
HELIXML INC. DATA PROCESSING AGREEMENT

Last updated August 27th 2024

This Data Processing Agreement for HelixML Inc. Services (“DPA”) forms a part of the software subscription agreement or other written agreement between HelixML Inc. (“Helix”) and Customer (“Agreement”) regarding Helix’s subscriptions and/or products or services provided by Helix and ordered by Customer (the “Service”) in accordance with the Agreement. All contacts regarding this DPA must be made to: [email protected].

1. DEFINITIONS

Capitalized terms shall have the meaning set out below. Any capitalized terms not defined in this DPA shall have the meaning set out in the Agreement or as otherwise defined in the applicable data protection laws and regulations:

“Breach Event”: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data transmitted, stored, or otherwise processed by Helix.

“CCPA” refers to the California Consumer Privacy Act of 2018 and its implementing regulations, as well as the California Privacy Rights Act of 2020.

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Customer” means the entity using the Helix Services that has executed an Agreement, which references this DPA.

“Processing”: any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

“Personal Data”: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, which may be supplied to and Processed by Processor on behalf of the Controller pursuant to or in connection with the Agreement.

“Processor”: Helix as the legal person who processes the Personal Data on behalf of the Customer.

“Standard Contractual Clauses”: (i) the Standard Contractual Clauses approved by the Commission Decision 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”) and (ii) the International Data Transfer Agreement issued by the Information Commissioner’s Office in the United Kingdom (“UK SCCs”).

“Sub-Processor”: an entity engaged by the Processor exclusively for the Processing activities to be carried out pursuant to or in connection with the Agreement on behalf of the Controller and in accordance with its instructions, as transmitted by the Controller.

2. DURATION AND APPLICABLE LAWS

2.1. Unless otherwise agreed in writing, this DPA will take effect on the Agreement’s effective date and, notwithstanding its expiry, remain in effect until, and automatically expire upon, deletion of all Personal Data by Helix as described in this DPA.

2.2. This DPA applies when Personal Data is Processed by Helix as part of the provision of the Service, as further specified in the Agreement and the applicable order form, quote or equivalent document.

2.3. The parties acknowledge and agree that the European data protection legislation, such as GDPR, will apply to the processing of Controller Personal Data if, for example: i) the processing is carried out in the context of the activities of an establishment of Controller in the territory of the EEA; and/or ii) the Controller provides data that is personal data relating to Data Subjects who are in the EEA and the processing relates to the offering to them of goods or services in the EEA or the monitoring of their behavior in the EEA.

2.4. The Parties acknowledge and agree that non-European data protection legislation, such as the CCPA or the Brazilian Lei Geral de Proteção de Dados, may also apply to the processing of Controller Data.

2.5. The terms of this DPA will apply irrespective of whether the European data protection legislation or non-European data protection legislation applies to the processing of Controller data.

3. DATA PROCESSING

3.1. To the extent that the GDPR or other privacy Laws and regulations with analogous terms apply to Helix’s Processing of Personal Data on behalf of the Customer under the Agreement, Helix is the Processor to the Customer, who can act either as the controller or processor of Personal Data, as those or analogous terms are defined under applicable legislation.

3.2. To the extent that the CCPA applies to Helix Processing of Personal Data on behalf of Customer under the Agreement, (a) Customer is the “Business” and Helix is the “Service Provider”; (b) Helix will Process Personal Data solely on behalf of Customer and for the specific business purposes set forth in the Agreement; and (c) Helix will not retain, use, disclose, or otherwise Process such Personal Data for any purpose other than for the specific purpose of performing the Service as specified in the Agreement.

3.3. Helix will process the Personal Data in accordance with the Customer’s instructions and applicable laws: (a) to provide the Service, (b) as documented in the Agreement, including this DPA; and (c) as further documented in any other written instructions given by Customer and acknowledged by Helix as constituting instructions for purposes of this DPA. Helix will comply with all lawful and reasonable Controller instructions. If Helix cannot comply with an instruction, it will notify the Customer without undue delay.

3.4. The nature and purpose of the Processing and the type of Personal Data and categories of Data Subjects about whom Personal Data shall be processed are determined by Customer, based on Customer’s use of the Services and the Personal Data that Customer chooses to upload to the Service(s) or otherwise provide to Helix for the purpose of Processing. The categories of Data Subjects may include Customer’s employees, staff, vendors, end users, or the Personal Data of any other Individuals whom Customer chooses to provide to Helix under the Agreement. Details of the data processing are further described in Appendix 1.

3.5. At Customer’s request, Helix will reasonably support the Customer or any Data Controller in dealing with requests from Data Subjects or regulatory authorities regarding Helix’s processing of Personal Data under this DPA. Where requested to do so by the Customer, Helix shall disclose the information reasonably required to demonstrate compliance with the applicable data protection Laws, including the necessary information for the Customer to carry out a privacy impact assessment of the Services and implement mitigation actions agreed by the Parties to address privacy risks which may have been identified.

3.6. Helix shall, upon request, make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and/or the necessary information for the Controller to carry out a privacy impact assessment of the Service and implement mitigation actions agreed by the Parties to address privacy risks which may have been identified.

3.7. Upon termination of the Agreement for whatever reason, and upon Customer’s written request made within thirty (30) days after such termination, Helix will (as applicable) return to Customer or destroy all Personal Data. After such 30-day period, Helix will destroy such Personal Data.

4. DATA SECURITY

4.1. Helix will implement and maintain technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access (“Security Measures”). Those are further described in Appendix 2. Helix may update or modify the Security Measures from time to time at its discretion, provided that such updates and modifications do not result in the degradation of the overall security of the Service.

4.2. Helix will take appropriate steps to ensure compliance with the Security Measures by its employees, contractors, and Sub-processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Helix maintains a list of Sub-processors available on request.

4.3. Helix will assist Customer in ensuring compliance with any of its obligations in respect of security of Personal Data and Breach Events.

4.4. Helix shall notify Customer without undue delay but in no event later than seventy-two (72) hours after becoming aware of any Breach Event.

5. SUB-PROCESSORS

5.1. Customer acknowledges and agrees that Helix may engage Sub-Processor(s) in the performance of the Service(s) on Customer’s behalf. All Sub-Processors to whom Helix transfers Personal Data are bound by substantially the same material obligations as Helix undertakes under this DPA and provide adequate guarantees of security and compliance. Helix will be liable for the acts and omissions of its Sub-Processors to the same extent that Helix would be liable if performing the Service directly, under the terms of the Agreement.

5.2. The current Sub-Processors are listed as per Section 4.2 above. Helix may use new Sub-Processors provided it notifies the Customer in advance of any changes to the list of Sub-Processors in place on the effective date. If Customer has a legitimate reason, Customer may object to Helix’s use of a Sub-Processor, by notifying Helix in writing