Data Processing Agreement

Last Updated: April 9, 2025

This Data Processing Agreement ("DPA") establishes the terms under which Helium Development LLC processes personal data on behalf of its merchant customers in compliance with GDPR, CCPA, and other applicable data protection regulations.

How to execute this Data Processing Agreement ("DPA")

  1. Email privacy@heliumdev.com and include the myshopify.com domain of your store.
  2. We will send you a version which has been pre-signed on behalf of Helium. Sign and return to privacy@heliumdev.com.
  3. Upon both parties' receipt of the properly completed DPA, the document will become legally binding.

Data Processing Agreement

Based on the General Data Protection Regulation (GDPR) and European Commission Decision 2010/87/EU – Standard Contractual Clauses (Processors)

1. PARTIES AND BACKGROUND

  1. Merchant ("Merchant") has entered into an agreement with Helium Development LLC. ("Helium") (each a "Party" and collectively the "Parties") under which Helium has agreed to provide the Services in accordance with such agreement (the "Agreement"). This Data Processing Agreement (the "DPA") is incorporated into and forms part of the Agreement and shall be effective and replace any previously applicable data processing and security terms as of the effective date of the Agreement ("Effective Date").
  2. To the extent that Helium processes any Merchant Personal Data (as defined below) on behalf of the Merchant (or, where applicable, the Merchant Affiliate) in connection with the provision of the Services, the Parties have agreed that it shall do so on the terms of this DPA.

2. DEFINITIONS

  1. Capitalized terms used but not defined within this DPA shall have the meaning set forth in the Agreement. The following capitalized terms used in this DPA shall be defined as follows:

    "Affiliate" means an entity that, directly or indirectly, owns or controls, is owned or is controlled by, or is under common ownership or control with a Party and is a beneficiary of the Agreement;

    "CCPA" means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., including any amendments and any implementing regulations thereto that become effective on or after the Effective Date of this DPA;

    "Controller" means the Merchant as the entity which determines the purposes and means of the Processing of Personal Data.

    "Data Protection Laws and Regulations" means all laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom ("UK"), applicable to the Processing of Personal Data under the Agreement.

    "EEA" means the European Economic Area;

    "GDPR" means Regulation (EU) 2016/679 (the "EU GDPR") or, where applicable, the "UK GDPR" as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the UK European Union (Withdrawal) Act 2018 or, where applicable, the equivalent provision under Swiss data protection law;

    "Member State" means a member state of the EEA, being a member state of the European Union, Iceland, Norway, or Liechtenstein;

    "Merchant Personal Data" means the Personal Data processed by Helium on behalf of Merchant or Merchant Affiliate in connection with the provision of the Services;

    "Personal Data" means any information relating to an identified or identifiable individual or device, or is otherwise "personal data," "personal information," "personally identifiable information" and similar terms, and such terms shall have the same meaning as defined by applicable data protection laws;

    "Processor" means Helium as the natural or legal person, public authority, agency or other entity which Processes Personal Data on behalf of the Controller subject to this Addendum.

    "Security Documentation" means the Security page as amended from time to time, or as otherwise made available by the Processor to the Controller;

    "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to (including unauthorized internal access to), Merchant Personal Data;

    "Standard Contractual Clauses" or "SCCs" means Module Two (controller to processor) and/or Module Three (processor to processor) of the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914; and

    "Subprocessor" means Helium Affiliates and third-party processors appointed by Helium to process Merchant Personal Data.

  2. The terms "controller", "processor", "data subject", "process", and "supervisory authority" shall have the same meaning as set out in the GDPR. The terms "sell" and "service provider" shall have the same meaning as set out in the CCPA.

3. INTERACTION WITH THE AGREEMENT

  1. This DPA supplements and (in case of contradictions) supersedes the Agreement with respect to any processing of Merchant Personal Data.
  2. With respect to Merchant Affiliates, by entering into the Agreement Merchant warrants it is duly authorised to enter into this DPA for and on behalf of any such Merchant Affiliates and, subject to clause 3.3, each Merchant Affiliate shall be bound by the terms of this DPA as if they were the Merchant.
  3. Merchant warrants that it is duly mandated by any Merchant Affiliates on whose behalf Helium processes Merchant Personal Data in accordance with this DPA to (a) enforce the terms of this DPA on behalf of the Merchant Affiliates, and to act on behalf of the Merchant Affiliates in the administration and conduct of any claims arising in connection with this DPA; and (b) receive and respond to any notices or communications under this DPA on behalf of Merchant Affiliates.
  4. The Parties agree that any notice or communication sent by Helium to Merchant shall satisfy any obligation to send such notice or communication to a Merchant Affiliate.

