Data Processing Addendum

Effective Date: April 20, 2026

Version: v1.0

Processor: Athena Core Technologies (operating the Noesis CFO platform at noesiscfo-io.us)

Controller: The customer organization identified at execution.

This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the Noesis CFO Terms of Service ("Agreement") between Athena Core Technologies ("Processor") and the customer organization ("Controller"). Where this DPA conflicts with the Agreement, this DPA controls with respect to the processing of personal data.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that the Controller submits to or generates through the Noesis CFO service.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and erasure.
"Applicable Data Protection Law" means the GDPR (Regulation (EU) 2016/679), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and any other substantially similar law applicable to the Processor's handling of Controller Personal Data.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on the Controller's behalf.

2. Scope of Processing

| Item | Detail |
|---|---|
| Subject matter | Provision of the Noesis CFO platform under the Agreement. |
| Duration | The term of the Agreement plus any retention period required by law. |
| Nature and purpose | Hosting, analyzing, and generating reports from Controller-uploaded financial and operational data. |
| Data categories | Business contact data (name, email), authentication data (hashed password, session tokens), and Controller-uploaded financial records (transactions, invoices, balance sheets, tax returns). |
| Data subjects | Controller's authorized users and, as applicable, Controller's customers, employees, or contractors whose records appear in uploaded data. |

3. Controller and Processor Obligations

The Processor will:

1. Process Personal Data only on documented instructions from the Controller, including those set out in the Agreement and this DPA.
2. Ensure that personnel authorized to process Personal Data are bound by confidentiality.
3. Implement the security measures described in Section 7.
4. Assist the Controller in responding to data-subject rights requests within the timeframes set by Applicable Data Protection Law.
5. Notify the Controller without undue delay (and in any case within 72 hours) of becoming aware of a Personal Data breach, within the meaning of GDPR Article 33 where applicable. The notification will include, to the extent then known: the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed.
6. Delete or return Personal Data at the Controller's choice upon termination, subject to Section 8.
7. Make available to the Controller all information necessary to demonstrate compliance with this DPA.

The Controller represents and warrants that:

1. It has a lawful basis for disclosing Personal Data to the Processor.
2. It has provided all notices and obtained all consents required to permit the Processor to carry out the Processing described in this DPA.
3. Its instructions comply with Applicable Data Protection Law.

4. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors as of the Effective Date:

| Sub-processor | Role | Location |
|---|---|---|
| Vercel, Inc. | Application hosting and edge CDN | United States |
| Neon, Inc. | Managed Postgres datastore | United States |
| Stripe, Inc. | Billing and payment processing | United States |
| Resend | Transactional email delivery | United States |
| Upstash, Inc. | Rate-limit and cache layer | United States |
| Anthropic, PBC | Primary LLM inference (zero-training terms) | United States |
| Plaid Inc. | Bank and card data aggregation (customer-initiated) | United States |
| Intuit Inc. (QuickBooks Online) | Accounting data integration (customer-initiated) | United States |

The Processor will provide the Controller 30 days' notice of any new sub-processor and give the Controller an opportunity to object. If the Controller reasonably objects, the Processor will either propose an alternative or permit the Controller to terminate the affected portion of the service without penalty.

5. International Data Transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to the United States or another third country, the parties agree that the transfer is governed by the Standard Contractual Clauses (SCCs) (Commission Decision (EU) 2021/914) and the UK International Data Transfer Addendum (IDTA), as applicable. The Processor acts as "data importer" and the Controller as "data exporter." Module Two (Controller-to-Processor) applies by default. Clause 7 (docking clause) and Clause 17 Option 1 (Irish law) are selected. For UK transfers, the ICO-issued IDTA supplements the SCCs per the ICO addendum template. For Swiss transfers, references to the GDPR are read as references to the revised Swiss Federal Act on Data Protection (nFADP) and the competent supervisory authority is the FDPIC.

Cayman Islands. Where Personal Data is transferred from a Controller subject to the Cayman Islands Data Protection Act 2017 ("DPA 2017"), the Controller relies on the SCCs executed with this DPA as providing "adequate protection" under DPA 2017 Schedule 4 (cross-border transfers). Controllers subject to supplemental CIMA (Cayman Islands Monetary Authority) outsourcing rules remain responsible for any CIMA notifications required of regulated entities.

6. Data Subject Rights

The Processor will provide the Controller with self-service tooling to support requests for access, correction, export, and erasure. Where a data subject contacts the Processor directly, the Processor will (a) not respond on its own behalf and (b) promptly forward the request to the Controller.

