Data Processing Agreement

Last Updated: February 15, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Helix Systems LLC ("Processor," "we," "us") and the customer ("Controller," "you") using Helix Extract services.

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation performed on Personal Data (collection, storage, use, transmission, deletion).
  • Sub-processor: Any third party engaged by Processor to process Personal Data.
  • Data Subject: The individual whose Personal Data is processed.

2. Scope and Purpose

This DPA applies when you use Helix Extract to process documents containing Personal Data. We process your data solely to:

  • Extract data from uploaded documents using AI
  • Populate web forms with extracted data
  • Provide the Helix Extract service as described in our Terms of Service

3. Our Processing Commitments

3.1 Data Handling

We commit to the following data handling practices:

  • No Data Retention: Document content is processed in memory and immediately deleted upon completion
  • Temporary Storage: Multi-page documents requiring layout analysis are temporarily stored in encrypted S3 storage and automatically deleted upon processing completion (24-hour maximum)
  • No Secondary Use: Your data is never used for AI model training, analytics, or any purpose other than providing the extraction service
  • No Data Selling: We never sell, rent, or share your document content with third parties

3.2 Security Measures

We implement the following technical and organizational measures:

  • Encryption in Transit: TLS 1.3 for all data transmission
  • Encryption at Rest: AES-256 encryption for any temporarily stored data
  • Access Controls: Role-based access; document content is never accessible to Helix staff
  • Infrastructure: AWS secure infrastructure (US-EAST-1) with automated monitoring
  • Secure Deletion: Cryptographic deletion ensuring data cannot be recovered

4. Sub-processors

We use the following sub-processors to provide our services:

Sub-processor | Purpose | Data Processed
Amazon Web Services (AWS) | Cloud infrastructure, AI processing (Bedrock), document analysis (Textract) | Document content (processed, not stored)
Stripe | Payment processing | Payment information only (no document content)
Resend | Email delivery | Email addresses only (no document content)

Important: Your document content is only processed by AWS Bedrock and AWS Textract. These services process data in memory and do not retain or use your content for model training.

We will notify you before adding new sub-processors that process document content, giving you the opportunity to object.

5. Your Rights and Obligations

5.1 Controller Responsibilities

You are responsible for:

  • Ensuring you have a lawful basis to process Personal Data through our service
  • Obtaining necessary consents from Data Subjects where required
  • Not uploading prohibited content (as defined in our Terms of Service)

5.2 Your Rights

You have the right to:

  • Audit: Request information about our security practices
  • Data Subject Requests: Instruct us to assist with Data Subject access, correction, or deletion requests
  • Termination: Terminate this DPA and your account at any time

6. Data Subject Requests

If we receive a request from a Data Subject regarding their Personal Data:

  1. We will promptly notify you (unless legally prohibited)
  2. We will not respond directly without your authorization
  3. We will assist you in fulfilling the request as required by law

Note: Because we do not retain document content after processing, we typically cannot retrieve or delete specific Personal Data from past processing sessions.

7. Security Incident Response

In the event of a security incident affecting your Personal Data:

  1. We will notify you within 72 hours of becoming aware
  2. We will provide details of the incident, data affected, and remediation steps
  3. We will cooperate with your incident response procedures
  4. We will document the incident and actions taken

8. Data Transfers

Our services are hosted in the United States. By using Helix Extract, you authorize the transfer of Personal Data to the US. We rely on:

  • Standard Contractual Clauses (SCCs) for EU/UK data transfers
  • AWS's compliance certifications and data processing agreements

9. Term and Termination

This DPA is effective when you begin using Helix Extract and continues until:

  • You terminate your account, or
  • We cease providing the service

Upon termination, we will delete any remaining account data within 30 days (document content is already deleted immediately after processing).

10. Liability

Our liability under this DPA is subject to the limitations in our Terms of Service. We maintain appropriate insurance coverage for data processing activities.

11. Modifications

We may update this DPA to reflect changes in our practices or legal requirements. Material changes will be communicated via email or through the service.

12. Contact

For DPA-related inquiries:

Company: Helix Systems LLC

Email: privacy@discoverhelix.com

Appendix A: Technical and Organizational Measures

Infrastructure Security

  • AWS Virtual Private Cloud (VPC) isolation
  • Security groups restricting network access
  • DDoS protection via AWS Shield

Application Security

  • Input validation and sanitization
  • Secure authentication (bcrypt password hashing, JWT tokens)
  • HTTPS-only communication

Operational Security

  • Automated security monitoring
  • Regular dependency updates and vulnerability scanning
  • Incident response procedures

Data Security

  • No persistent storage of document content
  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Secure deletion procedures

By using Helix Extract, you acknowledge and agree to this Data Processing Agreement.