, please report it to security@getlatest.ai before disclosing publicly. We aim to respond within 24 hours and will work with you to resolve the issue quickly.