Data Processing Agreement
Last updated: June 29, 2026
This Data Processing Agreement (DPA) describes how HelmIQ processes personal data on behalf of a customer firm. It forms part of our Terms of Service and applies whenever HelmIQ processes personal data as a processor on your instructions.
1. Roles
For the data your firm loads into HelmIQ (contacts, companies, deals, notes, email and call content), your firm is the controller and HelmIQ is the processor. HelmIQ processes that data only to provide the service and only on your documented instructions, which include these Terms and your use of the product's features.
2. Scope of processing
- Subject matter: provision of the HelmIQ CRM and its features.
- Duration: the term of your subscription, plus the retention windows in section 8.
- Nature and purpose: storing, organizing, analyzing, and transmitting the data so you can manage relationships and deals.
- Types of data: business contact details, deal and company records, communications content, and usage metadata.
- Categories of data subjects: your team members, your contacts, counterparties, and other individuals your firm chooses to record.
3. Our obligations as processor
- Process personal data only on your documented instructions.
- Ensure personnel authorized to process the data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (see section 5), consistent with Article 32 of the GDPR.
- Assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your security, breach-notification, and impact-assessment obligations. We aim to acknowledge a documented data-subject request within ten business days and to assist within the timeframe your applicable law requires.
- Not sell the data and not use it to train AI models.
4. Sub-processors
You authorize HelmIQ to engage the sub-processors listed on our Security page (database, hosting, email, voice, payments, AI inference). We impose data-protection terms on each that are no less protective than this DPA. We will notify firm owners before adding a new sub-processor that handles customer data, and you may object on reasonable data-protection grounds; if we cannot resolve the objection, you may terminate the affected service.
5. Security measures
HelmIQ maintains, at minimum:
- TLS in transit with HSTS.
- AES-256-GCM encryption of integration tokens and two-factor secrets at rest.
- Database encryption at rest.
- Per-organization tenant isolation enforced server-side on every request.
- Rate limiting and account lockout on authentication.
- An append-only audit log of privileged actions.
- bcrypt password hashing.
The current control catalogue, mapped to SOC 2, NIST CSF, and SEC Reg S-P, is published on our Security page.
6. Personal data breach notification
If HelmIQ becomes aware of a personal-data breach affecting your data, we will notify you without undue delay, and in any event within 72 hours of confirming the breach. Our notice will describe, to the extent known, the nature of the breach, the data and individuals affected, the likely consequences, and the measures taken or proposed. This commitment supports your own regulatory notification duties, including under the GDPR and SEC Regulation S-P.
7. International transfers
Where this DPA covers transfers of EEA or UK personal data to the United States, the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable) are incorporated by reference and apply to those transfers. See our GDPR statement for more.
8. Return and deletion
On termination you may export your data for 30 days. After that we delete live data, and we delete or anonymize residual copies within a reasonable period, except records we must retain under financial-services or tax law, which are stored separately. You may also request deletion at any time in Settings or by email.
9. Audits
On reasonable request and under NDA, we will make available the information necessary to demonstrate compliance with this DPA, including our control catalogue, sub-processor list, and pre-answered diligence questionnaires (SIG Lite, ILPA, AIMA). Where a customer requires a third-party attestation we do not yet hold, our trust-signal roadmap on the Security page describes when it is scheduled.
To execute a counter-signed DPA (with Standard Contractual Clauses) for your procurement file, write to jack@helmiq.net. Postal address: 30 N Gould Street, Sheridan, WY 82801, United States.
This published DPA is a baseline for review and is not legal advice. The binding agreement is the version executed between your firm and HelmIQ.