- Security, data use, and financial stability are solid.
- Request their standard (offline) Enterprise MSA and Data Processing Addendum (DPA). HelixCode's online terms are vendor-favorable; if they attach their form Enterprise MSA and DPA instead, you will likely get better terms (limitation of liability, indemnity, termination rights, possibly an SLA) without having to negotiate.
- Ask for a non-renewal clause in the Order Form. They will have standard language that overrides the auto-renewal provision in their default terms.
Subject: HelixCode contract — quick asks
Hi [Name],
We've gone through the HelixCode terms and the current order form. To get this moving, could you incorporate your standard Enterprise MSA and DPA instead of your online terms? We don't anticipate any changes to those, but want the more robust protections.
We would also like to include a 90-day data export window and a 30-day non-renewal notice period in the final order form. Let me know if you can get those over to us.
Thanks!
[Your Name]
The following terms are incorporated into the Order Form and shall prevail over any conflicting terms in the Vendor's online Terms of Service, Privacy Policy, or other supplemental agreements (the "Agreement").
Conflict of Terms
In the event of any conflict between this Order Form and the Vendor's standard Terms of Service or Privacy Policy, this Order Form shall control.
Uptime Commitment
Vendor commits to 99% monthly uptime for the Services. If uptime falls below this level, Customer shall, upon written request, receive service credits equal to 15% of the monthly fees for each 0.5% of downtime below the commitment.
Security Standards
Vendor shall: (i) maintain SOC 2 Type II or ISO 27001 certification; (ii) encrypt all Personal Data at rest using AES-256 and in transit using TLS 1.2 or higher; (iii) implement role-based access controls and multi-factor authentication for all systems processing Customer data; and (iv) provide Customer with current security audit reports upon reasonable request.
Renewal Terms
Upon expiration of the initial term, the subscription will only renew upon the affirmative written consent of both parties (email shall suffice). The automatic renewal clause in the Terms of Service is hereby deleted.
Liability Limits
Notwithstanding anything to the contrary in the Agreement, Vendor's total liability shall not be less than the greater of: (i) amounts paid by Customer in the twelve (12) months preceding the claim; or (ii) one hundred thousand dollars ($100,000).
Data Deletion and Export Rights
Customer may export all Customer Data at any time in a standard, machine-readable format (e.g., CSV or JSON). Upon termination, Vendor shall provide data export capability for ninety (90) days. Within thirty (30) days following the export window or Customer's earlier request, Vendor shall delete all Personal Data in its possession or control and provide written certification of such deletion.
Subprocessor Controls
Vendor shall: (i) maintain and provide a current list of all subprocessors; (ii) provide Customer with at least thirty (30) days' advance written notice before engaging any new subprocessor; and (iii) allow Customer to object to new subprocessors on reasonable data protection grounds. All subprocessors must be bound by data protection obligations at least as restrictive as those in this Agreement.
Price Protection
Any price increases upon renewal shall not exceed five percent (5%) annually or the Consumer Price Index (CPI), whichever is greater, and shall require Customer's prior written consent.
Data Processing and Compliance
The parties shall execute a Data Processing Agreement (DPA) that complies with GDPR, CCPA, and other applicable data protection laws. Vendor shall maintain compliance with these laws throughout the term of the Agreement.
Intellectual Property Indemnification
Vendor shall defend, indemnify, and hold Customer harmless from and against any third-party claims, damages, and costs (including reasonable attorneys' fees) arising from any allegation that Customer's use of the Services infringes any third-party intellectual property rights.
Dispute Resolution
Any provisions in the Agreement requiring exclusive arbitration or prohibiting class actions are hereby deleted. Disputes shall be resolved in the state or federal courts of the jurisdiction specified in the Agreement, and both parties waive any prohibition against participating in class-action proceedings.
- Security, financial stability, and data use practices are strong. SOC 2 Type II certified, well-funded Series C with credible investors, and clear privacy mode that prevents AI training on customer code.
