{
  "version": "v2026.05",
  "controls": [
    {
      "id": "HELM-LA-01",
      "title": "Logical access — organization scoping at API boundary",
      "status": "implemented",
      "frameworks": {
        "soc2": [
          "CC6.1",
          "CC6.3"
        ],
        "nist_csf_2": [
          "PR.AA-01",
          "PR.AA-05"
        ],
        "reg_s_p": [
          "§248.30(a)(1)"
        ],
        "sig_lite": [
          "G.1.1"
        ],
        "ilpa_ddq": [
          "IT-Sec-04"
        ],
        "aima_ddq": [
          "3.2.1"
        ]
      },
      "disclosure": "Tenant isolation is enforced at every API boundary. Helm uses a single\norg-scoping primitive that every customer-data read or write must traverse;\ncross-tenant access is structurally unreachable, not policy-gated.\n"
    },
    {
      "id": "HELM-EN-01",
      "title": "Encryption at rest — customer data + OAuth tokens",
      "status": "implemented",
      "frameworks": {
        "soc2": [
          "CC6.6"
        ],
        "nist_csf_2": [
          "PR.DS-01"
        ],
        "reg_s_p": [
          "§248.30(a)(3)"
        ]
      },
      "disclosure": "Customer data is encrypted at rest. OAuth tokens for connected\naccounts (Gmail, Calendar, Outlook, Twilio) are additionally\nenvelope-encrypted at the application layer with AES-256-GCM\nbefore persistence, so a database-only compromise does not\nsurface usable tokens.\n"
    },
    {
      "id": "HELM-EN-02",
      "title": "Encryption in transit — TLS + HSTS preload",
      "status": "implemented",
      "frameworks": {
        "soc2": [
          "CC6.6",
          "CC6.7"
        ],
        "nist_csf_2": [
          "PR.DS-02"
        ],
        "reg_s_p": [
          "§248.30(a)(3)"
        ]
      },
      "disclosure": "All Helm traffic is encrypted in transit via TLS. HSTS is\npreloaded with a 2-year max-age and the includeSubDomains\ndirective, so browsers refuse plaintext HTTP connections to\nsubdomains as well as the apex domain.\n"
    },
    {
      "id": "HELM-AU-01",
      "title": "Append-only audit log for privileged actions",
      "status": "implemented",
      "frameworks": {
        "soc2": [
          "CC7.2",
          "CC7.3"
        ],
        "nist_csf_2": [
          "DE.CM-01"
        ],
        "reg_s_p": [
          "§248.30(a)(2)"
        ],
        "rule_204_2": [
          "204-2(a)(7)"
        ]
      },
      "disclosure": "Every privileged mutation in Helm — record creates and deletes,\nauthentication events, AI-agent decisions, draft sends, data\nexports, membership changes — writes a row to an append-only\naudit log. The log is queryable for compliance review and\nsupports SEC examination requests under Adviser Rule 204-2.\n"
    },
    {
      "id": "HELM-RL-01",
      "title": "Layered rate limiting on auth and sensitive endpoints",
      "status": "implemented",
      "frameworks": {
        "soc2": [
          "CC6.1",
          "CC7.1"
        ],
        "nist_csf_2": [
          "PR.AA-05"
        ],
        "reg_s_p": [
          "§248.30(a)(2)"
        ]
      },
      "disclosure": "Helm enforces named rate-limit tiers across authentication,\ndata export, and mutation endpoints. An account is locked out\nafter 20 failed login attempts within a 24-hour window.\n"
    },
    {
      "id": "HELM-PW-01",
      "title": "Password hashing — bcrypt with cost factor 10",
      "status": "implemented",
      "frameworks": {
        "soc2": [
          "CC6.1"
        ],
        "nist_csf_2": [
          "PR.AA-01"
        ],
        "reg_s_p": [
          "§248.30(a)(3)"
        ]
      },
      "disclosure": "Passwords are stored as bcrypt hashes (cost factor 10).\nAuthentication uses constant-time comparison. Password reset\nlinks are 256-bit random tokens, single-use, with a\n30-minute TTL.\n"
    }
  ]
}
