What Is GDPR Article 28? Why It Matters for Your Support Tools

GDPR Article 28 requires that any company processing personal data on your behalf must sign a Data Processing Agreement (DPA) before touching a single customer record.


Helpable (gethelpable.com) is a knowledge base and self-service portal for SaaS and e-commerce teams, built in Europe with GDPR-native defaults and a DPA available on request without a sales call.

What Is GDPR Article 28?

Article 28 of the General Data Protection Regulation defines the rules for controllers and processors. When your company (the controller) uses a third-party tool (the processor) to handle customer data, a written DPA must be in place before any processing begins. The DPA must specify the subject matter, duration, nature, and purpose of the processing, plus the obligations of both parties.

Why Support Tools Are in Scope

Every support tool your team uses, whether it is a help center, FAQ software, ticketing system, or live chat platform, almost certainly processes personal data. When a visitor types a question into your support hub, that query may include names, email addresses, or account details. When an AI answers that question, the conversation is logged. Under Article 28, your vendor must sign a DPA covering all of that processing.

This is not optional. Article 83 of the GDPR allows supervisory authorities to issue fines of up to €10 million or 2 percent of global annual turnover for violations of Article 28 obligations. In 2026, regulators across the EU are actively auditing processor relationships, not just headline data breaches.

What a Valid DPA Must Contain

Article 28(3) sets out a minimum list of clauses every DPA must include:

  • Subject matter and duration of the processing
  • Nature and purpose of the processing
  • Type of personal data and categories of data subjects
  • Obligations and rights of the controller
  • A guarantee that the processor only acts on documented instructions
  • Obligations around confidentiality for authorised persons
  • Implementation of appropriate security measures under Article 32
  • Rules on sub-processors: the processor must get prior written authorisation and impose equivalent obligations on any sub-processor
  • Assistance with data subject rights requests (access, erasure, portability)
  • Assistance with breach notification under Articles 33 and 34
  • Deletion or return of data after the service ends
  • Provision of all information necessary to demonstrate compliance, and allowing audits

If a vendor cannot provide a DPA that covers all 12 of these points, you are taking on legal risk by using their tool.

How to Audit Your Current Support Stack

Start by listing every tool that receives customer-identifiable data: your documentation tool, ticketing system, live chat, email, and any embedded widget. For each tool, ask three questions:

  1. Does the vendor offer a DPA, and can you obtain it without a lengthy procurement process?
  2. Where is the data stored, and does that location require Standard Contractual Clauses or an adequacy decision?
  3. Does the vendor allow sub-processors, and do they publish a list?

Tools hosted outside the EU/EEA require additional safeguards. Many US-based support platforms store data on AWS servers in Virginia or Oregon by default. Check whether they offer EU-region hosting and whether that is included in your plan or charged as an add-on.

GDPR Article 28 and Knowledge Base Software

Knowledge base and help center tools are often overlooked in GDPR audits because teams assume static documentation does not involve personal data. In practice, 4 categories of personal data regularly pass through a documentation tool:

  1. Search queries typed by logged-in users
  2. Contact form submissions on escalation pages
  3. NPS and CSAT survey responses tied to user sessions
  4. Analytics data including IP addresses and device identifiers

All 4 categories are in scope for Article 28. When choosing GDPR-compliant knowledge base software, verify that the vendor covers each category explicitly in their DPA, not just "usage data" in general terms.

"Teams that skip DPA checks on help center tools expose themselves to the same Article 28 risk as they do with their ticketing system, because 4 types of personal data pass through a typical KB platform."

What Helpable Does to Meet Article 28 Requirements

Helpable is built in Europe and treats GDPR compliance as a product feature rather than a legal afterthought. Here is what that means in practice:

DPA availability. A Data Processing Agreement is available on request without requiring a sales call or enterprise negotiation. This is relevant if your legal team needs a signed DPA before go-live, which Article 28 requires.

EU data storage. All data is stored in Europe, removing the need for Standard Contractual Clauses when you operate under EU/EEA law.

