Security at Helperbird
We take security seriously. Here's everything IT teams, reviewers, and administrators need to know about how we protect your data.
- npm audit (API)
- 1 finding in production dependencies; patch in progress
- OWASP scan (njsscan / semgrep)
- Clean
- ESLint security
- 0 errors, 10 warnings (all reviewed and low risk)
Last scanned: 27 March 2026. Scans are run on every release as part of our CI/CD pipeline.
Security Scans & Audits
We run multiple layers of automated security scanning on every release. These scans cover known vulnerabilities in our dependencies, static analysis of our own code, and checks aligned with the OWASP Top 10.
- npm audit
- Every dependency is checked for known vulnerabilities using npm's built-in audit tool. We run this on every release across our API, extension, and website codebases. Production dependencies are prioritized — development-only tooling (build tools, test frameworks) is separated from production risk assessment.
- ESLint security analysis
- We run eslint-plugin-security across all JavaScript and Node.js code to catch common security anti-patterns, including eval on non-literal input, non-literal require calls, regular expressions vulnerable to denial of service, bracket-notation property access with untrusted keys (object injection), secret comparisons that can leak timing information, Buffer reads and writes with bounds checking disabled, and hardcoded credentials. Our most recent scan returned 0 errors and 10 low-risk warnings, all reviewed and assessed.
- OWASP / njsscan
- We use njsscan (powered by semgrep) for OWASP-aligned static analysis. This scans for injection vulnerabilities, insecure cryptography, hardcoded secrets, and other OWASP Top 10 issues. Our most recent scan returned a clean result with 0 findings.
- CASA Tier 2 self-assessment
- We have completed a CASA (Cloud Application Security Assessment) Tier 2 self-assessment covering dependency audits, static analysis, and secure coding practices. This is the assessment tier Google requires for apps that request access to restricted Google user data scopes.
- Chrome Web Store review
- Every version of the Helperbird extension passes Google's Chrome Web Store security review before it is published. This includes automated checks on permissions, content security policy, and code analysis.
- Firefox Add-ons review
- Every version submitted to Mozilla undergoes their add-on review process, which includes manual code review and automated security checks.
Coming later in 2026. We are planning a formal third-party security assessment to complement our existing self-assessment scans. We will update this page when that is complete.
Runnable scan script
We maintain a runnable security scan script that any team member can execute locally. It runs npm audit, ESLint security checks, and njsscan in sequence and generates a full report. This ensures security scanning is part of our regular development workflow, not just a one-time event.
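The scan script itself is not published on this page. The following is an added example, written for this page rather than taken from Helperbird's repository, of the gating step such a script needs for the npm audit stage: production findings at or above a threshold fail the run, development-only findings are reported but do not block. It assumes the npm 7+ report format (`auditReportVersion: 2`); the package names in the sample report are made up.

```javascript
// Added example (not Helperbird's script): a CI gate over `npm audit --json`.
// Policy from the page: production dependencies decide pass/fail, development
// tooling is reported but does not block. Requires Node 18+; the sample report
// below is constructed for illustration.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Decide whether an audit report should fail the build.
//   report: parsed `npm audit --json` output (auditReportVersion 2, npm 7+)
//   failOn: lowest severity that blocks (default "high")
// Returns { fail, blocking, advisory, summary }; blocking/advisory list the
// packages at or above / below the threshold.
function gateAudit(report, { failOn = 'high' } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity: ${failOn}`);
  const blocking = [];
  const advisory = [];
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    // fixAvailable is true/false, or { name, version, isSemVerMajor } when the
    // fix means bumping a parent package, possibly across a major version.
    const fix = typeof vuln.fixAvailable === 'object' && vuln.fixAvailable !== null
      ? `${vuln.fixAvailable.name}@${vuln.fixAvailable.version}` +
        (vuln.fixAvailable.isSemVerMajor ? ' (semver-major)' : '')
      : vuln.fixAvailable ? 'yes' : 'none';
    const entry = { name: vuln.name, severity: vuln.severity, direct: Boolean(vuln.isDirect),
                    range: vuln.range, fix };
    (SEVERITY_RANK[vuln.severity] >= threshold ? blocking : advisory).push(entry);
  }
  return { fail: blocking.length > 0, blocking, advisory,
           summary: (report.metadata && report.metadata.vulnerabilities) || {} };
}

// Run npm audit over production dependencies only (--omit=dev on recent npm;
// older releases used --production). `npm audit` exits non-zero whenever it
// finds anything, so the exit status is ignored and stdout is parsed instead.
function runProductionAudit(cwd = process.cwd()) {
  const { spawnSync } = require('node:child_process');
  const r = spawnSync('npm', ['audit', '--omit=dev', '--json'], { cwd, encoding: 'utf8' });
  if (!r.stdout) throw new Error(`npm audit produced no output: ${r.stderr}`);
  return JSON.parse(r.stdout);
}

// Constructed sample in the npm 7+ report shape: one high-severity finding in
// a production dependency, one low-severity finding in a dev-only tool.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-prod-lib': { name: 'example-prod-lib', severity: 'high', isDirect: true, range: '<2.0.1',
      fixAvailable: { name: 'example-prod-lib', version: '2.0.1', isSemVerMajor: false } },
    'example-dev-tool': { name: 'example-dev-tool', severity: 'low', isDirect: false, range: '<1.4.0',
      fixAvailable: true },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0, total: 2 } },
};

function formatReport(result) {
  const lines = [`audit gate: ${result.fail ? 'FAIL' : 'PASS'}`];
  for (const e of result.blocking) lines.push(`  BLOCK ${e.severity} ${e.name} ${e.range} fix: ${e.fix}`);
  for (const e of result.advisory) lines.push(`  note  ${e.severity} ${e.name} ${e.range} fix: ${e.fix}`);
  return lines.join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  const live = process.argv.includes('--live');
  const result = gateAudit(live ? runProductionAudit() : SAMPLE_REPORT, { failOn: 'high' });
  console.log(formatReport(result));
  if (live) process.exitCode = result.fail ? 1 : 0; // only the real run sets the CI status
}
```

Run it with `--live` inside a checkout to gate a real build; without the flag it evaluates the constructed sample. The point of parsing the JSON rather than trusting npm's exit code is that a single low-severity finding in a test framework would otherwise fail the release.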
External Security Scanning
In addition to our internal scans, we use independent third-party scanning tools to verify our website security, SSL configuration, and overall security posture.
- Mozilla Observatory
- We scan helperbird.com with Mozilla Observatory, which checks HTTP security headers, SSL/TLS configuration, cookie security, content security policies, and other web security best practices. Results are publicly available at observatory.mozilla.org.
- Qualys SSL Labs
- We test our SSL/TLS configuration with Qualys SSL Labs, which performs a deep analysis of certificate validity, protocol support, key exchange, cipher strength, and known vulnerabilities like BEAST, POODLE, and Heartbleed. Results are publicly available at ssllabs.com.
- OWASP ZAP
- We use OWASP ZAP (Zed Attack Proxy), an open source web application security scanner maintained by the OWASP Foundation. ZAP performs automated vulnerability scanning including injection testing, cross-site scripting detection, security misconfiguration checks, and other OWASP Top 10 assessments against our web properties.
- Google Lighthouse
- We run Google Lighthouse audits on helperbird.com to assess best practices, security headers, HTTPS usage, and safe browsing compliance. Lighthouse is built into Chrome DevTools and is an industry-standard tool for web quality assessment.
- Snyk Open Source
- We use Snyk to scan our dependency tree for known vulnerabilities, license compliance issues, and outdated packages. Snyk provides deeper analysis than npm audit, including fix recommendations and vulnerability paths.
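What Mozilla Observatory and ZAP's passive header rules grade, reduced to a local check over a captured response, as an added example written for this page (not Helperbird's tooling). The two header sets are constructed for illustration; the six-month HSTS bar is Observatory's. Live mode assumes Node 18 or later for the global `fetch`.

```javascript
// Added example, not Helperbird's code: the response properties Observatory
// and ZAP's passive header rules check, as a local function over a headers
// object. The two header sets below are constructed. Node 18+ for live mode.
const SIX_MONTHS = 15552000; // seconds; Observatory's bar for full HSTS credit

// "default-src 'self'; script-src 'self'" -> { 'default-src': ["'self'"], ... }
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// headers: object of header name -> value (Set-Cookie may be an array).
// Returns a list of findings; an empty list means every check passed.
function checkSecurityHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < SIX_MONTHS) findings.push(`HSTS max-age ${maxAge} is below six months`);
    if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  }

  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const script = csp['script-src'] || csp['default-src'] || [];
    if (script.includes("'unsafe-inline'")) findings.push("CSP allows 'unsafe-inline' script");
    if (script.includes("'unsafe-eval'")) findings.push("CSP allows 'unsafe-eval'");
  }
  // Clickjacking: frame-ancestors in CSP, or the older X-Frame-Options header.
  if (!(csp && csp['frame-ancestors']) && !h['x-frame-options']) {
    findings.push('no frame-ancestors or X-Frame-Options');
  }
  if (String(h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is not nosniff');
  }
  if (!h['referrer-policy']) findings.push('missing Referrer-Policy');

  for (const cookie of [].concat(h['set-cookie'] || [])) {
    const name = cookie.split('=')[0];
    if (!/;\s*secure\b/i.test(cookie)) findings.push(`cookie ${name} lacks Secure`);
    if (!/;\s*httponly\b/i.test(cookie)) findings.push(`cookie ${name} lacks HttpOnly`);
  }
  return findings;
}

// Constructed samples: one response that fails most checks, one that passes.
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Set-Cookie': ['session=abc; Path=/'],
};
const STRONG_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy': "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'set-cookie': ['session=abc; Path=/; Secure; HttpOnly; SameSite=Lax'],
};

// Live mode: fetch one URL without following redirects, so the headers of the
// response actually served are the ones checked.
async function fetchHeaders(url) {
  const res = await fetch(url, { redirect: 'manual' });
  const headers = Object.fromEntries(res.headers);
  if (typeof res.headers.getSetCookie === 'function') headers['set-cookie'] = res.headers.getSetCookie();
  return headers;
}

if (typeof require !== 'undefined' && require.main === module) {
  const url = process.argv[2];
  (url ? fetchHeaders(url) : Promise.resolve(WEAK_HEADERS)).then((headers) => {
    const findings = checkSecurityHeaders(headers);
    console.log(findings.length ? findings.join('\n') : 'all header checks passed');
  });
}
```

Checking the redirect target separately matters: a site that sends HSTS only on the final HTTPS response still leaves the first plain-HTTP request unprotected, which is why the live mode does not follow redirects.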
Data Handling & Privacy
Helperbird is designed to process everything locally in your browser. We do not collect, store, or transmit your personal data unless a feature explicitly requires it.
- No personal data stored
- The extension does not collect names, browsing history, page content, or any personally identifiable information. Your settings, notes, and highlights are stored locally in your browser or synced via your browser's built-in sync if you enable it.
- Email used only for subscription verification
- If you use Helperbird Pro, your email is used solely to verify your subscription status through Stripe. We do not store or process your email beyond this check. You can also use a subscription key instead, which requires no email at all.
- No cookies or tracking
- Helperbird does not use cookies, third-party tracking scripts, analytics, or any form of user tracking in the extension.
- No third-party data sharing
- We do not sell, share, or transfer any user data to third parties. Ever.
- Minimal permissions
- The extension requests only the permissions it needs to function: activeTab, storage, contextMenus, scripting, and sidePanel. We do not request access to all your browsing data or history.
- Data retention and uninstall
- All your settings, notes, and highlights are stored locally in your browser. When you uninstall Helperbird, that data is removed with the extension. We do not retain any user data on our servers after uninstallation.
Infrastructure & Architecture
Our backend runs on AWS with a serverless architecture. There are no long-lived servers for us to patch or for an attacker to persist on: each function executes in an isolated execution environment managed by AWS and scales automatically.
- AWS Lambda (serverless)
- All API functions run on AWS Lambda, in execution environments that AWS isolates from other functions and other customers. There is no persistent server of ours to attack. One caveat worth knowing: AWS may reuse a warm environment for consecutive invocations of the same function, so a function must not rely on a fresh environment per request or leave request data in module scope.
- AWS CloudFront CDN
- Content is delivered through AWS CloudFront, which provides DDoS protection, TLS encryption in transit, and edge caching for fast global delivery.
- HTTPS everywhere
- All traffic between the extension and our services is encrypted via TLS. There is no unencrypted communication.
- Environment-based secrets
- All API keys, credentials, and sensitive configuration are stored in environment variables. No secrets are hardcoded in the codebase.
- Manifest V3
- Helperbird is built on Chrome's Manifest V3 platform, the current extension architecture. MV3 forbids remotely hosted code (all executable code must ship inside the reviewed package), enforces a strict content security policy for extension pages that disallows eval and remote script sources, and replaces persistent background pages with short-lived service workers. This significantly reduces the attack surface compared to older Manifest V2 extensions.
- Stripe for payments
- All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. We never see or store credit card numbers or payment details.
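A reviewer-side check that a packaged extension's manifest matches the claims made under "Minimal permissions" and "Manifest V3" above, as an added example written for this page (not Helperbird's code). `EXPECTED_PERMISSIONS` is the list from this page; the two sample manifests are constructed, and any findings it prints are items to confirm against the store listing rather than a verdict.

```javascript
// Added example, not Helperbird's code: checks an extension manifest.json
// against the claims on this page (Manifest V3, only the listed permissions,
// no broad host access, no remote code in the extension-pages CSP).
// EXPECTED_PERMISSIONS is the page's list; the sample manifests are constructed.
const EXPECTED_PERMISSIONS = ['activeTab', 'storage', 'contextMenus', 'scripting', 'sidePanel'];
const BROAD_MATCHES = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

// Returns a list of findings for the reviewer to confirm; an empty list means
// the manifest matches the expectations.
function checkManifest(manifest, expectedPermissions = EXPECTED_PERMISSIONS) {
  const findings = [];
  if (manifest.manifest_version !== 3) {
    findings.push(`manifest_version is ${manifest.manifest_version}, expected 3`);
  }
  // MV3 backgrounds are service workers; background.scripts / persistent is MV2.
  if (manifest.background && !manifest.background.service_worker) {
    findings.push('background is not a service worker');
  }
  const perms = manifest.permissions || [];
  const extra = perms.filter((p) => !expectedPermissions.includes(p));
  if (extra.length) findings.push(`permissions beyond the documented set: ${extra.join(', ')}`);
  const missing = expectedPermissions.filter((p) => !perms.includes(p));
  if (missing.length) findings.push(`documented permissions absent from manifest: ${missing.join(', ')}`);

  // Host permissions or content-script matches covering every site grant the
  // reach the page says is not requested.
  const hosts = [...(manifest.host_permissions || []), ...(manifest.optional_host_permissions || [])];
  const broadHosts = hosts.filter((p) => BROAD_MATCHES.includes(p));
  if (broadHosts.length) findings.push(`broad host permissions: ${broadHosts.join(', ')}`);
  for (const script of manifest.content_scripts || []) {
    const broad = (script.matches || []).filter((m) => BROAD_MATCHES.includes(m));
    if (broad.length) findings.push(`content script runs on ${broad.join(', ')}: ${(script.js || []).join(', ')}`);
  }

  // MV3 rejects remote script sources and 'unsafe-eval' in extension_pages;
  // MV2 manifests carry the CSP as a plain string, so both shapes are read.
  const csp = manifest.content_security_policy;
  const pagesCsp = typeof csp === 'string' ? csp : csp && csp.extension_pages;
  if (pagesCsp) {
    const scriptSrc = pagesCsp.split(';').map((d) => d.trim()).find((d) => d.startsWith('script-src'));
    const sources = scriptSrc ? scriptSrc.split(/\s+/).slice(1) : [];
    const remote = sources.filter((s) => /^https?:/.test(s) || s === '*');
    if (remote.length) findings.push(`script-src allows remote code: ${remote.join(' ')}`);
    if (sources.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  }
  return findings;
}

function loadManifest(path) {
  const { readFileSync } = require('node:fs');
  return JSON.parse(readFileSync(path, 'utf8'));
}

// Constructed manifests: one shaped like the claims above, one legacy MV2
// manifest with broad access and remote code allowed.
const SAMPLE_MV3_MANIFEST = {
  manifest_version: 3, name: 'example-extension', version: '1.0',
  permissions: ['activeTab', 'storage', 'contextMenus', 'scripting', 'sidePanel'],
  background: { service_worker: 'background.js' },
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};
const SAMPLE_LEGACY_MANIFEST = {
  manifest_version: 2, name: 'example-legacy', version: '1.0',
  permissions: ['tabs', 'storage', '<all_urls>'],
  background: { scripts: ['background.js'], persistent: true },
  content_security_policy: "script-src 'self' https://cdn.example.com 'unsafe-eval'; object-src 'self'",
};

if (typeof require !== 'undefined' && require.main === module) {
  const manifest = process.argv[2] ? loadManifest(process.argv[2]) : SAMPLE_LEGACY_MANIFEST;
  const findings = checkManifest(manifest);
  console.log(findings.length ? findings.join('\n') : 'manifest matches the documented claims');
}
```

Point it at the `manifest.json` of the unpacked extension (the directory Chrome shows under chrome://extensions with Developer mode on, or the unzipped store package). A broad content-script match is listed because it is the usual way an extension ends up with page access despite a short `permissions` list; whether that is expected for a given build is for the reviewer to decide against the listing.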
Compliance
Helperbird is used in thousands of schools and organizations. We align with the privacy and security frameworks that matter most to education and enterprise buyers.
- FERPA aligned
- We do not access, use, or disclose any education records. The extension does not collect student data. Our architecture is designed to respect student privacy at every level. Read our full compliance statement.
- COPPA aligned
- We do not collect personal information from children under 13. The free version requires no login. For Pro features, a subscription key can be used instead of an email address.
- CASA Tier 2
- We have completed a CASA Tier 2 self-assessment, the cloud application security assessment tier Google requires for apps that request access to restricted Google user data scopes. This covers static analysis, dependency auditing, and secure coding practices.
- WCAG 2.2 Level AA
- Our extension, website, and Google Workspace add-on are all tested against WCAG 2.2 Level AA. See our full standards report.
- Google's User Data Policy
- We comply with Google's User Data Policy and Limited Use requirements for both the Chrome Web Store and Google Workspace Marketplace.
Development & Team Practices
Security is part of how we build, not something we bolt on afterward.
- Two-factor authentication
- All team members use two-factor authentication on every account with access to code, infrastructure, or user-facing services.
- Secure coding practices
- Our codebase follows secure coding guidelines. ESLint security rules run on every build. No eval, no dynamic require, no hardcoded secrets, no unsafe regex patterns.
- Code review
- All changes are reviewed before they ship. Security-sensitive changes receive additional scrutiny.
- Regular updates
- Dependencies are kept up to date. We monitor for new vulnerabilities and patch quickly when they are discovered.
- Data breach plan
- We have a documented data breach response plan that outlines immediate actions to protect users in the unlikely event of a security incident.
Web Store Reviews & Audits
Every version of Helperbird is reviewed by the browser stores before it reaches users. These are independent security and policy reviews that we pass on every release.
- Chrome Web Store
- Google reviews every extension update for malware, policy violations, permission misuse, and content security policy compliance before publishing. Helperbird has maintained a clean record since its first release.
- Microsoft Edge Add-ons
- Microsoft runs their own review process on every submission, checking for security issues, policy compliance, and functionality before listing.
- Firefox Add-ons (AMO)
- Mozilla's review process includes automated scanning and manual code review by their review team. Helperbird passes both stages on every release.
- Apple App Store (Safari)
- The Safari version is distributed through the Apple App Store and undergoes Apple's app review process, which includes privacy and security checks.
- Google Workspace Marketplace
- Our Google Docs and Slides add-on is reviewed by Google for OAuth scope compliance, data handling, and privacy policy adherence before each update is published.
For IT Teams & Administrators
If you are evaluating Helperbird for your school or organization, here is what you need to know.
- Managed deployment
- Helperbird can be deployed and configured via Google Admin Console, Microsoft Intune, Jamf, and other MDM tools. See our deployment guide.
- JSON policy configuration
- Administrators can control which features are enabled, disable specific features across an organization, and set domain exclusion lists through JSON policies. See our JSON policy guide.
- No network dependencies for core features
- Most Helperbird features work entirely offline. Font changes, color adjustments, overlays, spacing, and other visual modifications happen locally in the browser without any network requests.
- Domain whitelisting
- For organizations with strict network policies, we provide a list of domains to whitelist. See our whitelist guide.
Have a question?
Whether you need documentation for a procurement review, have questions about our security practices, or just want to chat, we are here to help.
Email us at [email protected]
