Security

We take privacy very seriously here at Helium. You can trust that the services we provide will stay safe with us.


Last updated: 8 June 2018

As mentioned in our privacy policy, we understand the responsibility we have in managing your data. We have a set of security policies that reflect that. We continue to evolve and add to these as we work harder to secure your information.

Data Center Security

We host our systems on cloud service providers that reflect our values around security. Those are:

Encryption

We currently encrypt all data travelling between you and our services with Transport Layer Security (TLS), sometimes referred to as SSL, its predecessor. We ensure that we are not using outdated and vulnerable standards with known attacks (SSL 3.0, for example). See our SSL Labs report card.

Up-to-Date Software

When software vulnerabilities are discovered, the responsible parties fix them and push new releases of that software. We make sure that we are using up-to-date versions of operating systems, kernels, packages, and libraries to avoid known vulnerabilities.

Two-Factor Auth and Security Keys

We require employees to use two-factor auth (2FA) whenever possible for the services we use as a business. We provide employees with Security Keys (FIDO U2F) and prefer these over time-based one-time passwords and text message-based two-factor solutions. A compromised password does not mean a compromised login because cyber attackers would also need our physical hardware.

Role-based access

Employee access to Helium’s systems is granted on a need-to-know basis. This limits the scope of what can be compromised.

Internal security training and policies

Helium maintains a set of internal security policies that all employees are required to understand and follow. These include strong passwords, full-disk encryption of business computers, email policies, limitations on data use and storage, etc.

Security-minded software development practices

Part of the security we provide is baked into how we create our software. We use industry best practices to create, review, test, deploy, and administer our products. Code is stored in version control systems that provide audit history and redundant storage. We review code before it is committed to production, providing a chain of trust involving more than one employee. Automated tests help ensure that code behaves as it should, even in abnormal cases.

Backups

We run daily backups of production systems to protect against catastrophic loss or human error.