What this page is for

This page is the practical security baseline for all Helixiora employees and contractors.

What you should do

  • Enable MFA or 2FA on every work system that supports it before doing normal work. This is mandatory for 1Password, Google Workspace, Slack, GitHub, and client systems that support MFA.
  • Use 1Password for all work-related passwords and secrets instead of browser-remembered passwords.
  • Keep devices updated, with full-disk encryption enabled, a screensaver/lock that triggers in under 5 minutes, and a firewall that is turned on.
  • Use only approved storage and sharing tools for company or client data.
  • Follow client-specific handling requirements and NDAs.
  • Complete security onboarding, refreshers, and any client-required security awareness steps that apply to your work.
  • Use AI tools with judgment on data handling, cost, and client restrictions.
  • Report suspected incidents immediately.

Day-one security habits

  • Finish MFA or 2FA setup on day one instead of postponing it until a system prompts you later.
  • Use a separate work browser profile when possible so company and client sessions do not mix with personal browsing.
  • If a client system cannot meet this baseline, raise it immediately rather than silently accepting the weaker setup.

Security awareness

Security awareness at Helixiora is part of normal work, not a once-a-year checkbox.

  • Read this page during onboarding and review material updates when the handbook changes.
  • Complete any client-required security training or attestations before working in that environment.
  • Treat phishing, suspicious links, unexpected MFA prompts, and unusual access requests as reportable security signals.
  • Ask when a situation is unclear instead of making a quiet guess with sensitive data or access.

Leads may run refreshers, reminders, or ad hoc awareness check-ins when risk, client expectations, or recent incidents make that necessary.

Who owns or approves it

The Technology lead (Walter) owns technical security standards and incident response. The People lead (Robin) owns employee-facing policy updates and security-related process communication.

Where to go in the tool stack

  • 1Password for passwords and account secrets
  • Approved storage/collaboration systems for data sharing
  • AI & Experimentation for the company expectation around AI usage and spend
  • Engineering Starter Kit for the standard engineer laptop and account baseline
  • Technology lead (Walter), or People lead (Robin) if Walter is unavailable, for device and account incidents

What happens if something goes wrong

If you suspect account compromise, data leakage, or device theft, report it immediately using the incident response path described below and follow containment instructions before attempting self-recovery. If you are unsure what to do in a specific situation, ask the Technology lead (Walter) first, or the People lead (Robin) if Walter is unavailable.

Security incident response process

Helixiora uses a simple incident response path so problems are escalated quickly and handled consistently.

  1. Report the incident immediately to the Technology lead (Walter), or to the People lead (Robin) if Walter is unavailable. Use the fastest practical route.
  2. Preserve the situation and follow containment instructions. That may include locking a session, disconnecting a device, rotating credentials, or stopping use of a system.
  3. The Technology lead assesses severity, affected systems or data, client impact, and any notification or contractual obligations.
  4. Helixiora coordinates recovery actions, such as access review, credential rotation, device replacement, data restoration, or client communication.
  5. After the incident is contained, Helixiora records lessons learned and updates controls, setup guidance, or handbook wording where needed.

Prompt reporting is mandatory. Reporting early will never be treated as the problem; hiding or delaying a known security issue is.