Disclosures & Limitations

Version 2026-05-07-v1.6

Last updated May 7, 2026

Important

This platform provides illustrative internal analytical outputs. It does not constitute investment advice, legal advice, or tax advice.

1. Analytical Output Nature

All valuations, scenarios, tax estimates, and narratives produced by the platform are illustrative analytical outputs based on user-supplied data and explicitly selected assumptions. They are not appraisals, fairness opinions, or professional valuations.

2. Tax Estimates

Tax estimates are simplified illustrative calculations based on user-selected tax profiles, rates, and assumption flags. They do not model the full tax code. They do not constitute tax advice. Users should consult qualified tax professionals before making decisions based on tax-related outputs.

3. AI-Generated Narratives

AI-generated narrative sections are downstream interpretations of deterministic model outputs. AI does not compute, modify, or override financial values. AI narratives are clearly labeled throughout the platform and in all exports. AI may occasionally produce imprecise language; the deterministic numbers are the source of truth.

4. Data Accuracy

The platform processes data as provided by the user. It does not independently verify the accuracy or completeness of uploaded financial information. Output quality depends on input quality.

5. Assumption Dependence

All conclusions, scenarios, and recommendations are entirely dependent on the assumptions selected by the user, including valuation multiples, tax rates, withholding assumptions, and entity classifications. Changing assumptions will change outputs.

6. No Fiduciary Relationship

Use of this platform does not create a fiduciary, advisory, or professional relationship between the user and NOESIS CFO, its operator, or its affiliates.

7. No Reliance

Users should not rely solely on outputs from this platform when making investment, acquisition, financing, tax, or legal decisions. All outputs are decision-support tools intended to supplement, not replace, the judgment of qualified professionals. No output constitutes a recommendation to buy, sell, hold, or transact in any asset.

8. Platform Ownership and Intellectual Property

NOESIS CFO is a proprietary financial intelligence platform owned and developed by Athena Core Technologies, Inc., a Delaware corporation with its registered office in Sussex County, Delaware. All intellectual property rights, including software, algorithms, methodologies, and content, are reserved by Athena Core Technologies, Inc. No license to reproduce, distribute, or create derivative works is granted by access to or use of the platform.

9. Advisory Distinction

Athena Core Technologies, Inc. is the sole operating entity behind NOESIS CFO. Access to the platform does not, on its own, establish an advisory or consulting relationship. Any advisory services are governed by separate written engagement agreements with Athena Core Technologies, Inc. The platform itself is a software product, not an advisory service.

10. Data Handling

Data uploaded to the platform is used solely to generate analytical outputs for the uploading user or organization. User data is not shared with third parties for commercial purposes. Refer to our Data Handling Terms and Privacy Policy for full details on data retention, processing, and deletion.

11. Regulatory Framing & Licensure Disclaimers

Noesis CFO is software. It is not, and does not hold itself out as, any of the following. These disclaimers are not waivable by user conduct.

Not an investment adviser. Athena Core Technologies, Inc. is not registered as an investment adviser under the Investment Advisers Act of 1940 or any state equivalent. No output is a personalized securities recommendation.
Not a broker-dealer. The platform does not effect transactions in securities and is not registered with the SEC or FINRA.
Not a money transmitter or money-services business. The platform does not hold, transfer, or convert customer funds. Payments for the service are processed by Stripe (a licensed MSB); Athena Core Technologies, Inc. never receives customer funds for transmission.
Not a tax-return preparer. The platform produces analytical outputs and reconciliations. It does not file returns, sign returns under Circular 230, or represent taxpayers before the IRS. A qualified CPA or Enrolled Agent must review and approve any tax-position-relevant output before reliance.
Not a financial institution under GLBA. The platform is a vendor to businesses and does not hold consumer banking relationships. GLBA applies to our bank-data integrations (Plaid) at the source institution, not to Athena Core Technologies, Inc. as operator of the analytics layer.
Not a credit-reporting agency. Outputs are not “consumer reports” under the Fair Credit Reporting Act and may not be used to make decisions about eligibility for credit, insurance, employment, housing, or similar FCRA-regulated uses.

12. Sub-Processors & Vendor Transparency

The platform relies on a short list of sub-processors to operate. Each is contractually bound by a data-processing addendum and, where applicable, Standard Contractual Clauses. The current list is:

Sub-processor	Purpose	Region
Vercel, Inc.	Application hosting, edge delivery	US
Neon Inc.	Managed PostgreSQL database (AWS us-east)	US
Anthropic, PBC	Large-language-model API (zero-retention configuration)	US
Stripe, Inc.	Payment processing (PCI SAQ-A scope)	US
Twilio SendGrid, Inc.	Transactional email delivery	US
Plaid Inc.	Bank-account data aggregation (only where user explicitly connects)	US
Intuit Inc. (QuickBooks Online)	Accounting-data sync (only where user explicitly connects)	US
Xero Limited	Accounting-data sync (only where user explicitly connects)	US / NZ

Athena Core Technologies, Inc. will provide advance notice of any new or replacement sub-processor with access to Customer Data, with a reasonable opportunity to object. Objections may trigger the parties’ good-faith discussion of commercially reasonable alternatives, up to and including termination under the governing agreement.

