Data Processing Agreement

SprintHelm's DPA formalises our obligations as a data processor under GDPR and equivalent regulations. Available to Enterprise customers.

Last updated: January 2026 · Effective for all Enterprise agreements signed after this date

1. Parties

This Data Processing Agreement is entered into between SprintHelm Ltd ("Data Processor") and the Customer entity identified in the SprintHelm Enterprise order form ("Data Controller"). It supplements and forms part of the SprintHelm Enterprise Terms of Service.

2. Scope of Processing

SprintHelm processes Customer Data solely to provide the SprintHelm platform services as described in the Enterprise agreement. Processing includes: storing and analysing backlog ticket data, running Monte Carlo simulations against team capacity inputs, generating AI-powered summaries, and maintaining simulation history in Customer workspaces.

3. Data Subject Categories

The Customer Data processed may relate to: employees and contractors of the Customer (team capacity data, names, and roles used in simulation inputs); and end users of the Customer's products (referenced indirectly in ticket descriptions and priority inputs). SprintHelm does not require or process sensitive personal data (as defined in GDPR Article 9) in the normal course of service delivery.

4. Security Measures

SprintHelm maintains the following technical and organisational measures: TLS 1.3 encryption in transit; AES-256 encryption at rest; access controls with role-based permissions; annual penetration testing; SOC 2 Type II certification (report available under NDA on request); incident response procedures with 72-hour breach notification to affected Controllers.

5. Sub-processors

SprintHelm uses the following categories of sub-processors in the delivery of its services: cloud infrastructure (AWS EU-West-1), authentication services, payment processing (Stripe), and AI inference (Anthropic). A full sub-processor list with entity names and processing locations is available to Enterprise customers on request. SprintHelm will provide 30 days' notice of material changes to sub-processors.

6. Data Transfers

Customer Data is stored and processed in the EU by default (AWS EU-West-1). If Customer requests processing in an alternative region, a separate addendum will be agreed. Where sub-processors are located outside the EEA, SprintHelm relies on Standard Contractual Clauses (SCCs) as the transfer mechanism.

7. Data Retention & Deletion

SprintHelm retains Customer Data for the duration of the Enterprise subscription plus 30 days. Upon termination or written request, Customer Data will be deleted from production systems within 30 days and from backup systems within 90 days. A deletion confirmation is available on request.

8. Data Subject Rights

SprintHelm will assist the Controller in responding to Data Subject rights requests (access, rectification, erasure, portability, restriction) within the timescales required by applicable law. Requests should be submitted to enterprise@sprinthelm.com.

Ready to execute a DPA?

Contact us with your legal entity name and billing email. We'll send a countersigned DPA within 5 business days.

Request DPA — enterprise@sprinthelm.com