Security

Last updated: May 28, 2026

First published 2026-05-28. This is the initial Security page. It describes our current posture; we will note material changes here when they happen.

1. Our approach

HELPERG LLC is a small operator. We design for least access, narrow OAuth scopes, and recoverability rather than for marketing claims. This page describes what we actually do today, not what we wish we did. Where a control is not yet in place, we say so plainly, including in §10 below. Our goal is a posture that a careful reader — a developer, a security-curious user, or a customer evaluator — can verify against how our products actually behave.

2. Account security

helperg.com itself has no user accounts. It is a public marketing site; there is nothing to sign into here.

Where our ecosystem products do have accounts, password requirements follow modern guidance: a reasonable minimum length, no upper bound that prevents passphrases, and rejection of obviously compromised passwords where the sign-in provider supports it. Several ecosystem products support provider-managed sign-in (for example, Sign in with Google on the products that offer it), which lets you reuse your existing identity provider's controls — including MFA — rather than managing another password.

Sessions expire after a period of inactivity appropriate to the product. Where the sign-in surface offers multi-factor authentication, we surface it and recommend enabling it. You are responsible for keeping your credentials, devices, and recovery options secure on your end.

3. OAuth and connected platforms

When a feature in an ecosystem product needs to act on your behalf at a third-party platform — for example X, Bluesky, Telegram, Google, or GitHub — we use OAuth. We request the minimum scopes the feature needs and rely on the provider's consent screen rather than asking for your password.

You can revoke the connection at the provider at any time. Revocation invalidates the stored token immediately and the affected feature stops working until you reconnect. We do not use OAuth tokens to perform actions you did not initiate or implicitly authorize through your use of a feature. If a product surface ever needs a broader scope, it asks for that scope on its own consent screen — not silently.

4. Access tokens and secrets

Access tokens, refresh tokens, and similar provider-issued credentials are stored in managed cloud databases that encrypt data at rest. Access is restricted to systems and personnel that need it to operate the feature. Operator access is limited to maintenance and incident response and is not used to browse user content.

Provider credentials we hold for our own infrastructure (deploy keys, API keys, database credentials) are stored in the secret-management features of the hosting platforms we use, not in source control. We rotate provider credentials when warranted — for example on suspected exposure, on personnel change, or when an upstream provider recommends rotation. Tokens belonging to a user are deleted on disconnect, on account deletion, or on provider revocation, as described in §3 and in the Privacy Policy.

5. Infrastructure

helperg.com is a static site hosted on Netlify. There is no application server, no database, and no user accounts attached to this domain. The build output is plain HTML, CSS, JavaScript, and images served over Netlify's CDN.

Our ecosystem products run on managed platforms — application hosting, managed databases, managed authentication, and similar — rather than on machines we operate ourselves. The current authoritative list of subprocessors is published at /subprocessors.html. Encryption in transit (TLS) is provided by those platforms; encryption at rest for stored data is provided by the managed database layer.

6. Data handling and retention

The full data-handling and retention provisions live in the Privacy Policy; this page does not restate them. Two points are worth repeating because they are security-relevant: stored OAuth tokens are deleted on disconnect, account deletion, or provider revocation; and deletion requests can be sent to info@helperg.com from the address tied to the account. Where a product surface offers in-product deletion, that is the fastest path.

7. Backups and recovery

Ecosystem products with persistent storage keep backups for a limited window so we can recover from data loss, corruption, or an operational mistake. Backups are held by the same managed cloud database providers that hold the live data and inherit their encryption-at-rest controls.

Because backups exist, deleted data may persist in a backup for a short period after deletion from the live database, until that backup is rotated out on its normal schedule. If you delete an account, the live record is removed promptly; the residual backup window closes on its own.

8. Code and dependencies

We update dependencies on a routine cadence and respond to known vulnerabilities in upstream packages — typically by upgrading to the patched release, or by removing the dependency where the maintenance burden is no longer worth it. Where a managed platform issues a runtime upgrade we follow it.

The static-site code for helperg.com is open to inspection at the production URLs — view-source on any page shows exactly what the browser executes. Ecosystem product code is not all public, but the third-party services it talks to are listed at /subprocessors.html.

9. Responsible disclosure

If you find a vulnerability, email info@helperg.com with a description and steps to reproduce. Adding "security" to the subject line helps routing. Please give us a reasonable window to investigate and ship a fix before public disclosure.

We do not currently operate a paid bug bounty program. We will acknowledge serious reports and credit reporters who would like to be credited. We ask that you do not test in ways that degrade service for other users, access data that is not your own, or run automated scanners against production beyond what is necessary to demonstrate the issue.

10. What we do not claim

This section is deliberate. Trust pages tend to over-promise, and the most useful thing we can do here is be specific about what we are not claiming.

11. Contact for security matters

HELPERG LLC
30 N Gould St Ste N, Sheridan, WY 82801, USA
Email: info@helperg.com (subject line "security" helps routing)

See also our Privacy Policy, Terms of Use, Cookie Policy, and Subprocessors pages.