Last updated: 8 June 2018
Data Center Security
We host our systems on cloud service providers that reflect our values around security. Those are:
We currently encrypt all data travelling between you and our services with Transport Layer Security (TLS), sometimes referred to by the name of its predecessor, SSL. We ensure that we are not using outdated and vulnerable standards with known attacks (SSL 3.0, for example). See our SSL Labs report card.
When software vulnerabilities are discovered, the responsible parties fix them and push new releases of that software. We make sure that we are using up-to-date versions of operating systems, kernels, packages, and libraries to avoid known vulnerabilities.
Two-Factor Auth and Security Keys
We require employees to use two-factor auth (2FA) whenever possible for the services we use as a business. We provide employees with Security Keys (FIDO U2F) and prefer these over time-based one-time passwords and text message-based two-factor solutions. A compromised password does not mean a compromised login, because cyber attackers would also need our physical hardware.
All employees at Helium undergo a series of criminal background checks upon hiring and every two years thereafter.
Employee access to Helium’s systems is granted on a need-to-know basis. This limits the scope of what can be compromised.
Internal Security Training and Policies
Helium maintains a set of internal security policies that all employees are required to understand and follow. These include policies on strong passwords, full-disk encryption of business computers, email, and limitations on data use and storage.
Security-Minded Software Development Practices
Part of the security we provide is baked into how we create our software. We use industry best practices to create, review, test, deploy, and administer our products. Code is stored in version control systems that provide audit history and redundant storage. We review code before it is committed to production, providing a chain of trust involving more than one employee. Automated tests help ensure that code behaves as it should, even in abnormal cases.
We run daily backups of production systems to protect against catastrophic loss or human error.
Have security-related questions or concerns? Email us at firstname.lastname@example.org.