H
HelpKit
HomeData Processing Agreement

Data Processing Agreement

Last updated: January 1, 2026

Controller: You (the HelpKit customer/subscriber)
Processor: Hostao LLC, 30 N Gould St, Ste 4000, Sheridan, Wyoming 82801, USA
DPO Contact: dpo@helpkit.in

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Hostao LLC ("Processor") and you ("Controller"). It is intended to ensure compliance with Article 28 of the EU General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Data Subject" means the individual whose Personal Data is being processed
  • "Sub-Processor" means any third party engaged by the Processor to process Personal Data
  • "GDPR" means EU Regulation 2016/679 (General Data Protection Regulation)

2. Scope and Purpose

The Processor will process Personal Data on behalf of the Controller only for the purpose of providing the HelpKit Service as described in the Terms of Service. Processing activities include:

  • Storing and managing support ticket data submitted by end users
  • Processing chat messages and AI-assisted conversations
  • Authenticating and managing Controller user accounts
  • Generating analytics and usage reports
  • Sending transactional email notifications

3. Processor Obligations

The Processor agrees to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Respect the conditions for engaging Sub-Processors
  • Assist the Controller in ensuring compliance with data subject rights
  • Delete or return all Personal Data upon termination of services
  • Make available all information necessary to demonstrate compliance with this DPA

4. Sub-Processors

The Controller grants general authorization for the Processor to engage the following sub-processors. The Processor will notify the Controller of any intended changes to sub-processors with at least 30 days notice.

Supabase Inc.

Database hosting, authentication, and real-time data

United States · Transfer mechanism: Standard Contractual Clauses
Vercel Inc.

Application hosting, edge delivery, and serverless functions

United States · Transfer mechanism: Standard Contractual Clauses
Stripe Inc.

Payment processing and billing management

United States · Transfer mechanism: Standard Contractual Clauses

5. International Data Transfers

The Processor may transfer Personal Data to countries outside the European Economic Area (EEA). All such transfers are subject to appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Adequacy decisions where applicable
  • Binding corporate rules where applicable

6. Technical & Organisational Measures

The Processor implements and maintains the following security measures:

  • Encryption in Transit: All data transmissions use TLS 1.2 or higher
  • Encryption at Rest: Database encryption using AES-256
  • Access Control: Role-based access control with least-privilege principles
  • Authentication: Multi-factor authentication for administrative access
  • Monitoring: Continuous security monitoring and intrusion detection
  • Backup: Daily encrypted backups with tested restoration procedures
  • Audits: Annual third-party security assessments
  • Incident Response: Documented incident response plan

7. Data Breach Notification

In the event of a Personal Data breach, the Processor will:

  • Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach
  • Provide a description of the nature of the breach, categories and approximate number of data subjects affected, and likely consequences
  • Describe the measures taken or proposed to address the breach
  • Cooperate with the Controller to fulfill any obligations to notify supervisory authorities and affected data subjects

8. Data Subject Rights

The Processor will assist the Controller in fulfilling data subject rights requests under GDPR Articles 15–22, including:

  • Right of access (Article 15) — providing access to Personal Data upon request
  • Right to rectification (Article 16) — correcting inaccurate data
  • Right to erasure (Article 17) — deleting Personal Data upon request
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20) — providing data in machine-readable format
  • Right to object (Article 21)

Requests should be directed to: privacy@helpkit.in

9. Data Deletion and Return

Upon termination of the Service agreement, the Processor will, at the Controller's choice:

  • Delete all Personal Data within 30 days of termination, or
  • Return all Personal Data in a structured, machine-readable format

Deletion will be confirmed in writing. Certain data may be retained as required by applicable law (e.g., billing records for tax compliance).

10. Audit Rights

The Controller has the right to conduct audits of the Processor's compliance with this DPA, subject to:

  • Providing 30 days advance written notice
  • Conducting audits during normal business hours
  • Bearing all costs associated with the audit
  • Entering into a confidentiality agreement prior to the audit

The Processor may satisfy audit requirements by providing relevant third-party certification reports (e.g., SOC 2 Type II) in lieu of an on-site audit.

Privacy PolicyTerms of ServiceCookie PolicyRefund PolicyData Processing Agreement
On this page
1. Definitions2. Scope and Purpose3. Processor Obligations4. Sub-Processors5. International Data Transfers6. Technical & Organisational Measures7. Data Breach Notification8. Data Subject Rights9. Data Deletion and Return10. Audit Rights