The regulatory frameworks Helixx operates under, the artifacts we provide, and how we keep customers audit-ready in regulated markets.
Helixx is built compliance-first because our customers operate in regulated markets where AI marketing decisions trigger MAS, GDPR, FCA, ICO, and UAE PDPL obligations. Compliance primitives — region routing, audit logging, human-in-command, decision lineage — are part of the platform core, not enterprise add-ons.
We align to the Monetary Authority of Singapore's FEAT principles (Fairness, Ethics, Accountability, Transparency) and the PDPC's Model AI Governance Framework. Customer-facing AI decisions are logged with documented lineage. We have appointed a registered Data Protection Officer and notify the PDPC of notifiable data breaches within 72 hours (inside the PDPA's 3-calendar-day limit), as the PDPA's mandatory breach notification regime requires.
Helixx complies with the General Data Protection Regulation as a processor and, where applicable, controller. We have completed AI Act readiness assessments for our model tier and provide customers with the documentation needed for their downstream obligations: purpose-of-processing records, data minimization proof, and explanations of automated decisions in plain language.
For UK deployments we follow the ICO's AI auditing framework and provide customers with the artifacts needed to satisfy the FCA's Consumer Duty: fairness reviews, "clear, fair and not misleading" communications checks, and outcome monitoring. Our UK data plane is pinned to UK-region infrastructure, with the UK IDTA as the transfer mechanism where a restricted transfer is unavoidable.
We support the UAE's Federal Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) as well as the financial free-zone regimes that apply within their own zones: the DIFC Data Protection Law 2020 and the ADGM Data Protection Regulations 2021. Cross-border transfer assessments are completed before processing UAE customer data, and consent management is configurable per jurisdiction (federal, DIFC, ADGM).
Every model prompt, output, deployment action, and configuration change is logged with actor, timestamp, jurisdiction, and outcome. Logs are immutable and queryable from the admin console for 7 years. These records support MAS recordkeeping requirements, FCA Consumer Duty outcome monitoring, and GDPR Article 30 records of processing (the event log evidences what was processed; the Article 30 register itself is the purpose-of-processing documentation described above).
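As an added illustration (not Helixx's implementation, whose storage design the page does not describe), the following Python shows one way an "immutable" audit log with exactly those fields (actor, timestamp, jurisdiction, outcome) can be made verifiable: each entry carries the SHA-256 of its own content and of the previous entry, so editing any stored entry, or editing it and recomputing only its own hash, is detected on verification. The event names, the sample events and the `tamper` helper are constructed for the example and are assumptions, not platform data.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import Optional

# Fixed prev_hash for the first entry (assumption for this example).
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AuditEvent:
    seq: int
    timestamp: str       # ISO 8601, UTC
    actor: str           # who or what acted, e.g. "user:admin-3" or "svc:optimiser"
    jurisdiction: str    # regulatory region the event was routed under, e.g. "SG", "UK"
    action: str          # assumed event names: model.prompt, model.output, deploy, config.change
    outcome: str         # e.g. "allowed", "blocked", "applied"
    detail: dict
    prev_hash: str       # entry_hash of the preceding entry
    entry_hash: str      # SHA-256 over every field above


def _digest(fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same event always hashes identically.
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def compute_entry_hash(event: AuditEvent) -> str:
    fields = asdict(event)
    fields.pop("entry_hash")  # the hash covers everything except itself
    return _digest(fields)


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[AuditEvent] = []

    def append(self, actor: str, jurisdiction: str, action: str, outcome: str,
               detail: dict, timestamp: Optional[str] = None) -> AuditEvent:
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        draft = AuditEvent(len(self.entries), ts, actor, jurisdiction, action,
                           outcome, detail, prev_hash, entry_hash="")
        event = replace(draft, entry_hash=compute_entry_hash(draft))
        self.entries.append(event)
        return event

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first entry that fails."""
        expected_prev = GENESIS_HASH
        for i, ev in enumerate(self.entries):
            if ev.seq != i or ev.prev_hash != expected_prev \
                    or compute_entry_hash(ev) != ev.entry_hash:
                return i
            expected_prev = ev.entry_hash
        return None

    def query(self, **filters) -> list[AuditEvent]:
        # Minimal console-style filter: every given field must match exactly.
        return [e for e in self.entries
                if all(getattr(e, k) == v for k, v in filters.items())]


def build_sample_log() -> AuditLog:
    # Constructed sample events; not real Helixx data.
    log = AuditLog()
    log.append("svc:campaign-optimiser", "SG", "model.prompt", "allowed",
               {"model": "tier-2", "prompt_id": "p-1001"}, "2025-01-10T08:00:00+00:00")
    log.append("svc:campaign-optimiser", "SG", "model.output", "allowed",
               {"prompt_id": "p-1001", "reviewed_by": "user:analyst-7"}, "2025-01-10T08:00:02+00:00")
    log.append("user:admin-3", "UK", "config.change", "applied",
               {"key": "region_routing.uk", "old": "eu-west", "new": "uk-south"},
               "2025-01-10T09:15:00+00:00")
    return log


def tamper(log: AuditLog, seq: int, rehash: bool = False, **changes) -> AuditLog:
    """Simulate an attacker editing entry `seq` in storage. With rehash=True the attacker also
    recomputes that entry's own hash, but the next entry's prev_hash still exposes the edit."""
    copy = AuditLog()
    for ev in log.entries:
        if ev.seq == seq:
            ev = replace(ev, **changes)
            if rehash:
                ev = replace(ev, entry_hash=compute_entry_hash(ev))
        copy.entries.append(ev)
    return copy


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())                                   # None
    print("edited:", tamper(log, 1, outcome="blocked").verify())     # 1
    print("edited+rehashed:", tamper(log, 1, rehash=True, outcome="blocked").verify())  # 2
```

The chain only proves that nothing changed since the head hash was recorded; an attacker who can rewrite the whole store can recompute every hash, so in practice the latest `entry_hash` is periodically anchored outside the writer's reach (signed, timestamped, or written to write-once storage) and verification compares against that anchor.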
Our standard DPA covers GDPR Article 28 processor obligations, UK GDPR addendum, Singapore PDPA, and UAE PDPL. We pre-list sub-processors, retention windows, and security measures. The DPA is available on request and incorporated into all Enterprise contracts by default.
We use a limited set of vetted sub-processors for cloud hosting, identity, observability, and payments. The current list is published in our Trust Center and updated with 30 days' notice before any material change. Customers may object; we'll work with you on remediation.
We provide on request: completed security questionnaires (SIG, CAIQ), penetration test summaries, SOC 2 / ISO 27001 attestations as they become available, MAS-aligned governance attestations, and DPIA support documentation for high-risk deployments.
To report a compliance concern or request documentation, email compliance@helixx.ai. We acknowledge within 2 business days and provide a substantive response within 14 days.