Reviewer note: Structural shell. Counsel review required before launch — particularly Annex II (technical/organizational measures) cross-references with /security, and Annex III (sub-processors) cross-references with /sub-processors.
How to execute this DPA
- Download the PDF version: helios-dpa-v1.pdf (TODO: link).
- Counter-sign and return to legal@heliosworks.com.
- We counter-counter-sign and email back the executed copy within 5 business days.
- The executed DPA supplements your existing Terms of Service. If you don’t have a master agreement yet, sign up at /signup first.
If you’re an enterprise customer, your account team can pre-fill your tenant and entity details and walk you through the process.
1. Parties
This Data Processing Agreement is between Helios Works (“Processor”) and the customer signing this agreement (“Controller”).
2. Scope
This DPA governs the Processor’s processing of Controller’s Personal Data when providing the Helios service.
3. Subject matter
The Processor processes Personal Data on behalf of the Controller to deliver the Helios platform per the Terms of Service at /terms.
4. Duration
For the term of the Terms of Service plus the data-retention period at /security#audit.
5. Nature and purpose of processing
Hosting, transmission, storage, retrieval, modification, and deletion of Personal Data as necessary to provide the Service.
6. Categories of data subjects
End-users and operators of the Controller’s organization.
7. Categories of personal data
Identification data, contact data, professional information, content created in the Service, and audit-log metadata.
8. Obligations of the Processor
- Process Personal Data only on documented instructions from the Controller.
- Ensure personnel processing the data are bound by confidentiality.
- Implement appropriate technical and organizational measures (Annex II).
- Engage sub-processors only with prior authorization (Annex III; updates announced 30 days in advance).
- Assist the Controller in responding to data subject requests (per /privacy §5).
- Notify the Controller of personal-data breaches within 72 hours of becoming aware.
- Delete or return all Personal Data on termination, subject to legal-retention exceptions.
9. International transfers
Personal Data may be transferred outside the EEA / UK based on Standard Contractual Clauses (SCCs) Module 2 (controller-to-processor), with supplementary measures as documented in Annex II.
10. Sub-processors
The Processor’s sub-processors are listed at /sub-processors. Material changes are notified 30 days in advance.
11. Annex I — Description of processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the Helios service |
| Duration | Term of the underlying agreement + retention per /security#audit |
| Nature & purpose | Hosting / transmission / storage / retrieval / modification / deletion |
| Type of data | Identification, contact, professional, content, audit metadata |
| Categories of data subject | End-users and operators of the Controller |
12. Annex II — Technical & organizational measures
Summarized; the full description is at /security:
- Pseudonymization & encryption — TLS 1.3 in transit; AES-256-GCM at rest for secrets.
- Confidentiality — role-based access; permission catalog; audit log.
- Integrity — every action audit-logged with input/output hash.
- Availability — managed Postgres backups; status published at status.heliosworks.com.
- Resilience — incident-response plan with 72-hour breach notification.
- Testing & assessment — quarterly internal review; vulnerability disclosure at /security.
13. Annex III — Authorized sub-processors
Maintained at /sub-processors.
14. Signature
Signed by the parties on the date executed. Electronic signature is acceptable.