Data Processing Addendum

Last Updated: October 24th, 2025

This Data Processing Addendum (“DPA”) forms part of the Terms of Service (the “Agreement”) between you and Cloud Captain Inc. (d/b/a Helium), a Delaware corporation (“Helium,” “we,” or “us”), and is hereby incorporated into the Agreement.

If you registered for the Services in your individual capacity, “Customer”, “you”, and “your” refer to you. If you registered for the Services on behalf of an organization, “Customer”, “you” and “your” refer to that organization, and you represent that you have the authority to bind that organization to this DPA. You and Helium may each be referred to herein as a “party” and collectively as the “parties.”

  1. Definitions.

    1. “Affiliate”  means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.   

    2. “Anonymized Data” has the meaning in the Agreement and is not Customer Data.

    3. “CCPA”  means Sections 1798.100 et seq. of the California Civil Code and any attendant regulations issued thereunder as may be amended from time to time, including but not limited to the California Privacy Rights Act of 2020 and its implementing regulations.

    4. “Control”  means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests (as measured on a fully-diluted basis) then outstanding of the entity in question. The term “Controlled” will be construed accordingly.

    5. “Customer Data”  means Personal Data that is provided to Helium by or on behalf of Customer through the Services.

    6. “Data Protection Laws” means all data protection and privacy laws and regulations applicable to a party and its processing of Personal Data under the Agreement, including, where applicable: (a) the GDPR, (b) all applicable implementations of the GDPR into national law, (c) in respect of the United Kingdom, the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), (d) the Swiss Federal Data Protection Act (“Swiss DPA”), and (e) the CCPA; in each case, as may be amended, superseded or replaced.

    7. “Europe” means for the purposes of this DPA the European Economic Area, United Kingdom and Switzerland.

    8. “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation).

    9. “Personal Data” means any information protected as “personal data”, “personal information” or “personally identifiable information” under Data Protection Laws.

    10. “Restricted Transfer” means: (a) where the GDPR applies, a transfer of Customer Data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission (“EEA Restricted Transfer”); (b) where the UK GDPR applies, a transfer of Customer Data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018 (“UK Restricted Transfer”); and (c) where the Swiss DPA applies, a transfer of Customer Data from Switzerland to any other country which is not determined to provide adequate protection for personal data by the Federal Data Protection and Information Commission or Federal Council (as applicable) (“Swiss Restricted Transfer”).

    11. “Security Incident” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data, stored or otherwise processed by Helium in connection with the provision of the Services. “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful login attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

    12. “Standard Contractual Clauses” means the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (as may be amended, superseded or replaced from time to time), which can be found here: https://commission.europa.eu/publications/publications-standard-contractual-clauses-sccs_en.

    13. “Subprocessor” means any processor having access to Customer Data and engaged by Helium to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement (excluding any employee, consultant or independent contractor of Helium).

    14. The terms “controller”, “data subject”, “processor”, “processing”, “personal data” and “sensitive data” shall have the meanings given to them in the GDPR, and the terms “service provider”, “business”, “collects” (and “collected” and “collection”), “consumer”, “business purpose”, “sell” (and “selling”, “sale”, and “sold”), “share” (and “sharing” and “shared”), have the meanings given to them in the CCPA.

    15. “UK Addendum” means the International Data Transfer Addendum (version B1.0) to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under S.119(A) of the UK Data Protection Act 2018, as amended, superseded or replaced from time to time.

  2. Roles and Scope of Processing.

    1. Data Processing Roles. Helium shall process Customer Data for the Permitted Purpose (as defined below) as a processor on behalf of Customer as the controller. For the purposes of the CCPA (where applicable), Helium shall process Customer Data as a service provider for the Customer as a business.   

    2. Compliance with Laws. Each party shall comply with its obligations under Data Protection Laws in respect of any Customer Data it processes under this DPA. For the avoidance of doubt, Helium is not responsible for complying with Data Protection Laws uniquely applicable to Customer by virtue of its business or industry, such as those generally applicable to online service providers. 

    3. Processing Instructions. Helium shall process Customer Data in accordance with Customer’s documented lawful instructions, unless obligated to do otherwise by applicable law, in which case Helium will notify Customer (unless that law prohibits Helium from doing so on important grounds of public interest). For these purposes, Customer instructs Helium to process Customer Data for the purposes described in Schedule A (the “Permitted Purpose”, which, where CCPA applies, is a business purpose). This DPA and Agreement are Customer’s complete and final instructions. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. Without prejudice to Section 2.4 (Customer Responsibilities), Helium shall promptly notify Customer in writing, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any processing instructions from Customer violate Data Protection Laws (but without obligation to actively monitor Customer’s compliance with Data Protection Laws) and in such event, Helium shall not be obligated to undertake such processing until such time as the Customer has updated its processing instructions and Helium has determined that the incidence of non-compliance has been resolved.

