Security Posture
Mabble Helix is designed from the ground up for HIPAA-grade (and beyond) security. Every architectural decision is evaluated against a "Fort Knox" standard: the control must be correct by construction, not by convention.
Core security principles
1. Tenant isolation at every layer
Every Postgres query runs under a tenant-scoped Row-Level Security (RLS) policy. The application layer enforces tenant context before any query executes; the database enforces it again as a second line of defense. Cross-tenant data access is structurally impossible — not merely prohibited by convention.
2. No capability tokens in the browser
Helix capability tokens (used for server-to-server integrations) are never sent to or stored in a browser. This is a hard architectural boundary. Browser-facing authentication uses HTTP-only, SameSite=Strict session cookies only. The threat model treats the browser as an untrusted endpoint for sensitive credentials.
3. Envelope encryption with BYOK KMS
All sensitive vault records are envelope-encrypted:
- A per-record Data Encryption Key (DEK) encrypts the record content.
- The DEK is encrypted with a Key Encryption Key (KEK) stored in AWS KMS.
- Tenants can supply their own KMS key (Bring Your Own Key — BYOK), meaning Mabble LLC cannot decrypt tenant data without the tenant's KMS key.
- Post-quantum wrap is on the roadmap (CRYSTALS-Kyber KEK wrap).
4. Immutable audit log
Every state-changing event (and significant read events) in Helix produces an audit record. Audit records are:
- Appended to a per-tenant Merkle tree in memory.
- Anchored hourly to Sigstore Rekor (a public, append-only transparency log) so any gap or tampering is detectable.
- Written to S3 Object Lock in COMPLIANCE mode, preventing deletion or overwrite for the configured retention period.
See Audit Anchoring for the full mechanism.
5. Defense-in-depth at the network layer
- All traffic is TLS 1.2+. TLS 1.0 and 1.1 are disabled.
- `Strict-Transport-Security: max-age=31536000; includeSubDomains` is set on all responses.
- CloudFront WAF rules (managed + custom) protect all public-facing endpoints.
- Public DSAR and notice endpoints set no cookies and emit no `Set-Cookie` headers.
Key security controls catalog
| Control | Implementation |
|---|---|
| Row-Level Security | Postgres RLS policy on every tenant table; enforced at DB layer |
| Envelope encryption | Per-record DEK encrypted with tenant KEK via AWS KMS |
| BYOK KMS | Tenants supply their own KMS key ARN; Helix wraps DEKs with it |
| Audit log | Append-only per-tenant Merkle tree; hourly Sigstore Rekor + S3 Object Lock anchoring |
| Session security | HTTP-only, SameSite=Strict cookies; no capability tokens in browser |
| MFA | TOTP + WebAuthn passkey supported; enforceable per-tenant |
| Zero cookies on public endpoints | Hard constraint in DSAR and privacy notice handlers |
| ETag-based caching | Privacy notice ETag is SHA-256(content) — busted on publish, never stale |
| Tenant identity from Host | No query-param or body-based tenant selection on public endpoints |
| Transport security | TLS 1.2+; HSTS; CloudFront WAF |
| Distroless container | Go binary deployed in a distroless ECS image; no shell, no package manager |
| Secrets management | All secrets in AWS Secrets Manager; no plaintext in env vars or config files |
HIPAA technical safeguards (§164.312)
| Safeguard | How Helix satisfies it |
|---|---|
| Access control (§164.312(a)) | RBAC with per-capability authorization; RLS prevents lateral movement |
| Audit controls (§164.312(b)) | Immutable Merkle-anchored audit log; every access to PHI is logged |
| Integrity (§164.312(c)) | Envelope encryption + S3 Object Lock; audit log Merkle proofs |
| Person authentication (§164.312(d)) | Session-based auth; MFA enforced per policy |
| Transmission security (§164.312(e)) | TLS 1.2+ on all endpoints; HSTS |
Vulnerability management
- Dependencies are pinned and scanned on every CI run.
- Go modules use `go.sum` for supply-chain verification.
- Container images are built from a distroless base; no shell surface area.
- SBOM generation is automated per release.
Responsible disclosure
To report a security vulnerability, email security@mabble.ai. Do not open a public GitHub issue. We follow a 90-day coordinated disclosure timeline.