Security

Security posture for regulated financial oversight.

This page explains the security boundary, deployment model, and access scope for compliance, risk, legal, and operations teams.

Identity

Microsoft Entra ID for authenticated product access

Operators authenticate through Entra, with tenant-scoped access tied to the deployment they actually use.

Hosting

Managed application components and secrets boundary

The product is built around Azure Static Web Apps, Functions, Table Storage, Blob Storage, Key Vault, and App Insights.

Review controls

Background QA by default, stricter holdbacks optional

Clear evidence can publish automatically, while QA sampling and optional holdbacks support controlled review environments.

What the public website does not do

The public site at helioslabs.app is the informational website for DecisionTrail. It does not expose client content, protected product behavior, or customer evidence.

Product access stays scoped

The sign-in path routes operators into the authenticated application, where access is tied to the agreed tenant and deployment boundary.

Your data stays in your environment. Helios never takes custody.

DecisionTrail runs with deployment isolation by default. No shared data layer and no message storage in Helios infrastructure.

Deployment architecture showing Helios system coordination separated from client-owned messages, timelines, QA workflows, and audit exports.

What Helios can and cannot access

What Helios can access

deployment identity
system health
required metadata

What Helios cannot access

messages
timelines
exports
decision content

Request a walkthrough Review sample report