4. ROLE OF THE PARTIES

  1. The Parties acknowledge and agree that:
    1. for the purposes of the GDPR, Helium acts as "processor" or "subprocessor." Helium's function as processor or subprocessor will be determined by the function of Merchant:
      1. In general, Merchant functions as a controller, whereas Helium functions as a processor.
      2. In certain cases, Merchant functions as a processor on behalf of Merchant's customers where Merchant and Merchant's customer have concluded a data processing agreement in relation to the processing of Personal Data of Merchant's customers; and
  2. for the purposes of the CCPA, Helium will act as a "service provider" in its performance of its obligations pursuant to the Agreement.

5. DETAILS OF DATA PROCESSING

  1. The details of data processing (such as subject matter, nature and purpose of the processing, categories of Personal Data and data subjects) are described in the Agreement and in Schedule 2.
  2. Merchant Personal Data will only be processed on behalf of and under the instructions of Merchant and in accordance with applicable law. The Agreement and this DPA shall be Merchant's instructions for the processing of Merchant Personal Data.
  3. If Merchant's instructions will cause Helium to process Merchant Personal Data in violation of applicable law or outside the scope of the Agreement or the DPA, Helium shall promptly inform Merchant thereof, unless prohibited by applicable law (without prejudice to the SCCs).
  4. Helium is permitted to anonymize Merchant Personal Data through a reliable industry standard anonymization procedure and use such anonymized data for its own business purposes, including for research, development of new products and services, and security purposes.
  5. Helium may store and process Merchant Personal Data anywhere Helium or its Subprocessors maintain facilities, subject to clause 6 of this DPA.

6. SUB-PROCESSORS

  1. Merchant grants Helium general authorisation to engage Subprocessors, subject to clause 6.2, from an agreed list, as well as Helium's current Subprocessors as of the Effective Date.
  2. Helium shall (i) enter into a written agreement with each Subprocessor imposing data protection obligations no less protective of Merchant Personal Data than Helium's obligations under this DPA to the extent applicable to the nature of the services provided by such Subprocessor; and (ii) remain liable for each Subprocessor's compliance with the obligations under this DPA.
  3. Helium shall provide Merchant with at least thirty (30) days' notice of any proposed changes to the Subprocessors it uses to process Merchant Personal Data (including any addition or replacement of any Subprocessors) which notification may be via email (or in-application notice). Merchant may object to Helium's use of a new Subprocessor (including when exercising its right to object under clause 9(a) of the SCCs) by providing Helium with written notice of the objection within ten (10) days after Helium has provided notice to Merchant of such proposed change (an "Objection"). In the event Merchant objects to Helium's use of a new Subprocessor, Merchant and Helium will work together in good faith to find a mutually acceptable resolution to address such Objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, either party may, as its sole and exclusive remedy, terminate the Agreement by providing written notice to the other party. During any such Objection period, Helium may suspend the affected portion of the Services.

7. DATA SUBJECT RIGHTS REQUESTS

  1. As between the Parties, Merchant shall have sole discretion and responsibility in responding to the rights asserted by any individual in relation to Merchant Personal Data ("Data Subject Request").
  2. Helium will forward to Merchant without undue delay any Data Subject Request received by Helium or any Subprocessor from an individual in relation to their Merchant Personal Data and may advise the individual to submit their request directly to Merchant.
  3. Helium will (taking into account the nature of the processing of Merchant Personal Data) provide Merchant with self-service functionality through the Services or other reasonable assistance as necessary for Merchant to fulfil its obligation under applicable law to respond to Data Subject Requests, including if applicable, Merchant's obligation to respond to requests for exercising the rights set out in the GDPR or CCPA. Helium may charge Merchant, and Merchant shall reimburse Helium, for any such assistance beyond providing self-service features included as part of the Services.

8. SECURITY AND AUDITS

  1. Helium will implement and maintain appropriate technical and organizational data protection and security measures designed to ensure security of Merchant Personal Data, including, without limitation, protection against unauthorized or unlawful processing (including, without limitation, unauthorized or unlawful disclosure of, access to and/or alteration of Merchant Personal Data) and against accidental loss, destruction, or damage of or to it.
  2. Helium will implement and maintain as a minimum standard the measures set out in Schedule 3 and in the Security Documentation. Helium may update or modify the security measures set out in Schedule 3 from time to time, including (where applicable) following any review by Helium of such measures in accordance with clause 8.5 (b) of the SCCs, provided that such updates and/or modifications do not reduce the overall level of protection afforded to the Merchant Personal Data by Helium under this DPA.
  3. Merchant or its independent third-party auditor reasonably acceptable to Helium (which shall not include any auditors who are not suitably qualified or independent or are a competitor of Helium) may audit Helium's compliance with its obligations under this DPA up to once per year, or more frequently in the event a Security Incident has occurred or to the extent required by applicable data protection laws, including where mandated by Merchant's regulatory or governmental authority.
  4. To request an audit, Merchant must submit a detailed proposed audit plan to Helium at least four weeks in advance of the proposed audit date. Helium will review the proposed audit plan and work cooperatively with Merchant to agree on a final audit plan. All such audits must be conducted during regular business hours in Pacific Standard Time, subject to the agreed final audit plan and Helium's health and safety or other relevant policies and may not unreasonably interfere with Helium business activities. Nothing in this clause 8.4 shall require Helium to breach any duties of confidentiality.
  5. If the requested audit scope is addressed in an ISO 27001 certification, SOC 2 Type 2 report or similar audit report performed by a qualified third-party auditor within twelve (12) months of Merchant's audit request and Helium confirms there are no known material changes in the controls audited, Merchant agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.
  6. Merchant will promptly notify Helium of any non-compliance discovered during the course of an audit and provide Helium any audit reports generated in connection with any audit, unless prohibited by applicable law or otherwise instructed by a regulatory or governmental authority. Merchant may use the audit reports only for the purposes of meeting Merchant's regulatory audit requirements and/or confirming compliance with the requirements of this DPA.
  7. Any audits are at Merchant's expense. Merchant shall reimburse Helium for any time expended by Helium or its Subprocessors in connection with such audits.

