TXNHUB LLC

DATA PROCESSING AGREEMENT

Last Updated June 1, 2026

This Data Processing Agreement (this "DPA") is incorporated into, and forms part of, the Agreement (as defined below) by and between TxnHub LLC, a Georgia (US) limited liability company ("TxnHub"), and the customer that is a party to such Agreement (the "Customer"), and governs the Parties' rights and obligations with respect to the Processing of Customer Personal Data (as such terms are defined below). TxnHub and the Customer may be referred to herein, each individually, as a "Party", and, collectively, as the "Parties".

BY REGISTERING TO USE, LOGGING INTO, ACCESSING, OR USING THE SERVICES OR OTHERWISE INDICATING YOUR ACCEPTANCE TO THIS DPA WHENEVER THE OPTION IS PRESENTED TO YOU: (A) YOU ARE ACKNOWLEDGING THAT YOU HAVE READ AND UNDERSTAND THE MOST CURRENT VERSION OF THIS DPA; (B) YOU ARE REPRESENTING THAT YOU ARE EIGHTEEN (18) YEARS OF AGE OR OLDER AND OF LEGAL AGE TO ENTER INTO A BINDING AGREEMENT WITH US; (C) YOU ARE ACCEPTING THIS DPA AND AGREEING THAT YOU ARE LEGALLY BOUND BY THIS DPA; (D) YOU ARE AGREEING THAT THIS DPA WILL BE DEEMED TO SATISFY ANY REQUIREMENT UNDER APPLICABLE LAW THAT AN AGREEMENT BETWEEN YOU AND US BE IN WRITING; AND (E) YOU ARE AGREEING THAT YOUR ACTIONS IN REGISTERING FOR OR LOGGING INTO THE SERVICES OR OTHERWISE INDICATING YOUR AGREEMENT TO THIS DPA WILL BE DEEMED TO BE YOUR VALID AUTHENTICATED SIGNATURE FOR PURPOSES OF ANY APPLICABLE LAW REQUIRING THAT THESE TERMS BETWEEN YOU AND US BE SIGNED BY YOU IN WRITING.

WHEREAS, in the course of providing the Services to the Customer pursuant to the Agreement, TxnHub may Process Customer Personal Data on behalf of the Customer.

NOW THEREFORE, and the Parties agree to comply with the following provisions with respect to any Customer Personal Data, each acting reasonably and in good faith.

1. Definitions.

"Affiliate" means an entity that directly or indirectly controls, is controlled by or is under common control with an entity, where "control" means, for the purposes of this definition, an ownership, voting, or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question.

"Agreement" means TxnHub's Terms of Service, or other written or electronic agreement, that governs the provision of the Services to the Customer, as such terms or agreement may be updated/amended from time to time.

"Customer Personal Data" means any Personal Data that TxnHub Processes on behalf of the Customer via the Services, as more particularly described in this DPA.

"Data Breach" means a breach of TxnHub's security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to Customer Personal Data. Data Breach shall not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

"Data Controller" means the natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the Processing of Personal Data.

"Data Processor" means any natural or legal person, public authority, agency, or any other body which Processes Personal Data on behalf of a Data Controller or on the instruction of another Data Processor acting on behalf of a Data Controller.

"Data Protection Laws" means any applicable United States data privacy or data protection laws, including but not limited to (i) California Consumer Privacy Act, (ii) the Colorado Privacy Act, (iii) the Virginia Consumer Data Protection Act, (iv) the Connecticut Data Privacy Act, (v) the Utah Consumer Privacy Act and (vi) any corresponding or similar United States state or federal laws or regulations relating to the use or protection of consumer data including any amendment, update, modification to or re-enactment of such laws.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates including, but not limited to, the Customer's clients, customers, portfolio companies, transaction counterparties, and other third parties whose Personal Data the Customer submits to or processes through the Services.

"Personal Data" means any information relating to an identified or identifiable living individual, including information that can be linked, directly or indirectly, with a particular Data Subject and is protected as "personal data", "personal information", or "personally identifiable information", under Data Protection Laws.

