Trust portal — System plane

We don't move your data.
We move with it.

Every Mabble Helix deployment publishes its trust posture as machine-readable artifacts. Download what your auditors need below — signed, dated, and reproducible.

Artifacts

PDF

BAA cover letter

Business Associate Agreement cover sheet under HIPAA §164.504(e). Send-ready.

baa-cover-letter.pdf

PDF

DPA cover letter

Data Processing Addendum under GDPR Article 28, EU + UK + Swiss.

dpa-cover-letter.pdf

PDF

SCC Module 2 cover

Standard Contractual Clauses controller-to-processor with Schrems II TIA.

scc-module-2-cover-letter.pdf

PDF

DPIA template

Data Protection Impact Assessment scaffold, GDPR Article 35 / WP248 rev.01.

dpia-template.pdf

PDF

Breach notification runbook

HIPAA §164.408 + GDPR Art.33/34; 72-hour clock; pre-drafted statements.

breach-notification-runbook.pdf

PDF

Vendor risk matrix

Our sub-processor inventory, tiered and scored, refreshed quarterly.

vendor-risk-matrix.pdf

CSV

CAIQ v4.0.3 responses (CSV)

Cloud Security Alliance questionnaire, import directly into your TPRM.

caiq-responses.csv

PDF

CAIQ v4.0.3 responses (PDF)

Same CAIQ responses, prose form. 17 sections covering 100+ questions.

caiq-responses.pdf

PDF

SIG-Lite responses

Shared Assessments SIG-Lite, 129 questions across 17 sections.

sig-lite-responses.pdf

PDF

HECVAT-Lite responses

Higher-Ed VAT-Lite for university and academic-medical-center buyers.

hecvat-lite-responses.pdf

Ready to sign a BAA?

Mail our sales team with your company details and we'll send the countersigned BAA within one business day.

Request signed BAA

What we ship 

# Trust mechanisms — every cluster, every region

audit.merkle              per-tenant Merkle tree; six-year retention; no TRUNCATE path
audit.rekor               Sigstore Rekor anchors; transparency log; reproducible verification
audit.evidence_pack       Ed25519-signed export bundles for auditor handoff

crypto.aes_256_gcm        authenticated encryption per record
crypto.byok               customer-managed keys; AWS KMS / GCP KMS / Azure Key Vault
crypto.crypto_shred       GDPR Article 17 satisfied by destroying the wrapping key
crypto.pq_hybrid_wrap     post-quantum hybrid wrap on the roadmap (X-Wing)

dsar.intake               HIPAA §164.524 + GDPR Article 15 + CCPA §1798.100 workflows
dsar.fulfilment           days, not quarters; audit trail end-to-end

infra.tenant_isolation    row-level security; capability tokens; 60s scope
infra.zero_data_movement  processing co-located with storage; explicit egress only
infra.observability       OpenTelemetry; logs scrubbed of PHI before write