9. SECURITY INCIDENTS

Helium will promptly notify Merchant in writing in the event of any breach of this DPA, applicable law or any instruction by Merchant in connection with the processing of Merchant Personal Data under this DPA. Without limiting the generality of the foregoing, Helium shall notify Merchant in writing without undue delay after becoming aware of any Security Incident, (and in any event within 72 hours of so discovering) and reasonably cooperate in the investigation of any such Security Incident and any obligation of Merchant under applicable law to make any notifications to individuals, supervisory authorities, governmental or other regulatory authority, or the public in respect of such Security Incident. Helium shall take reasonable steps to contain, investigate, and mitigate any Security Incident, and shall, without undue delay, send Merchant timely information about the Security Incident, including, but not limited to, the nature of the Security Incident, the measures taken to mitigate or contain the Security Incident, and the status of the investigation. Helium's notification of or response to a Security Incident under this clause 9 will not be construed as an acknowledgement by Helium of any fault or liability with respect to the Security Incident.

10. DELETION AND RETURN

  1. Helium shall, within 90 days of the date of termination or expiry of the Agreement, (a) if requested to do so by Merchant within that period, return a copy of all Merchant Personal Data or provide self-service functionality allowing Merchant to do the same; and (b) delete and use all reasonable efforts to procure the deletion of all other copies of Merchant Personal Data processed by Helium or any Subprocessors.
  2. Merchant acknowledges that following Helium's permanent deletion from its live systems, partial data may reside on Helium's archival systems for a period of up to 45 days.
  3. Notwithstanding the foregoing, Merchant understands that Helium may retain Merchant Personal Data if required by law, and such data will remain subject to the requirements of this DPA.

11. CONTRACT PERIOD

This DPA will commence on the Effective Date and, notwithstanding any termination of the Agreement, will remain in effect until, and automatically expire upon, Helium's deletion of all Merchant Personal Data as described in this DPA.

12. LIABILITY

Each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Merchant Affiliates and Helium, whether in contract, tort or under any other theory of liability, is subject to the 'Limitation of Liability' (see section 9 of our Terms of Service) section of the Agreement. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. The foregoing shall not limit a party's liability with respect to a data subject's rights to the extent such liability may not be limited under the applicable SCCs.

13. STANDARD CONTRACTUAL CLAUSES

The Parties agree that the terms of the Standard Contractual Clauses Module Two (Controller to Processor) and Module Three (Processor to Processor), as further specified in Schedule 1 of this DPA, are hereby incorporated by reference and shall be deemed to have been executed by the Parties and apply to any transfers of Merchant Personal Data falling within the scope of the GDPR from Merchant (as data exporter) to Helium (as data importer).

14. SUPPORT FOR CROSS-BORDER DATA TRANSFERS

Helium will provide Merchant reasonable support to enable Merchant's compliance with the requirements imposed on the transfer of personal data to third countries with respect to data subjects located in the EEA, Switzerland, and UK. Helium will, upon Merchant's request, provide information to Merchant which is reasonably necessary for Merchant to complete a transfer impact assessment ("TIA"). Helium further agrees to implement the supplementary measures agreed upon and set forth in Schedule 4 of this DPA in order to enable Merchant's compliance with requirements imposed on the transfer of personal data to third countries. Helium may charge Merchant, and Merchant shall reimburse Helium, for any assistance provided by Helium with respect to any TIAs, data protection impact assessments or consultation with any supervisory authority of Merchant.

15. MERCHANT PERSONAL DATA SUBJECT TO THE UK AND SWISS DATA PROTECTION LAWS

To the extent that the processing of Merchant Personal Data is subject to UK or Swiss data protection laws, the UK Addendum and/or Swiss Addendum (as applicable) set out in Schedule 5 shall apply.