13. International Data Transfers

The platform is operated from the United States. Where Customer Data originating in the European Economic Area, United Kingdom, or Switzerland is transferred to Athena Core Technologies, Inc. or a sub-processor located outside those jurisdictions, the transfer is governed by:

the European Commission’s Standard Contractual Clauses (Module 2: Controller-to-Processor; Module 3: Processor-to-Processor, as applicable), 2021/914;
the UK International Data Transfer Addendum (UK IDTA) to the SCCs for UK-origin data; and
the Swiss Federal Data Protection and Information Commissioner’s position on the SCCs for Swiss-origin data.

Athena Core Technologies, Inc. will execute the applicable transfer mechanism upon written request from any customer with personal data in scope of GDPR, UK GDPR, or the Swiss FADP.

14. Incident Response & Breach Notification

If Athena Core Technologies, Inc. becomes aware of a confirmed or reasonably suspected unauthorized acquisition, disclosure, or use of Customer Data (a “Security Incident”), it will:

notify the affected customer without undue delay and, in any event, within 72 hours of becoming aware;
include in that notice the facts known at the time, the categories of data involved, the estimated scope, any steps already taken, and a designated response contact;
provide reasonable assistance to the customer in meeting its own regulatory notification obligations (GLBA, state data-breach statutes, GDPR Art. 33, UK GDPR, and any sector-specific regime that applies to the customer); and
maintain an internal incident register for a minimum of three (3) years.

Unsuccessful security events (attempted but unsuccessful intrusions, denial-of-service events without data impact, routine log anomalies) are not Security Incidents and will not trigger individual notice.

15. CCPA / CPRA Service-Provider Status

For purposes of the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively “CCPA”), Athena Core Technologies, Inc. acts as a “Service Provider” to the customer. We certify that we:

do not sell or share Customer Data, as those terms are defined in the CCPA;
do not retain, use, or disclose Customer Data for any purpose other than the specific business purpose of providing the Services, including any commercial purpose not enumerated in the governing agreement;
do not combine Customer Data received from one customer with personal information received from another source, except as permitted by the CCPA; and
cooperate with customer requests to delete Customer Data in response to verified consumer deletion requests.

16. Data-Subject Rights Assistance

Where a data subject of a customer exercises a right of access, correction, deletion, portability, restriction, or objection under an applicable data-protection law (GDPR, UK GDPR, CCPA, LGPD, PIPEDA, or similar), Athena Core Technologies, Inc. will, at the customer’s written direction and without undue delay, assist by providing the technical means to locate, export, or delete the Customer Data in question. Requests from data subjects received directly by Athena Core Technologies, Inc. will be forwarded to the relevant customer without action, except as required by law.

17. Retention Schedule

Default retention periods. A customer may request shorter retention under a bespoke engagement.

Category	Retention	Rationale
Uploaded financial data, analyses, exports	Duration of subscription + 30 days	Active use; customer-driven deletion available at any time via Settings → Danger Zone.
Account metadata, billing records	7 years	Tax and accounting substantiation requirements.
Security / audit logs	2 years	Forensic availability for incident response.
LLM prompt / response logs	0 days at provider (zero-retention); up to 30 days internal for debugging	Anthropic zero-retention is contractually in force; any internal transient log is scoped to debugging.
Email delivery records	90 days	Bounce / complaint remediation and sender-reputation management.

18. Technical & Organizational Measures

Controls currently implemented or contractually in force include: tenant-isolated database queries enforced at the data-access layer; TLS 1.2+ for data in transit; AES-256 for data at rest; HMAC-signed session cookies; scoped OAuth tokens for third-party integrations with customer-revocable access; least-privilege internal access with named-individual audit trail; immutable audit logging of privileged actions; point-in-time restore at the database level; Anthropic zero-retention configuration for all LLM API calls; SendGrid domain-authentication (SPF / DKIM / DMARC) for transactional mail; Stripe PCI SAQ-A scope limitation (no card data touches our systems); CSP + HSTS + Referrer-Policy at the edge; automated dependency-vulnerability scanning; code-review + CI-gated deploys. Aligned with SOC 2 control families and NIST 800-53 Rev. 5 guidance. SOC 2 Type II readiness in progress with Vanta (controls inventory and evidence collection underway); we are not yet audit-ready and no SOC 2 certification is claimed. Controls narrative and gap assessment available under NDA. See Data Handling for the full measures list.

19. Audit Rights (Scoped to Reports)

Upon reasonable written request, and no more than once per calendar year, Athena Core Technologies, Inc. will make available to the customer the most recent SOC 2 report (or, pending completion, its equivalent internal control summary) and responses to a standard security questionnaire (SIG-Lite or CAIQ). On-site audits of Athena Core Technologies, Inc.’ systems or offices are not permitted except where required by applicable law or by a supervisory authority with jurisdiction.

20. Amendments & Change Notification

Athena Core Technologies, Inc. may update these Disclosures to reflect product changes, new sub-processors, or changes in applicable law. Material changes will be announced to active customers with reasonable notice (not less than 30 days except where a shorter period is required by law or by a supervisory authority) and, where re-acceptance is required, gated behind an in-app acceptance step before continued use. A dated changelog is maintained at the top of this page; the current version is 2026-05-07-v1.6.