- Legal terms need work. No standalone DPA, liability capped at six months' fees, no IP indemnification for the customer, and no uptime SLA.
- Low-leverage negotiation. HelixCode is a dominant player in the AI code editor space and unlikely to negotiate heavily on core terms, but standard requests like a DPA and data export rights are achievable.
Products:
- HelixCode Editor: AI-powered code editor for planning, writing, and reviewing code with inline AI assistance.
Data Collected:
- Account information: Name and email address used to sign up or contact support.
- Source code: Codebase uploaded for AI embeddings; embeddings and file-name hashes stored but plaintext code not retained after the request completes.
- Code inputs and actions: Code files, snippets, editor actions, and prompts used to power AI features.
- Prompts and telemetry: Prompts and limited telemetry may be shared with model providers when specific models are selected; data may be used to improve AI features.
- Data from integrations: Data from connected tools (e.g., GitHub, Jira, Slack) accessed for context and automation based on user configuration.
Your company: Series B SaaS startup
Leverage: Low
HelixCode is a well-funded, fast-scaling platform with a $480M Series C at approximately a $15B valuation. A Series B customer deal is unlikely to move HelixCode's terms or strategic direction.
Risk: Yellow
- Liability cap is limited to six months' fees. The agreement caps vendor liability at the greater of $100 or fees paid in the preceding six months, which is lower than the typical 12-month SaaS standard.
- No vendor intellectual property indemnification. The customer must indemnify the vendor for IP claims arising from use, but the vendor provides no reciprocal protection if the service infringes third-party rights.
- Missing formal Data Processing Addendum (DPA). The terms do not include a standalone DPA or specific GDPR/CCPA clauses, leaving subprocessor oversight and formal data deletion timelines undefined.
- No uptime SLA or service credits. The service is provided on an "as is" basis with no guaranteed availability levels or financial remedies for downtime.
Risk: Green
- SOC 2 Type II certified. HelixCode maintains SOC 2 Type II certification and provides the report via its Trust Center. The most recent audit was published in January 2026.
- SAML 2.0 SSO supported on business and enterprise tiers. SSO is available for team, business, and enterprise plans and is not listed as a separate paid add-on.
- No public bug-bounty program; responsible disclosure policy published. HelixCode accepts vulnerability reports via a security contact and GitHub Security Advisories, but no formal bug bounty program is advertised.
- No public data breaches or regulatory fines found. Searched news, regulatory filings, and vulnerability databases through February 2026; no confirmed breaches or fines were identified.
Risk: Green
- Private, ~$15B post-money valuation (Series C, November 2025). Headquartered in San Francisco; founded 2023 (~3 years). Rapid late-stage valuation positions HelixCode as a major AI/SaaS scale-up.
- ~$480M total funding raised; Series C led by Tier 1 investors. Deep capital from top-tier VCs and strategic corporates provides strong runway and market credibility.
- ARR ~$400M (November 2025) with rapid growth trajectory; headcount 200+. Strong commercial traction and premium product adoption indicate scalable revenue growth across enterprise and developer segments.
- No public reports of layoffs, leadership churn, or declining metrics. Typical high-valuation scale-up risks apply, but no negative signals identified in available coverage.
Risk: Green
- AI training restricted via Privacy Mode. The Privacy Policy states that customer inputs and suggestions are not used to train models except with explicit consent, user-reported feedback, or security review. Privacy Mode (enabled by default for teams) prevents model providers from retaining or training on customer data.
- Allows aggregated/de-identified use for product improvement. The policy permits anonymization and aggregation for research and feature improvement and asserts de-identified data won't be re-identified. No explicit prohibition on resale is stated.
- Post-termination deletion documented (~30 days) but export rights unclear. A commitment to deleting personal data within approximately 30 days of written instruction exists, but the standard terms lack a clear customer data export window or format guarantee.
- Processes full content (source code, prompts, files), plus metadata and account identifiers. HelixCode handles high-sensitivity developer content (code and prompts) alongside behavioral telemetry and account information.