Data Processing Addendum

• “Controller,” “Processor,” “Data Subject,” and “Personal Data” have the meanings given in applicable data-protection laws (including the GDPR and CCPA/CPRA).
• “Customer Data” means personal data Helm processes on your behalf to provide the Service — for example, your customers' names, addresses, phone numbers, email addresses, job history, and messages.
• “Subprocessor” means a third party engaged by Helm to process Customer Data.

For Customer Data, you are the Controller (or a processor acting for another controller) and Helm is your Processor. Helm processes Customer Data only on your documented instructions, which include your use of the Service and this DPA, unless required to act otherwise by law (in which case we will notify you where permitted). With respect to your own account data, Helm acts as a controller, as described in our Privacy Policy.

Helm processes Customer Data to provide, secure, maintain, and improve the Service; to send the communications you configure; and to provide support. You are responsible for the accuracy of Customer Data and for having a lawful basis to collect it and to contact your customers (including consent for marketing messages).

Helm ensures that personnel authorized to process Customer Data are bound by appropriate confidentiality obligations and access it only as needed to provide the Service.

You authorize Helm to engage Subprocessors to provide the Service. The current list of Subprocessors is maintained in our Privacy Policy. Helm imposes data-protection obligations on each Subprocessor that are no less protective than this DPA and remains responsible for their performance. We will provide a means to be notified of material changes to the list so you may object on reasonable grounds.

Helm maintains technical and organizational measures designed to protect Customer Data, including encryption in transit, hashed credentials, access controls, and tenant isolation so that one business's data is not accessible to another. No system is perfectly secure, and you are responsible for safeguarding your own login credentials.

The Service lets you access, correct, export, and delete Customer Data directly. Taking into account the nature of the processing, Helm will provide reasonable assistance to help you respond to Data Subject requests and to meet your obligations under applicable law.

Helm will notify you without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably available to help you meet any notification obligations.

The Service is operated from the United States. Where Customer Data is transferred from a region with transfer restrictions, the parties will rely on an appropriate transfer mechanism (such as the Standard Contractual Clauses) to the extent required by applicable law.

On termination of your account, you may export Customer Data from the Service. After a reasonable period, Helm will delete or anonymize Customer Data, except where retention is required by law or for legitimate business purposes such as backups, which are cycled out on a rolling basis.

Helm will make available information reasonably necessary to demonstrate compliance with this DPA. Any audit will be conducted on reasonable notice, no more than once per year (absent a regulator requirement or a suspected breach), and subject to confidentiality.

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA is incorporated into and forms part of the Terms.