Security is not an afterthought
CodeHelm is designed from the ground up with security as the first priority. Here's exactly how we protect your data, credentials, and access.
Credential Security
- API keys encrypted at rest using AES-256
- Keys never logged or exposed after initial entry
- Keys visible only within the owning workspace
- HMAC-SHA256 hashing for service API keys
Authentication
- Argon2id password hashing
- JWT access tokens (short-lived) + refresh token rotation (RTR)
- Replay attack detection: revoked token reuse revokes full session
- Redis-backed rate limiting with account lockout
No AI Traffic Proxying
- Your prompts never touch CodeHelm servers
- API keys connect directly from orchestration engine to provider
- Zero token markup — you pay your provider directly
- No training on your code or prompts
Audit & Compliance
- Append-only audit log for all workspace actions
- Run history immutably stored with full metadata
- Structured logging to Loki + Prometheus observability stack
- SOC2 Type II-ready design (audit in progress)
Access Control
- Role-based access: Owner, Admin, Member, Viewer
- Per-workspace isolation — no cross-workspace data leakage
- GitHub App permissions: minimal scope, revocable at any time
- SSO / SAML available on Enterprise plan
Infrastructure Security
- All traffic TLS 1.3 encrypted in transit
- PostgreSQL and Redis bound to localhost — no public exposure
- Docker containers run as non-root users
- Pinned Docker image versions — no :latest tags
Responsible disclosure
If you discover a security vulnerability in CodeHelm, please report it responsibly. We take all reports seriously and aim to respond within 24 hours.
Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to investigate and address them.
security@ottili.one