Security & Access Model

Helm is designed so that sensitive data never lands on technician machines, credentials never leave Helm Cloud, and every session is ephemeral by default.

Phase 1: Secure Agent Communication

In Phase 1, helm-agent on each endpoint initiates an outbound WebSocket connection over TLS to Helm Cloud. The endpoint phones home — no inbound ports need to be opened on customer networks.

All communication is encrypted in transit (TLS 1.3)
API keys are stored exclusively in Helm Cloud, never on endpoints or technician devices
helm-agent authenticates via a unique device token issued during enrollment

Phase 3: Zero-Trust Mesh Networking

In Phase 3, Helm introduces Headscale (open-source WireGuard coordination) for a full zero-trust mesh network:

No public ports on any endpoint
WireGuard tunnels between helm-agent and Helm Cloud
ACL policies control which technicians can reach which endpoints
Network segmentation by client, site, or device group

Ephemeral Sessions via KASM

Every technician session runs in a disposable KASM container:

Nothing persists after disconnect — no files, no credentials, no history
No data is stored on the technician’s device
Session isolation prevents cross-contamination between clients
Compliance is a default property of the architecture, not an afterthought

No Credentials on Tech Machines

Because Helm runs entirely in the browser via KASM:

There are no cached passwords, tokens, or certificates on technician hardware
Offboarding a technician means disabling their account — there is nothing to clean up on their device
Lost or stolen laptops do not expose client environments

API Key Management

All integration credentials (RMM, PSA, CIPP, LLM provider keys) are stored and managed in Helm Cloud:

Encrypted at rest
Scoped per organization
Accessible only during active, authenticated sessions