Skip to Content

Data Processing Agreement (DPA)

Between:

HELGION Digital LLC, 3833 Powerline Road Suite 201, Fort Lauderdale, FL 33309, USA

(“Processor”)

and the customer (“Controller”).

1. Subject and Duration

1.1. This DPA governs the processing of personal data by the Processor on behalf of the Controller in accordance with Art. 28 GDPR.
1.2. Processing is performed for:

  • operation of the HELGION Customer Portal (SaaS)

  • execution of IT services (development, migration, consulting, support, administration)

  • communication, documentation, error analysis, and security tasks

1.3. Duration corresponds to the underlying service agreement.

2. Nature and Purpose of Processing

The Processor processes data solely:

  • to perform the contract

  • to provide portal access

  • to execute technical services

  • to ensure security, communication, and documentation

No processing for the Processor’s own purposes.

3. Types of Data and Categories of Data Subjects

3.1. Data Types

  • names and contact information

  • business emails

  • account and login data (hashed)

  • logs and activity data

  • project and ticket data

  • chat and communication history

  • documents and uploaded files

3.2. Data Subjects

  • customers and employees

  • portal users

  • contacts involved in IT service projects

4. Obligations of the Processor

The Processor agrees to:

  • process data only on documented instruction

  • implement appropriate security measures

  • ensure confidentiality of personnel

  • maintain secure access restrictions

  • assist in compliance with GDPR requirements

  • notify Controller of incidents

5. Obligations of the Controller

The Controller is responsible for:

  • lawful data collection and transfer

  • providing required information to data subjects

  • maintaining account and access controls

  • internal compliance measures

6. Subprocessors

The Controller authorizes the use of these subprocessors:

6.1. Hetzner Online GmbH (EU)
  • EU-based hosting for portal and customer data.
6.2. Microsoft 365 Europe Tenant
  • Email, file storage, Teams communication.
  • EU data residency + SCC (US parent company).
6.3. Google Ireland / Google LLC
  • Analytics (only with user consent).
  • Transfers governed by SCC.
  • Additional subprocessors may be added with notice.

7. International Data Transfers (U.S.)

Transfers may occur due to:

  • HELGION’s corporate location (USA)

  • optional use of Google Analytics

  • use of Microsoft as a US-based provider

All transfers use:

  • Standard Contractual Clauses (SCC)

  • encryption

  • restricted access

8. Technical and Organizational Measures (TOMs)

Measures include:

  • TLS encryption

  • MFA and RBAC

  • access logging

  • secure hosting environments

  • regular updates

  • vulnerability management

  • data minimization

  • firewalls and intrusion detection

9. Rights of Data Subjects

The Processor assists the Controller with:

  • access requests

  • deletion and correction

  • portability

  • restrictions and objections

10. Data Breach Notification

The Processor will:

  • notify the Controller without delay (within 48h)

  • provide incident details

  • assist with mitigation

  • support regulatory notifications

11. Deletion or Return of Data

Upon termination:

  • data exports are provided upon request

  • all data will be deleted following retention periods

  • backups are overwritten according to policy

12. Audits and Inspections

The Controller may:

  • request documentation

  • review security measures

  • conduct audits (virtual preferred; onsite only by agreement)

13. Final Provisions

  • This DPA forms part of the master agreement.

  • Amendments require written form.

  • Governing law and jurisdiction follow the main contract (Florida, USA).