Data Processing Agreement

Version 2026-01 · GDPR art. 28 compliant

1. Subject matter

This agreement governs the processing of personal data carried out by Helix Mail (the "Processor") on behalf of the customer (the "Controller") in the context of providing the Helix Mail service.

2. Nature and purpose of processing

Hosting, indexing and processing email messages and their metadata to provide an AI-assisted collaborative inbox. No advertising use.

3. Categories of data

  • Identity (name, email, profile picture)
  • Email message content (body, attachments, headers)
  • Usage metadata (access logs, product events)

4. Duration

For the duration of the subscription contract, plus 30 days after termination for full purge.

5. Technical and organizational measures

See /security — AES-256 encryption, RLS, hash-chain audit, kill-switch.

6. Sub-processors

List kept up to date in the platform back-office, with notification 30 days before any addition.

7. Data location

European Union (Cloudflare EU + Supabase eu-central-1). No transfer outside the EU without Standard Contractual Clauses.

8. Breach notification

Notification to the Controller within 24h of breach detection, ahead of the GDPR 72h deadline.

9. Audit

The Controller may request an annual audit with 30 days' notice, at its own expense and under NDA.