Effective Date: March 5, 2026
Data Processor: HelmCase (CNPJ 12.695.310/0001-57)
Contact: support@helmcase.com
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between HelmCase (“Processor”) and the subscribing law firm (“Controller”). This DPA governs the processing of personal data by the Processor on behalf of the Controller, in compliance with LGPD, GDPR, and applicable US privacy law.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
- “Data Subject” means the individual to whom the Personal Data relates (e.g., immigration clients).
- “Sub-processor” means a third party engaged by the Processor to assist in processing Personal Data.
2. Scope & Purpose
The Processor shall process Personal Data solely on documented instructions from the Controller, for the purpose of providing the HelmCase platform services, including case management, document storage, messaging, and reporting.
3. Processor Obligations
The Processor agrees to:
- Process Personal Data only on the Controller’s documented instructions
- Ensure that authorized personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (Article 32 GDPR / LGPD Art. 46)
- Not engage new sub-processors without prior written consent of the Controller
- Assist the Controller in fulfilling Data Subject rights requests
- Delete or return all Personal Data upon termination of the Service
- Make available all information necessary to demonstrate compliance
- Notify the Controller within 72 hours of becoming aware of a Personal Data breach
4. Controller Obligations
The Controller agrees to:
- Ensure a valid legal basis for processing Personal Data uploaded to the platform
- Obtain all necessary consents from Data Subjects (immigration clients)
- Provide accurate and up-to-date processing instructions
- Comply with applicable data protection laws in their jurisdiction
5. Sub-processors
The Controller hereby provides general written authorization for the Processor to engage the following sub-processors:
- Stripe Inc. — Payment processing (USA) — stripe.com/privacy
- cPanel / Hosting Infrastructure — Cloud hosting (Brazil/USA)
The Processor will inform the Controller of any intended changes to its sub-processors with at least 14 days’ notice, providing the Controller an opportunity to object.
6. Security Measures
The Processor maintains the following security measures:
- TLS 1.2+ encryption for all data in transit
- Encrypted storage for sensitive data fields
- Role-based access control (RBAC) with multi-tier permissions
- Audit logging of all data access and modifications
- Regular backups with encrypted ZIP export capability
- Bcrypt password hashing
7. Data Transfers
Where Personal Data is transferred outside Brazil or the European Economic Area, the Processor shall ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where applicable.
8. Term & Termination
This DPA is effective for the duration of the Service Agreement. Upon termination, the Processor shall delete all Personal Data within 30 days, except where retention is required by law.
9. Governing Law
This DPA is governed by the laws of Brazil (LGPD). For EU Subscribers, GDPR takes precedence. For US Subscribers, applicable state privacy laws apply.
10. Contact
To execute a signed DPA or for DPA-related inquiries: support@helmcase.com
