helpr
Sign in Get started

Visual Assist (Co-browse) Security

Zero-knowledge by design,
not by policy.

Visual Assist sessions are end-to-end encrypted using ECDH key exchange and AES-256-GCM. Your page content is never readable by our servers. There is no session recording, no content storage, and nothing to breach.

Visual Assist (Co-browse) Live Chat Security Email (Shared Inbox)

How it works

End-to-end encrypted in three steps.

Every co-browse session performs a fresh key exchange. No keys are ever reused.

1

Key exchange

Both the visitor's browser and the agent's browser generate ephemeral ECDH P-256 keypairs. They exchange public keys through our server. Private keys never leave the browser.

2

Key derivation

Each side independently derives an identical shared secret using ECDH, then derives the session encryption key using HKDF-SHA-256 with a unique per-session salt.

3

Encrypted streaming

All page content is encrypted with AES-256-GCM before transmission. Every message uses a fresh random IV and includes an authentication tag to detect tampering.

Zero knowledge

What the server sees vs. what it doesn't.

Our server routes encrypted payloads but cannot decrypt them. Here's exactly what's visible at each layer.

Server cannot access
  • Page HTML, CSS, and text content
  • User input and form data
  • Console logs and errors
  • Network request/response bodies
  • Annotations and drawings
  • Cursor positions and interactions
  • ECDH private keys
  • AES session keys
Server can access (metadata only)
  • Session ID and team ID
  • Session start/end timestamps
  • That events are flowing (not content)
  • Visitor consent status

Cryptographic standards

NIST-approved. No custom crypto.

All cryptographic operations use the W3C Web Crypto API backed by platform-native implementations. No third-party cryptographic libraries.

Key Exchange

ECDH P-256

NIST FIPS 186-4

Key Derivation

HKDF-SHA-256

NIST SP 800-56C

Bulk Encryption

AES-256-GCM

NIST SP 800-38D

Channel Auth

HMAC-SHA-256

FIPS 198-1

Key Exchange Protocol

Fresh keys. Every session.

Ephemeral ECDH keypairs are generated per session. The server relays wrapped keys but cannot unwrap them.

Agent Browser Helpr Server Visitor Browser
Generate ECDH P-256 keypair
key_offer {public key}
Generate ECDH P-256 keypair
Derive shared secret (ECDH)
Derive KEK via HKDF-SHA-256
key_answer {public key, wrapped session key}
Derive shared secret (ECDH)
Unwrap session key
AES-256-GCM encrypted channel

No session recording

Nothing to subpoena. Nothing to breach.

Visual Assist is live-only by design. When a session ends, all in-memory state is discarded. There is no replay, no server-side buffer, and no persistent storage of encrypted payloads.

  • No session replay capability
  • No server-side content buffer
  • No disk writes of session data
  • No data retention of page content
  • Session metadata retained for 90 days (audit only)

Beyond viewing

See their page. Debug their problems.

Visual Assist isn't just a screen viewer. Built-in developer tools give agents the same debugging power as the visitor's own browser — without asking them to open DevTools.

Console

Stream the visitor's JavaScript errors, warnings, and unhandled exceptions in real time. No more asking "do you see any errors?" — you already know.

Network

Record the visitor's API calls with method, status, timing, and response size. Spot the failing endpoint or slow request without a screen share.

Annotations

Draw, highlight, and point directly on the visitor's page. Guide them visually instead of describing where to click. Strokes render live on both sides.

Remote control

Click, scroll, and type on the visitor's page as if you were sitting at their desk. Requires separate interact consent — fully logged and revocable at any time.

Multi-agent

Multiple agents can cobrowse the same visitor simultaneously. Each agent maintains an independent encrypted channel — no shared keys, no key leakage between agents.

Access controls

Consent, authentication, and authorization.

Multiple layers of access control govern who can initiate sessions and what level of access they have.

Visitor consent

Configurable consent mode. Require explicit visitor approval before viewing, or use silent mode for seamless support. View and interact consent are independent toggles.

Channel authentication

Time-windowed HMAC-SHA-256 tokens with constant-time comparison. Strict channel format validation prevents injection.

Role-based access

Per-agent Visual Assist permission. Organization admins, team admins, and agents have distinct access levels.

Element blocking

Administrators designate page elements hidden from agents. Blocked content is excluded before encryption and never leaves the visitor's browser.

Session lifecycle

Automatic timeout after 30 minutes of inactivity. Stale session cleanup at 2 hours. Reconnection grace periods prevent premature termination.

Rate limiting

Per-connection event limits and per-IP connection caps. Message size limits and protocol validation on all endpoints.

Defense in depth

Two layers of encryption. Independent.

