Data Processing Agreement
Last updated: February 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Helium Systems Ltd ("Processor", "we", "us") and the customer organisation ("Controller", "you") for the provision of the Helium Systems platform ("the Service"). This DPA sets out the terms under which we process personal data on your behalf in accordance with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018.
1. Definitions
- Controller — The customer organisation that determines the purposes and means of processing personal data using the Service. This is you, the subscribing entity.
- Processor — Helium Systems Ltd, which processes personal data on behalf of the Controller in the course of providing the Service.
- Data Subject — An identified or identifiable natural person whose personal data is processed through the Service. This includes your customers, suppliers, employees, contacts, and end users.
- Personal Data — Any information relating to a Data Subject, including names, email addresses, postal addresses, telephone numbers, transaction records, IP addresses, and any other data defined as personal data under applicable data protection legislation.
- Sub-processor — A third-party service provider engaged by the Processor to assist in processing personal data on behalf of the Controller.
- Data Protection Laws — The UK GDPR, the EU GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any successor or amending legislation.
- Standard Contractual Clauses (SCCs) — The contractual clauses approved by the European Commission for the transfer of personal data to countries outside the EEA that do not have an adequate level of data protection.
2. Scope of Processing
2.1 Nature and Purpose
The Processor processes personal data solely for the purpose of providing the cloud-hosted SaaS platform described in the Terms of Service. Processing includes storage, retrieval, indexing, analysis, synchronisation with third-party integrations, and automated processing via AI-powered features, all as instructed by the Controller through their use of the Service.
2.2 Categories of Data Subjects
The personal data processed through the Service may relate to the following categories of Data Subjects:
- The Controller's customers and prospective customers
- The Controller's suppliers and their representatives
- The Controller's employees, contractors, and team members
- B2B portal buyers and wholesale contacts
- Recipients of marketing communications
- End users of the Controller's e-commerce channels
2.3 Types of Personal Data
The categories of personal data processed include:
- Identity data (names, job titles, departments)
- Contact data (email addresses, telephone numbers, postal addresses)
- Transaction data (order details, purchase history, payment references)
- Financial data (invoices, credit terms, account balances)
- Employment data (roles, salaries, attendance records — for the Controller's team members)
- Communication data (customer service conversations, supplier correspondence)
- Technical data (IP addresses, browser metadata, authentication tokens)
2.4 Infrastructure
Personal data is stored and processed using Google Cloud Platform infrastructure, primarily in the europe-west1 (Belgium) region. The core storage services are:
- Cloud Firestore — Primary application database for all structured data
- Firebase Authentication — Identity and credential management
- Cloud Storage for Firebase — File uploads, images, and document attachments
- Google BigQuery — Analytics and aggregated reporting data
2.5 Duration
Processing shall continue for the duration of the agreement between the Controller and the Processor. Upon termination, Section 8 (Term and Termination) applies.
3. Processor Obligations
3.1 Lawfulness of Processing
The Processor shall:
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by applicable law.
- Immediately inform the Controller if, in the Processor's opinion, an instruction infringes Data Protection Laws.
- Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2 Security Measures
The Processor implements and maintains the following technical and organisational measures to ensure a level of security appropriate to the risk:
- Encryption at rest — All data stored in Firestore, Cloud Storage, and BigQuery is encrypted using Google-managed encryption keys (AES-256).
- Encryption in transit — All data transmitted between the Service and end users is encrypted using TLS 1.3 or later.
- Access control — Role-based access control with 24 granular permission modules, each with four access levels (none, view, read, write).
- Multi-tenancy isolation — Firestore security rules enforce organisation-level isolation, preventing cross-tenant data access.
- Authentication — Firebase Authentication with support for email/password and Google OAuth. Optional TOTP multi-factor authentication.
- Session management — 30-minute idle timeout and 24-hour maximum session duration.
- Audit logging — Comprehensive logging of administrative actions with actor identification, timestamps, and affected entities.
- API security — API keys are SHA-256 hashed at rest, with IP allowlisting, rate limiting, and automatic rotation capabilities.
- Webhook security — Payload signing using HMAC-SHA256 to ensure integrity and authenticity.
- Vulnerability management — Automated dependency scanning and security updates via CI/CD pipeline.
- Error monitoring — Sentry error tracking with PII scrubbing to detect and respond to system anomalies.
3.3 Sub-processors
The Controller provides general written authorisation for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 30 days.
The Processor shall ensure that sub-processors are bound by data processing obligations no less protective than those set out in this DPA. The current list of sub-processors is set out in Section 9.
3.4 Breach Notification
In the event of a personal data breach, the Processor shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned.
- The name and contact details of the Processor's data protection point of contact.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.
4. Data Subject Rights
4.1 Assistance with Requests
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Subject Access Requests (SARs) — The Service provides a built-in SAR compiler (Settings > Privacy & GDPR) that collates all personal data held about a Data Subject across all collections into a downloadable report.
