Intelligent iT
Intelligent Group — Legal

Data Processing Agreement

Last updated: June 2026. Final copy is subject to legal review by Intelligent Group counsel.

Draft placeholder. This document is a branded stub pending legal review by Manuel Ruiz (CISO, Intelligent Group) and qualified counsel. Do not rely on this text for compliance purposes. Contact mruiz@intelligentit.io with questions.

1. Scope and Purpose

This Data Processing Agreement (“DPA”) between Intelligent Group (“Processor”) and the subscribing organization (“Controller”) governs the processing of personal data in connection with the Helix platform in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and, where applicable, UK GDPR and CCPA.

2. Definitions

Terms used but not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679). “Personal Data” means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller via the Helix platform.

3. Subject Matter of Processing

The Processor processes the following categories of personal data on behalf of the Controller:

  • Security alert metadata: user principal names (UPNs), device names, IP addresses, and activity timestamps ingested from connected security tools.
  • Identity data: user account attributes from Microsoft 365 and Google Workspace used for posture assessment.
  • Audit log entries: operator actions within the Helix platform (triage decisions, autonomy changes, kill-switch invocations).

The Processor does not process special category data as defined in GDPR Article 9 unless such data is incidentally present in security alert metadata.

4. Processor Obligations

The Processor agrees to: (a) process Personal Data only on documented instructions from the Controller; (b) ensure persons authorized to process the Personal Data have committed to confidentiality; (c) implement appropriate technical and organizational security measures per GDPR Article 32; (d) assist the Controller in responding to data subject rights requests; (e) delete or return all Personal Data upon termination of the service.

5. Sub-processors

The Processor uses the following sub-processors:

  • Supabase, Inc. — database hosting (PostgreSQL), us-central1.
  • Google Cloud Platform — compute (Cloud Run), secret management (Secret Manager), us-central1.
  • Vercel, Inc. — web application hosting (Next.js frontend).
  • Clerk, Inc. — identity and authentication management.
  • Stripe, Inc. — payment processing (billing data only; no security telemetry).

The Processor will notify the Controller of any intended changes to sub-processors at least 14 days in advance.

6. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+) for all tenant data.
  • Row-level security (PostgreSQL RLS) enforcing strict per-tenant data isolation.
  • Connector credentials stored in Google Secret Manager, not in the application database.
  • Mandatory human escalation for all high and critical security findings.
  • Audit logging of all operator actions with immutable timestamps.
  • Kill-switch capability to halt all agent actions within 30 seconds.

7. International Transfers

[DRAFT — pending legal review.] Where Personal Data is transferred to a country outside the European Economic Area, the Processor ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.

8. Audit Rights

The Controller may request, no more than once per calendar year, written evidence of compliance with this DPA. The Processor may satisfy this obligation by providing a current SOC 2 Type II report or equivalent third-party audit report.

9. Term and Termination

This DPA is effective for the duration of the Helix subscription. Upon termination, the Processor will delete all Personal Data within 30 days unless retention is required by applicable law.

10. Contact

Data protection questions: Manuel Ruiz, CISO, Intelligent Group — mruiz@intelligentit.io.