"Process", "Processing" or "Processed" means any operation or set of operations which is performed upon Customer Personal Data whether or not by automated means, according to the definitions given to such terms in such applicable Data Protection Laws.

"Sensitive Data" means any Personal Data that requires a heightened degree of protection by applicable law, including but not limited to, (a) social security number, tax file number, passport number, driver's license number, or similar identifier (or any portion thereof); (b) financial information or credit or debit card number (other than the truncated (last four digits) of a credit or debit card); (c) genetic, biometric, medical, or health information or other information that is subject to international, federal, state, or local laws or ordinances now or hereafter enacted regarding data protection or privacy, including, but not limited to, the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, the Fair Credit Reporting Act, the Children's Online Privacy Protection Act and the Gramm-Leach-Bliley Act; (d) racial, ethnic, political or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; (e) geolocation; (f) account passwords; or (g) any other Personal Data that is treated as sensitive, special, protected, or subject to heightened protection under applicable Data Protection Laws.

"Services" means the services, platform, software, features, functionality, and related offerings provided by TxnHub to the Customer pursuant to the Agreement, as further described in the Agreement or any applicable subscription plan, order page, personalized payment page, or similar ordering document.

"Sub-processor" means any sub-contractor engaged in the Processing of Customer Personal Data in connection with the provision of the Services.

"Supervisory Authority" means any regulatory, supervisory, governmental, or other competent authority with jurisdiction or oversight over compliance with the Data Protection Laws.

Terms capitalized herein that are not defined shall have the meaning assigned to them in applicable Data Protection Laws.

2. Appointment and Data Processing.

2.1 Subject to the terms of the Agreement, the Customer is the sole Data Controller of the Customer Personal Data or has been instructed by and obtained the authorization of the relevant Data Controller(s) to enter into this DPA in the name and on behalf of such Data Controller(s). The Customer is responsible for obtaining all of the necessary authorizations and approvals to enter, use, provide, store, and Process Customer Personal Data to enable TxnHub to provide the Services.

2.2 The Customer, as the Data Controller, hereby appoints TxnHub as the Data Processor in respect of all Processing operations required to be carried out by TxnHub on Customer Personal Data in order to provide the Services in accordance with the terms of the Agreement.

2.3 TxnHub shall Process Customer Personal Data, as further described in Schedule A of this DPA, only in accordance with the Customer's documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing. The Parties agree that the Agreement, including this DPA, constitutes the Customer's complete and final instructions to TxnHub in relation to the Processing of Customer Personal Data, and Processing outside the scope of these instructions (if any) shall require prior written agreement between the Parties.

2.4 The Customer will ensure that TxnHub's Processing of the Customer Personal Data in accordance with the Customer's instructions will not cause TxnHub to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws. TxnHub shall promptly notify the Customer in writing, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any data Processing instruction from the Customer infringes or violates Data Protection Laws and request the Customer to withdraw, amend, or confirm the relevant instruction. Pending the decision on the withdrawal, amendment, or confirmation of the relevant instruction, TxnHub shall be entitled to suspend the implementation of the relevant instruction.

2.5 The Customer represents and warrants that, (a) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its Processing of Customer Personal Data and any Processing instructions it issues to TxnHub; and (b) it has provided, and will continue to provide, all notices, and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for TxnHub to collect and Process Customer Personal Data for the purposes described in the Agreement. The Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which the Customer acquired Customer Personal Data. 

2.6 TxnHub will have no liability or responsibility whatsoever for Sensitive Data disclosed by the Customer to TxnHub.

2.7 Except as expressly set forth in the Agreement and in this DPA, or as otherwise required by law, TxnHub will not collect, use, retain, disclose, sell, or otherwise make Customer Personal Data available for TxnHub's own commercial purposes. The subject matter, nature, purpose, and duration of the Processing of Customer Personal Data, as well as the types of Personal Data collected and categories of Data Subjects, are described in Schedule A to this DPA.

2.8 TxnHub will maintain complete, accurate, and up to date written records of all Processing activities carried out on behalf of the Customer containing information required under any applicable Data Protection Laws.

