Data Processing Agreement

Last updated · 5 May 2026

This Data Processing Agreement (DPA) forms part of the Helix Master Subscription Agreement and applies wherever Helix processes personal data on the Customer's behalf as a processor under UK GDPR Article 28.

1. Subject matter and duration

The subject matter is the provision of the Helix Service. Duration is co-terminous with the Master Subscription Agreement.

2. Nature and purpose of processing

Processing of pseudonymous risk-event metadata generated by the Helix SDK on End-User devices, for the purpose of fraud prevention and behavioural-anomaly detection in the Customer's mobile applications.

3. Categories of data subjects and personal data

  • Data subjects — the Customer's End-Users.
  • Categories — pseudonymous user/device identifiers, risk scores, decision metadata, application context. No raw behavioural biometrics are transmitted to the processor.

4. Sub-processors

Customer authorises Helix to engage the sub-processors listed on the trust centre. Helix gives 30 days' prior notice of changes; Customer may object on reasonable grounds.

5. International transfers

Personal data is stored in the UK (AWS eu-west-2). Where any transfer outside the UK is required, the parties will rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs.

6. Security measures

Helix implements the technical and organisational measures described on the trust centre, including encryption in transit and at rest, access controls, audit logging, and a documented incident response process. Helix will notify Customer of a personal data breach without undue delay and in any event within 72 hours of becoming aware.

7. Data subject rights and assistance

Helix will provide reasonable assistance to Customer in responding to data subject requests, ICO investigations, and Article 35 DPIAs.

8. Audit

Customer may audit Helix's compliance once per year on 30 days' notice, or more frequently following a personal data breach. Customer accepts SOC 2 reports and pen-test summaries in lieu of on-site audits where reasonable.

9. Return or deletion

On termination Helix will, at Customer's option, return or delete personal data within 30 days, save where retention is required by law.

10. Liability

Liability under this DPA is governed by the limitation of liability provisions in the Master Subscription Agreement.

A signable PDF of this DPA is available on request from dpo@helixsecure.co.uk.