Welcome to Mabble Helix
Mabble Helix is a privacy and compliance vault built for health-tech and other data-sensitive industries. It provides the infrastructure operators need to meet HIPAA, GDPR, and CCPA/CPRA obligations without building that infrastructure themselves.
Who is Helix for?
| Role | What Helix gives you |
|---|---|
| Operators (tenants) | A turnkey Privacy Center, DSAR workflow, audit log, and compliance dashboard wired into your product via API or hosted UI. |
| End consumers | A branded, zero-cookie privacy form to file data requests; a versioned, always-accessible privacy notice at a stable URL. |
| Compliance teams | A continuously maintained audit trail anchored to Sigstore Rekor + S3 Object Lock (COMPLIANCE mode), with per-jurisdiction SLA tracking and automated BAA management. |
| Security teams | Row-level security on every tenant dataset, BYOK KMS, envelope encryption per record, and an immutable Merkle-anchored event log. |
Core surfaces (Phase 1 + 1.5 + 2)
Privacy Center
A hosted, per-tenant DSAR intake form and versioned privacy notice, served on the tenant's custom domain. No authentication is required for consumers to file a request or read the notice.
- DSAR public form — https://<your-domain>/public/v1/privacy/dsar
- Privacy notice — https://<your-domain>/public/v1/privacy/notice
- Versioned notice archive — https://<your-domain>/public/v1/privacy/notice/v<N>
Operator Console
A session-authenticated UI at https://console.mabble.ai (or your self-hosted URL) where tenant admins manage DSARs, publish privacy notices, configure data retention policies, and inspect the audit log.
Helix API
RESTful and gRPC surfaces for server-side integration. Public endpoints require no authentication and are hostname-routed: the tenant is resolved from the custom domain the request arrived on, which is how they serve consumer-facing operations. Authenticated endpoints require a capability token scoped to the operation being performed; a token minted for one operation is not accepted for another.
Audit Anchoring
Every action in Helix is appended to a per-tenant Merkle tree. Once an hour the tree root is anchored to Sigstore Rekor (Sigstore's public, append-only transparency log), so an auditor can check a root against a record that Helix itself cannot alter after the fact. In the same interval a digest object carrying that root is written to an S3 bucket with Object Lock in COMPLIANCE mode, which blocks overwrite or deletion by any principal, including the account root user, until the retention period expires. Together these make the log tamper-evident for the retention period HIPAA requires (6 years) and for whatever period applies under GDPR (which sets no single figure; it varies by jurisdiction and purpose).
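The Merkle-anchored event log described in the table above and in this section, as an added example. This is illustrative code, not Helix's own implementation: it builds a per-tenant tree with RFC 6962 leaf/node domain separation, produces and verifies an inclusion proof for a single audit event, and returns the bytes of the hourly digest object that would be submitted to Rekor and written to the Object Lock bucket. The Rekor submission and the S3 write themselves are not performed. The event fields, tenant id and timestamps are constructed sample data.

```python
# Added example (not Helix's code): per-tenant Merkle audit log with
# RFC 6962-style hashing, inclusion proofs and an hourly digest object.
# The Rekor upload and S3 Object Lock write are out of scope here;
# hourly_digest() just returns the bytes that would be anchored.
import hashlib
import json
from typing import Dict, List, Tuple


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def canonical(event: Dict) -> bytes:
    """Canonical JSON so key order or whitespace cannot change a leaf hash."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def leaf_hash(event: Dict) -> bytes:
    # 0x00 prefix: domain separation so a leaf hash can never be mistaken for a node hash.
    return _sha256(b"\x00" + canonical(event))


def node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix for interior nodes (RFC 6962).
    return _sha256(b"\x01" + left + right)


def _split(n: int) -> int:
    """Largest power of two strictly less than n: the RFC 6962 split point."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: List[bytes]) -> bytes:
    if not leaves:
        return _sha256(b"")
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: List[bytes], index: int) -> List[Tuple[str, bytes]]:
    """Audit path for leaves[index], ordered leaf-to-root as (sibling side, sibling hash)."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [("right", merkle_root(leaves[k:]))]
    return inclusion_proof(leaves[k:], index - k) + [("left", merkle_root(leaves[:k]))]


def verify_inclusion(leaf: bytes, proof: List[Tuple[str, bytes]], root: bytes) -> bool:
    """Recompute the root from a leaf and its audit path and compare with the anchored root."""
    h = leaf
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "left" else node_hash(h, sibling)
    return h == root


def hourly_digest(tenant_id: str, leaves: List[bytes], hour: str) -> bytes:
    """Digest object for one hour: the bytes that would go to Rekor and the Object Lock bucket.
    Anyone holding this plus an inclusion proof can verify an event without trusting the DB."""
    body = {"tenant": tenant_id, "hour": hour,
            "tree_size": len(leaves), "root": merkle_root(leaves).hex()}
    return canonical(body)


# Constructed sample events; not real Helix data.
SAMPLE_EVENTS = [
    {"seq": 1, "action": "dsar.created", "actor": "public", "ts": "2024-05-01T10:02:11Z"},
    {"seq": 2, "action": "dsar.assigned", "actor": "admin@example", "ts": "2024-05-01T10:15:40Z"},
    {"seq": 3, "action": "notice.published", "actor": "admin@example", "ts": "2024-05-01T10:31:05Z"},
    {"seq": 4, "action": "dsar.fulfilled", "actor": "admin@example", "ts": "2024-05-01T10:44:59Z"},
    {"seq": 5, "action": "retention.applied", "actor": "system", "ts": "2024-05-01T10:58:02Z"},
]


def tamper_is_detected(events: List[Dict], index: int) -> bool:
    """Anchor the tree, then alter one event in place: its original proof must stop verifying."""
    leaves = [leaf_hash(e) for e in events]
    root = merkle_root(leaves)
    proof = inclusion_proof(leaves, index)
    assert verify_inclusion(leaves[index], proof, root)
    altered = dict(events[index], actor="attacker")
    return not verify_inclusion(leaf_hash(altered), proof, root)


if __name__ == "__main__":
    leaves = [leaf_hash(e) for e in SAMPLE_EVENTS]
    print(hourly_digest("t_demo", leaves, "2024-05-01T10:00:00Z").decode())
    print("tamper detected:", tamper_is_detected(SAMPLE_EVENTS, 2))
```

The point of the domain-separation prefixes is that an attacker who can append events cannot craft a leaf whose hash equals an interior node and thereby forge a shorter proof; the point of the hourly digest carrying both `tree_size` and `root` is that a verifier can later check consistency between two anchored hours, not just inclusion in one.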
Security posture
Helix is designed around the principle that security controls are non-negotiable:
- No capability tokens in the browser — all capability tokens are server-side only.
- HttpOnly session cookies — the console session cookie carries the HttpOnly flag, so page scripts cannot read it and a script-injection bug cannot exfiltrate the session.
- Row-level security (RLS) — every Postgres query is tenant-scoped by RLS policies at the database layer, so an application-level mistake cannot return another tenant's rows.
- BYOK KMS — tenants can supply their own AWS KMS key; each record's data key is wrapped with it (envelope encryption), so the tenant keeps control over whether Helix can unwrap those keys.
- Zero cookies on public endpoints — DSAR form and privacy notice responses never set cookies.
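An added example of what "a capability token scoped to the operation" (Helix API section) and "capability tokens are server-side only" mean in practice. This is illustrative code, not Helix's token format, which this page does not specify: an HMAC-SHA256-signed token bound to a tenant, a single operation scope and an expiry, verified signature-first so that claim checks only ever run on authentic payloads. The signing key, tenant ids and scope names are hypothetical. Such tokens are held by the operator's server, never by the browser, which only holds the HttpOnly session cookie.

```python
# Added example (not Helix's token format): a capability token bound to
# tenant + operation scope + expiry, signed with HMAC-SHA256.  Key, tenant
# ids and scope names below are hypothetical.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def issue_capability(key: bytes, tenant: str, scope: str, ttl_s: int,
                     now: Optional[int] = None) -> str:
    """Mint a token that authorises exactly one operation (`scope`) for one tenant."""
    exp = (now if now is not None else int(time.time())) + ttl_s
    payload = json.dumps({"tenant": tenant, "scope": scope, "exp": exp},
                         sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return (_b64e(payload) + b"." + _b64e(sig)).decode()


def check_capability(key: bytes, token: str, tenant: str, required_scope: str,
                     now: Optional[int] = None) -> Tuple[bool, str]:
    """Verify the signature first, then the claims.  Returns (allowed, reason)."""
    try:
        p_enc, s_enc = token.encode().split(b".")
        payload, sig = _b64d(p_enc), _b64d(s_enc)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad_signature"
    claims = json.loads(payload)  # only reached for an authentic payload
    if claims.get("tenant") != tenant:
        return False, "wrong_tenant"
    if claims.get("scope") != required_scope:
        return False, "wrong_scope"
    if int(claims.get("exp", 0)) <= (now if now is not None else int(time.time())):
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    key = b"hypothetical-signing-key-from-kms"
    tok = issue_capability(key, "t_demo", "dsar:read", ttl_s=300)
    print(check_capability(key, tok, "t_demo", "dsar:read"))     # (True, 'ok')
    print(check_capability(key, tok, "t_demo", "dsar:delete"))   # (False, 'wrong_scope')
    print(check_capability(key, tok, "t_other", "dsar:read"))    # (False, 'wrong_tenant')
```

The ordering matters: scope and tenant are checked only after the signature, so a forged payload never influences control flow, and the reason string lets the server log why a request was refused without leaking the token itself.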