Security & Trust

Last updated: June 29, 2026

Posture version v2026.05 · 10 implemented controls published

Every claim on this page is generated from a repo-tracked Control & Evidence Register. We map our controls against the frameworks customer compliance programs are governed by, not against marketing copy.

Posture statement

HelmIQ operates as a third-party service provider to SEC-registered investment advisers and their affiliates. Our security program is designed to support customer compliance with the Investment Advisers Act (Rule 206(4)-7 program), Reg S-P (Safeguards Rule, as amended May 2024), Section 204A and Rule 204A-1 (MNPI controls), and Adviser Rule 204-2 books-and-records retention. Where the customer maintains a broker-dealer affiliate, we additionally support Rule 17a-4 records retention. Our control catalogue cross-maps to SOC 2 (TSC 2017), NIST CSF 2.0, SIG Lite (Shared Assessments), ILPA's Due Diligence Questionnaire (Cyber/IT section), and AIMA's Illustrative Cybersecurity Questionnaire so vendor diligence can be completed by reference rather than by interview.

Frameworks & standards we map to

"Mapped to" means our control catalogue cross-references these frameworks. SOC 2 attestation, external penetration testing, and cyber-liability insurance are scheduled for our Tier B trust-signal phase, triggered by the first customer SOC 2 representation or $300K ARR, whichever comes first.

AIMA Cyber DDQ · ILPA Cyber DDQ · NIST CSF 2.0 · SEC Reg S-P · Adviser Rule 204-2 · SIG Lite · SOC 2 (TSC 2017)

Implemented controls

Each control links to a control ID in our internal Register. Customer counsel may request the full internal posture report (including residual-risk dispositions, gap rows, and evidence pointers) under NDA.

HELM-LA-01

Logical access: organization scoping at API boundary

Tenant isolation is enforced at every API boundary. Helm uses a single org-scoping primitive that every customer-data read or write must traverse; cross-tenant access is structurally unreachable, not policy-gated.

SOC 2 (TSC 2017): CC6.1, CC6.3 · NIST CSF 2.0: PR.AA-01, PR.AA-05 · SEC Reg S-P: §248.30(a)(1) · SIG Lite: G.1.1 · ILPA Cyber DDQ: IT-Sec-04 · AIMA Cyber DDQ: 3.2.1

HELM-EN-01

Encryption at rest: customer data + OAuth tokens

Customer data is encrypted at rest. OAuth tokens for connected accounts (Gmail, Calendar, Outlook, Twilio) are additionally envelope-encrypted at the application layer with AES-256-GCM before persistence, so a database-only compromise does not surface usable tokens.

SOC 2 (TSC 2017): CC6.6 · NIST CSF 2.0: PR.DS-01 · SEC Reg S-P: §248.30(a)(3)

HELM-EN-02

Encryption in transit: TLS + HSTS preload

All Helm traffic is encrypted in transit via TLS. HSTS is preloaded with a 2-year max-age and the includeSubDomains directive, so subdomain downgrades are rejected by the browser.

SOC 2 (TSC 2017): CC6.6, CC6.7 · NIST CSF 2.0: PR.DS-02 · SEC Reg S-P: §248.30(a)(3)

HELM-AU-01

Append-only audit log for privileged actions

Every privileged mutation in Helm (record creates and deletes, authentication events, AI-agent decisions, draft sends, data exports, membership changes) writes a row to an append-only audit log. The log is queryable for compliance review and supports SEC examination requests under Adviser Rule 204-2.

SOC 2 (TSC 2017): CC7.2, CC7.3 · NIST CSF 2.0: DE.CM-01 · SEC Reg S-P: §248.30(a)(2) · Adviser Rule 204-2: 204-2(a)(7)

HELM-RL-01

Layered rate limiting on auth and sensitive endpoints

Helm enforces named rate-limit tiers across authentication, data export, and mutation endpoints. Failed login attempts trigger account lockout after 20 failures in 24 hours.

SOC 2 (TSC 2017): CC6.1, CC7.1 · NIST CSF 2.0: PR.AA-05 · SEC Reg S-P: §248.30(a)(2)

HELM-PW-01

Password hashing: bcrypt with cost factor 10

Passwords are stored as bcrypt hashes (cost factor 10). Authentication uses constant-time comparison. Password reset links are 256-bit random tokens, single-use, with a 30-minute TTL.

SOC 2 (TSC 2017): CC6.1 · NIST CSF 2.0: PR.AA-01 · SEC Reg S-P: §248.30(a)(3)

HELM-AI-01

AI processing: Zero Data Retention via gateway

Most AI inference runs through a unified gateway configured for Zero Data Retention (ZDR): those requests reach only model providers that certify zero retention and are not retained by them, and a request that no zero-retention provider can serve is refused rather than downgraded. Gateway ZDR governs upstream provider retention; the gateway's own encrypted request log is a separate, independently configurable control. Some features (the in-app assistant, call transcription, and semantic search) call OpenAI directly; OpenAI does not train on this data and retains it only within its standard abuse-monitoring window. In all cases no provider trains on customer data, and gateway ZDR enforcement is continuously verified by an internal probe.

