Helm
Data Processing Addendum

Last updated: October 11, 2025

Overview

Controller: Agency or Guide using Helm for staffing and coordination services

Processor: Helm, a company to be incorporated in France. Full legal details (SIREN, SIRET, RCS registration, VAT number, legal form, and share capital) will be provided upon company registration.

Contact: privacy@helmkit.com

This Data Processing Addendum ("DPA") governs Helm's processing of personal data on behalf of Agencies or Guides under the Terms of Service and Privacy Policy. It forms part of the agreement between Helm and business users of the Service.


Definitions

  • Controller: The Agency or Guide determining the purposes and means of processing personal data through the Service. When an Agency provides passenger data or when a Guide processes event coordination data, the Agency or Guide acts as Controller for such data.
  • Processor: Helm, processing data on behalf of the Controller as part of the Service.
  • Personal Data: Any information relating to an identified or identifiable individual processed via the Service in connection with staffing, coordination, and event delivery workflows.
  • Subprocessor: Any third-party vendor Helm engages to process data on its behalf.
  • Data Subject: An individual whose personal data is processed under this DPA, including Guides, passengers, and other individuals whose data Controllers provide to Helm.

Subject Matter & Duration

Subject matter

Helm processes Personal Data to enable:

  • Staffing workflows and Guide matching;
  • Availability checks and conflict prevention;
  • Event scheduling and coordination;
  • Communication between Agencies, Guides, and passengers;
  • Operational features of the Helm platform.

Nature and purpose

The processing enables Controllers (Agencies and Guides) to coordinate events, manage bookings, communicate with passengers, and deliver tour/event services through the Helm platform.

Categories of data subjects

  • Guides and Agency personnel;
  • Passengers/tourists whose data is provided by Agencies for event coordination;
  • Other individuals whose data Controllers provide through the Service.

Types of personal data

As described in the Privacy Policy, including account information, calendar signals, booking/operations data, passenger data (names, contact information, preferences, special requirements), and related metadata.

Duration

Processing occurs for the duration of the Controller's active use of the Service and until deletion/return of data as required by this DPA, applicable law, or the Terms of Service.


Processing Instructions

Documented instructions

Helm shall process Personal Data only in accordance with the Controller's documented instructions, including:

  • The Terms of Service;
  • This DPA;
  • The Privacy Policy;
  • Settings, configurations, and instructions provided through the Service interface; and
  • Written instructions reasonably provided by the Controller.

Processing purposes

Processing is limited to the purposes set out in Section 2 and the Privacy Policy. Helm will not process Personal Data for any purpose incompatible with the Controller's instructions.

Controller responsibilities

Controllers are responsible for:

  • Ensuring they have a lawful basis for providing Personal Data to Helm;
  • Providing necessary notices to data subjects;
  • Obtaining required consents;
  • Ensuring instructions comply with applicable law;
  • Responding to data subject requests related to data they control.

Unlawful instructions

If Helm believes an instruction violates applicable data protection law, Helm will promptly inform the Controller. Helm may suspend processing until the instruction is confirmed or modified.

Aggregated data for improvements

Helm may use aggregated, pseudonymized, or anonymized data derived from the Service (where individual users cannot be identified) to improve Helm's features, reliability, security, and overall Service performance. This is Controller activity by Helm for its own purposes, not Processor activity under this DPA.


Helm Obligations as Processor

Helm agrees to:

Confidentiality

Ensure that personnel authorized to process Personal Data:

  • Are bound by appropriate confidentiality obligations (whether contractual or statutory);
  • Receive appropriate training on data protection; and
  • Access Personal Data only as necessary to perform their duties.

Security

Implement and maintain appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest where appropriate;
  • Access controls, authentication, and authorization mechanisms;
  • Production data access restricted to trained personnel;
  • Regular security assessments, monitoring, and incident response procedures;
  • Physical and environmental security for data centers (via hosting subprocessors);
  • Backup and disaster recovery capabilities.

The security measures are designed to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, and the nature of the data.

Subprocessors

Helm may engage Subprocessors to assist in providing the Service, subject to the obligations in Section 5 below.

Assistance with data subject rights

Helm will provide reasonable assistance to Controllers in responding to requests from data subjects to exercise their rights under GDPR or equivalent laws, including:

  • Access, correction, deletion, restriction, portability, and objection requests.

Controllers must submit such requests through Helm's support channels (support@helmkit.com) with sufficient information to identify the relevant data and data subject.

Assistance with compliance

Helm will provide reasonable assistance to Controllers in:

  • Ensuring compliance with obligations under GDPR Articles 32-36 (security, breach notification, data protection impact assessments, and prior consultation);
  • Providing information necessary to demonstrate compliance with this DPA.

Data deletion and return

Upon termination of the Service or at the Controller's request, Helm will:

  • Delete or return all Personal Data processed on behalf of the Controller, at the Controller's choice; and
  • Delete existing copies unless storage is required by applicable law.

Deletion requests must be submitted through support@helmkit.com. Helm will confirm completion within a reasonable timeframe, subject to legal retention requirements.


Subprocessors

Authorization

By using the Service, Controllers provide general authorization for Helm to engage Subprocessors to assist in providing the Service, subject to the requirements below.

Current subprocessors

Helm currently engages the following Subprocessors:

  • Stripe (payments & subscription processing);
  • Vercel (hosting, CDN, edge infrastructure);
  • Sentry (error monitoring and logging);
  • Bokun (booking data synchronization);
  • Knock & Resend (notification delivery);
  • Pinecone (vector database for matching/ranking features);
  • OpenAI & Anthropic (machine learning inference for matching/ranking features, where used).