- Right to erasure — The Service includes an automated erasure engine that removes or anonymises personal data across Firestore, BigQuery, Meilisearch indices, and third-party integrations upon request.
- Right to data portability — The Service supports data export in structured JSON and XLSX formats via the export features and GDPR tools.
- Right to rectification — The Controller may correct personal data directly through the Service interface.
- Right to restrict processing — The Processor shall implement processing restrictions as instructed by the Controller.
4.2 Response Timeframes
The Processor shall respond to Controller requests for assistance within 5 business days. Where a Data Subject contacts the Processor directly, the Processor shall promptly redirect the request to the Controller.
5. International Data Transfers
5.1 Primary Data Location
All primary application data is stored in the European Union, specifically in Google Cloud's europe-west1 (Belgium) region. This applies to Firestore, Cloud Storage, BigQuery, and Cloud Functions.
5.2 Transfers Outside the EEA
Certain sub-processors are located in the United States or process data through infrastructure that may be located outside the EEA. Where personal data is transferred to a country that does not benefit from an adequacy decision by the European Commission or the UK Secretary of State, the Processor ensures that appropriate safeguards are in place, specifically:
- EU Standard Contractual Clauses (SCCs) — Module 3 (Processor-to-Sub-processor) as adopted by European Commission Decision 2021/914, together with the UK International Data Transfer Addendum.
- Supplementary measures — Including encryption in transit and at rest, pseudonymisation where feasible, and contractual commitments from sub-processors regarding government access requests.
5.3 Transfer Impact Assessment
The Processor has conducted transfer impact assessments for each sub-processor located outside the EEA and will make summaries available to the Controller upon request.
6. Audit Rights
6.1 Controller Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Data Protection Laws. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
6.2 Audit Procedures
- Audits shall be conducted with reasonable prior notice of at least 30 days, unless a data breach or regulatory investigation necessitates shorter notice.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
- The Controller shall bear the costs of any audit, unless the audit reveals material non-compliance by the Processor.
- The Controller may conduct no more than one audit per calendar year, unless required by a supervisory authority or following a data breach.
6.3 Certifications and Reports
Where available, the Processor shall provide relevant security certifications, penetration testing summaries, and compliance reports as an alternative to on-site audits, where the Controller reasonably considers these to be sufficient.
7. Data Protection Impact Assessments
The Processor shall provide reasonable assistance to the Controller in carrying out Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, where required under Article 35 or 36 of the UK GDPR or EU GDPR, taking into account the nature of the processing and the information available to the Processor.
8. Term and Termination
8.1 Duration
This DPA shall remain in effect for the duration of the Controller's subscription to the Service. It shall automatically terminate when the underlying service agreement is terminated or expires.
8.2 Data Return and Deletion
Upon termination of the service agreement, the Processor shall:
- Make available to the Controller all personal data processed on behalf of the Controller, in a structured, commonly used, and machine-readable format (JSON or XLSX), upon request made within 30 days of termination.
- Delete all personal data processed on behalf of the Controller within 30 days of termination, unless retention is required by applicable law (e.g. financial records for tax compliance must be retained for 7 years).
- Provide written confirmation of deletion upon request.
8.3 Survival
The obligations in this DPA relating to confidentiality, data security, and cooperation with regulatory authorities shall survive termination of this DPA.
9. Sub-processors
The following sub-processors are currently engaged by the Processor to assist in providing the Service:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Google Cloud Platform (Firebase) | Infrastructure, authentication, database, file storage, serverless compute | All application data | EU (europe-west1, Belgium) |
| Google BigQuery | Analytics, reporting, ETL pipelines | Aggregated business metrics, activity logs | EU (europe-west1, Belgium) |
| Anthropic (Claude AI) | AI-powered features (Nucleus AI, content generation, compliance documents) | Query context, business data summaries | US (Anthropic infrastructure) |
| Postmark (ActiveCampaign LLC) | Transactional and marketing email delivery | Recipient email addresses, message content, engagement metadata | US |
| Stripe Inc. | Payment processing (POS terminal, subscription billing) | Payment card tokens, transaction amounts, customer references | US / EU |
| Meilisearch | Full-text search indexing | Product names, customer names, order references, supplier names | EU (self-hosted) |
| Sentry (Functional Software Inc.) | Error monitoring and performance tracking | Error stack traces, request metadata (PII scrubbed) | EU (eu.sentry.io) |
The Controller will be notified at least 30 days in advance of any changes to this list. Notifications will be sent to the email address registered to the Controller's organisation administrator account.
10. Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Terms of Service, except that neither party may limit its liability for breaches of Data Protection Laws to the extent that such limitation is not permitted by applicable law.
11. Governing Law
This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes arising from or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
12. Contact
Helium Systems Ltd
Data Protection Officer
Email: dpo@heliumsystems.app