16. MERCHANT PERSONAL DATA SUBJECT TO THE CCPA

  1. If Merchant or Merchant Affiliates provide Helium any Merchant Personal Data that is "personal information" under the CCPA, Helium will:
    1. act as a service provider with regard to such personal information;
    2. retain, use, and disclose such personal information solely for the purpose of performing the Services or as otherwise permitted under the CCPA;
    3. not sell Merchant Personal Data to another business or third party. Notwithstanding the foregoing, disclosures to a third party in the context of a merger, acquisition, bankruptcy, or other transaction shall be permitted in accordance with the terms of the Agreement; and
    4. provide reasonable assistance to Merchant in responding to requests from consumers pursuant to the CCPA with regard to their personal information, and in accordance with clause 7 of this DPA.
  2. Helium certifies that it understands the foregoing obligations and shall comply with them for the duration of the Agreement and for as long as Helium processes Merchant Personal Data.

Schedule 1 - Standard contractual clauses

The applicable Standard Contractual Clauses, which are deemed incorporated into and form a part of this DPA, as follows:

  1. Module Two respectively Module Three shall apply in the case of the processing under clause 3.1(a)(i) of the DPA and Module Three shall apply in the case of processing under clause 3.1(a)(ii) of the DPA.
  2. Clause 7 of the Standard Contractual Clauses (Docking Clause) does not apply.
  3. Clause 9(a) Option 2 (General written authorization) is selected, and the time period to be specified is determined in clause 6.3 of the DPA.
  4. The option in Clause 11(a) of the Standard Contractual Clauses (Independent dispute resolution body) does not apply.
  5. With regard to Clause 17 of the Standard Contractual Clauses (Governing law), the Parties agree that, option two shall apply according to the following:

    (a) where the Merchant is established in the EEA, the law of the Member State in which the Merchant is established, provided such Member State law allows for third-party beneficiary rights;

    (b) where the Merchant is established in the UK, the law of England and Wales;

    (c) where the Merchant is established other than in the UK or EEA, the law of the Member State in which the Merchant has appointed its representative under Article 27 of the GDPR; or

    (d) otherwise, the law of the Republic of Ireland.

  6. In Clause 18 of the Standard Contractual Clauses (Choice of forum and jurisdiction), the Parties submit themselves to the jurisdiction of the courts of that country whose law applies according to clause 5 of this Schedule 1.
  7. For the Purpose of Annex I of the Standard Contractual Clauses, Schedule 2 contains the specifications regarding the parties, the description of transfer, and the competent supervisory authority
  8. For the Purpose of Annex II of the Standard Contractual Clauses, Schedule 3 contains the technical and organizational measures.
  9. The specifications for Annex III of the Standard Contractual Clauses, are determined by clause 6.1 of the DPA. The Subprocessor's contact person's name, position and contact details will be provided by Helium upon request.

Schedule 2 - Details of processing

A. LIST OF PARTIES

1. Data Exporter:

Merchant and/or the Merchant Affiliates operating in the countries which comprise the European Economic Area, UK and/or Switzerland and/or – to the extent agreed by the Parties – Merchant and/or the Merchant Affiliates in any other country to the extent the GDPR or corresponding Swiss law applies.

Merchant and Merchant Affiliate's contact person's position and contact details as well as (if appointed) the data protection officer's and (if relevant) the representative's contact details will be notified to Helium prior to the processing of personal data via email to privacy@heliumdev.com or an available form provided by Helium in Merchant's account in the Services.

The activities relevant to the data transfer under these Clauses are defined by the Agreement and the data exporter who decides on the scope of the processing of personal data in connection with the Services further described in this Schedule 1 and in the Agreement.

2. Data Importer:

Helium Development, LLC a private limited liability company registered in the United States of America, with its registered office at:

6659 Kimball Drive
STE D-402
Gig Harbor WA, 98335
United States

The data importer's contact person can be contacted at privacy@heliumdev.com. The data importer's activities relevant to the data transfer under these Clauses are as follows: the data importer processes personal data provided by the data exporter on behalf of the data exporter in connection with providing the Services to the data exporter as further specified in clause 7 and 8 of this Schedule 2 and in the Agreement.

B. DESCRIPTION OF TRANSFER

1. Categories of data subjects

The categories of data subjects whose personal data are transferred: Employees of Merchant and Merchant Affiliates, as well as Merchant's customers and their employees, as well as the individual recipients of marketing communications and other individuals being targets of other marketing activities of the Merchant and/or Merchant Affiliates' or their customers.

2. Categories of personal data

The transferred categories of personal data are: Determined by Merchant's configuration of the Services, and may include name, phone number, email address, address data, IP address, device identifiers, usage data (such as interactions between a user and Helium's online system, website or email, used browser, used operating system, referrer URL).

Moreover, Merchant and Merchant Affiliate may include further personal data of data subjects as specified above (in particular in unstructured form) in connection with their use the Services according to the Agreement.