Subprocessor obligations

Helm ensures that Subprocessors:

  • Are bound by written agreements imposing data protection obligations equivalent to those in this DPA;
  • Implement appropriate security measures;
  • Process Personal Data only for the purposes instructed by Helm.

Helm remains liable to Controllers for Subprocessor performance.

Changes to subprocessors

Helm may add or replace Subprocessors from time to time. Material changes to Subprocessors will be communicated through the Service or by email where feasible.

If a Controller objects to a new Subprocessor on reasonable data protection grounds, the Controller may:

  • Request information about the Subprocessor's data protection practices;
  • Terminate the Service in accordance with the Terms of Service if the objection cannot be resolved.

International Transfers

Transfers outside the EEA

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States and other jurisdictions where Helm or its Subprocessors operate.

Safeguards

Where Personal Data is transferred outside the EEA, Helm ensures appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (where applicable);
  • Adequacy decisions where the destination country has been deemed adequate by the European Commission;
  • Other mechanisms permitted by applicable law.

Documentation

Controllers may request information about transfer mechanisms and safeguards by contacting privacy@helmkit.com.


Data Subject Rights Assistance

Cooperation

Helm will assist Controllers in fulfilling requests from data subjects to exercise their rights under GDPR or equivalent local laws, including:

  • Right of access (Art. 15);
  • Right to rectification (Art. 16);
  • Right to erasure (Art. 17);
  • Right to restriction of processing (Art. 18);
  • Right to data portability (Art. 20);
  • Right to object (Art. 21).

Request handling

  • Data subjects should direct requests to the Controller in the first instance;
  • If Helm receives a data subject request directly, Helm will promptly forward it to the relevant Controller (where identifiable);
  • Controllers must submit assistance requests through support@helmkit.com with sufficient information to locate and process the relevant data.

Timeframes and fees

Helm will provide assistance within a reasonable timeframe to enable Controllers to respond to data subjects within applicable legal deadlines (generally one month under GDPR).

Helm does not charge fees for routine assistance. Complex or voluminous requests may incur reasonable fees to be agreed in advance.


Breach Notification

Notification obligation

Helm will notify Controllers without undue delay upon becoming aware of a personal data breach affecting data processed on behalf of that Controller.

Notification contents

Notifications will include, to the extent known:

  • Description of the nature of the breach (categories and approximate numbers of data subjects and records affected);
  • Contact point for further information (privacy@helmkit.com);
  • Likely consequences of the breach;
  • Measures taken or proposed to address the breach and mitigate harm.

Investigation and cooperation

Helm will investigate breaches, take reasonable steps to mitigate harm, and cooperate with Controllers in their assessment of notification obligations to supervisory authorities and data subjects under applicable law.

No delayed notification

This notification obligation does not relieve Controllers of their own obligations to assess and report breaches to authorities and data subjects as required by law.


Audits & Compliance

Information provision

Helm will make available to Controllers information necessary to demonstrate compliance with the obligations in this DPA and GDPR Article 28.

Audit rights

Controllers have the right to conduct audits (or engage an independent auditor to conduct audits) to verify Helm's compliance with this DPA, subject to:

  • Reasonable advance notice (at least 30 days);
  • No more than one audit per year (unless required by law or following a breach);
  • Confidentiality obligations and security requirements;
  • Reasonable scheduling to minimize disruption to Helm's operations;
  • Controller bearing the costs of the audit.

Audit reports and certifications

Helm may provide audit reports, certifications (e.g., SOC 2, ISO 27001, if obtained), or summaries in lieu of on-site audits where these adequately demonstrate compliance.

Supervisory authority inspections

Helm will cooperate with supervisory authority inspections as required by law.


Liability

GDPR liability allocation

Under GDPR Article 82:

  • Helm as Processor is liable for damages caused by processing only where it has not complied with GDPR obligations specifically directed to processors, or where it has acted outside or contrary to lawful instructions from the Controller;
  • Helm is not liable for damages caused by processing performed in accordance with the Controller's lawful instructions.

Limitation

Subject to Section 10.1 and applicable law, Helm's liability under this DPA is subject to the limitations and exclusions in the Terms of Service, except that:

  • Helm cannot exclude or limit liability for gross negligence, willful misconduct, fraud, or violations that cannot be limited under applicable law;
  • The liability cap in the Terms of Service does not apply to breaches directly attributable to Helm's failure to implement required security measures.

Order of Precedence

In the event of conflict between this DPA and other agreements:

  1. This DPA prevails over conflicting provisions in the Terms of Service with respect to data processing obligations under GDPR/applicable data protection law;
  2. Specific written amendments to this DPA signed by both parties prevail over this DPA.

Term and Termination

This DPA takes effect when you begin using the Service and continues until:

  • Termination of the Terms of Service; or
  • Helm completes deletion/return of all Personal Data processed on behalf of the Controller.

Sections that by their nature should survive (including audit, liability, and confidentiality obligations) will survive termination.


Acknowledgment

By using the Service, Controllers acknowledge and agree to the terms of this Data Processing Addendum.

If you are an Agency or Guide providing personal data through the Service (including passenger data, Guide data, or other personal data), you confirm that:

  • You have a lawful basis for providing such data to Helm;
  • You have provided necessary notices to data subjects;
  • You have obtained required consents (where consent is the lawful basis);
  • You accept this DPA as governing Helm's processing of personal data on your behalf.

For questions or to exercise your rights under this DPA, contact us at:

Email: privacy@helmkit.com

Support: support@helmkit.com