For business customers who need a written data-processing agreement (DPA) under Art. 28 GDPR, Helferlain offers a pre-filled template that can be electronically signed. The full PDF will be available in your workspace settings once signed.
Scope
Helferlain acts as processor for the following categories:
- OAuth tokens for the advertising and analytics accounts you connect
- Cached campaign performance data necessary to compute audits
- Audit findings, recommendations, and the action log we generate for you
Helferlain is not a processor of:
- End-user PII inside your ads or your CRM (we cache only what we need)
- The contents of LLM prompts when you bring your own Anthropic / OpenAI key (you remain the controller)
Sub-processors
See /legal/sub-processors. We give 30 days' notice before adding a new sub-processor; you may object in writing.
Technical and organisational measures
- EU-only hosting (Vercel Frankfurt, Cloudflare Workers EU, Neon Frankfurt)
- Postgres Row-Level Security with mandatory tenant scoping
- Envelope encryption (AES-256-GCM) for all OAuth tokens and BYO LLM keys
- Audit log of every administrative and customer-data-touching action
- Access on a least-privilege basis with quarterly review
- Backups encrypted at rest, restore-tested quarterly
- Incident response within 72 hours per Art. 33 GDPR
How to sign
Email [email protected] with your company details. We send back a pre-filled DPA within one business day.