All connections use TLS for transport encryption. On top of that, Visual Assist adds application-layer AES-256-GCM encryption. Compromising TLS alone does not expose page content.

Transport Layer — TLS 1.2+
Application Layer — AES-256-GCM (end-to-end)
Page Content

Industry comparison

How helpr compares.

Most co-browse solutions rely on TLS only and store session recordings server-side.

helpr Typical solutions
Encryption E2E AES-256-GCM TLS only (server decrypts)
Session recording None (by design) Server-side recording
Server content access Zero-knowledge Full access
Key management Ephemeral per-session Shared or server-managed
Data at rest None Recordings stored
Consent model Configurable (explicit or silent) Varies

FAQ

Frequently asked questions.

Can helpr see our customers' screens?
No. Screen data is encrypted end-to-end between the visitor's browser and the agent's browser using ECDH key exchange + AES-256-GCM. Our servers route the encrypted payloads but cannot decrypt them. This is a zero-knowledge architecture — we never have access to plaintext screen content.
Does helpr record co-browse sessions?
No. There is no session recording, no replay capability, and no server-side storage of screen content. Once a co-browse session ends, the encrypted data and ephemeral keys are discarded. Nothing persists.
Is helpr GDPR compliant?
Yes. Because screen data is end-to-end encrypted and never readable by our servers, helpr acts as a data processor with minimal data exposure. We do not store, index, or process any personal data visible on the visitor's screen. Co-browse sessions process no personal data server-side beyond the encrypted ciphertext, connection metadata (IP, timestamp), and session identifiers. We support data processing agreements (DPAs) on request.
Does the visitor need to install anything?
No. The visitor's browser runs a lightweight JavaScript snippet (the helpr widget) that captures DOM changes. There is no browser extension, download, or plugin required. The agent also uses a standard web browser — no desktop software needed.
Does helpr require visitor consent?
helpr supports both consent-based and silent modes. In consent mode, visitors see a prompt before a co-browse session begins. In silent mode, the session can start without an explicit prompt — useful for internal tools or authenticated portals where consent is captured at a platform level. You choose the mode that matches your compliance requirements.
Can agents control the visitor's browser?
Only with explicit visitor consent. When an agent requests remote control, the visitor sees a prompt and must approve before the agent can interact with their page. Agents can then click, scroll, and type on the visitor's behalf. All remote actions are end-to-end encrypted using the same ECDH + AES-256-GCM channel. The visitor can revoke remote control at any time.
What annotation tools are available during a session?
Agents have access to a full annotation toolkit: freehand pencil, highlighter, straight lines, rectangles, and circles — plus a click pointer for guiding visitors and scroll sync for navigating together. All annotation data is end-to-end encrypted through the same ECDH + AES-256-GCM channel as the screen data — our servers never see what is being drawn or where. Annotations render in real time on both the agent's and visitor's screens.
What data leaves the visitor's browser?
The visitor's browser sends encrypted DOM snapshots and incremental mutations over WebSocket. Because the payload is encrypted before it leaves the browser, only the agent's browser (which holds the matching private key) can decrypt it. Our servers see encrypted binary data, connection metadata, and nothing else.
Can we mask or exclude sensitive fields?
Yes. helpr includes a visual element picker — open your site in config mode, click on any element to exclude, and the CSS selector is saved automatically. No code changes required. You can also manually enter selectors (e.g. .credit-card-field, #ssn-input) for more precise control. Blocked elements are never captured, never encrypted, and never sent — they are excluded at the source before anything leaves the visitor's browser.
How does helpr handle multiple agents in one session?
Each agent performs an independent ECDH key exchange with the visitor's browser, producing a unique shared secret per agent. Agents cannot decrypt each other's traffic. If an agent leaves the session, their key is discarded and they lose access immediately — no re-keying required for the remaining participants.
What happens if our server is compromised?
An attacker who compromises the helpr server would see encrypted WebSocket traffic they cannot decrypt, connection metadata (IPs, timestamps), and session identifiers. They would not have access to screen content, DOM data, or anything visible on the visitor's page. The encryption keys exist only in the browsers and are never transmitted to the server.
Does helpr work with Content Security Policy (CSP)?
Yes. The helpr widget needs connect-src wss://ws.helpr.so and connect-src wss://assist.helpr.so in your CSP. We provide exact directives in our developer documentation. The widget does not require unsafe-eval.
Can we get a penetration test or security audit?
Yes. Contact [email protected] to coordinate penetration testing, request our latest audit report, or schedule an architecture review with our security team.

Questions? Need an audit?

Contact our security team for architecture reviews, compliance documentation, or penetration test coordination.

Contact security Get started