Data Processing Agreement (DPA) - HelmOS

Effective Date: October 8, 2025

This Data Processing Agreement ("DPA") forms part of the HelmOS Terms of Service between HelmOS Ltd ("Processor") and the customer ("Controller") for the provision of HelmOS services.

This DPA reflects the parties' agreement on the processing of Personal Data in accordance with the GDPR and the UK Data Protection Act 2018.

1. Scope & Roles

1.1 Relationship

  • You are the Controller: You determine what data to process and why
  • We are the Processor: We process data only on your documented instructions
  • This DPA applies to all Personal Data processed through HelmOS

1.2 Data Categories Processed

Categories of Data Subjects:

  • Your employees and users
  • Your clients and counterparties
  • Vessel owners and buyers
  • Ship brokers and intermediaries
  • Contact persons at maritime companies

Categories of Personal Data:

  • Identity data: Names, titles, job roles
  • Contact data: Email addresses, phone numbers, business addresses
  • Communications: Email content, message threads, call notes
  • Business data: Company affiliations, deal involvement, vessel interests
  • Professional data: Maritime expertise, transaction history

2. Security Measures (Article 32 GDPR)

Technical Measures:

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Access controls: Role-based access, multi-factor authentication
  • Database security: Row-level security, prepared statements
  • Network security: Firewalls, DDoS protection, intrusion detection
  • Backup encryption: All backups encrypted with separate keys

Organizational Measures:

  • Security policies: Written security procedures and incident response plans
  • Employee training: Annual data protection and security training
  • Access reviews: Quarterly review of access permissions
  • Vendor management: Security assessments of all sub-processors
  • Penetration testing: Annual third-party security audits

3. Security Incidents

If we become aware of a Personal Data breach:

  • Notification: We will notify you within 24 hours of becoming aware
  • Details provided: Nature of the breach, affected Data Subjects, likely consequences, measures taken
  • Cooperation: We will cooperate with your investigation and remediation
  • Documentation: We will document all breaches and remediation steps

4. Data Subject Rights

We will assist you in responding to Data Subject requests:

  • Access (Article 15): Export data in machine-readable format
  • Rectification (Article 16): Correct inaccurate data via platform
  • Erasure (Article 17): Delete data via account deletion or data removal tools
  • Portability (Article 20): Export data in JSON/CSV format
  • Restriction (Article 18): Temporarily suspend processing
  • Objection (Article 21): Opt out of specific processing activities

5. Sub-processors

Current Sub-processors:

| Sub-processor | Service | Location |
|---|---|---|
| Supabase Inc | Database & authentication | US/EU |
| Vercel Inc | Web hosting | US/EU |
| Microsoft Corporation | Email API (Microsoft Graph) | Global |

6. International Data Transfers

6.1 Transfer Mechanisms

For EU/UK customers:

  • Standard Contractual Clauses: EU Commission SCCs (Module 2: Controller-to-Processor)
  • UK Addendum: UK International Data Transfer Addendum where applicable
  • Adequacy Decisions: We rely on adequacy decisions where available

6.2 Data Localization (Enterprise Option)

Enterprise customers can request:

  • EU-only processing: Data never leaves EU
  • UK-only processing: Data never leaves UK
  • On-premises deployment: Self-hosted option (Enterprise only)

7. Data Retention & Deletion

  • Active accounts: Data retained indefinitely while account active
  • Deleted accounts: Data purged within 90 days
  • Backups: Retained 30 days, then permanently deleted
  • Audit logs: Retained 7 years for compliance

8. Contact for Data Protection

Data Protection Officer: privacy@helm-os.com

Security Incidents: security@helm-os.com

GDPR Requests: gdpr@helm-os.com

Mailing Address:
HelmOS Ltd
[Your Address]
[City, Postal Code]
[Country]

Version: 1.0

Effective Date: October 8, 2025

Execution: This DPA is automatically executed upon your acceptance of the HelmOS Terms of Service. No separate signature required.

For the complete Data Processing Agreement including Standard Contractual Clauses, please contact legal@helm-os.com