POWERENT Ltd.
Tax ID: 202432231
VAT: BG202432231
Address: Galabovo 6280, 4 Panayot Hitov Str, Bulgaria
Managing Director: Dilyana Simeonova Ilieva
Email: info@powerent-ltd.com
The client using the Helionix platform, identified at registration with company name, tax ID, address, and contact details.
This Data Processing Agreement ("Agreement" or "DPA") governs the terms and conditions under which the Processor processes personal data on behalf of the Controller in connection with the provision of the Helionix SaaS platform – a software solution for construction project management and workforce attendance tracking.
This DPA is prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – "GDPR"), in particular Article 28, and the Bulgarian Personal Data Protection Act.
| Category | Specific Data | Sensitivity |
|---|---|---|
| Identification | Name, surname | Standard |
| Contact | Phone number | Standard |
| Professional | Specialty, position, hourly rate | Standard |
| Work time | Check-in/check-out times | Standard |
| Geolocation | GPS coordinates at check-in* | Standard |

*GPS coordinates are processed transiently for geo-fence validation only (comparing worker location against project boundaries). They are not used for continuous tracking and are not stored as a standard server attendance record. In offline mode, coordinates may be held temporarily on the device or pending synchronization until validation or cleanup is completed.

| Category | Specific Data | Purpose |
|---|---|---|
| Company Identification | Company name, Tax ID (EIK/VAT) | Contract, Invoicing |
| Contact Details | Address, phone, email | Communication, Support |
| User Accounts | Name, email, role of managers/admins | Platform access, Audit trail |
| Billing Information | Billing address, MOL, bank details | Payment processing |

| Period | Action |
|---|---|
| Active subscription | Processing continues |
| After termination: 0-30 days | Grace period for data export |
| After 90 days | Full deletion of personal data* |

*Except accounting documents retained for 10 years per legal requirements.

| Measure | Description |
|---|---|
| Encryption in transit | TLS 1.3 (HTTPS) |
| Encryption at rest | AES-256 |
| Access control | Row Level Security (RLS) |
| Authentication | bcrypt password hashing |
| Audit logging | Critical operations tracking |
| Physical security | Infrastructure provider physical security controls |
The Controller gives general written authorization for the Processor to engage sub-processors necessary to provide the Platform, subject to GDPR Article 28(2) and 28(4). The current public Subprocessor List is available at /en/subprocessors.
| Sub-processor | Service | Status / transfer | Protection |
|---|---|---|---|
| Supabase Inc. | Database, authentication, storage, audit records | Active; as configured for the Supabase project | SCC, SOC 2 |
| Vercel Inc. | Hosting, deployment, runtime and operational logs | Active; Vercel infrastructure locations | SCC, ISO 27001 |
| Stripe | Subscriptions, checkout, payment status, invoice/payment evidence | Active for billing; processor and/or controller depending on the activity | DPA, SCC |
| Resend | Transactional email and notifications | Active for platform email delivery | DPA |
Conditional providers listed in the Subprocessor List, including analytics, anti-abuse, map/geofence UI, and rate-limiting providers, process personal data only when the relevant feature or environment configuration is enabled. The Processor will impose data protection obligations on sub-processors that are no less protective than those in this DPA and remains responsible for their performance as required by GDPR Article 28(4).
In the event of a personal data breach, the Processor shall:
The Processor uses infrastructure providers and sub-processors described in the Subprocessor List. Where personal data is transferred outside the European Economic Area (EEA), the Processor relies on appropriate transfer mechanisms and supplementary measures where required by applicable law.
Where data must be transferred outside the EEA (e.g., to US-based sub-processors for technical support), the Processor will rely on one or more lawful transfer mechanisms appropriate to the relevant provider and processing activity:
The Processor maintains vendor documentation and may provide relevant information reasonably available from its providers, subject to confidentiality and security restrictions.
In accordance with Article 28(3)(h) of the GDPR, the Controller has the right to verify the Processor's compliance with this Agreement.
The Controller may request the following information at any time:
The Processor shall respond to information requests within fourteen (14) business days.
Due to the multi-tenant nature of the SaaS platform and shared infrastructure, on-site physical audits are not possible. Instead, the Processor offers:
The Controller acknowledges and agrees to the following obligations under this Agreement and applicable data protection law:
The Controller is responsible for ensuring the accuracy and completeness of all personal data entered into the Platform. The Processor shall not be liable for any errors, omissions, or inaccuracies in the data provided by the Controller.
The Controller's documented instructions to the Processor are deemed to be the standard use of the Platform as described in the Terms of Service. Any additional or non-standard processing instructions must be provided in writing and may be subject to additional fees.
| Period | Action |
|---|---|
| 0-30 days | Grace period - data remains accessible for export by the Controller |
| 30-90 days | Data archived (soft deletion) |
| After 90 days | Permanent and irreversible deletion from active systems, subject to statutory retention exceptions and backup lifecycle controls |
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Invoices and accounting documents | 10 years | Bulgarian Accountancy Act, Art. 12 |
| Contractual data | 5 years | Statute of limitations under Bulgarian law |
| Records of consent | 5 years following withdrawal | GDPR, Article 7 |
In accordance with Article 28(3)(e) of the GDPR, the Processor shall assist the Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR.
| Right | GDPR | Platform Support |
|---|---|---|
| Right of access | Art. 15 | Data export feature in Settings |
| Right to rectification | Art. 16 | Edit worker/user profiles directly |
| Right to erasure | Art. 17 | Archive/Delete worker function |
| Right to data portability | Art. 20 | JSON/CSV export available |
The Processor shall not be liable for any failure by the Controller to respond to data subject requests in a timely manner. The Processor's obligation is limited to providing technical means and assistance – the legal responsibility for compliance remains with the Controller.
This Agreement shall be governed by and construed in accordance with the laws of the Republic of Bulgaria, without regard to its conflict of law provisions. The GDPR (Regulation (EU) 2016/679) and the Bulgarian Personal Data Protection Act shall apply to all matters of data protection.
Commission for Personal Data Protection (CPDP)
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
Email: kzld@cpdp.bg
Website: https://www.cpdp.bg
Except in cases of gross negligence or intentional misconduct, the Processor's total liability under this Agreement shall not exceed the total fees paid by the Controller in the twelve (12) months preceding the claim. This limitation does not affect any mandatory statutory liability under the GDPR.
This Agreement is concluded electronically through the platform. The Processor's system maintains a record of:
Electronic acceptance shall have the same legal validity and evidentiary value as a handwritten signature, in accordance with the Bulgarian Electronic Document and Electronic Certification Services Act (ЗЕДЕУУ) and Regulation (EU) No 910/2014 on electronic identification and trust services (eIDAS).