Security & Compliance
Your customers share their most sensitive information through your support inbox. We treat that responsibility seriously — security isn't a checkbox here, it's a first-class engineering priority.
Last updated: January 15, 2026
Independently verified, every year
Our security posture is audited by independent third parties — not self-assessed. Here's what we hold.
SOC 2 Type II
Annually audited against AICPA Trust Service Criteria — Security, Availability, and Confidentiality. Report available under NDA.
GDPR
Full compliance with EU/UK GDPR, including Data Processing Agreements (DPAs), Standard Contractual Clauses, and optional EU data residency.
HIPAA
Business Associate Agreements (BAAs) available for healthcare customers. HIPAA-eligible configuration with enhanced audit trails and access controls.
ISO 27001
Our Information Security Management System is certified to ISO/IEC 27001:2022, the global standard for information security.
End-to-end encryption
AES-256 at rest, TLS 1.2+ in transit — for all data, all the time. Enterprise BYOK (bring your own key) available.
SSO / SAML 2.0
SAML 2.0 SSO with Okta, Azure AD, Google Workspace, OneLogin, and Ping Identity. SCIM provisioning on Enterprise.
Audit logs
Immutable, tamper-evident audit logs for all user actions, data exports, permission changes, and AI autonomous actions. Retained for 1 year.
Penetration testing
Annual third-party penetration tests against our API, web application, and internal networks. Findings are remediated within defined SLAs by severity.
Uptime & availability
99.9% monthly uptime SLA backed by multi-region AWS infrastructure with automatic failover. Live status at status.thehelpflow.com.
Infrastructure & Architecture
TheHelpFlow runs on Amazon Web Services (AWS) across multiple Availability Zones within a primary region (US-East-1). All production workloads are containerised using Amazon ECS Fargate and orchestrated through infrastructure-as-code managed in Terraform. There are no persistent servers that can drift from defined state — every deployment is immutable.
Our database layer uses Amazon Aurora (PostgreSQL-compatible) in a multi-AZ configuration with automated failover. Point-in-time recovery is enabled with a 35-day retention window. Read replicas are deployed in separate AZs for both performance and resilience. Attachments and media files are stored in S3 with versioning and cross-region replication enabled.
All inbound traffic passes through AWS CloudFront (CDN) and AWS Shield Advanced for DDoS mitigation before reaching application load balancers. Web application firewall (WAF) rules block common OWASP Top 10 attack patterns. Our infrastructure is isolated in a dedicated VPC with private subnets; no production services have direct public internet exposure.
Encryption
In transit: All communication between clients and TheHelpFlow uses TLS 1.2 or TLS 1.3. We enforce HSTS with a 1-year max-age, preload, and includeSubDomains. TLS 1.0 and 1.1 are blocked. Certificate management is automated through AWS Certificate Manager with auto-renewal.
At rest: All database storage volumes, S3 buckets, and backup snapshots are encrypted using AES-256 with keys managed through AWS Key Management Service (KMS). Encryption keys are rotated automatically every 12 months. Enterprise customers may supply their own Customer Master Keys (BYOK) for an additional layer of control over data sovereignty.
Application-level encryption: Particularly sensitive fields (e.g. API credentials, OAuth tokens for third-party integrations) are encrypted at the application layer with distinct per-tenant keys before storage, providing defence-in-depth against database-layer compromise.
Access Control
TheHelpFlow enforces the principle of least privilege throughout the organisation and platform:
- Production access: Only a small number of engineers have production database access, gated behind hardware-based MFA and a zero-trust jump host. All sessions are recorded and require manager approval via an access request workflow.
- Role-based access control (RBAC): Within the platform, granular role assignments (Admin, Agent, Viewer, custom roles) control what data and features each user can access. Permissions are enforced both in the UI and at the API layer.
- API authentication: The public API uses short-lived JWT bearer tokens issued via OAuth 2.0. API keys (for integrations) are scoped to specific permissions and can be rotated or revoked instantly.
