Live Chat Security

Encrypted at rest.
Hardened at every layer.

Visitor data is encrypted with AES-256-GCM, passwords are hashed with Argon2id, and sessions are protected by a two-token architecture with rotation. Every API call is signed, every action is logged.

Encryption at rest

Sensitive data encrypted before it hits the database

Visitor PII — names, emails, phone numbers — is encrypted with AES-256-GCM before storage. Versioned keys support rotation without re-encrypting existing data.

AES-256-GCM

Authenticated encryption with random 16-byte IVs per record. GCM mode provides both confidentiality and tamper detection.

Versioned keys

Encryption keys are versioned and stored outside the database. Key rotation doesn't require bulk re-encryption — old versions decrypt existing data while new data uses the latest key.

PII isolation

Only sensitive visitor fields are encrypted — not message content. This keeps full-text search and analytics functional without exposing identity data.

Authentication

Four ways in. One standard of security.

Every authentication method uses the same two-token session architecture underneath.

Password

Argon2id

Memory-hard hash; legacy bcrypt hashes are upgraded to Argon2id on the next successful login

Two-factor

TOTP

Compatible with Google Authenticator and other TOTP apps; backup codes are stored encrypted

Passkeys

WebAuthn

FIDO2 hardware keys and platform biometrics; each registration or login challenge is valid for 5 minutes

Magic links

One-time token

15-minute expiry; the token is consumed atomically on first use, so a second presentation is rejected rather than replayed

Session architecture

Two-token rotation with replay detection

Sessions use a short-lived access token paired with a rotating refresh token. Reuse of an old refresh token revokes the entire token family.

Access token

  • 1-hour TTL, auto-refreshed
  • 256-bit cryptographic random
  • SHA-256 hashed before storage
  • In-memory cache for sub-millisecond validation

Refresh token

  • 24-hour TTL (30 days with remember-me)
  • Rotated on every use
  • 60-second grace window for concurrent requests
  • Token family tracking detects replay attacks

API security

Scoped keys. Signed requests. Rate limited.

API keys are encrypted at rest and scoped to specific permissions. Every webhook delivery is HMAC-signed. Abuse protection is built in at every level.

  • Publishable and secret keys with distinct prefixes
  • Six granular scopes covering chats, visitors, team, and webhooks
  • Secret keys encrypted with AES-256-GCM before storage
  • Per-key and per-user rate limiting
  • Key rotation, revocation, and expiration support
  • Full audit trail: created, rotated, revoked with actor and IP
Webhook signatures

Every delivery is signed with HMAC-SHA-256. An endpoint is auto-disabled after 100 consecutive failed deliveries.
Rate limiting

Login: 5 attempts per 10 seconds. Registration: 3 per minute. API: a configurable per-key requests-per-minute budget, reported back in X-RateLimit headers.
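
A sliding-window limiter with the login and registration budgets stated above and the X-RateLimit response headers, added as an example (not helpr's code). The exact header set, the `Retry-After` on denial, and the shape of the per-key API limit are assumptions; keying the login bucket by source IP is one reasonable choice, keying by account is another, and production systems usually do both.

```javascript
// Added example: sliding-window-log rate limiter with X-RateLimit headers.
// Constructed in-memory state; a real deployment keys this in a shared store.
const windows = new Map(); // "<bucket>:<identity>" -> request timestamps (ms) inside the window

const LIMITS = {
  login: { max: 5, windowMs: 10_000 },     // 5 per 10 seconds
  register: { max: 3, windowMs: 60_000 },  // 3 per minute
};

// Returns whether the request is allowed plus the headers to attach to the response.
// For API keys, pass the key's own limit, e.g. { max: rpm, windowMs: 60_000 }.
function checkRateLimit(bucket, identity, nowMs = Date.now(), limit = LIMITS[bucket]) {
  const key = `${bucket}:${identity}`;
  // Drop timestamps that have aged out of the window, then count what is left.
  const hits = (windows.get(key) || []).filter((t) => nowMs - t < limit.windowMs);
  const allowed = hits.length < limit.max;
  if (allowed) hits.push(nowMs); // denied requests do not consume budget
  windows.set(key, hits);
  // The window frees up when the oldest counted request ages out.
  const resetMs = hits.length ? hits[0] + limit.windowMs - nowMs : 0;
  const resetSec = String(Math.ceil(resetMs / 1000));
  const headers = {
    'X-RateLimit-Limit': String(limit.max),
    'X-RateLimit-Remaining': String(Math.max(0, limit.max - hits.length)),
    'X-RateLimit-Reset': resetSec,
  };
  if (!allowed) headers['Retry-After'] = resetSec;
  return { allowed, headers };
}

module.exports = { checkRateLimit, LIMITS };
```

A sliding log is exact but stores one timestamp per request; for high-volume API keys a fixed-window or token-bucket counter is cheaper and accurate enough.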
Audit trail

Every action logged. Every session tracked.

Security events, session history, and API key lifecycle are logged with actor, IP, device, and timestamp. New-IP login detection triggers email alerts.

  • Login attempts (valid, invalid, 2FA failures)
  • Password changes and passkey enrollments
  • API key creation, rotation, and revocation
  • Active session monitoring with device and location
  • Per-session revocation (individual or all)
  • First-time IP detection with email notification
  • Account deletion with PII anonymization
Session monitoring

Every active session shows device, browser, OS, IP, location, ISP, and last activity.

GDPR compliance

Account deletion soft-deletes the account and anonymizes its PII. The audit trail is preserved with redacted identifiers.
FAQ

Frequently asked questions

Is chat data encrypted?
Yes. All visitor PII is encrypted at rest using AES-256-GCM with authenticated encryption. Encryption keys are versioned with rotation support.
How are passwords stored?
Agent passwords are hashed with Argon2id, a memory-hard algorithm designed to resist GPU and ASIC brute-force attacks. Legacy bcrypt hashes are upgraded to Argon2id on the account's next successful login.
What two-factor authentication options are available?
TOTP authenticator apps (Google Authenticator, Authy, 1Password), WebAuthn passkeys (YubiKey, Touch ID, Windows Hello), or both. Magic link login is also available as a passwordless option.
How do sessions work?
Short-lived access tokens (1 hour) handle authentication, while rotating refresh tokens handle session continuity. If a refresh token is reused (indicating theft), the entire token family is revoked.
Are API requests authenticated?
Yes. The platform API uses HMAC-SHA-256 signed requests with timestamp validation to prevent replay attacks. Each API key is scoped with granular read/write permissions.
Does helpr detect suspicious login activity?
Yes. Email notifications are sent when a login occurs from a new IP address. The security dashboard shows all active sessions with device, location, and IP information.

Questions about security?

Contact our security team for architecture reviews, compliance documentation, or penetration test coordination.