Helpium

Security and Data Privacy

Account SettingsUpdated March 26, 2026

Security and Data Privacy

Data Encryption

All data is encrypted in transit using TLS 1.2+. Database connections use encrypted channels. Sensitive fields like bearer tokens are stored securely.

Authentication Security

  • Dashboard access: Protected by session-based authentication with CSRF protection
  • API access: Widget API uses workspace-specific API keys. Agent API uses Sanctum token authentication
  • Password security: Passwords are hashed using bcrypt with appropriate cost factors
  • Team invitations: Invitation links are single-use and expire automatically

API Key Security

Your widget API key (widget_key) is designed to be public — it's embedded in your website's JavaScript. It only grants access to customer-facing endpoints (search, chat, widget settings). It cannot access your dashboard, agent tools, or admin functions.

Bearer Token Security

When using AI Actions with Customer Bearer authentication, tokens are stored on the customer record and only sent to the URLs you configure in your AI Actions. Helpium never sends bearer tokens to any third-party service.

Best practices:

  • Create dedicated Sanctum tokens for Helpium with minimal scopes
  • Set token expiration to match your session lifetime
  • Rotate tokens when customers log out

Data Ownership

You own your data. Helpium stores conversations, articles, and customer information on your behalf. You can export all your data at any time from Settings → Data Export.

AI and Data Processing

  • AI features use OpenAI's API for embeddings and chatbot responses
  • Conversation messages sent to the AI are processed in real-time and not stored by OpenAI for training
  • Article embeddings are generated once and cached in your database
  • AI Actions only send data to endpoints you configure

Workspace Isolation

Each workspace is completely isolated. Data from one workspace is never accessible to another. All database queries are scoped by workspace ID using automatic global scopes.

Best Practices for Workspace Admins

  1. Invite only trusted team members. All agents can see all conversations in the workspace
  2. Use strong passwords. Enforce strong passwords for all team members
  3. Review AI Actions regularly. Audit the external endpoints your AI is calling
  4. Monitor API usage. Check your usage dashboard for unexpected spikes
  5. Keep your widget key private in server-side configuration when possible, even though it only grants customer-level access

Was this article helpful?

Related Articles

Need more help?

Our support team is available to assist you with any questions.

Contact Support