    4. Customer Responsibilities. In using the Services, Customer shall process Customer Data in compliance with all applicable Data Protection Laws. Customer is solely responsible for: (a) the accuracy, quality, and legality of the Customer Data; (b) the manner in which such Customer Data was obtained; and (c) the instructions it provides to Helium regarding the processing of such Customer Data. Customer shall ensure that: (i) it has provided all required notices and obtained (or will obtain) all necessary consents and rights for Helium to process Customer Data under the Agreement and this DPA; (ii) its instructions are lawful and the processing of Customer Data in accordance with such instructions will not result in a violation of Data Protection Laws; and (iii) where the CCPA applies, the Customer Data is provided to Helium solely for the purpose of performing the Services for a valid business purpose.  

  3. Subprocessing.

    1. Authorized Subprocessors. Customer grants Helium a general authorization to engage Subprocessors and, where the CCPA applies, other third party service providers (together, the “Subprocessors”) as necessary to provide the Services. A current list of Helium’s Subprocessors is available at tryhelium.com/support-pages/sub-processors (or any successor URL maintained by Helium) (the “Subprocessor Site”). Helium will remain fully responsible for the acts and omissions of its Subprocessors that result in a breach of Helium’s obligations under this DPA.

    2. Notification of New Subprocessors. Helium will maintain the Subprocessor Site and provide Customer with a means to receive notice of any updates to the Subprocessor Site.

  4. Security Measures and Security Incident Response.

    1. Security Measures. Helium will implement and maintain reasonable administrative, technical, and physical safeguards, as further described in Schedule B (Technical and Organizational Security Measures), designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, including Security Incidents. Such safeguards will include measures intended to ensure the confidentiality, integrity, and availability of Customer Data, and will be designed to provide a level of security appropriate to the risk. Helium may update and refine its safeguards from time to time, provided that such updates do not materially reduce the overall protection of Customer Data. 

    2. Personnel. Helium will restrict its personnel from processing Customer Data without authorization by Helium, and will ensure that any individual authorized to process Customer Data is bound by an appropriate obligation of confidentiality. 

    3. Customer Responsibilities. Except as otherwise provided in this DPA, Customer is responsible for the secure use of the Services. This includes securing its account authentication credentials, protecting the transmission of Customer Data through its own systems (such as by using email encryption), and taking appropriate steps to encrypt or back up any Customer Data uploaded to the Services.

    4. Security Incident Response. Upon becoming aware of a Security Incident, Helium will notify Customer without undue delay and in all cases within seventy-two (72) hours. Helium will provide Customer with information about the Security Incident as it becomes available or as reasonably requested in order to allow Customer to meet its obligations as a controller. Helium will also take appropriate and reasonable measures to contain, investigate, and mitigate the Security Incident. 

  5. Audit and Records.

    1. Audit Rights. Helium will make available to Customer all information in its possession or control and will provide reasonable assistance in connection with audits of its premises, systems, and documentation as Customer may reasonably request to assess Helium’s compliance with this DPA. Customer acknowledges and agrees that it will exercise its audit rights under this DPA, including this Section 5 and where applicable the Standard Contractual Clauses, by instructing Helium to follow the audit measures described in Section 5.2 below. 

    2. Audit Procedures. Where required under Data Protection Laws or where directed by a data protection authority, Customer may, upon providing at least thirty (30) days’ prior written notice, request that its own personnel or a third party (at Customer’s expense) conduct an audit of Helium’s facilities, equipment, documents, and electronic data relating to the processing of Customer Data under the Agreement to the extent necessary to assess Helium’s compliance with this DPA, provided that Customer may not exercise this right more than once per calendar year, any such audit must not unreasonably disrupt or adversely affect Helium’s regular operations or conflict with applicable Data Protection Laws or the instructions of a competent data protection authority, the parties will mutually agree in advance on the scope, timing, and duration of the audit, and Customer and any third party engaged by Customer will at all times comply with Helium’s policies, procedures, and reasonable instructions governing access to its systems and facilities (including any restrictions on access to confidential information), and without limiting the foregoing Helium will provide reasonable assistance as necessary to accommodate Customer’s request.