3. Sub-processors.

3.1 The Customer acknowledges and agrees that TxnHub may engage third-party Sub-processors in connection with the provision of the Services, or to fulfil its contractual obligations under this DPA, or to provide certain services on its behalf, such as providing support services to TxnHub. TxnHub has entered into and will maintain a written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA with respect to the protection of Customer Personal Data to the extent applicable to the nature of the services provided by such Sub-processor. TxnHub will, exercising reasonable care, evaluate an organization's data protection practices before allowing the organization to act as a Sub-processor. TxnHub currently utilizes the Sub-processors set forth in Schedule C.

3.2 TxnHub will remain responsible for any acts or omissions of its Sub-processors to the same extent that TxnHub would be liable if performing the Services of each Sub-processor directly under the terms of this DPA.

4. Authorized Personnel. TxnHub shall ensure that all persons authorized to Process Customer Personal Data are made aware of the confidential nature of Customer Personal Data, have received appropriate training on their responsibilities, and have committed themselves to confidentiality (e.g., by confidentiality agreements) or are under an appropriate statutory obligation of confidentiality. TxnHub will ensure that TxnHub's access to Customer Personal Data is limited to those personnel performing Services in accordance with the Agreement.

5. Security Responsibilities.

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, TxnHub shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, but not limited to, the security measures set out in Schedule B (the "Security Measures").

5.2 TxnHub shall implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate: (a) the pseudonymization and encryption of Customer Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services; (c) the ability to restore the availability and access to Customer Personal Data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing, and evaluating the effectiveness of security measures.

5.3 TxnHub maintains internal policies and procedures, and/or ensures that its Sub-processors do so, which are designed to (i) minimize security risks, including through risk assessment and regular testing, and (ii) identify reasonably foreseeable and internal risks to security and unauthorized access to the Customer Personal Data Processed by TxnHub.

5.4 TxnHub will, and will use reasonable efforts to ensure that its Sub-processors, conduct periodic reviews of the security of its network and the adequacy of its information security program as measured against industry security standards, policies, and procedures.

5.5 The Customer is responsible for reviewing the information made available by TxnHub relating to data security and making an independent determination as to whether the Service meets the Customer's requirements and legal obligations under Data Protection Laws. The Customer acknowledges that the Security Measures are subject to changes, from time to time, to reflect technological developments and industry standard practices; provided, always, that such changes do not result in any objective degradation to the security of Customer Personal Data, the manner in which the Services are provided, or which fall below the standard of any applicable law.

5.6 Notwithstanding the above, the Customer agrees that except as provided by this DPA, the Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Personal Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any Customer Personal Data uploaded to the Services.

6. Data Breach Provisions.

6.1 If TxnHub becomes aware of a Data Breach, then TxnHub shall, without undue delay, and in any case within seventy-two (72) hours of discovery, (a) notify the Customer of the Data Breach and (b) take reasonable steps to mitigate the effects of and to minimize any damage resulting from the Data Breach.

6.2 In the event of a Data Breach, TxnHub shall provide the Customer with all reasonable assistance in dealing with the Data Breach, in particular in relation to the Customer making any notification to a Supervisory Authority or its Data Subjects. In order to provide such assistance, and taking into account the nature of the Services and the information available to TxnHub, the notification of the Data Breach shall include, at a minimum, the following:

(a) A description of the nature of the Data Breach including the categories and approximate number of data records concerned;

(b) The likely consequences of the Data Breach; and

(c) The measures taken or to be taken by TxnHub to address the Data Breach, including measures to mitigate any possible adverse consequences.

6.3 Where, and insofar as, it is not possible for TxnHub to provide such information at the time of the notice, then such notice shall nevertheless be made, in as complete a form as possible, and the remaining required information may be provided by TxnHub in phases and as it shall become available, without undue delay.

6.4 The Customer agrees that TxnHub's obligation to report or respond to a Data Breach under this Section is not and will not be construed as an acknowledgement by TxnHub of any fault or liability of TxnHub with respect to the Data Breach.

