Compliance Overview
Mabble Helix is designed to help operators meet their obligations under HIPAA, GDPR, CCPA/CPRA, and related frameworks. This page maps the relevant regulatory requirements to the Helix features that address them.
This is not legal advice. Operators remain responsible for their own compliance posture and should engage qualified counsel for jurisdiction-specific obligations.
HIPAA
HIPAA applies to Covered Entities and their Business Associates when handling Protected Health Information (PHI). Helix acts as a Business Associate when processing PHI on behalf of a Covered Entity operator. A BAA is required before processing PHI — see Business Associate Agreement.
Privacy Rule (45 CFR Part 164, Subpart E)
| Requirement | Section | Helix feature |
|---|---|---|
| Individual right of access to PHI | §164.524 | DSAR public form (request type: access); operator console DSAR workflow |
| Individual right to request amendment | §164.526 | DSAR form (request type: amend); operator console amendment workflow |
| Accounting of disclosures | §164.528 | Immutable audit log; per-tenant Merkle-anchored event trail |
| Notice of Privacy Practices (NPP) | §164.520 | Hosted, versioned privacy notice; all versions archived permanently |
| Minimum necessary access | §164.502(b) | Row-Level Security; RBAC with least-privilege capability model |
| Administrative safeguards | §164.308 | Role-based access; audit logging; workforce training (operator responsibility) |
Security Rule (45 CFR Part 164, Subpart C)
| Safeguard | Section | Helix feature |
|---|---|---|
| Access control | §164.312(a)(1) | Session-based auth; RBAC; capability tokens scoped per operation |
| Unique user identification | §164.312(a)(2)(i) | Per-user UUIDs; session tracking |
| Automatic logoff | §164.312(a)(2)(iii) | Configurable session TTL per tenant policy |
| Encryption and decryption | §164.312(a)(2)(iv) | Envelope encryption per record; BYOK KMS |
| Audit controls | §164.312(b) | Merkle-anchored immutable audit log; Sigstore Rekor + S3 Object Lock |
| Integrity | §164.312(c)(1) | S3 Object Lock (COMPLIANCE) for audit digests; ETag-verified privacy notices |
| Person authentication | §164.312(d) | MFA (TOTP + WebAuthn passkey); session cookies (HTTP-only, SameSite=Strict) |
| Transmission security | §164.312(e)(2)(ii) | TLS 1.2+ enforced; HSTS; no PHI in URLs |
Breach Notification Rule (45 CFR Part 164, Subpart D)
| Requirement | Section | Helix feature |
|---|---|---|
| Breach detection | §164.400 | Audit log anomaly detection (roadmap); immutable event trail provides forensic baseline |
| BAA breach notification obligations | §164.410 | Covered by BAA; Mabble's incident response procedures |
GDPR
GDPR applies to operators who process personal data of individuals in the EU/EEA. Helix acts as a Data Processor; the operator is the Data Controller.
Data Subject Rights (Chapter III)
| Right | Article | Helix feature |
|---|---|---|
| Right to be informed | Art.13, 14 | Hosted privacy notice with version history; stable URL |
| Right of access | Art.15 | DSAR form (type: access); operator console fulfillment workflow |
| Right to rectification | Art.16 | DSAR form (type: amend) |
| Right to erasure | Art.17 | DSAR form (type: erasure); crypto-shred DEK on erasure (roadmap) |
| Right to restriction | Art.18 | DSAR form (type: restrict) |
| Right to data portability | Art.20 | DSAR form (type: portability) |
Controller obligations
| Obligation | Article | Helix feature |
|---|---|---|
| Records of processing activities | Art.30 | Audit log provides per-tenant event history |
| Data protection by design and default | Art.25 | RLS; minimum-necessary access; envelope encryption; no cookies on public surfaces |
| Data breach notification (72h) | Art.33 | Audit log provides forensic timeline; Mabble incident response SLA in DPA |
| DPA (Data Processing Agreement) | Art.28 | Available on request; contact legal@mabble.ai |
| International transfers | Art.46 | Helix operates in AWS us-east-1; Standard Contractual Clauses (SCCs) available |
Accountability (Art.5(2))
Helix's Merkle-anchored audit log, with Sigstore Rekor anchoring and S3 Object Lock COMPLIANCE storage, provides the technical foundation for demonstrating accountability — every data processing action is permanently and tamper-evidently recorded.
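To make the accountability property concrete, the following is an added illustration of how a Merkle-anchored audit log yields one digest that can be anchored externally (for example in a transparency log or in write-once object storage) and how any later edit to a recorded event is detected against that digest. This is not Mabble Helix's code: the leaf/node hashing scheme, the event fields, and the anchoring step are assumptions made for the example, and the events are constructed sample data.

```python
# Added illustration of a Merkle-anchored, tamper-evident audit log.
# Not Mabble Helix's code: the hashing scheme, event fields and the
# anchoring step (what would be sent to Rekor / Object Lock) are assumed.
import hashlib
import json


def leaf_hash(event: dict) -> bytes:
    """Hash one audit event; canonical JSON keeps the encoding deterministic."""
    data = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + data).digest()  # 0x00 prefix: leaf domain


def node_hash(left: bytes, right: bytes) -> bytes:
    """Hash two child digests; the 0x01 prefix keeps leaves and nodes distinct."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _next_level(level: list) -> list:
    if len(level) % 2:            # odd count: duplicate the last digest to pair it
        level = level + [level[-1]]
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: list) -> bytes:
    """Reduce leaf digests to the single root digest that gets anchored."""
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def inclusion_proof(leaves: list, index: int) -> list:
    """Sibling digests from leaf `index` up to the root: (digest, sibling_is_left)."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling], sibling < index))
        level, index = _next_level(level), index // 2
    return proof


def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    """Recompute the path; True only if `leaf` is in the tree behind `root`."""
    h = leaf
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root


# Constructed sample events (not real Helix data); field names are assumed.
# Five events so the odd-count padding path is exercised.
EVENTS = [
    {"seq": 1, "tenant": "t-001", "actor": "user-7f3a", "action": "phi.read",    "record": "r-100"},
    {"seq": 2, "tenant": "t-001", "actor": "user-7f3a", "action": "phi.update",  "record": "r-100"},
    {"seq": 3, "tenant": "t-001", "actor": "user-19c2", "action": "dsar.open",   "record": "dsar-42"},
    {"seq": 4, "tenant": "t-001", "actor": "user-19c2", "action": "dsar.fulfil", "record": "dsar-42"},
    {"seq": 5, "tenant": "t-001", "actor": "user-7f3a", "action": "phi.read",    "record": "r-101"},
]


def anchor_digest(events: list) -> str:
    """Hex root over a tenant's events: the value to anchor externally."""
    return merkle_root([leaf_hash(e) for e in events]).hex()


def audit_event_is_intact(events: list, index: int, anchored_root_hex: str) -> bool:
    """Re-check one stored event against the previously anchored root.

    A later edit to any field of events[index], or to any other event that
    feeds the proof path, makes this return False.
    """
    leaves = [leaf_hash(e) for e in events]
    proof = inclusion_proof(leaves, index)
    return verify_inclusion(leaves[index], proof, bytes.fromhex(anchored_root_hex))


if __name__ == "__main__":
    root = anchor_digest(EVENTS)
    print("anchored root:", root)
    tampered = [dict(e) for e in EVENTS]
    tampered[1]["action"] = "phi.read"   # an after-the-fact rewrite of history
    print("event 1 intact in original log:", audit_event_is_intact(EVENTS, 1, root))
    print("event 1 intact after tampering: ", audit_event_is_intact(tampered, 1, root))
```

The root is the only value that has to leave the system: once it is recorded somewhere the operator cannot rewrite (a transparency log entry, an object under a COMPLIANCE-mode retention lock), every event behind it can be re-verified by anyone holding the events and that root, which is what makes the trail usable as a forensic baseline rather than just a database table.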
CCPA / CPRA
The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), apply to operators who process personal information of California residents and meet the statutory thresholds.
| Right | CCPA/CPRA Section | Helix feature |
|---|---|---|
| Right to know / access | §1798.100 | DSAR form (type: access); jurisdiction: us |
| Right to delete | §1798.105 | DSAR form (type: erasure) |
| Right to correct | §1798.106 | DSAR form (type: amend) |
| Right to data portability | §1798.100(d) | DSAR form (type: portability) |
| Right to opt-out of sale/sharing | §1798.120 | Operator-level configuration (not a Helix-managed consent surface in Phase 1; roadmap) |
| Right to limit sensitive personal information use | §1798.121 | Roadmap |
CCPA response deadline: 45 days (extendable to 90 with consumer notice). Select the jurisdiction code us on the DSAR form.
Canada (PIPEDA / Law 25)
| Right | Helix feature |
|---|---|
| Access to personal information | DSAR form; jurisdiction: ca |
| Correction | DSAR form (type: amend) |
| Withdrawal of consent | Operator-level workflow |
Response deadline: 30 days. Quebec Law 25 (Bill 64) aligns broadly with GDPR.
Other jurisdictions
Helix Phase 1 DSAR intake supports: us, eu, uk, ca, au, in, br. The jurisdiction code affects SLA tracking within the operator console. Additional jurisdiction support is added based on operator demand.
Compliance contacts
- BAA / DPA requests: legal@mabble.ai
- Security inquiries: security@mabble.ai
- DSAR (about Mabble itself as a company): privacy@mabble.ai