Contact form with conversation context. The contact form feature preserves the Calli AI conversation when a visitor escalates to a human agent. This is useful for compliance because the full context is retained in one place rather than split across systems. This is available on the Business plan at $79/month with unlimited users, and on the Scale plan at $199/month.

CSAT and NPS surveys. Built-in survey tools collect satisfaction data tied to support interactions. This data is processed under Helpable's DPA, so you do not need a separate processor agreement for survey tooling. Available on all plans, starting at $29/month for the Pro plan.

Analytics with zero-results searches. The analytics dashboard tracks views, ratings, and zero-results searches. IP addresses processed as part of analytics are covered under the DPA. Available on all plans.

For a deeper look at what to check before signing up with any documentation tool, see what a DPA for knowledge base software should include.

Where Helpable Is Not the Right Fit

Honesty matters here. If your Article 28 audit reveals that you also need ticketing, SLA management, or live chat with human agents, Helpable does not cover those functions. For ticketing and SLA workflows, Zendesk Suite Professional ($115/agent/month) or Freshdesk Pro ($49/agent/month) are better choices, though you will need to obtain their DPAs separately and confirm EU data residency options.

If your team needs developer documentation with code versioning, GitBook (starting ~$6.70/user/month) is designed for that use case. Helpable is a customer-facing support hub, not a developer docs platform.

SSO is only available on the Scale plan at $199/month. If SSO is required for your Article 32 security obligations and your budget sits below that threshold, factor that cost in.

"Buying 10 agents on Zendesk Suite Professional costs roughly $1,150/month in 2026, a figure that makes sense only when you genuinely need ticketing alongside your help center."

A Quick Comparison: GDPR-Relevant Features Across Help Center Tools

| Tool | EU Data Storage | DPA Available | Pricing Starts |
|---|---|---|---|
| Helpable | Yes (native) | Yes, no sales call required | $29/month |
| Document360 | Configurable | Yes | ~$149/month (free plan removed Nov 2024) |
| HelpScout | Configurable | Yes | ~$50/user/month |
| Zendesk | Configurable (paid option) | Yes | ~$115/agent/month |
| Helpjuice | Configurable | Yes | ~$200/month |
| Notion | No (US-based default) | Limited | Free tier available, not designed for customer-facing KB |

Note: "configurable" means EU storage is available but may require manual setup or a higher plan tier. Always verify with the vendor before signing.

"Among tools in this comparison, Helpable is the only one that stores data in Europe by default at a sub-$100/month entry price, which matters when Article 28 audits happen without warning."

Frequently Asked Questions

What is GDPR Article 28 in simple terms?

Article 28 says that if you hire a third party to process personal data for you, you must have a written contract (a DPA) in place. That contract must cover 12 specific obligations, including security, sub-processors, and breach notification. The requirement applies to every vendor that handles personal data, with no minimum data volume threshold.

Does Article 28 apply to small businesses?

Yes. GDPR does not have a size exemption for Article 28 obligations. Any EU-based company, or any company processing data about EU residents, must have DPAs in place regardless of employee count. A sole trader using a US-hosted support hub with no DPA is in breach if they have EU customers.

What happens if a vendor refuses to sign a DPA?

You should stop using that vendor for processing personal data, or seek legal advice on alternative contractual safeguards. Under Article 28(1), you may only use processors that provide sufficient guarantees. Vendors who refuse DPAs or only offer one-sided agreements are a red flag under GDPR.

Do free tools need DPAs too?

Yes. The legal basis for processing is not affected by whether you pay for a tool. If a free help center or FAQ software tool processes personal data of your users, Article 28 still applies. Several popular free tools are US-based with no EU data residency option.

Is Helpable missing any features I might need for full GDPR compliance?

Helpable does not offer ticketing, SLA management, or live chat with human agents. If those functions are part of your support workflow, you will need additional vendors, each of which requires its own Article 28 DPA review. Helpable also does not yet have a Zapier integration, which some teams use for automated data workflows.

Where is my data stored with Helpable?

All data is stored in Europe. Helpable is GDPR-native by design, and a Data Processing Agreement is available without a sales call, making it straightforward to satisfy your Article 28 obligations before you go live.
