At Helpy, protecting your personal data and that of your customers is very important to us. We have created this Data Processing Addendum ("DPA") to help you understand and govern how we protect and securely process personal data. This DPA amends and supplements your Terms of Service ("TOS") and requires no further action on your part.

Helpy agrees to comply with the following provisions with respect to any Personal Data Processed by Helpy in connection with its provision of the Services. References to the Agreement will be construed as including this DPA and, except as modified below, the terms of the Agreement shall remain in full force and effect.

For the purpose of this DPA, Company is the Data Controller and Helpy is the Data Processor. Any capitalized terms not defined herein shall have the respective meanings given to them in the Agreement. In the event of any conflict between this DPA and the TOS, this DPA will prevail.

1. DEFINITIONS

1. "Helpy", "We", "Us", "the Services" refers to the Provider of the Helpy Website, Software and Hosted Service, collectively referred to as "Helpy Services."
2. "Company", "You" means the entity (customer) who has created an account with Helpy, and is using Helpy to process Personal Data (of your customers.)
3. "Company Email Address" means the email address used when the Company account on the Services was created.
4. "Data Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
5. "Data Processor" means the entity which Processes Personal Data on behalf of the Data Controller.
6. "Data Protection Laws" means all laws and regulations, including laws and regulations of the European Union, applicable to the Processing of Personal Data under the Agreement.
7. "Data Subject" means the individual to whom Personal Data relates.
8. "Personal Data" means any information relating to an identified or identifiable person, including their email address, name, ip address, phone number, address, company name, and in some cases their social media names.
   
9. "Privacy Shield" means the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce.
10. "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction ("Process", "Processes" and "Processed" shall have the same meaning).
11. "Security Breach" has the meaning set forth in Section 7 of this DPA.
12. "Sub-processor" means any Data Processor engaged by Helpy. A list of sub-processors is available upon request to hello@helpy.io

2. PROCESSING OF PERSONAL DATA

2.1 The parties agree that with regard to the Processing of Personal Data, Company is the Data Controller and Helpy is the Data Processor.

2.2 Helpy shall process Personal Data in accordance with the requirements of the Data Protection Laws and Company will maintain a Privacy Notice for its users, referencing Helpy as a third party data processor.

2.3 During the Term of the Agreement, Helpy shall only Process Personal Data on behalf of and in accordance with the Services as set out in the Terms of Service. Helpy shall treat Personal Data as confidential information.

2.4 Helpy engages Sub-processors to facilitate sending email, storage of file attachments, usage analytics and for other reasons essential for providing the services. Helpy agrees that any agreement with an approved Sub-processor shall include no less protective data protection obligations as set out in this DPA. Helpy shall remain responsible for any approved Sub-processor's compliance with the obligations of this DPA.

3. DATA RETENTION

Upon account termination, whether initiated by Company or Helpy, Helpy will retain Company data, backups and logs for no more than 30 days, unless there is a pending collection action or other business or legal requirement to retain the data for a longer period of time.

4. RIGHTS OF DATA SUBJECTS

4.1 To the extent Company, in its use or receipt of the Services, does not have the ability to correct, amend, restrict, block or delete Personal Data, as required by Data Protection Laws, Helpy shall promptly comply with reasonable requests by Company to facilitate such actions to the extent Helpy is legally permitted and able to do so.

4.2 Helpy shall, to the extent legally permitted, promptly notify Company at the Company Email Address if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the processing of that person's Personal Data.

Helpy shall not respond to any such Data Subject request without Company's prior written consent except to confirm that the request relates to Company. To the extent that Company responds to any such Data Subject request, Helpy shall provide Company with commercially reasonable cooperation and assistance, including by implementing appropriate technical and organizational measures, in relation to handling of a Data Subject's request, to the extent legally permitted.

5. HELPY PERSONNEL

5.1 Helpy shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and are subject to obligations of confidentiality and such obligations shall survive the termination of that individual's engagement with Helpy.

5.2 Helpy shall ensure that access to Personal Data is limited to those personnel who require such access to fulfill Helpy's obligations under the Agreement.

6. SECURITY; AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS

If you are a resident of the EEA, you have additional legal rights as per the General Data Protection Regulations ("GDPR"):

6.1 Pursuant to Article 28, Section 3(c) of the General Data Protection Regulation ("GDPR"), Helpy shall take all measures required pursuant to Article 32 of the GDPR.

6.2 Helpy will make available to Company all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Company or another auditor mandated by Company.

6.3 Helpy will reasonably cooperate with Company to assist Company in ensuring compliance with Articles 32 to 36 of the GDPR.

7. SECURITY BREACH MANAGEMENT AND NOTIFICATION

7.1 If Helpy becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on Helpy's equipment or in Helpy's facilities ("Security Breach"), Helpy will promptly: (i) notify Company of the Security Breach in accordance with Section 7.2 below; (ii) investigate the Security Breach and provide Company with all relevant information about the Security Breach; and (iii) take all steps to mitigate the effects and to minimize any damage resulting from the Security Breach.

7.2 Notification(s) of Security Breaches will be promptly delivered to the Company Email Address.

7.3 Upon becoming aware of a Security Breach, Helpy will notify affected individuals within 24 hours.

8. RETURN AND DELETION OF PERSONAL DATA

Upon Company's request, Helpy shall delete and/or return Personal Data to Company and shall delete existing copies unless applicable European Union of Member State law requires storage of such data.

9. PRIVACY SHIELD

Helpy agrees to apply the Privacy Shield Framework Principles issued by the U.S. Department of Commerce, located at https://privacyshield.gov/ ("Privacy Shield Principles") to all Personal Data that Company transfers to Helpy that originates from the European Economic Area or Switzerland ("EEA Data"). For clarity, Helpy agrees to: (a) use EEA Data only for purposes specified by Company; (b) notify Company at at the Company Email Address upon Helpy's determination that it can no longer apply the Privacy Shield Principles to EEA Data; and (c) upon such determination, cease use of EEA Data or take other reasonable and appropriate steps to apply the Privacy Shield Principles to EEA Data.

10. PARTIES TO THIS DPA

Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.