- Employee access: Employee access to customer data requires a documented business justification and manager approval, and is logged in our immutable audit trail. Customer data is never accessed for purposes other than providing the Service.
Monitoring & Threat Detection
Our security engineering team operates a continuous monitoring programme:
- Real-time security information and event management (SIEM) using AWS Security Hub, GuardDuty, and CloudTrail aggregated into a centralised logging pipeline.
- Anomaly detection alerts fire on unusual login patterns, bulk data exports, privilege escalation attempts, and abnormal API call volumes.
- Uptime monitoring checks every endpoint every 60 seconds from six global vantage points; automated PagerDuty escalation fires within 60 seconds of any degradation.
- Dependency vulnerability scanning runs on every code commit via GitHub Advanced Security and Dependabot. Critical CVEs trigger an immediate patch requirement tracked in our security board.
Incident Response
TheHelpFlow maintains a formal Incident Response Plan reviewed annually and tested via tabletop exercises. Our process follows the NIST SP 800-61 framework:
- Detection & triage: Automated alerts and on-call engineers identify and classify incidents within minutes.
- Containment: Affected systems are isolated or rolled back without delay.
- Eradication & recovery: The root cause is identified and removed, and the service is restored from a clean state.
- Post-incident review: A written blameless post-mortem is completed within 5 business days, with a public summary published on our status page for incidents affecting customers.
Breach notification: In the event of a personal data breach, we will notify affected customers without undue delay and, where required, within 72 hours (GDPR Article 33). We maintain a breach log and support customers in meeting their own notification obligations.
Vulnerability Disclosure
We welcome responsible disclosure from the security research community. If you believe you have found a security vulnerability in TheHelpFlow:
- Email support@thehelpflow.com with a detailed description of the issue and steps to reproduce.
- Please do not access, modify, or delete data that does not belong to you.
- We will acknowledge receipt within 2 business days and provide a resolution timeline based on severity.
- We will not take legal action against researchers acting in good faith under this policy.
- We offer recognition in our Security Hall of Fame and, for qualifying reports, monetary bounties through our private bug bounty programme.
Sub-Processors
We use the following categories of sub-processors to deliver the Service:
- Amazon Web Services (AWS): Cloud infrastructure, storage, and computing — US and EU regions.
- Stripe: Payment processing and PCI-DSS compliance — US.
- Postmark (ActiveCampaign): Transactional email delivery — US.
- Twilio: SMS and voice channel integrations — US/EU.
- Cloudflare: CDN, DDoS protection, and WAF — global edge network.
- Datadog: Application performance monitoring — US. Processed data is anonymised metrics only.
The complete and current sub-processor list, including DPAs for each, is maintained at support@thehelpflow.com. We provide 30 days' notice of any addition or change to our sub-processor list.
Data Residency
By default, all customer data is stored in AWS US-East-1 (Northern Virginia, USA). Enterprise customers may elect one of the following data residency configurations at no additional cost:
- EU: AWS eu-west-1 (Ireland) — suitable for GDPR compliance without Standard Contractual Clauses for intra-EU transfers.
- APAC: AWS ap-southeast-1 (Singapore).
Data residency elections are made at account setup or through a migration process handled by our Customer Success team. Cross-region replication is disabled for accounts with data residency restrictions.
Employee Security
Security practices extend to our team. All employees complete security awareness training at onboarding and annually thereafter. Engineering and security staff receive role-specific training including OWASP, secure coding practices, and social engineering awareness. Background checks are conducted for all employees in accordance with applicable local law. Access is de-provisioned within 4 hours of an employee's departure.
Report a Vulnerability
Found something? We appreciate it. Email our security team at support@thehelpflow.com with PGP encryption if needed (our public key is published on keys.openpgp.org). For low-severity issues, you may also use the in-app feedback form and select "Security concern" as the topic.
Thank you for helping keep TheHelpFlow and our customers' data safe.