  6. Data Transfers. Customer agrees that Helium may process and transfer Customer Data to the United States and to any other jurisdiction in which Helium, its Affiliates, or its Subprocessors operate data processing facilities, as identified on the Subprocessor Site. Helium will conduct all such transfers in accordance with applicable Data Protection Laws and the terms of this DPA.

  7. Return or Deletion of Data. Promptly upon Customer’s request, or within one hundred eighty (180) days following the termination or expiration of the Agreement, Helium will delete or return all Customer Data in its possession or control. This obligation will not apply where Helium is required by applicable law to retain certain Customer Data, or to Customer Data stored on back-up systems, provided that any retained data is securely isolated and protected from further processing except as required by law.

  8. Cooperation. 

    1. Assistance with Data Subject and Authority Requests. Taking into account the nature of the processing, Helium will provide reasonable assistance to Customer in responding to requests from individuals or data protection authorities relating to the processing of Customer Data for the Permitted Purposes. If any such request is made directly to Helium, it will not respond except to direct the individual to contact Customer, unless legally required to do so or otherwise authorized by Customer, in which case Helium will promptly notify Customer and provide a copy of the request unless prohibited by law. If Customer is unable to respond to a request concerning personal data processed by Helium as Customer’s processor or service provider, then, upon Customer’s reasonable request and subject to any restrictions or exemptions under applicable law, Helium will use reasonable efforts to assist Customer in responding to such verified requests to the extent they relate to Helium’s processing of personal data on behalf of Customer.

    2. Data Protection Impact Assessments. To the extent required under applicable European Data Protection Laws, Helium will provide Customer with the information reasonably necessary regarding the Services to enable Customer to conduct data protection impact assessments and, where appropriate, to carry out prior consultations with data protection authorities.

  9. Europe. 

    1. Scope. The provisions in this Section 9 apply only if and to the extent that Customer is established in Europe or the Customer Data is otherwise subject to European Data Protection Laws.

    2. Subprocessor Obligations. Helium will enter into a written agreement with each Subprocessor that imposes data protection obligations no less protective of Customer Data than those set out in this DPA or as otherwise required under applicable Data Protection Laws, taking into account the nature of the services provided by the Subprocessor.

    3. Subprocessor Objection Right. If Customer objects on reasonable data protection grounds to Helium’s engagement of a new Subprocessor, Customer must provide written notice of such objection to Helium promptly and in any event within fifteen (15) days after Helium’s notification under Section 3.2 (Notification of New Subprocessors). The parties will discuss the objection in good faith with a view to reaching a resolution. If no mutually acceptable resolution is achieved, Customer’s sole and exclusive remedy is to terminate the relevant affected portion of the Services without liability to either party, except that Customer will remain responsible for fees incurred prior to termination.

    4. Transfer Mechanism. To the extent the transfer of Customer Data from Customer to Helium constitutes a Restricted Transfer and European Data Protection Laws require appropriate safeguards, such transfer will be governed by the Standard Contractual Clauses, which are incorporated by reference into and form an integral part of this DPA, as follows:

      (a) EEA Restricted Transfers. For any EEA Restricted Transfer, the Standard Contractual Clauses will apply as follows: (i) Module Two (controller-to-processor transfers) will apply, and all other modules will be deleted; (ii) Clause 7 (the optional docking clause) will apply; (iii) in Clause 9 of Module Two, Option 2 will apply, and the time period for prior notice of Subprocessor changes will be as set out in Section 3.2 of this DPA; (iv) in Clause 11, the optional language will not apply; (v) in Clause 17, Option 1 will apply, and the Standard Contractual Clauses will be governed by Irish law; (vi) in Clause 18(b), disputes will be resolved before the courts of Ireland; (vii) Annex I will be deemed completed with the information set out in Schedule A (Description of Processing/Transfer); and (viii) Annex II will be deemed completed with the security measures described in Schedule B (Technical and Organizational Security Measures) (as applicable) of this DPA.

      (b) UK Restricted Transfers. For any UK Restricted Transfer, the Standard Contractual Clauses will apply in accordance with subsection (a) above, as modified and interpreted by the UK Addendum, which is incorporated into and forms part of this DPA. In the event of any conflict between the Standard Contractual Clauses and the UK Addendum, the UK Addendum will prevail in accordance with Sections 10 and 11 thereof. Tables 1 through 3 of Part 1 of the UK Addendum will be completed with the information set out in Schedule A and Schedule B of this DPA, and Table 4 of Part 1 will be deemed completed by selecting “neither party.”

