Last updated 2026-04-12. The DPA is incorporated by reference into the master subscription agreement and is countersigned at the start of every customer engagement.
This DPA applies to processing of personal data carried out by Helion Aerospace ehf. on behalf of the customer (the "controller") in connection with the platform. The full list of data categories and processing purposes is set out in Schedule A.
The customer is the controller. Helion is the processor. Sub-processors are listed at /legal/subprocessors/ and may be updated per Section 7 of the privacy policy.
For transfers outside the EEA, the parties rely on the EU Commission's Standard Contractual Clauses (Module 2: controller-to-processor), adopted 4 June 2021. The SCCs are incorporated by reference and the full text is appended to this DPA.
Helion implements the technical and organisational measures set out in /docs/security/. SOC 2 Type II report and ISO 27001 certificate are available under NDA.
Helion will notify the customer in writing at least 30 days before adding or replacing any sub-processor that processes customer personal data. The customer may object on reasonable grounds related to data protection; the parties will work in good faith to resolve.
Helion will assist the customer in responding to data subject requests, taking into account the nature of the processing. Assistance is included in the subscription fee; it is not metered.
Helion will notify the customer without undue delay, and in any event within 48 hours, of becoming aware of a personal data breach affecting customer data. The notification will include the information required by Article 33(3) GDPR to the extent then known.
The customer may audit Helion's compliance with this DPA once per calendar year, on at least 30 days' written notice, during business hours, and in a manner that does not unreasonably interfere with Helion's operations. Helion's SOC 2 Type II report and ISO 27001 certificate count as adequate evidence for most controls; on-site audit is reserved for the residual.
On termination of the master agreement, Helion will return or delete customer personal data within 30 days, at the customer's choice. Deletion is confirmed in writing.
dpa@helionhq.link. Data Protection Officer: dpo@helionhq.link.