helpr

Live Chat Security

Encrypted at rest.
Hardened at every layer.

Visitor data encrypted with AES-256-GCM, passwords hashed with Argon2id, sessions protected by a two-token architecture with rotation. Every API call signed, every action logged.

Encryption at rest

Sensitive data encrypted before it hits the database.

Visitor PII — names, emails, phone numbers — is encrypted with AES-256-GCM before storage. Versioned keys support rotation without re-encrypting existing data.

AES-256-GCM

Authenticated encryption with random 16-byte IVs per record. GCM mode provides both confidentiality and tamper detection.

Versioned keys

Encryption keys are versioned and stored outside the database. Key rotation doesn't require bulk re-encryption — old versions decrypt existing data while new data uses the latest key.

PII isolation

Only sensitive visitor fields are encrypted — not message content. This keeps full-text search and analytics functional without exposing identity data.

Authentication

Four ways in. One standard of security.

Every authentication method uses the same two-token session architecture underneath.

Password

Argon2id

Memory-hard hash with auto-upgrade from legacy bcrypt

Two-factor

TOTP

Google Authenticator compatible with encrypted backup codes

Passkeys

WebAuthn

FIDO2 hardware and biometric authentication with 5-minute challenge window

Magic links

One-time token

15-minute expiry, atomic consumption, no replay possible

Session architecture

Two-token rotation with replay detection.

Sessions use a short-lived access token paired with a rotating refresh token. Reuse of an old refresh token revokes the entire token family.

Access token
  • 1-hour TTL, auto-refreshed
  • 256-bit cryptographic random
  • SHA-256 hashed before storage
  • In-memory cache for sub-millisecond validation
Refresh token
  • 24-hour TTL (30 days with remember-me)
  • Rotated on every use
  • 60-second grace window for concurrent requests
  • Token family tracking detects replay attacks

API security

Scoped keys. Signed requests. Rate limited.

API keys are encrypted at rest and scoped to specific permissions. Every webhook delivery is HMAC-signed. Abuse protection is built in at every level.

  • Publishable and secret keys with distinct prefixes
  • 6 granular scopes: chats, visitors, team, webhooks
  • Secret keys encrypted with AES-256-GCM before storage
  • Per-key and per-user rate limiting
  • Key rotation, revocation, and expiration support
  • Full audit trail: created, rotated, revoked with actor and IP

Webhook signatures

Every delivery signed with HMAC-SHA-256. Header: X-Helpr-Signature. Constant-time verification recommended. Auto-disabled after 100 consecutive failures.

Rate limiting

Login: 5 attempts per 10 seconds. Registration: 3 per minute. API: configurable per-key RPM with X-RateLimit headers. Second-precision sliding windows.

Audit trail

Every action logged. Every session tracked.

Security events, session history, and API key lifecycle are logged with actor, IP, device, and timestamp. New-IP login detection triggers email alerts.

  • Login attempts (valid, invalid, 2FA failures)
  • Password changes and passkey enrollments
  • API key creation, rotation, and revocation
  • Active session monitoring with device and location
  • Per-session revocation (individual or all)
  • First-time IP detection with email notification
  • Account deletion with PII anonymization

Session monitoring

Every active session shows device, browser, OS, IP, location, ISP, and last activity. Agents can revoke any session individually or all at once.

GDPR compliance

Account deletion soft-deletes and anonymizes PII. Audit trail preserved with redacted identifiers. No ghost data.

Visual Assist

Co-browse security is a different beast.

Visual Assist uses end-to-end ECDH + AES-256-GCM encryption where even our servers can't see the visitor's page. No session recording. Zero knowledge.


FAQ

Frequently asked questions.

Is chat data encrypted?
Yes. All visitor personally identifiable information (names, emails, phone numbers, custom data) is encrypted at rest using AES-256-GCM with authenticated encryption. Message content is stored in the database and protected by encryption at the infrastructure level. Encryption keys are versioned with rotation support.
How are passwords stored?
Agent passwords are hashed with Argon2id, a memory-hard algorithm designed to resist GPU and ASIC brute-force attacks. We never store plaintext passwords. Legacy accounts from platform migrations are automatically re-hashed to Argon2id on first login.
What two-factor authentication options are available?
Agents can enable TOTP authenticator apps (Google Authenticator, Authy, 1Password, etc.), WebAuthn passkeys (YubiKey, Touch ID, Windows Hello), or both. Backup codes are generated during 2FA setup for account recovery. Magic link login via email is also available as a passwordless option.
How do sessions work?
helpr uses a two-token session architecture. Short-lived access tokens (1 hour) handle authentication, while longer-lived refresh tokens handle session continuity. Refresh tokens are rotated on each use. If a refresh token is reused (indicating theft), the entire token family is revoked, logging out all sessions for that device.
Are API requests authenticated?
Yes. The platform API uses HMAC-SHA-256 signed requests with timestamp validation to prevent replay attacks. Each API key is scoped with granular read/write permissions and has independent rate limits. Keys can be rotated or revoked instantly.
How are webhooks secured?
Every outbound webhook is signed with HMAC-SHA-256 using a per-team secret. The signature, timestamp, and request body are included so your server can verify authenticity and reject replayed or tampered requests.
Is helpr GDPR compliant?
Yes. Visitor PII is encrypted at rest, chat transcripts can be exported or deleted on request, and the audit trail tracks all data access. We support data processing agreements (DPAs) and can provide documentation for your compliance team on request.
What happens when an agent leaves the company?
Org admins can remove agents from teams, which immediately revokes their access. All active sessions for the removed agent are terminated. The audit trail retains a record of their past activity for compliance purposes.
Does helpr detect suspicious login activity?
Yes. helpr sends email notifications when a login occurs from a new IP address. The security dashboard shows all active sessions with device, location, and IP information. Agents can revoke individual sessions or all sessions at once.
Can we get a penetration test or security audit?
Yes. Contact [email protected] to coordinate penetration testing, request our latest audit report, or schedule an architecture review with our security team.

Questions? Need an audit?

Contact our security team for architecture reviews, compliance documentation, or penetration test coordination.