      (c) Swiss Restricted Transfers. For any Swiss Restricted Transfer, the Standard Contractual Clauses will apply in accordance with subsection (a) above, subject to the following modifications: (i) references to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss DPA and the equivalent provisions therein; (ii) references to “EU,” “Union,” “Member State,” and “Member State law” will be interpreted as references to Switzerland and Swiss law, as applicable; (iii) references to the “competent supervisory authority” and “competent courts” will be interpreted as references to the Swiss data protection authority and Swiss courts; and (iv) the Standard Contractual Clauses will be governed by Swiss law, and disputes will be resolved before the competent Swiss courts.

      (d) Precedence of Standard Contractual Clauses. The rights and obligations under the Standard Contractual Clauses will be exercised in accordance with this DPA, unless expressly stated otherwise. It is not the intention of either party to contradict or limit the Standard Contractual Clauses. In the event of any conflict between the Standard Contractual Clauses and the Agreement (including this DPA), the Standard Contractual Clauses will prevail to the extent of the conflict.

    5. Data Transfer Arrangements. To the extent Helium implements an alternative data export mechanism (including any new version of, or successor to, the Standard Contractual Clauses adopted under Data Protection Laws) for the transfer of Personal Data (an “Alternative Transfer Mechanism”), such Alternative Transfer Mechanism will apply in place of the transfer mechanism described in this DPA, but only to the extent it complies with applicable European Data Protection Laws and covers the territories to which Personal Data is transferred.

    6. Notification of Government Access Requests. For purposes of Clause 15(1)(a) of the Standard Contractual Clauses, Helium will notify Customer, and not the data subjects, in the event of a government access request. Customer will be solely responsible for promptly notifying the affected data subjects, if required.

  10. CCPA.

    1. Scope. The terms in this Section 10 apply only if and to the extent Customer Data is subject to California Data Protection Laws.

    2. Prohibited Activities. In providing the Services, Helium will act as a service provider to Customer within the meaning of the CCPA. Accordingly, Helium will not (i) sell or share Customer Data; (ii) use Customer Data for purposes of targeted or cross-context behavioral advertising; (iii) use, disclose, or retain Customer Data for any purpose other than delivering the Services or as otherwise permitted under the Agreement and this DPA; (iv) use, disclose, or retain Customer Data outside the scope of its business relationship with Customer; or (v) merge or combine Customer Data with other data in a manner inconsistent with the CCPA’s requirements for service providers or with the agreed business purpose.

    3. Compliance Commitment. Helium affirms that it understands the obligations set out in this Section 10 and will adhere to them. If at any point Helium determines that it cannot continue to meet the requirements of the CCPA, it will promptly inform Customer.

    4. Permitted Use of De-Identified Information. Notwithstanding the restrictions in this DPA or the Agreement, Customer acknowledges that Helium may process Customer Data in order to produce information that is anonymized, aggregated, or otherwise de-identified so that it no longer identifies Customer or any individual. Helium may use such de-identified information for its own legitimate business purposes, including the preparation of benchmarking reports, statistical summaries, and similar analyses.

    5. Handling Consumer Requests. Helium will maintain processes and resources that enable consumers to exercise their rights under the CCPA. Where Helium receives a request directly from a consumer who is an employee of Customer regarding that individual’s Customer Data, Helium will not act independently but will instead handle the request in line with the procedures outlined in Section 8 of this DPA, thereby enabling Customer to fulfill its responsibilities under the CCPA. 

  11. General.

    1. Replacement of Prior Agreements. This DPA supersedes and replaces any prior data processing agreement entered into between the parties in connection with the Services.

    2. Incorporation into the Agreement. As between Customer and Helium, this DPA forms part of and is governed by the Agreement. It will remain effective for the term of the Agreement or for the duration of the Services. If there is a conflict between the terms of this DPA and the Agreement, the terms of this DPA will control with respect to the processing of Customer Data.

    3. No Third-Party Beneficiaries. This DPA does not create any rights or causes of action for third parties. The foregoing does not limit any rights or remedies that data subjects may have under applicable Data Protection Laws, this DPA, the Standard Contractual Clauses, or the UK Addendum.

    4. Disclosure to Regulators. Each party acknowledges that the other may disclose this DPA, the Standard Contractual Clauses, and any privacy-related terms of the Agreement to a regulator or supervisory authority upon request.

    5. Modifications. Notwithstanding anything to the contrary in the Agreement, and without limiting Section 2.3, Helium may amend this DPA from time to time to reflect changes in Data Protection Laws or in its business practices, provided such updates do not materially reduce the protection of Customer Data.

    6. Dispute Resolution. Except to the extent required otherwise under applicable Data Protection Laws or the Standard Contractual Clauses, the dispute resolution provisions in the Agreement will govern any disputes arising under or in connection with this DPA.

