We publish where we are. We do not claim what we haven’t earned.
Summary
| Standard | Status | Notes |
|---|---|---|
| GDPR | Operational | Data subject requests, DPA self-serve at /dpa, sub-processors at /sub-processors |
| HIPAA mode | Operational | Per-org toggle. Gates session timing, audit detail, encryption requirements |
| SOC 2 Type II | Readiness on roadmap | We run the controls. Audit not yet completed. We will not claim certification until we have it |
| ISO 27001 | Under evaluation | Targeting 2026 |
| CCPA | Operational | CCPA-specific requests routed through the same flow as GDPR |
| PCI-DSS | Self-assessment (SAQ A) | Cardholder data is processed by the payment gateway (Stripe), not stored by Helios |
GDPR
Helios is GDPR-aware by design:
- Right of access — full data export via the SaaS console or API.
- Right to rectification — every record editable by the data subject.
- Right to erasure — account deletion via SaaS console; 30-day grace.
- Right to portability — export in CSV and JSON.
- Right to object — opt-out of telemetry; opt-out of email marketing.
- DPO contact — to be appointed before commercial launch.
- EU representative — to be appointed.
- Lawful basis catalogued at /privacy §3.
- DPA self-serve at /dpa.
- Sub-processors at /sub-processors, with 30-day notice on changes.
HIPAA
Helios offers a HIPAA mode that can be enabled per organization. When enabled:
- Stricter session expiry (12-hour cookies, 15s session-cache).
- Tighter audit detail on PII access.
- Email-OTP 2FA disabled (passkeys / TOTP only).
- Password minimum length raised to 12 characters.
- Audit-export defaults turned on.
BAA: customers requiring a Business Associate Agreement should contact legal@heliosworks.com. Available on the Enterprise tier.
SOC 2 (in progress)
We run the controls described in our Security page. We have not yet completed a SOC 2 Type II audit. We will not claim certification until we have one.
What we’re doing:
- Quarterly internal control review.
- Vulnerability disclosure program (/security).
- Audit-log integrity verification.
Timeline: audit kickoff targeted for Q3 2026, with Type II observation period through Q1 2027 if all goes well.
ISO 27001
Under evaluation for 2026. We will publish a more specific timeline once we’ve selected an audit partner.
CCPA
California residents’ rights are honored through the same data subject request flow as GDPR. The “do not sell” right is moot — Helios does not sell personal data.
PCI-DSS
Cardholder data is not stored or processed by Helios. Payment processing flows through Stripe (or your configured gateway). We self-assess under SAQ A, applicable to merchants that fully outsource payment processing.
Contact
- Compliance questions: legal@heliosworks.com
- Security: security@heliosworks.com
- Get on the BAA waitlist: email legal@heliosworks.com with “HIPAA BAA request” in the subject line