Privacy, in plain English.

Last reviewed June 2026.

What Helen is

Helen is a public, unauthenticated demo of a SIEM agent. You connect your SIEM with your own credentials, ask a question, and Helen answers. There is no account, no sign-in, no profile.

What we do not store

  • Your SIEM credentials.
  • Your SIEM hostname.
  • Your questions or any text you type.
  • Helen's answers.
  • Any persistent identifier for you, your company, or your browser.

What stays in your browser

Credentials. When you connect a SIEM, your credential payload is encrypted with an AES-GCM key generated by window.crypto.subtle on first use. The key is non-extractable and lives only in memory on the current tab; the ciphertext lives in sessionStorage and is wiped automatically when the tab closes.
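
The pattern described above, as an added example that is not Helen's own code: a non-extractable AES-GCM key held only in memory, with nothing but IV and ciphertext written to storage. The {iv, ct} JSON layout, the function names and the injected store argument (pass window.sessionStorage in a browser) are assumptions; only the helen.siem.v1 key name comes from this page.

```javascript
// Added example, not Helen's source. The {iv, ct} record layout is an assumption.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // older Node fallback
const STORAGE_KEY = "helen.siem.v1"; // storage key named on this page

const toB64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Per-tab key. extractable=false makes exportKey() reject, so page script
// can use the key for encrypt/decrypt but cannot read its bytes.
async function newTabKey() {
  return webcrypto.subtle.generateKey(
    { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Encrypt the credential payload and persist only IV + ciphertext.
async function sealCredentials(key, creds, store) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh 96-bit IV each time
  const pt = new TextEncoder().encode(JSON.stringify(creds));
  const ct = await webcrypto.subtle.encrypt({ name: "AES-GCM", iv }, key, pt);
  store.setItem(STORAGE_KEY, JSON.stringify({ iv: toB64(iv), ct: toB64(ct) }));
}

// Returns the credentials, or null when no record exists or decryption fails
// (wrong key after a new tab, or a record whose GCM tag no longer verifies).
async function openCredentials(key, store) {
  const raw = store.getItem(STORAGE_KEY);
  if (raw === null) return null;
  try {
    const { iv, ct } = JSON.parse(raw);
    const pt = await webcrypto.subtle.decrypt(
      { name: "AES-GCM", iv: fromB64(iv) }, key, fromB64(ct));
    return JSON.parse(new TextDecoder().decode(pt));
  } catch {
    store.removeItem(STORAGE_KEY); // stale or tampered record: force a reconnect
    return null;
  }
}

// True when the key's raw bytes cannot be exported.
async function keyIsSealed(key) {
  try { await webcrypto.subtle.exportKey("raw", key); return false; }
  catch { return true; }
}
```

Non-extractability stops script from copying the key out; it does not stop script running in the same tab from calling decrypt with it.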

Consent. Your privacy acknowledgement (and the optional anonymous telemetry checkbox) is stored as a small JSON document in localStorage so we don’t have to ask again on the next visit.

What flows through Helen’s server

Each chat request sends your credentials, the SIEM you chose, and your question to helen-api. The server holds them in memory only for the duration of the request. Credential variables are explicitly set to None in a finally block when the request ends. There is no database in the request path, no logging of credentials or prompts, and no caching layer.

Anonymous telemetry (opt-in)

If you tick the “help improve Helen” checkbox during the privacy gate, we initialize Sentry on the client and forward a single header (X-Helen-Telemetry-Consent: 1) with each request so the server can do the same. Telemetry payloads are scrubbed: prompts, answers, credentials, and SIEM hostnames are removed before any event leaves the browser or the server. You can flip this off at any time by clearing your browser storage for this site.

Lead capture (optional)

After Helen’s first answer, we may show a small card asking if you’d like us to email you when Helen is production-ready. This is the only piece of data that ever gets persisted on our side. It lives in an isolated append-only store and is never co-mingled with chat code.

How to verify all of this

  1. Open DevTools » Network before clicking “Try Helen”.
  2. Connect a SIEM with intentionally fake credentials.
  3. Confirm the only outbound calls are to helen-api and (optionally) to Sentry if you opted in.
  4. Inspect sessionStorage » helen.siem.v1: it’s ciphertext + IV, not your raw credentials.
  5. Close the tab and reopen. The encryption key is gone, the ciphertext is gone, and you’ll be prompted to reconnect.

Contact

Questions, audits, or a security report? Email security@joon.co.