Version v1.3

Effective April 20, 2026

NOESIS CFO - Data Handling Terms

Effective Date: April 20, 2026

Version: v1.3

Operator: Athena Core Technologies ("Athena", "we", "our")

Platform posture: Business-to-Business FinTech SaaS. Customer Data is processed for internal commercial finance, tax, and analytics purposes only.

These Data Handling Terms ("DHT") supplement the Terms of Service and Privacy Policy and govern specifically how Athena processes, stores, and protects the financial and operational data you submit to the NOESIS CFO Platform. In the event of a conflict between these DHT and the Terms of Service on a data-handling matter, these DHT control.


1. Customer Data Ownership

You retain full ownership of all financial data, documents, and inputs you submit to the Platform ("Customer Data"). Athena acquires no ownership interest in Customer Data.

The limited license you grant Athena (as described in the Terms of Service) is strictly for:

Processing your data through the Platform's analysis engines
Storing results in your account for your review
Delivering the services you subscribed to

Athena will not access, read, or process Customer Data for any purpose outside this scope without your explicit written consent.


2. No Training on Customer Data

Athena will not use Customer Data to train, fine-tune, validate, or otherwise improve any machine learning, AI, or statistical model - whether proprietary to Athena or provided by a third party.

This prohibition applies regardless of:

Whether the data is individually identifiable
Whether the data has been aggregated or anonymized
Whether the data would improve model accuracy

This is a firm contractual commitment, not a policy preference subject to change without notice. Any modification to this prohibition requires a written amendment signed by both parties.


3. Platform-Generated Analysis - No Professional Certification

All outputs generated by the Platform (valuations, insights, tax observations, deal scores, CFO briefs, reports) are:

Deterministic estimates produced by rule-based computational models applied to your inputs
Not certified by any professional licensing body (USPAP, CPA, RIA, or similar)
Not legal or professional opinions from Athena employees or contractors
Dependent entirely on the accuracy of your inputs - garbage in, garbage out

The Platform clearly labels the source, confidence level, and assumptions underlying each output. You are solely responsible for verifying outputs before acting on them.


3A. Enforced Guardrails on AI Output

Athena operates a three-layer output model that is enforced at the code level, not only in policy:

1. Computed Analysis layer - deterministic engines, version-pinned, ROUND_HALF_EVEN Decimal math. No AI model may compute or modify a financial figure.
2. LLM Interpretation layer - AI-generated commentary only. Prompts are server-constructed, include authority-citation requirements for tax claims, and are validated to reject outputs that restate numbers, invent figures, or omit required citations.
3. Experienced CFO Review layer - human advisory by Athena Core Technologies, contracted separately.

Customer acknowledges that (a) AI commentary is narrative only, (b) any figure referenced in AI commentary is sourced from the Computed Analysis layer and is not recomputed by the AI, (c) the Platform ignores instructions embedded in uploaded documents, prompts, or other untrusted sources ("prompt-injection defense"), and (d) Customer will not attempt to bypass, disable, or manipulate these guardrails.


4. Data Classification

Athena classifies Customer Data as follows:

| Classification | Description | Examples |
| --- | --- | --- |
| **Financial Data** | Numerical and categorical financial inputs | Revenue, expense, NOI, property details |
| **Structural Data** | Entity and ownership configuration | Entity type, jurisdiction, investor type |
| **Identity Data** | Account-identifying information | Email, name, firm |
| **Session Data** | Technical authentication records | IP address, session tokens |

Financial and Structural Data receive the highest protection and access controls. Athena employees do not access Financial Data except as required to diagnose a technical issue, and only with your knowledge.


5. Sub-Processors and Data Residency

Customer Data is stored and processed in the United States. Our primary sub-processors:

| Sub-Processor | Role | Data Location |
| --- | --- | --- |
| Neon Technology Inc. | PostgreSQL database | US East (AWS) |
| Vercel Inc. | Application hosting + edge CDN | US regions |
| Stripe Inc. | Payment processing | US / EU (Stripe policy) |
| Upstash Inc. | Rate-limit + session cache (Redis) | US regions |
| Anthropic PBC | LLM inference (Claude API, zero-training) | US regions |
| Resend Inc. | Transactional email delivery | US regions |
| Plaid Inc. | Bank data integration (customer-initiated) | United States |
| Intuit Inc. (QuickBooks Online) | Accounting data integration (customer-initiated) | United States |

The canonical, always-current sub-processor list is maintained in the Data Processing Addendum at /legal/dpa. Athena does not transfer Customer Data outside the United States except as required by Stripe for payment processing. All sub-processors are bound by data processing agreements consistent with these DHT.