3. Special categories of personal data (if applicable)

The transferred personal data includes the following special categories of data: N/A - Helium's Terms of Use prohibits Merchant from using the Services to solicit, display, store, process, send or transmit special categories of data.

The applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures are: N/A

4. Frequency of the transfer

The frequency of the transfer is: The transfer is performed on a continuous basis and is determined by Merchant's configuration of the Services.

5. Subject matter and nature of the processing

The subject matter of the processing is: to provide a data analytics and marketing automation platform to Merchant.

6. Purpose(s) of the data transfer and further processing

The purpose/s of the data transfer and further processing is: to provide the Services to Merchant pursuant to the Agreement, for technical support, issue diagnosis and error correction to ensure the efficient and proper running of the systems and to identify, analyze and resolve technical issues both generally in the provision of the Service, URL scanning for the purposes of the provision of targeted threat protection and similar service which may be provided under the Agreement.

7. Duration

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: the duration is defined in clause 11 of the DPA.

8. Subprocessor (if applicable)

For transfers to subprocessors, specify subject matter, nature, and duration of the processing: as stipulated in clause 6.2 of the DPA. The Subprocessors may have access to the Personal Data for the term of this DPA or until the service contract with the respective Subprocessor is terminated or the access by the Subprocessor has been excluded as agreed between Helium and Merchant.

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with clause 13 of the SCCs

Where the data exporter is established in an EU Member State: The supervisory authority of the country in which the data exporter is established is the competent authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of the GDPR: The competent supervisory authority is the Member State in which the representative is established.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of the GDPR in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: The competent supervisory authority is the supervisory authority in Ireland, namely the Data Protection Commission (https://www.dataprotection.ie).

Schedule 3 - Technical and organizational measures

Helium has implemented the technical and organizational measures (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, as well as the risks for the rights and freedoms of natural persons as set forth here: https://heliumdev.com/security

