Scalable. Secure. Reliable.

The world’s leading mobile apps trust Helpshift with all of their support needs.

At Helpshift we continuously work to protect the security, availability and confidentiality of our customers' data by adopting industry best practices and meeting the requirements of the compliance standards we follow.

Scalability – No Demand is Too High

Helpshift utilizes an elastic infrastructure to automatically increase capacity based on demand. This allows us to support one billion devices and 80 million conversations per year. Scaling to thousands of agents isn’t an issue because no extensive training is necessary and onboarding takes just minutes.

As secure as it Gets

Helpshift periodically undergoes external assessments and audits that attest our controls against industry frameworks and regulations for information security and data privacy, including ISO 27001, SOC 2 Type 2, HIPAA, GDPR and CCPA. Our product also includes features that allow fully anonymous data collection, to meet the requirements of regulations such as COPPA. Our services are hosted on Amazon Web Services, whose infrastructure is compliant with PCI DSS, SOC 1/2/3, ITAR, EU-US and NIST requirements. Under the AWS shared responsibility model those certifications cover the underlying infrastructure; the security of the Helpshift application and of our configuration of AWS services is our own responsibility and falls within the scope of the assessments listed above.

Software you can trust

We monitor our production services 24/7. We build resilience into our stateless, service-oriented architecture to enable fault isolation, loose coupling and simpler testing. Service instances are clustered so that the failure of a single instance does not affect traffic, and load balancing lets us add capacity when required without disrupting production traffic that is already being served.

Data Center Security

Helpshift processes all electronic data in compliance with applicable laws and regulations for the purpose of providing its services to customers. Our servers are hosted on Amazon Web Services (AWS), which adheres to industry-standard security compliance requirements and privacy policies.

The AWS architecture incorporates features that align with multiple compliance requirements, such as data encryption, network management policies and DDoS mitigation. We also have a dedicated operations team that is responsible for monitoring and maintaining the security of our network infrastructure through periodic maintenance activities.

Our data is hosted in the AWS Virginia region in the USA. AWS is the industry leader in the provision of cloud services and is responsible for the physical security of its data center locations. Find out more about security at AWS at: https://aws.amazon.com/security/

Endpoint Security

At Helpshift we protect data and devices by hardening all endpoint devices with password protection and disk encryption. Employees are periodically trained on security and privacy best practices and on the compliance requirements Helpshift follows. Endpoints receive the latest software and firmware updates remotely on a periodic basis so that they stay up to date.

Data Encryption

All customer data, at rest and in transit, is encrypted. Data at rest is encrypted with 256-bit Advanced Encryption Standard (AES-256), and data in transit through Helpshift is encrypted with TLS 1.2 across all our services.

Privacy Policy

Ensuring and maintaining the privacy of our customers' data is one of our top priorities, and we are committed to ensuring that our products and services comply with the relevant and applicable privacy laws. Helpshift has formally defined policies in place that ensure consent is obtained from data subjects prior to data collection and use. We also employ techniques such as pseudonymisation to decouple end-user identities from their data, which adds a further layer of protection when processing customer data. You can read more about our Privacy Policy at www.helpshift.com/legal/privacy

Organizational Policies

Helpshift has defined formal organization-level policies that govern the security of its employees, customers and devices. We ensure that our corporate environment remains secure without diluting the comfort or efficiency of our employees. Our employees periodically undertake security assessments and training to refresh their knowledge of Helpshift policies and security best practices.

Application and network security

Helpshift uses industry-standard controls to ensure that data at rest and in transit is encrypted: AES-256 for data at rest and TLS 1.2 for data in transit. Our internal wireless networks are protected with WPA2, and all devices are hardened before they are issued. Access restrictions apply to the corporate networks and to devices that contain sensitive information.

Software Development cycle

Helpshift has a formally documented Software Development Lifecycle (SDLC) policy that mandates code review for every release, together with QA and security testing, so that defects are caught before the product is shipped.

Risk Management

The internal audit team maintains a risk repository in which we identify and document known risks, along with plans to mitigate or otherwise treat them. The risk repository is periodically reviewed and kept up to date.

Responsible Disclosure of Security/Privacy Vulnerability

Security is always at the top of our minds. We value the security researcher community and its help in maintaining our security posture. As part of this commitment, we set out below some do's and don'ts for responsible disclosure of vulnerabilities.

Please contact [email protected] if you find a potential vulnerability in any *.helpshift.com domain, subject to the rules below.

  • You can expect an acknowledgment from our team within 8 hours, or within 48 hours if you contact us on a weekend or holiday.
  • Helpshift defines the severity of a reported issue based on its impact and ease of exploitation.
  • It may take us 3 days or more to validate a reported vulnerability.
  • When testing, you must not violate our privacy policy, modify or delete user data, conduct brute-force or rate-limiting attacks, or impact the user experience.
  • Please treat information about any potential vulnerability you report as highly confidential. Never disclose it publicly without our permission.

What we expect in the report

  • A brief explanation of the threat vector.
  • The impact of the vulnerability: does it affect a domain, a privilege level, platform components, user privacy, etc.? Describe it in whatever way best conveys your understanding of the impact.
  • A proof of concept (steps to reproduce). A screen recording of the PoC is very welcome.
  • Your handle or name for due recognition. You will be featured on our security page.
  • You will also be duly compensated for vulnerabilities that we judge to be of very high impact. (No, not in cryptocurrency!!)

Bugs we would like to see

  • Injection (XSS, CSV, HTML)
  • Request Forgery (SSRF and CSRF)
  • Server misconfigurations (public S3 etc.)
  • Broken Authorisation
  • Vulnerabilities found in third party components that we use

Bugs that will be considered false positives or invalid; please refrain from reporting:

  • Rate limiting, brute-force or DDoS attacks
  • Automated scans
  • Open redirections
  • Vulnerabilities that require physical access to be realised.
  • Phishing / Spamming (including issues related to SPF/DKIM/DMARC)
  • Metadata (EXIF, geolocation etc.) not masked on content such as images.
  • Self-XSS
  • Any bug without a proof of concept and explanation

If you have a bug that satisfies the above criteria, please reach out to [email protected].
