Scalable. Secure. Reliable.
The world’s leading mobile apps trust Helpshift with all of their support needs.
At Helpshift, we continuously strive to protect the security, availability and confidentiality of our customers’ data by adopting industry best practices and meeting compliance standards.
- Scalability – No Demand is Too High
Helpshift utilizes an elastic infrastructure to automatically increase capacity based on demand. This allows us to support one billion devices and 80 million conversations per year. Scaling to thousands of agents isn’t an issue because no extensive training is necessary and onboarding takes just minutes.
- As Secure as It Gets
Helpshift periodically undergoes external assessments and audits that help us attest and certify ourselves against standard industry frameworks for information security and data privacy, such as ISO 27001, SOC 2 (Type 2) and HIPAA. Helpshift is also compliant with the requirements of GDPR, CCPA and COPPA. Our product also contains features that allow for fully anonymous data collection (to adhere to the requirements of certain regulations such as COPPA).
- Software you can trust
We monitor our production services 24/7. We build resilience into our stateless, service-oriented architecture to enable fault isolation, loose coupling, and simpler testing. We cluster service instances so that traffic is unaffected by the failure of any single instance. Load balancing also ensures that capacity can be added effortlessly when required, without affecting production traffic currently being served.
- Data Center Security
Helpshift processes all electronic data in compliance with applicable laws and regulations for the purpose of providing its services to Customers. Our servers are hosted on a cloud environment which adheres to industry standard security compliance requirements and privacy policies.
Helpshift’s cloud environment incorporates features that align with multiple compliance requirements, such as data encryption, network management policies and DDoS mitigation techniques. We also have a dedicated operations team in charge of monitoring and maintaining network infrastructure security through periodic maintenance activities.
- Endpoint Security
At Helpshift we ensure data and device security by hardening all endpoint devices with password protection and encryption. Employees are periodically trained on security and privacy best practices with respect to the compliance requirements followed at Helpshift. Endpoints are updated remotely with the latest software and firmware on a periodic basis to keep their security up to date.
- Data encryption, Application and Network security
Helpshift uses industry best standards to ensure that data at rest and in transit is encrypted. Our internal networks are also protected, and all devices are hardened before they are issued. Access restrictions apply to the corporate networks and to devices that contain sensitive information.
- Privacy Policy
Ensuring and maintaining the data privacy of our customers is one of our top priorities, and we are committed to ensuring that our products and services comply with the relevant and applicable privacy laws. Helpshift has formally defined policies in place that ensure user consent from data subjects prior to data collection and usage. We also employ techniques such as pseudonymisation to de-reference end user identities from their data, which adds a further layer of security when processing Customer data. You can read more about our Privacy Policy at www.helpshift.com/legal/privacy.
- Organizational Policies
Helpshift has defined formal policies at an organizational level that govern the security of its employees, customers and devices. We ensure that our corporate environment remains secure without diluting the comfort or efficiency of our employees. Our employees periodically undertake security assessments and training to refresh their knowledge of Helpshift policies and security best practices.
- Responsible Disclosure of Security/Privacy Vulnerability
Security is always at the top of our minds. We value the security researcher community and welcome its help in maintaining our security posture. As part of this commitment, we set out below some do’s and don’ts for responsible disclosure of vulnerabilities.
Please contact [email protected] if you find any potential vulnerability in a *.helpshift domain that meets the criteria below.
- You can expect an acknowledgment from our team within 8 hours, or within 48 hours if you contact us on a weekend or holiday.
- Helpshift defines the severity of a reported issue based on its impact and ease of exploitation.
- It may take us 3 days or more to validate a reported vulnerability.
- When conducting testing, you must not violate our privacy policy, modify or delete user data, conduct brute-force or rate-limiting attacks, or impact user experience.
- Please treat information about any potential vulnerability that you report as highly confidential. You should never disclose it to the public without our permission.
What we expect in the report
- A brief explanation that details the threat vector.
- The impact of the vulnerability: does it affect a domain, a privilege, platform components, user privacy, etc.? Please feel free to describe it however you see fit, according to your understanding of the impact.
- A proof of concept (steps to reproduce). A visual PoC, such as a screen recording, would be very nice.
- Your handle or name/alter ego for due recognition. You will be featured on our security page.
- You will also duly be compensated for vulnerabilities that we construe as very high impact. (No, not in cryptocurrency!!)
Bugs we would like to see
- Injections (XSS/CSV/HTML)
- Request Forgery (SSRF and CSRF)
- Server misconfigurations (public S3 etc.)
- Broken Authorisation
- Vulnerabilities found in third party components that we use
Bugs that will be considered false positives or invalid. Please refrain from reporting:
- Rate limiting, brute-force or DDoS attacks
- Automated scans
- Open redirections
- Vulnerabilities that require physical access to be realised.
- Phishing / Spamming (including issues related to SPF/DKIM/DMARC)
- Metadata (EXIF, geolocation etc.) not masked on content such as images.
- Self-XSS
- Any bug without a proof of concept and explanation
If you have a bug that satisfies the above criteria, please reach out to [email protected].