End-to-end security

Security isn't an add-on layer — it's built into every line of code, every query, every RLS policy.

Encryption at rest

OAuth tokens and sensitive data are encrypted with AES-256-GCM using a derived key (MAIL_TOKEN_ENC_KEY), with zero-downtime hot rotation.

Per-organization isolation

Postgres Row-Level Security on 100% of user tables. No query can cross organization boundaries, even with an app-layer bug.

Hash-chain audit

Every platform action (impersonation, suspension, admin access) is written to an append-only log chained with SHA-256 — tampering is detectable.
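The hash-chain idea above in working form, as an added example rather than Helixmail's own code: each record's SHA-256 commits to its sequence number, the previous record's hash and the action itself, so editing, deleting or re-ordering any record breaks every link after it. The action names, actor and org identifiers, and the all-zero genesis value are constructed for the illustration.

```python
"""Append-only audit log chained with SHA-256 (added example, not Helixmail code)."""
import hashlib
import json
from copy import deepcopy
from typing import Optional

GENESIS_HASH = "0" * 64  # constructed sentinel for "no previous record"


def record_hash(seq: int, prev_hash: str, entry: dict) -> str:
    """SHA-256 over the canonical JSON encoding of (seq, prev_hash, entry)."""
    payload = json.dumps(
        {"seq": seq, "prev_hash": prev_hash, "entry": entry},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def append_record(log: list, entry: dict) -> dict:
    """Append one platform action; its hash commits to every earlier record."""
    seq = len(log)
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    record = {
        "seq": seq,
        "prev_hash": prev_hash,
        "entry": deepcopy(entry),
        "hash": record_hash(seq, prev_hash, entry),
    }
    log.append(record)
    return record


def verify_chain(log: list) -> Optional[int]:
    """Return None if the chain is intact, else the seq of the first bad record.

    Catches edited fields, re-ordered records, deleted records and
    anything appended without a valid link to its predecessor.
    """
    expected_prev = GENESIS_HASH
    for i, record in enumerate(log):
        if record["seq"] != i or record["prev_hash"] != expected_prev:
            return i
        if record["hash"] != record_hash(i, expected_prev, record["entry"]):
            return i
        expected_prev = record["hash"]
    return None


def build_sample_log() -> list:
    """Constructed sample actions of the kinds the page lists."""
    log: list = []
    append_record(log, {"action": "admin_access", "actor": "ops-1", "org": "org_a"})
    append_record(log, {"action": "impersonation", "actor": "ops-1", "org": "org_a", "user": "u_42"})
    append_record(log, {"action": "suspension", "actor": "ops-2", "org": "org_b"})
    return log


def tampered_log() -> list:
    """Copy of the sample log with the impersonation record rewritten after the fact."""
    log = deepcopy(build_sample_log())
    log[1]["entry"]["actor"] = "ops-9"  # the stored hash no longer matches
    return log


def truncated_log() -> list:
    """Copy of the sample log with the middle record deleted."""
    log = deepcopy(build_sample_log())
    del log[1]  # the old third record now sits at index 1 with seq 2
    return log


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_log()))      # None
    print("tampered:", verify_chain(tampered_log()))        # 1
    print("truncated:", verify_chain(truncated_log()))      # 1
```

The chain makes tampering detectable, not impossible: anyone with write access to the whole table could rewrite a record and recompute every later hash. Verification therefore needs the latest hash anchored somewhere the writer cannot reach (a periodically exported tail hash, or a separate witness), and "append-only" still has to be enforced at the database level by denying UPDATE and DELETE on the log table.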

GDPR compliance

Signable DPA, subprocessor registry, incident notification workflow < 72h, on-demand export and deletion.

Automatic kill-switch

Send anomaly detection (bounces, spam) → automatic sending freeze on the affected org + internal Slack alert.

Infrastructure

Managed Postgres, Edge runtime on Cloudflare Workers, 7-day PITR backups, 99.9% uptime monitoring.

Certifications & compliance

  • ✓ GDPR — reachable DPO, public subprocessor registry
  • ✓ EU hosting (Cloudflare EU + Supabase eu-central-1)
  • ✓ ISO 27001 — in progress (Q4 2026)
  • ✓ SOC 2 Type II — roadmap 2027

Vulnerability disclosure? security@helixmail.com (PGP available).