Data Processing Agreement (DPA)
Helix-Core SAS · GDPR Art. 28 · v1.0 · 2026-05-08
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Controller: the Customer (your Fortune 500 organization)
- Processor: Helix-Core SAS (the "Service Provider")
2. Subject matter and duration
Helix-Core processes Customer's data solely to provide AaaS (Agents-as-a-Service) cascade functionality. Duration: term of the Service Agreement.
3. Categories of data subjects
- Customer's employees with platform access
- Customer's leads and prospects (B2B contact data)
4. Categories of personal data
- Identification: email, name, company
- Behavioral: platform usage, agent activations, cascade interactions
- Financial (if connected): aggregated Stripe metrics (no card data)
5. Sub-processors
Helix-Core uses the following sub-processors (with binding GDPR/SCC contracts):
- Vercel Inc. (USA) — hosting + edge functions — SCC + DPF certified
- Supabase Inc. (USA, EU regions) — PostgreSQL + Storage — SCC + DPF certified
- Sentry, Inc. (USA) — error monitoring — SCC + DPF certified
- Stripe Inc. (USA) — payment processing — SCC + DPF + PCI-DSS Level 1 certified
- Resend (USA) — transactional email — SCC + DPF certified
6. Technical and organizational measures (Art. 32)
- Encryption at rest (AES-256) + in transit (TLS 1.3)
- Row-Level Security (RLS) Postgres policies on all client_* tables
- Multi-Factor Authentication for admin endpoints
- Audit logging via unified_audit_log + Sentry
- Doctrine F7 invariants enforced (8 invariants runtime BD)
- Daily backups at 3am UTC + monthly disaster recovery test
7. Data subject rights
Helix-Core supports Customer in fulfilling:
- Right to access (Art. 15) — endpoint /api/v1/admin/data-export
- Right to rectification (Art. 16) — admin dashboard
- Right to erasure (Art. 17) — endpoint /api/v1/admin/data-delete
- Right to portability (Art. 20) — JSON+CSV export within 72h SLA
8. Breach notification (Art. 33-34)
Helix-Core notifies Customer of any personal data breach within 72 hours via email + audit_log entry severity=critical.
9. International transfers
For data residing in non-EU regions, Helix-Core relies on EU Standard Contractual Clauses (SCC) 2021/914 + Data Privacy Framework (DPF) certifications.
10. Audits
Customer may audit Helix-Core compliance once per year (or upon material breach) with 30 days' notice.
Signature
For electronic signature: legal@helix-core.io
Helix-Core will return the signed version within 5 business days.