ДАЛИНА ГРУП ЕООД
Tax ID: 201241579
VAT: BG201241579
Address: гр. Стара Загора 6000, ул. „Оборище" 17, ет. 2, ап. 2
Managing Director: Диляна Симеонова Илиева
Email: helionix@dalinagroup.com
The client using the Helionix platform, identified at registration with company name, tax ID, address, and contact details.
This Data Processing Agreement ("Agreement" or "DPA") governs the terms and conditions under which the Processor processes personal data on behalf of the Controller in connection with the provision of the Helionix SaaS platform – a software solution for construction project management and workforce attendance tracking.
This DPA is prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation – "GDPR"), in particular Article 28, and the Bulgarian Personal Data Protection Act.
| Category | Specific Data | Sensitivity |
|---|---|---|
| Identification | Name, surname | Standard |
| Contact | Phone number | Standard |
| Professional | Specialty, position, hourly rate | Standard |
| Work time | Check-in/check-out times | Standard |
| Geolocation | GPS coordinates at check-in* | Standard |

*GPS coordinates are processed transiently for geo-fence validation only (comparing worker location against project boundaries). Coordinates are NOT stored in any database – only the boolean result (inside/outside geo-fence) is recorded.

| Category | Specific Data | Purpose |
|---|---|---|
| Company Identification | Company name, Tax ID (EIK/VAT) | Contract, Invoicing |
| Contact Details | Address, phone, email | Communication, Support |
| User Accounts | Name, email, role of managers/admins | Platform access, Audit trail |
| Billing Information | Billing address, MOL, bank details | Payment processing |

| Period | Action |
|---|---|
| Active subscription | Processing continues |
| After termination: 0-30 days | Grace period for data export |
| After 90 days | Full deletion of personal data* |

*Except accounting documents retained for 10 years per legal requirements.

| Measure | Description |
|---|---|
| Encryption in transit | TLS 1.3 (HTTPS) |
| Encryption at rest | AES-256 |
| Access control | Row Level Security (RLS) |
| Authentication | bcrypt password hashing |
| Audit logging | Critical operations tracking |
| Physical security | Data centers in EU (AWS Frankfurt) |

| Sub-processor | Service | Location | Protection |
|---|---|---|---|
| Supabase Inc. | Database, Auth | EU (Frankfurt) | SCC, SOC 2 |
| Vercel Inc. | Hosting | EU (Amsterdam) | SCC, ISO 27001 |
In the event of a personal data breach, the Processor shall:
The Processor ensures that all personal data is processed primarily within the European Economic Area (EEA). Where transfers to third countries are necessary, the following safeguards apply:
In the event data must be transferred outside the EEA (e.g., to US-based sub-processors for technical support), such transfers shall be conducted exclusively under one of the following mechanisms:
All sub-processors with potential third-country access have signed the latest version of the SCCs and provide documentation of additional technical measures.
In accordance with Article 28(3)(h) of the GDPR, the Controller has the right to verify the Processor's compliance with this Agreement.
The Controller may request the following information at any time:
The Processor shall respond to information requests within fourteen (14) business days.
Due to the multi-tenant nature of the SaaS platform and shared infrastructure, on-site physical audits are not possible. Instead, the Processor offers:
The Controller acknowledges and agrees to the following obligations under this Agreement and applicable data protection law:
The Controller is responsible for ensuring the accuracy and completeness of all personal data entered into the Platform. The Processor shall not be liable for any errors, omissions, or inaccuracies in the data provided by the Controller.
The Controller's documented instructions to the Processor are deemed to be the standard use of the Platform as described in the Terms of Service. Any additional or non-standard processing instructions must be provided in writing and may be subject to additional fees.
| Period | Action |
|---|---|
| 0-30 days | Grace period – data remains accessible for export by the Controller |
| 30-90 days | Data archived (soft deletion) |
| After 90 days | Permanent and irreversible deletion from all systems |

| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Invoices and accounting documents | 10 years | Bulgarian Accountancy Act, Art. 12 |
| Contractual data | 5 years | Statute of limitations under Bulgarian law |
| Records of consent | 5 years following withdrawal | GDPR, Article 7 |
In accordance with Article 28(3)(e) of the GDPR, the Processor shall assist the Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR.
| Right | GDPR | Platform Support |
|---|---|---|
| Right of access | Art. 15 | Data export feature in Settings |
| Right to rectification | Art. 16 | Edit worker/user profiles directly |
| Right to erasure | Art. 17 | Archive/Delete worker function |
| Right to data portability | Art. 20 | JSON/CSV export available |
The Processor shall not be liable for any failure by the Controller to respond to data subject requests in a timely manner. The Processor's obligation is limited to providing technical means and assistance – the legal responsibility for compliance remains with the Controller.
This Agreement shall be governed by and construed in accordance with the laws of the Republic of Bulgaria, without regard to its conflict of law provisions. The GDPR (Regulation (EU) 2016/679) and the Bulgarian Personal Data Protection Act shall apply to all matters of data protection.
Commission for Personal Data Protection (CPDP)
Address: бул. „Проф. Цветан Лазаров" № 2, София 1592
Email: kzld@cpdp.bg
Website: https://www.cpdp.bg
Except in cases of gross negligence or intentional misconduct, the Processor's total liability under this Agreement shall not exceed the total fees paid by the Controller in the twelve (12) months preceding the claim. This limitation does not affect any mandatory statutory liability under the GDPR.
This Agreement is concluded electronically through the platform. The Processor's system maintains a record of:
Electronic acceptance shall have the same legal validity and evidentiary value as a handwritten signature, in accordance with the Bulgarian Electronic Document and Electronic Certification Services Act (ЗЕДЕУУ) and Regulation (EU) No 910/2014 on electronic identification and trust services (eIDAS).