6. Data Retention and Deletion

Athena operates NOESIS on a no-retention posture. We do not warehouse Customer Data. Financial Data, Structural Data, and analysis outputs are held only as long as they are being used by you inside the Platform, plus the short operational minimum required to deliver the service you requested.

Active Subscriptions

Customer Data remains in the Platform for as long as you choose to keep it there. You may remove any upload, valuation, portfolio, or generated output from your workspace at any time. Once removed through the Platform UI or the self-serve purge control in Settings, the underlying row is deleted from our primary store within 24 hours and from operational backups within 30 days.

Self-Serve Purge

Signed-in users may purge all of their Financial Data, Structural Data, analysis outputs, and connected-integration data at any time from Settings > Profile > Purge my data. This is an immediate, user-initiated deletion that does not require a support request and does not require account cancellation.

After Termination or Cancellation

Financial uploads, analysis outputs, integration connections, and entity/structural profile: deleted within 24 hours of subscription end or account closure; removed from operational backups within 30 days
Identity (name, email) and billing records: retained only to the extent required by applicable law (typically 7 years for financial records such as paid invoices)
Security logs: retained 13 months for fraud and abuse defense, then deleted
Legal acceptance records: retained while any acceptance remains in force, then for the statutory limitation period

Request-Based Deletion

You may also request immediate deletion in writing by contacting support@noesiscfo-io.us. Written requests are processed within 10 business days. The self-serve purge is the faster route and is always available while your account is active.

What We Keep (and Why)

The only Customer Data Athena retains beyond the active-use window is the minimum record set required by law, tax authorities, payment processors, or legal-acceptance audit. Everything else is disposable at your request.


7. Security Measures

Athena implements the following controls to protect Customer Data:

Technical Controls:

TLS 1.2+ for all data in transit
AES-256 encryption at rest (managed by Neon/Vercel infrastructure)
HMAC-signed session tokens with server-side secret rotation capability
API rate limiting and IP-based abuse detection
Parameterized database queries (no raw SQL from user input)
Principle of least privilege for all internal systems access

Operational Controls:

Security event logging for authentication failures, admin actions, and rate limit violations
Periodic access reviews for internal systems
Employee NDA requirements covering all customer data

Incident Response:

Security incidents are assessed within 24 hours of detection
Material breaches affecting Personal Data are reported to affected users within 72 hours of confirmed discovery, as required by applicable law
Post-incident reviews are conducted for all material events

8. Breach Notification

In the event of a confirmed data breach that materially affects your Customer Data, Athena will:

1. Notify you at your registered email address within 72 hours of confirming the breach
2. Describe the nature of the breach, the data categories affected, and the approximate number of records involved
3. Describe the remediation steps Athena is taking
4. Provide a point of contact for follow-up questions

This notification timeline applies to confirmed breaches. Athena will not delay notification for the purpose of investigating whether legal liability exists.


9. Audit Rights

Enterprise customers may request written confirmation that Athena's data handling practices comply with these DHT. Athena will provide a written compliance summary within 30 business days of a written request.

Physical audits of Athena's infrastructure are not available; instead, Athena relies on its sub-processors' SOC 2 certifications (Neon, Vercel) as evidence of infrastructure security.


10. Changes to These Terms

Athena may update these DHT at any time. Users will be required to re-accept updated DHT before continued access to protected features. The core prohibition on training AI models on Customer Data (Section 2) will not be weakened without your affirmative consent.


11. Contact

Athena Core Technologies - Data Handling Inquiries

Email: support@noesiscfo-io.us

Subject: Data Handling Terms Inquiry


*NOESIS CFO is powered by Athena Core Technologies. All rights reserved.*