7. Data Quality, Retrieval, and Deletion.

7.1 TxnHub will update, correct, or delete Customer Personal Data on the Customer's request. TxnHub will not collect or Process Customer Personal Data beyond what is necessary to comply with the Customer's instructions and perform the Services on the Customer's behalf.

7.2 Upon the expiration or termination of the Agreement (in whole or in part) or earlier upon the Customer's request, TxnHub will, unless any applicable law, competent court, Supervisory Authority, or regulatory body prevents TxnHub from destroying Customer Personal Data, destroy all Customer Personal Data Processed and any copies thereof and certify, upon Customer's written request, that TxnHub has done so.

7.3 However, the foregoing Section 7.2 shall not apply (i) to the extent TxnHub is required by applicable law to retain some or all of the Customer Personal Data, or (ii) to Customer Personal Data TxnHub has archived on back-up systems whereby TxnHub shall securely isolate and protect such Customer Personal Data from any further Processing and delete in accordance with its deletion practices.

7.4 On request from the Customer and at the Customer's expense, and as such may be feasible, TxnHub will provide a portable copy of the Customer Personal Data in accordance with the Data Protection Laws with respect to Personal Data.

8. Customer Requests for Data Protection Information. TxnHub shall respond to all reasonable written requests for information made by the Customer to confirm TxnHub's compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, by making additional information available regarding its information security program upon the Customer's written request to TxnHub, provided that the Customer shall not exercise this right more than once annually.

9. Assistance on Data Protection Impact Assessment. To the extent required under applicable Data Protection Laws, TxnHub will, at the Customer's expense and taking into account the nature of the Processing and the information available to TxnHub, provide all reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with any Supervisory Authorities, as required by such Data Protection Laws. TxnHub shall comply with the foregoing by: (a) complying with Section 8; (b) providing the information contained in the Agreement, including this DPA; and (c) if the foregoing clauses (a) and (b) are insufficient for the Customer to comply with such obligations, upon request, providing additional reasonable assistance.

10. International Transfers. The Customer acknowledges that TxnHub may transfer and Process Customer Personal Data to and in the United States of America and anywhere else in the world where TxnHub or its Sub-processors maintain Processing operations. TxnHub will, at all times, ensure that such transfers are made in compliance with the requirements of all applicable Data Protection Laws.

11. Data Subject Requests and Other Communications.

11.1 TxnHub shall, to the extent required by the Data Protection Laws, promptly notify the Customer upon receipt of a request by a Data Subject to exercise Data Subject rights under the applicable Data Protection Laws. TxnHub will advise the Data Subject to submit their request to the Customer and the Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services.

11.2 TxnHub shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the Data Subject's rights (regarding information, access, rectification and erasure, restriction of Processing, notification, data portability, objection and automated decision-making) under the Data Protection Laws. If requested by TxnHub, the Customer will provide such information to TxnHub as is reasonable and necessary for TxnHub to unambiguously identify the Data Subject requesting to exercise their Data Subject rights.

12. Permitted Disclosures of Customer Personal Data.

12.1 TxnHub may disclose Customer Personal Data to the extent such data is required to be disclosed by law, by any government or Supervisory Authority, or by a valid and binding order of a law enforcement agency (such as a subpoena or court order), or other authority of competent jurisdiction.

12.2 If any law enforcement agency, government, or Supervisory Authority sends TxnHub a demand for disclosure of the Customer Personal Data, then TxnHub will attempt to redirect the law enforcement agency, government, or Supervisory Authority to request that data directly from the Customer and TxnHub is entitled to provide the Customer's basic contact information to such law enforcement agency, government, or Supervisory Authority.

12.3 If compelled to disclose Customer Personal Data pursuant to Section 12.1, then TxnHub will give the Customer reasonable notice of the demand, if so permitted by law, to allow the Customer to seek a protective order or other appropriate remedy.

13. Liability; Limitations. Each Party's and all of its Affiliates' liability, taken together and in the aggregate, arising out of or related to this DPA shall, in all cases, be limited to the extent that the same shall have been caused by such Party's actions, and shall be further subject to the exclusions and limitations of liability set forth in the Agreement, to the extent permitted by applicable Data Protection Laws.