  1. SECURITY PROGRAM. Helium maintains a written security program that includes administrative, technical, and physical safeguards reasonably designed to protect the confidentiality, integrity and availability of Merchant Data. As used in this Exhibit, "Security Program" means Helium's security program that has been provided to Merchant for review (a current version is available at https://heliumdev.com/security), and which includes Helium's security policies and procedures and its current SOC 2 Type II report. Helium agrees that it will not materially diminish the protections and controls of its Security Program during the term of the Agreement with Merchant.
  2. PSEUDONYMISATION AND ENCRYPTION OF PERSONAL DATA. Helium pseudonymises Personal Data where appropriate and encrypts Personal Data in transit and at rest using encryption in accordance with its Security Documentation.
  3. BUSINESS CONTINUITY PLAN. Helium has a business continuity and disaster recovery plan in place to manage significant disruptions to Helium's operations and infrastructure. The plan is appropriate based on the size, scope and complexity of Helium's operations.
  4. AVAILABILITY CONTROL. Vendor has backup procedures for its assets. Vendor has processes in place to monitor availability of its systems.
  5. ACCESS CONTROL. Helium has access controls in place designed to maintain the confidentiality and security of Merchant Data. Controls include as appropriate, authorization and authentication processes for physical and logical access to facilities, systems, networks and devices that handle Merchant Data. Access is granted based on the principal of least privilege. As appropriate Helium logs, monitors and reviews access on a regular basis at a frequency commensurate with risk. As part of Helium's enforced Password Policy (a current copy of which can be provided upon request), Helium requires employees to use two-factor auth (2FA) whenever possible for the services we use as a business. Helium provides employees with Security Keys (FIDO U2F) and prefer these over time-based one time passwords and text message-based two-factor solutions because cyber attackers would also need access to our physical hardware.
  6. PHYSICAL SECURITY. Helium has physical and environmental controls that are commensurate to the risk for Merchant Data and for the Helium equipment, assets, or facilities used to hold and process Merchant Data.
  7. LOG MANAGEMENT. Helium collects and records log information and maintain system logs based on residual risk and commensurate with industry expected operating practices. System logs include, but are not limited to, operating system event logs, administrative access logs, user access logs and security event logs. Such logs facilitate identifying the root cause issues associated with a system issue or a Merchant Data Security Incident.
  8. ASSET MANAGEMENT. Helium has an asset management program in place that appropriately classifies and facilitates control and management of hardware and software assets throughout their lifecycle.
  9. RISK MANAGEMENT. Helium has a documented risk assessment and management process to identify, rate and treat all identified risks to Helium's organization.
  10. HUMAN RESOURCES SECURITY. Prior to hiring, engaging or granting access to Helium systems that store Merchant Data, Helium conducts background checks for its employees that will have access to Merchant Data ("Helium Personnel") and provides security and privacy training. Helium Personnel are subject to confidentiality provisions in their employment agreements or service contracts. Helium ensures responsibilities for information security and privacy are acknowledged by Helium Personnel and that Helium Personnel comply with the terms of this Exhibit. Helium is responsible to Merchant for any acts or omissions of Helium Personnel that result in a breach of this Exhibit. Helium has a disciplinary process for violations of Security Program requirements by Helium Personnel.
  11. NETWORK SECURITY. Helium has appropriate network perimeter defense solutions in place, such as Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) and firewalls to monitor, detect, and prevent malicious network activity and restrict access to authorized users and services. Helium will have appropriate monitoring in place to detect and take appropriate action. Helium reviews firewall configurations and rules at least annually, and any significant changes to firewall rules will follow a documented change management process.
  12. DATA MINIMISATION. Helium collects and processes data as necessary to provide the Services set forth in the Agreement and in accordance with the DPA.
  13. SECURE DEVELOPMENT. Helium has a software development lifecycle ("SDLC") methodology in place that governs the acquisition, development, implementation, configuration, maintenance, modification and management of Helium's infrastructure and software components as applicable. Helium has defined secure coding guidelines applicable to Helium Personnel. Developers will receive secure code training at least annually. Helium's SDLC program will include secure code reviews, vulnerability scanning and security architecture reviews as appropriate.
  14. CHANGE MANAGEMENT. Helium follows documented change management policies and procedures for requesting, testing, and approving application, infrastructure, and product related changes. Changes will undergo review and testing prior to approval for implementation. Changes are approved prior to implementation to production, and only authorized individuals are allowed to move code into production. Helium maintains separate environments for development, testing and production.
  15. THREAT AND VULNERABILITY MANAGEMENT AND SECURITY TESTING. Helium has a threat and vulnerability management program that includes on-going monitoring for vulnerabilities that are acknowledged by Helium's, reported by researchers, or discovered internally through vulnerability scans, or identified by Helium's personnel. Helium has processes in place to document vulnerabilities, risk rank the vulnerabilities and take appropriate steps to remediate vulnerabilities based on risk. Helium performs regular internal and external vulnerability scans. Helium conducts internal and external penetration tests at least annually and remediate vulnerabilities identified in accordance with its Security Program.
  16. THIRD PARTY SECURITY. Helium assesses the risks associated with any new and existing service providers that access to Merchant Data. Helium communicates security and confidentiality requirements, as well as operational responsibilities, through contractual agreements that are as substantially as protective of Merchant Data as the obligations within this Exhibit, with such service providers. Helium is responsible to Merchant for the performance of service providers that Helium uses to perform the Agreement and will remain liable to Merchant for the acts or omissions of its service providers.
  17. INCIDENT RESPONSE AND NOTIFICATION. "Merchant Data Security Incident" means a security event that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Merchant Data stored or otherwise processed by Helium. If there is a Merchant Data Incident, Helium will (A) notify Merchant via email without undue delay upon confirmation of a Merchant Data Security Incident, (B) reasonably cooperate with Merchant with respect to any such Merchant Data Security Incident, and (C) take appropriate action as Helium deems necessary to mitigate risks or damages associated with the Merchant Data Security Incident to protect Merchant Data from further compromise. Helium will take such other actions that may be required by applicable law as a result of the Merchant Data Security Incident. For avoidance of doubt, a Merchant Data Security Incident does not include unsuccessful attempts or activities that do not compromise the security or Personal Data, including unsuccessful login attempts, pings, port scans, denial of service attacks and other network attacks on firewalls or networked systems.
  18. INSPECTION RIGHTS. Merchant or its designated representative will have the right to review and assess Helium's security practices related to handling of Merchant Data ("Assessment"). Following Merchant's written request for an Assessment, and subject to the confidentiality obligations set forth in the Agreement, Helium shall make available to Merchant information regarding Helium's compliance with the obligations set forth in the Agreement (including this Exhibit) in the form of the third-party certifications in its then current SSAE 16 SOC 2 Type II audit report (or comparable industry standard successor report), or any summaries thereof, to the extent that Helium makes them generally available to its Merchants at the time of the request. Helium will annually complete a penetration test of Helium's application, and upon Merchant's written request, provide an executive summary of the results. Helium agrees that any remediation items reasonably identified will be resolved in accordance with its Security Program and commensurate with the associated risk. Any on-site audits requested by Merchant will be subject to the terms of the data processing addendum ("DPA") available at www.heliumdev.com/DPA (or such other DPA executed by both parties).
  19. DATA PORTABILITY & ERASURE. Helium processes support data portability and erasure.

Schedule 4 - Additional supplementary measures

Helium further commits to implementing supplementary measures based on guidance provided by EU supervisory authorities in order to enhance the protection of Merchant Personal Data in relation to the processing in a third country, as described in this Schedule 4.

  1. Additional Technical Measures (Encryption)
    1. The personal data is transmitted (between the Parties and by Helium between data centers as well as to a Subprocessor and back) using strong encryption.
    2. The personal data at rest is stored by Helium using strong encryption
  2. Additional Organizational Measures
    1. Internal policies for governance of transfers especially with groups of enterprises

      (a) Adoption of adequate internal policies with clear allocation of responsibilities for data transfers, reporting channels and standard operating procedures for cases of formal or informal requests from public authorities to access the data.