SOC 2 (TSC 2017): CC6.1, C1.1 · NIST CSF 2.0: PR.DS-01, GV.SC-07 · SEC Reg S-P: §248.30(a)(2)

HELM-RE-01

Data retention and deletion lifecycle

Customer data follows a defined retention and deletion lifecycle. Deleted records move to a 30-day recoverable state and are then purged by scheduled jobs. On termination, data can be exported for 30 days and is then deleted, except records we are required to retain for financial-services recordkeeping.

SOC 2 (TSC 2017): CC6.5, C1.2 · NIST CSF 2.0: PR.DS-03 · SEC Reg S-P: §248.30(a)(1) · Adviser Rule 204-2: 204-2(e)(1)

HELM-BR-01

Backups and point-in-time recovery

Customer data is backed up continuously through our managed database provider, which supports point-in-time recovery. A formally documented and periodically tested disaster-recovery runbook with published recovery-time and recovery-point objectives is on our Tier B roadmap.

SOC 2 (TSC 2017): A1.2, A1.3 · NIST CSF 2.0: RC.RP-01, PR.DS-11 · SEC Reg S-P: §248.30(a)(4)

HELM-IR-01

Incident response and coordinated disclosure

Helm operates a coordinated vulnerability disclosure process and commits to notifying affected customers within 72 hours of confirming a breach. An append-only audit log supports incident investigation. A formally documented incident-response runbook and periodic tabletop exercise are on our Tier B roadmap.

SOC 2 (TSC 2017): CC7.3, CC7.4, CC7.5 · NIST CSF 2.0: RS.MA-01, RS.AN-01, DE.AE-02 · SEC Reg S-P: §248.30(a)(3)

Subprocessors

HelmIQ uses the following subprocessors to deliver the service. We update this list within 30 days of any change. Each subprocessor's SOC 2 attestation status is verified during our annual security-program review.

| Subprocessor | Purpose | Region |
| --- | --- | --- |
| Neon | Managed Postgres: primary application database | AWS us-east (default) |
| Vercel | Application hosting: compute, edge, build | Global edge; primary US |
| Concentrate | AI gateway: single entry point for all model inference; routes to downstream providers under enforced Zero Data Retention; native web search | US |
| Anthropic | AI inference: Claude models, accessed via the Concentrate gateway under ZDR (not Anthropic-direct) | US |
| OpenAI | AI inference: gpt-4o-mini via the Concentrate gateway under ZDR; plus Whisper audio transcription (no-retention endpoint, OpenAI-direct) | US |
| Twilio | Voice + SMS: call recording, dial-out, transcription pipeline trigger | US |
| Google Workspace (Gmail + Calendar OAuth) | Customer-authorized OAuth grants; we read on behalf of customer; we do not host customer Gmail data | Customer's Google region |
| Microsoft 365 (Outlook + Calendar + OneDrive/Teams OAuth) | Customer-authorized OAuth grants; we read and act on behalf of the customer; we do not host customer mailbox data | Customer's Microsoft region |
| Zoom | Video meeting provider used to create user-authorized meeting links for scheduled meetings and calendar invites; identifies the authorized Zoom user. No access to recordings, transcripts, or chat. | Customer's Zoom region |
| Resend | Transactional + platform email delivery (system notifications, booking and reminder fallback) when a firm has no own mailbox connected | US |
| Cloudflare R2 | Object storage for uploaded documents and call recordings (encrypted at rest), when configured | US / auto (Cloudflare) |
| Stripe | Billing: payment processing for Helm subscription | US |

Vendor diligence bundle

Pre-answered SIG Lite, ILPA Cyber DDQ, and AIMA Cyber DDQ responses are available under NDA. The same NDA covers release of our internal posture report, which includes residual-risk dispositions, gap rows, and evidence pointers to our codebase. Email jack@helmiq.net with the questionnaire format you need and we'll route a response within one business day.

Security disclosure & contact

HelmIQ welcomes coordinated disclosure of security issues from researchers, customers, and counterparties. Our default disclosure window is 90 days from initial report.

Trust-signal roadmap

We publish our roadmap so customers know what's present today and what's scheduled. Each milestone is anchored to a measurable trigger so we don't over-invest before customer revenue justifies the cost.

  • Today (Tier A): public Trust Center, written control catalogue cross-mapped to seven frameworks, NDA-gated vendor DDQ bundle on request, RFC 9116 disclosure, security headers + audit-log infrastructure.
  • Tier B (triggered at first customer SOC 2 representation or $300K ARR): SOC 2 Type I attestation, external penetration test, cyber-liability + tech E&O insurance binding, fractional CISO retainer.
  • Tier C (12 months post-Type I): SOC 2 Type II, hosted GRC tooling, customer-facing reference calls.

This page is a generated projection of HelmIQ's Control & Evidence Register. Source of truth lives in version control and changes here are auditable from git history.