Data and Privacy
Genomic data is the most sensitive category of personal data under EU law. It is immutable, uniquely identifying, and carries implications for the data subject and their biological relatives. Helix Insight is designed from the ground up to process this data with clinical-grade security and full GDPR compliance.
The platform operates on dedicated hardware in the European Union, makes zero external API calls during variant processing, and provides transparent data retention with automatic deletion. Every access, modification, and analysis is tracked and auditable.
Key Principles
EU-Only Processing
All genomic data is processed and stored on dedicated hardware in Helsinki, Finland. Data never leaves the European Union at any processing stage. No cloud services with non-EU jurisdiction are used for variant data.
Data Minimization
The platform processes only the genomic data necessary for analysis. VCF files are received in pseudonymized form: sample identifiers only, with no patient names, dates of birth, or national identification numbers.
Zero External Calls
During variant processing, the platform makes zero outbound network calls. All reference databases, annotation tools, and the literature database run locally. No patient data or query parameters are sent to any external service.
Transparent Retention
Uploaded VCF files are deleted after processing completes. Analysis results are retained for the duration specified in the service agreement. All data is deletable on request per GDPR Article 17.
Controller/Processor Separation
The laboratory is the data controller. Helena Bioinformatics acts as data processor under a signed Data Processing Agreement (DPA) that defines responsibilities, retention periods, and breach notification procedures.
Compliance Documents
The following legal documents are available on our website:
In This Section
Infrastructure
Dedicated EU hardware, Helsinki datacenter, no multi-tenant cloud.
GDPR Compliance
Article 9 special category data, controller/processor roles, data subject rights.
Data Retention
What data is kept, for how long, and how deletion works.
No External Calls
Zero outbound network calls during variant processing.