      (b) Development of specific training procedures for personnel in charge of managing requests for access to personal data from public authorities, which should be periodically updated to reflect new legislative and jurisprudential developments in the third country and in the EEA.

    2. Transparency and accountability measures. Regular publication of transparency reports or summaries regarding governmental requests for access to data and the kind of reply provided, insofar publication is allowed by local law.
    3. Organizational methods and data minimization measures. Development and implementation of best practices by both Parties to appropriately and timely involve and provide access of information to their respective data protection officers, if existent, and to their legal and internal auditing services on matters related to international transfers of personal data transfers.
    4. Others. Adoption and regular review by Helium of internal policies to assess the suitability of the implemented complementary measures and identify and implement additional or alternative solutions, when necessary, to ensure that an essentially equivalent level of protection to that guaranteed within the EEA of the personal data transferred is maintained.
  3. Additional Contractual Measures
    1. Transparency obligations

      (a) Helium declares that (1) it has not purposefully created back doors or similar programming that could be used to access the system and/or personal data, (2) it has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems, and (3) that national law or government policy does not require Helium to create or maintain back doors or to facilitate access to personal data or systems or for Helium to be in possession or to hand over the encryption key.

      (b) Helium will verify the validity of the information provided for the TIA questionnaire on a regular basis and provide notice to Merchant in case of any changes without delay. Clause 14(e) of the SCCs shall remain unaffected.

    2. Obligations to take specific actions. In case of any order to disclose or to grant access to the personal data, Helium commits to inform the requesting public authority of the incompatibility of the order with the safeguards contained in the Article 46 GDPR transfer tool and the resulting conflict of obligations for Helium.
    3. Empowering data subjects to exercise their rights

      (a) Helium commits to fairly compensate the data subject for any material and non-material damage suffered because of the disclosure of his/her personal data transferred under the chosen transfer tool in violation of the commitments it contains.

      (b) Notwithstanding the foregoing, Helium shall have no obligation to indemnify the data subject to the extent the data subject has already received compensation for the same damage.

      (c) Compensation is limited to material and non-material damages as provided in the GDPR and excludes consequential damages and all other damages not resulting from Helium's infringement of the GDPR.

  4. Additional obligations in case of requests or access by public authorities
    1. Helium shall promptly inform Merchant:

      (a) Of any legally binding requests from a law enforcement or other government authority ("Public Authority") to disclose the personal data shared by Merchant ("Transferred Personal Data"); such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided. Such notification shall occur prior to the disclosure of any personal data in response to such requests.

      (b) If it becomes aware of any direct access by public authorities to transferred personal data in accordance with the laws of the country of destination, such notification shall include all information available to Helium.

      (c) If Helium is prohibited from notifying Merchant and/or the data subject, Helium agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicate as much information and as soon as possible. Helium agrees to document its best efforts in order to be able to demonstrate them upon request of the data exporter.

    2. Helium agrees to review, under the laws of the country of destination, the legality of the public authority's request, notably whether it remains within the powers granted to the requesting public authority and exhaust all available remedies to challenge the request if, after a careful assessment, Helium concludes that there are grounds under the laws of the country of destination to do so. This includes requests under section 702 of the United States Foreign Intelligence Surveillance Court ("FISA"). When challenging a request, Helium shall seek interim measures with a view to suspend the effects of the request until the court has decided on the merits. Helium shall not disclose or provide access to the personal data requested until required to do so under the applicable procedural rules and, at such time, shall provide only the minimum amount of information required to comply with the request, based on a reasonable interpretation of the request.
    3. Helium agrees to preserve the information required to comply with this Schedule 4 for the duration of the Agreement and, unless prohibited by applicable law, make it available to the competent supervisory authority upon request and when required by applicable law.

Schedule 5 - UK and Swiss addendum

1. UK ADDENDUM

With respect to any transfers of Merchant Personal Data falling within the scope of the UK GDPR from Merchant (as data exporter) to Helium (as data importer):

  1. neither the Standard Contractual Clauses nor the DPA shall be interpreted in a way that conflicts with rights and obligations provided for in any laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018 (together, the "UK Data Protection Laws");
  2. the Standard Contractual Clauses are deemed to be amended to the extent necessary, so they operate:
    1. for transfers made by Merchant to Helium, to the extent that UK Data Protection Laws apply to the Merchant's processing when making that transfer;
    2. to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR;
  3. the amendments referred to in clause 1.2 of this Schedule 5 include (without limitation) the following:
    1. references to "Regulation (EU) 2016/679" or "that Regulation" are replaced by "UK GDPR" and references to specific Article(s) of "Regulation (EU) 2016/679" are replaced with the equivalent Article of the UK GDPR;
    2. references to Regulation (EU) 2018/1725 are removed;
    3. references to the "Union", "EU" and "EU Member State" are all replaced with the "UK";
    4. the "competent supervisory authority" shall be the Information Commissioner;
    5. clause 17 of the Standard Contractual Clauses is replaced with the following: "These Clauses are governed by the laws of England and Wales";
    6. clause 18 of the Standard Contractual Clauses is replaced with the following: "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts";
    7. any footnotes to the Standard Contractual Clauses are deleted in their entirety.