SCHEDULE A

Description of Processing/Transfer

Annex 1(A): List of Parties

  1. Data Exporter

Name: The customer that registers for an account with Helium under the Agreement, as identified in the registration process.

Address, and contact person’s name, position, and contact details: As identified in the registration process.

Activities relevant to the data transferred under these Clauses: The performance of the Services described in the Agreement.

Role: Controller.

  2. Data Importer:

Name: Cloud Captain Inc. (d/b/a Helium).

Address: 156 2nd St, Suite 502, San Francisco, CA 94105

Contact person’s name, position and contact details:

Shishir Jakati — Data Protection Officer

490 Post St, Suite 1700
San Francisco, CA 94102

legal@tryhelium.com

Activities relevant to the data transferred under these Clauses: The performance of the Services described in the Agreement.

Role: Processor.

Annex 1(B): Description of Transfer

Categories of data subjects whose personal data is transferred.

The data subjects may include Customer’s employees, customers, vendors, and end users.

Categories of personal data transferred.

The Personal Data that is sent to Helium by, or on behalf of, Customer for the purpose of using the Services.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Helium does not intentionally collect or process special categories of personal data (as defined under applicable Data Protection Laws). However, because Customer determines the content of the data it submits to the Services, Customer may, at its sole discretion and to the extent permitted under the Agreement, include special category data within Customer Data. Such data, if submitted, may include, but is not limited to, information regarding gender, race or ethnicity, sexual orientation, trade union membership, or other sensitive categories of personal data.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

Personal Data is transferred on a continuous basis.

Nature of the processing.

Analysis, storage, and other Services as described in the Agreement, Order Form(s), DPA, and Documentation.  

Purpose(s) of the data transfer and further processing.

Personal Data may be processed (i) to provide, operate, and improve the Services in accordance with the Agreement; (ii) in connection with processing initiated by the Customer through their use of the Services; (iii) to comply with reasonable written instructions from Customer, including through email or support tickets, provided such instructions are consistent with the Agreement and this DPA; and (iv) to comply with applicable legal obligations, including those under Data Protection Laws.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.

The duration of processing will be the term of the Agreement, plus any additional period following its expiration necessary for Helium to return or delete Customer Data in accordance with this DPA.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing.

As above.

Annex 1(C): Competent Supervisory Authority.

Identify the competent supervisory authority/ies in accordance with Clause 13.

The data protection authority of the EU Member State in which the exporter is established.

SCHEDULE B

Technical and Organizational Security Measures

The Processor shall implement and maintain appropriate technical and organizational measures (TOMs) designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, damage, theft, alteration, or disclosure. These measures include, but are not limited to, the following:

1. Access Control

  • Personal Data is accessible only by authorized personnel with a business need-to-know.

  • Unique user IDs and strong authentication mechanisms (e.g., MFA) are required for system access.

  • Role-based access is enforced and reviewed regularly.

  • Physical access to facilities is restricted and monitored.

2. Data Protection

  • Personal Data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).

  • Backups are encrypted and stored securely with defined retention periods.

  • Segregation of customer data is maintained to prevent unauthorized cross-access.

3. System and Network Security

  • Firewalls, intrusion detection, and intrusion prevention systems are deployed to protect networks.

  • Anti-malware protection is maintained and updated on all relevant systems.

  • Regular vulnerability scanning and penetration testing are performed.

  • Logging and monitoring are in place to detect and respond to anomalous activities.

4. Incident Response

  • A written incident response plan is maintained and tested periodically.

  • Security events and data breaches are logged, investigated, and remediated promptly.

  • The Controller will be notified of any Personal Data Breach without undue delay, in accordance with the DPA.

5. Business Continuity and Disaster Recovery

  • Disaster recovery plans are in place and tested at least annually.

  • Redundancy is built into critical systems to ensure service availability.

  • Regular backups are performed and periodically tested for data restoration.

6. Personnel Security and Training

  • Employees and contractors are subject to confidentiality obligations.

  • Security awareness training is conducted at onboarding and refreshed regularly.

  • Access to Personal Data is revoked immediately upon termination of employment or contract.

7. Sub-Processor Management

  • Sub-processors are subject to written agreements with equivalent security obligations.

  • The Processor reviews the security practices of sub-processors before engagement.

8. Data Minimization and Retention

  • Personal Data is collected and processed only as necessary for the Services.

  • Retention periods are defined and data is securely deleted or anonymized upon expiration.

Review and Updates:

These measures will be reviewed and updated regularly to reflect technological developments, industry practices, and regulatory requirements.
