Apr 23, 2021

How is Data Accessed and What are the Applicable Policies?

The following rules govern the gathering and use of client data:

  • Administrative tasks are exclusively performed over SSH tunnels

  • Database replication between PostgreSQL servers is exclusively performed over SSH tunnels

  • Web applications can only be accessed over HTTPS

  • Mobile applications can only access back-end services over HTTPS

  • SSH tunnels use protocol version 2 with at least 1024-bit AES encryption

  • Web and mobile applications use SSL RSA 2048 bits / SHA256 with RSA

  • General application data is not encrypted on disk

  • Password stores for services such as MPesa are 128-bit AES encrypted

  • Access to and modification of specific data through Helium web and mobile apps, SMS and e-mail are strictly governed by the platform's implementation of the business rules provided by the client. This is further enforced by an extensive user acceptance testing process.

  • Access to database schemas with client data is limited to the Helium DevOps team, application developers and support staff.

  • Employees are required to formally agree not to share, leak or discuss client data with outside parties, except where this is in a written request/order from the client and has been approved by the relevant protocols.