2. SWISS ADDENDUM

As stipulated in clause 15 of the DPA, this Swiss Addendum shall apply to any processing of Merchant Personal Data subject to Swiss data protection law or to both Swiss data protection law and the GDPR.

  1. Interpretation of this Addendum
    1. Where this Addendum uses terms that are defined in the Standard Contractual Clauses as further specified in Schedule 1 of this DPA, those terms shall have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:

      – "This Addendum" means This Addendum to the Clauses.

      – "Clauses" means The Standard Contractual Clauses as further specified in Schedule 1 of this DPA.

      – "Swiss Data Protection Laws" means The Swiss Federal Act on Data Protection of 19 June 1992 and the Swiss Ordinance to the Swiss Federal Act on Data Protection of 14 June 1993, and any new or revised version of these laws that may enter into force from time to time.

    2. This Addendum shall be read and interpreted in the light of the provisions of Swiss Data Protection Laws, and so that if fulfils the intention for it to provide the appropriate safeguards as required by Article 46 GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
    3. This Addendum shall not be interpreted in a way that conflicts with rights and obligations provided for in Swiss Data Protection Laws.
    4. Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
  2. Hierarchy. In the event of a conflict or inconsistency between this Addendum and the provisions of the Clauses or other related agreements between the Parties, existing at the time this Addendum is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.
  3. Incorporation of the Clauses
    1. In relation to any processing of personal data subject to Swiss Data Protection Laws or to both Swiss Data Protection Laws and the GDPR, this Addendum amends the DPA including as further specified in Schedule 1 of this DPA to the extent necessary, so they operate:
      1. for transfers made by the data exporter to the data importer, to the extent that Swiss Data Protection Laws or Swiss Data Protection Laws and the GDPR apply to the data exporter's processing when making that transfer; and
      2. to provide appropriate safeguards for the transfers in accordance with Article 46 of the GDPR and/or Article 6(2)(a) of the Swiss Data Protection Laws, as the case may be.
    2. To the extent that any processing of personal data is exclusively subject to Swiss Data Protection Laws, the amendments to the DPA including the SCCs, as further specified in Schedule 1 of this DPA and as required by clause 2.1 of this Swiss Addendum, include (without limitation):
      1. References to the "Clauses" or the "SCCs" means this Swiss Addendum as it amends the SCCs and
      2. Clause 6 Description of the transfer(s) is replaced with: "The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are those specified in Schedule 1 of this DPA where Swiss Data Protection Laws apply to the data exporter's processing when making that transfer."
      3. References to "Regulation (EU) 2016/679" or "that Regulation" or ""GDPR" are replaced by "Swiss Data Protection Laws" and references to specific Article(s) of "Regulation (EU) 2016/679" or "GDPR" are replaced with the equivalent Article or Section of Swiss Data Protection Laws extent applicable.
      4. References to Regulation (EU) 2018/1725 are removed.
      5. References to the "European Union", "Union", "EU" and "EU Member State" are all replaced with "Switzerland".
      6. Clause 13(a) and Part C of Annex I are not used; the "competent supervisory authority" is the Federal Data Protection and Information Commissioner (the "FDPIC") insofar as the transfers are governed by Swiss Data Protection Laws;
      7. Clause 17 is replaced to state: "These Clauses are governed by the laws of Switzerland insofar as the transfers are governed by Swiss Data Protection Laws".
      8. Clause 18 is replaced to state: "Any dispute arising from these Clauses relating to Swiss Data Protection Laws shall be resolved by the courts of Switzerland. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland in which he/she has his/her habitual residence. The Parties agree to submit themselves to the jurisdiction of such courts."

      Until the entry into force of the revised Swiss Data Protection Laws, the Clauses shall also protect personal data of legal entities and legal entities shall receive the same protection under the Clauses as natural persons.

  4. To the extent that any processing of personal data is subject to both Swiss Data Protection Laws and the GDPR, the DPA including the Clauses as further specified in Schedule 1 of this DPA will apply (i) as is and (ii) additionally, to the extent that a transfer is subject to Swiss Data Protection Laws, as amended by clauses 2.1 and 2.3 of this Swiss Addendum, with the sole exception that Clause 17 of the SCCs shall not be replaced as stipulated under clause 2.3(b)(vii) of this Swiss Addendum.
  5. Merchant warrants that it and/or Merchant Affiliates have made any notifications to the FDPIC which are required under Swiss Data Protection Laws.