Data Processing Addendum
Effective May 17, 2026
1. Relationship to Agreement
This Data Processing Addendum ("DPA") forms part of the Terms of Service, order form, or other written agreement between Customer and TxnHub LLC governing Customer's use of Odin (the "Agreement"). If there is a conflict about processing Customer Personal Data, this DPA controls.
2. Roles and Instructions
For Customer Personal Data processed to provide Odin, Customer is the controller or business and TxnHub LLC is the processor or service provider. TxnHub LLCwill process Customer Personal Data only on Customer's documented instructions, including the Agreement, this DPA, user configuration, and applicable law.
3. Definitions
Customer Personal Data means Customer Data that is personal data, personal information, or a similar term under applicable privacy laws. Processing, controller, processor, data subject, personal data, and supervisory authority have the meanings given by applicable privacy laws.
4. Processing Details
TxnHub LLCprocesses Customer Personal Data to provide, secure, support, maintain, and improve Odin for Customer's workspace, including hosting, storage, search, document analysis, AI-assisted drafting, chat, scoring support, workflow management, billing, support, logging, and security operations. Additional details are in Annex I.
5. Customer Responsibilities
Customer is responsible for the lawfulness of Customer Personal Data, required notices and consents, user permissions, workspace configuration, and any sensitive or regulated data it chooses to upload. Odin is not intended for special categories of personal data, protected health information, payment-card data outside Stripe-hosted flows, or other highly regulated data unless separately agreed in writing.
6. Confidentiality and Security
TxnHub LLC will ensure personnel authorized to process Customer Personal Data are subject to confidentiality obligations and will maintain reasonable technical and organizational measures designed to protect Customer Personal Data. Current measures are summarized in Annex II.
7. Subprocessors
Customer authorizes TxnHub LLC to use subprocessors to provide Odin. TxnHub LLC will impose data-protection obligations on subprocessors and remains responsible for their processing under the Agreement. Current subprocessors are listed in Annex III. TxnHub LLC will provide notice of material subprocessor changes by email, in-product notice, website posting, or another reasonable method.
8. Security Incidents
TxnHub LLC will notify Customer without undue delay after confirming a Security Incident affecting Customer Personal Data. Where feasible, notice will include the nature of the incident, affected data, mitigation steps, and information reasonably needed for Customer to meet its own legal obligations.
9. Data Subject Requests
TxnHub LLC will provide reasonable assistance, taking into account the nature of the Service, for Customer to respond to data-subject requests. If TxnHub LLC receives a request relating to Customer Personal Data, TxnHub LLC may direct the requester to Customer unless legally required to respond.
10. Return and Deletion
After termination, Customer may export available Customer Personal Data for 30 days unless legally prohibited or the account was terminated for security or misuse. TxnHub LLC will then delete Customer Personal Data from active systems according to its standard deletion process and from backups according to its backup lifecycle, unless retention is required by law or legitimate dispute, security, or compliance needs.
11. International Transfers
If Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties will use appropriate safeguards. Where applicable, the EU Standard Contractual Clauses, Module Two, and the UK Addendum are incorporated by reference and completed by the Agreement and this DPA.
12. CCPA/CPRA Terms
For Customer Personal Data subject to the CCPA/CPRA, TxnHub LLCacts as Customer's service provider or contractor. TxnHub LLC will not sell or share Customer Personal Data, retain/use/disclose it outside the business relationship except as permitted by law, or combine it with other personal information except as permitted by CCPA regulations.
13. Audit and Assistance
Upon reasonable written request, TxnHub LLC will provide information reasonably necessary to demonstrate compliance with this DPA, such as summaries of security controls, subprocessors, or certifications as they become available. Any audit must be reasonable, no more than once annually absent a Security Incident or regulator request, and subject to confidentiality and security requirements.
14. Liability
Liability under this DPA is subject to the Agreement's limitation of liability, except to the extent applicable privacy laws or the Standard Contractual Clauses require otherwise.
Annex I — Processing Details
| Item | Description |
|---|---|
| Subject matter | Provision of Odin and related support, security, billing, and account administration. |
| Duration | Term of the Agreement plus export, deletion, backup, legal, and dispute-retention periods. |
| Data subjects | Authorized users, customer personnel, target-company personnel, deal contacts, advisers, counterparties, and other individuals included in Customer Data. |
| Data categories | Business contact information, account data, communications, deal records, diligence materials, financial or operational files, prompts, notes, and generated outputs. |
| Sensitive data | None intended. Customer should not upload sensitive or highly regulated data unless necessary and lawful. |
| Processing operations | Hosting, storage, retrieval, display, transmission, analysis, AI inference, search, logging, backup, support, security, and deletion. |
Annex II — Security Measures
- TLS for data in transit and managed encryption at rest for database and storage services.
- Tenant isolation through organization-scoped authorization and database row-level security.
- Role-based permissions and least-privilege administrative access.
- Administrative MFA where supported and appropriate.
- Logging, monitoring, and audit trails for security-relevant activity.
- Backups, restoration procedures, and provider business-continuity controls.
- Vendor review for material subprocessors.
- Secure development practices, code review, dependency review, and vulnerability remediation.
- Incident response process for triage, containment, investigation, and customer notice.
Annex III — Current Subprocessors
| Provider | Purpose | Location / Notes |
|---|---|---|
| Clerk | Authentication and identity management | United States; may process account and login data. |
| Supabase | Managed Postgres database, storage, and row-level security | United States or selected cloud region. |
| Vercel | Application hosting, edge network, deployment logs | United States and global edge network. |
| Anthropic | AI inference for user-invoked Odin features | United States; inputs/outputs not used to train third-party foundation models per provider commitments. |
| Stripe | Billing, checkout, subscription management, invoices, payments | United States; card data handled by Stripe-hosted flows. |
| Resend | Transactional email delivery | United States. |
| Sentry | Error monitoring and diagnostics, if enabled | United States or configured region. |