14. Relationship with the Agreement.

14.1 This DPA shall remain in effect for as long as TxnHub carries out Customer Personal Data Processing operations on behalf of the Customer or until expiration or termination of the Agreement (and all Customer Personal Data has been deleted in accordance with Section 7 above).

14.2 TxnHub may update, amend, or otherwise modify this DPA from time to time in its sole discretion, including to reflect changes to the Services, Data Protection Laws, the list of Sub-processors set forth in Schedule C, or TxnHub's data protection practices. Upon making any such update, amendment, or modification, TxnHub shall provide notice to the Customer in the manner prescribed under the "notices" section of the Agreement. Any such update, amendment, or modification to this DPA will become effective fifteen (15) days after such notice is provided to the Customer; but shall only be effective if it does not materially diminish the protections hereunder, unless Customer otherwise agrees in writing.

14.3 This DPA supersedes and replaces all prior representations, understandings, communications, and agreements by and between the Parties in relation to the matters set forth in this DPA.

14.4 In the event of any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) this DPA; and then (b) the Agreement.

14.5 Except for any changes made by this DPA, the Agreement remains unchanged and in full force and effect. For matters not addressed under this DPA, the terms of the Agreement apply.

14.6 No one other than a Party to this DPA, its successors, and permitted assignees shall have any right to enforce any of its terms.

14.7 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

*Schedules Continue on Following Page*]

[SCHEDULE A

Details of Data Processing

Categories of data subjects whose personal data is transferred

  • The Customer Personal Data transferred may include, but is not

    limited to, Customer Personal Data relating to the Customer, the Customer's clients/customers, or such other third parties.

Categories of personal data transferred

  • Customer Personal Data, and thus the categories of Customer Personal

    Data transferred, are determined by the Customer, in its sole discretion (subject to the DPA and Agreement), and may include, but is not limited to, names, contact information, addresses, and emails.

Sensitive data transferred (if applicable)

  • Sensitive data transferred may include any type of sensitive data

    that the Customer may choose to transfer.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis)

  • The frequency of the transfer will be on a continuous basis.

Nature of the processing

  • The nature of the Processing of Customer Personal Data is to provide

    the Services in accordance with the Agreement.

Purpose(s) of the data transfer and further processing

  • TxnHub will Process Customer Personal Data as necessary to perform

    the Services pursuant to the Agreement, as further specified in the DPA, and as further instructed by the Customer in its use of the Services.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

  • As specified in Section 7.2 of the DPA.

For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing

  • The subject matter and nature of the Processing by Sub-processors

    are specified in Schedule C of the DPA. The duration of the Processing carried out by Sub-processors will be until thirty (30) days following the termination or expiration of the Agreement unless otherwise agreed.

*End of [Schedule A]*

SCHEDULE B

Information Protection and Security Standards

This document constitutes the Information Protection and Security Standard annex (the "IPSS Annex") of the Data Processing Agreement (the "Agreement"). The IPSS Annex is stated at a relatively high level and the Customer recognizes that the IPSS Annex may be revised by TxnHub from time to time. All terms used and not otherwise defined herein, shall have the meanings ascribed to them in the Agreement.

SECURITY PROGRAM

TxnHub maintains administrative, technical, and organizational measures appropriate to a cloud-hosted software service operated on established third-party infrastructure. Because TxnHub is a small organization, it relies substantially on the security controls of the infrastructure sub-processors listed in Schedule C and layers application-level controls on top of them. TxnHub is in the process of formalizing written information-security and risk-management policies.

ACCESS CONTROL AND TENANT ISOLATION

Access to Customer Personal Data is limited, on a least-privilege basis, to authorized personnel bound by confidentiality obligations. The Services enforce role-based access controls on the server side. Customer data is segregated between organizations through application-level scoping together with database row-level security, and privileged operations are performed through a separate service credential.

AUTHENTICATION

User authentication is provided through TxnHub's identity sub-processor. Multi-factor authentication is available to all users and may be required at the organization level by a workspace administrator.

AUDIT LOGGING

TxnHub maintains append-only audit logs that record the actor (user and role), the action taken, the affected resource, the organization, and the timestamp. Administrative actions additionally record a reason, any monetary amount, and the deploying software version. Logged events include security-relevant actions such as administrative access, role changes, and account suspensions.

ENCRYPTION

Data transmitted between users and the Services is encrypted in transit using TLS, with HTTP Strict Transport Security and additional security headers applied across the application. Customer Personal Data at rest is encrypted by TxnHub's infrastructure sub-processors (Supabase and Vercel), which apply AES-256 encryption by default.

RATE LIMITING AND ABUSE PROTECTION

The Services apply distributed rate limiting to help protect against abuse and automated attacks.

OPERATIONAL MONITORING

TxnHub maintains structured request, webhook, and audit logging, together with automated alerts for anomalous usage of the Services' AI features. Application error monitoring is enabled where configured.

SECURE DEVELOPMENT AND CHANGE MANAGEMENT

Changes to the Services are managed through version control and an automated continuous-integration pipeline that runs type-checking, code linting, automated security checks (including tenant-isolation and access-control checks), an automated test suite, and a production build before changes are released. Software dependencies are pinned with a committed lockfile and monitored for known vulnerabilities through automated dependency scanning.

BACKUPS AND RESILIENCE

Customer data is hosted on managed infrastructure that provides automated database backups and high-availability hosting through TxnHub's infrastructure sub-processors.

CONFIDENTIALITY AND AI PROCESSING

Customer content submitted to the Services' AI features is processed by the AI sub-processors listed in Schedule C solely to provide the requested functionality, and is not used to train generally available AI models. Where a deal or workspace is designated as confidential or access-restricted, access is limited accordingly and that content is excluded from organization-wide knowledge features.

SUB-PROCESSORS

TxnHub engages the sub-processors listed in Schedule C and remains responsible for their performance as set out in this DPA. TxnHub will evaluate the security practices of any new sub-processor before engaging it.

*End of [Schedule B]*

SCHEDULE C

Sub-processors List

TxnHub uses the Sub-processors listed below to assist in providing the Services as described in the Agreement:

Sub-processor Name Purpose of Processing Processed Data Location of data processing


Supabase, Inc. Cloud database and primary storage/hosting of Customer account data and uploaded deal materials. Customer account data, User Data and Platform Content (deal documents, contacts, notes, messages) and any Personal Data contained therein. United States (AWS, us-east-2 / Ohio) Vercel Inc. Application hosting, serverless compute, and content delivery for the Platform. Data transmitted to/from the Platform in transit and processed by serverless functions, including Personal Data and Platform Content; request and usage logs. United States (primary); global edge network Clerk, Inc. User authentication, identity, and session management. Account registration and identity data: name, email address, login credentials/identifiers, and authentication metadata. United States Anthropic, PBC AI/LLM processing powering the Platform's AI chat, analysis, and summarization features. Prompts and document content submitted by Users to AI features, which may include Personal Data and Platform Content. Not used to train generally available models. United States Voyage AI (MongoDB, Inc.) Text embeddings for document search and retrieval (powers AI search over uploaded materials). Text extracted from User Data / Platform Content submitted for embedding and indexing. Not used to train generally available AI models. United States Stripe, Inc. Payment processing and subscription billing. Billing contact details and payment/transaction data. Card data is handled directly by Stripe and is not stored by TxnHub. United States (global processing) Resend (Plus Five Five, Inc.) Transactional and notification email delivery. Recipient name and email address; email content and delivery metadata. United States Upstash, Inc. Managed Redis for caching, rate limiting, and background job/queue support. Limited operational data such as cache keys, user/session identifiers, and rate-limiting metadata, which may include limited Personal Data. United States Sentry (Functional Software, Inc.) Application error monitoring and performance diagnostics. Error and diagnostic data, which may include IP address, user/account identifiers, and limited request context captured at the time of an error. United States Tavily (Tavily AI) Industry and market web search used to generate industry overview / research reports. Industry and topic search queries only (derived from the industry name / NAICS code). No customer documents, deal content, account data, or Personal Data are sent. United States

*End of [Schedule C]*