7. Security

The Processor maintains technical and organizational measures appropriate to the risk, including:

TLS 1.2+ encryption in transit, AES-256 at rest.
Tenant-isolated queries via server-side scoping (see the /legal/compliance page).
Role-based access controls; least-privilege personnel access.
Audit logging of security-relevant events in an append-only SecurityEvent table.
Destructive actions require step-up authentication and leave an audit trail.
Anthropic inference is configured with zero-training terms; a Vercel AI Gateway fallback is used only with non-training providers.
Operational backups are encrypted and purged on a 30-day rolling cycle.

8. Deletion and Return

Upon termination of the Agreement or earlier on Controller request, the Processor will within 30 days delete all Controller Personal Data, except:

Billing records required to be retained under tax, accounting, or financial regulation;
Security event logs retained for up to 13 months;
Legal acceptance records retained for up to 7 years.

Any retained categories are documented on the /legal/data-handling page.

9. Audits

The Controller may, at the Controller's cost and no more than once per calendar year, audit the Processor's compliance with this DPA upon 30 days' prior written notice during normal business hours, provided the audit does not unreasonably disrupt the Processor's business. The auditor must be an independent third party reasonably acceptable to the Processor and bound by written confidentiality obligations no less protective than Section 8 (Confidentiality) of the Agreement. Audits are limited to information and systems reasonably necessary to assess compliance with this DPA and exclude other customers' Personal Data, source code, and commercially sensitive information. In lieu of an on-site audit, the Processor may provide a then-current SOC 2 Type II report, an industry-recognized certification, or a completed CAIQ / SIG questionnaire covering the audit scope. Following a confirmed Personal Data breach materially affecting the Controller, the once-per-year limit does not apply to one (1) follow-on audit within twelve (12) months of the breach.

10. Term and Precedence

This DPA takes effect on the date the Controller counter-signs it through the Processor's platform. It remains in effect for the duration of the Agreement. Nothing in this DPA reduces the Controller's or the Processor's obligations under Applicable Data Protection Law; such law controls to the extent of any conflict.

11. Governing Law

This DPA is governed by the same law and dispute-resolution provisions as the Agreement, except for Section 5 (International Data Transfers), which is governed by the law selected in the SCCs / IDTA.

12. Counter-Signature

By executing this DPA on the Noesis CFO platform, the individual identified as the "Signer" confirms that they are duly authorized to bind the Controller organization. The Processor counter-signature is provided on the Processor's behalf at the time of execution. A copy of the executed DPA is emailed to the Signer and filed in the Processor's audit log.


Annex I - List of Parties, Transfer, and Supervisory Authority

A. List of Parties

Data Exporter (Controller): The Customer organization identified at counter-signature. Role: Controller. Activities relevant to the transfer: uploading financial, operational, and personnel-related records to the Platform for analysis, reporting, and integration-based processing.

Data Importer (Processor): Athena Core Technologies, a Delaware entity, operating the Noesis CFO platform at noesiscfo-io.us. Contact: support@noesiscfo-io.us. Role: Processor.

B. Description of the Transfer

Categories of data subjects transferred: Controller's authorized users and, as applicable, Controller's customers, employees, contractors, tenants, and counterparties whose identifying or financial information appears in records the Controller uploads.
Categories of personal data transferred: Business contact information, authentication credentials (hashed), and Controller-uploaded financial and operational records (transactions, invoices, balance sheets, rent rolls, bank transactions via Plaid, accounting ledgers via QuickBooks, tax returns).
Sensitive data transferred (if any): The Controller is not expected to upload special-category data under GDPR Article 9. If the Controller voluntarily uploads data that incidentally contains such categories, they are processed under the same technical and organizational measures as all other Personal Data and may be purged via Settings → Profile → Purge my data.
Frequency of the transfer: Continuous for the duration of the Agreement.
Nature and purpose of processing: Hosting, tenant-isolated analysis, interpretation, visualization, reporting, and delivery of financial intelligence outputs to the Controller.
Period for which data will be retained: As described in Section 8 of this DPA and the Data Handling Terms at noesiscfo-io.us/legal/data-handling; on termination, within 30 days except for billing, security-log, and legal-acceptance records retained on the bases stated.
Transfers to sub-processors: As listed in Section 4 of this DPA, each bound by a contract consistent with Clause 9 of the SCCs.

C. Competent Supervisory Authority

In accordance with Clause 13 of the SCCs, the competent supervisory authority is the Irish Data Protection Commission (per Clause 17 Option 1, selected in Section 5 of this DPA). Controllers established in another EEA Member State may lodge a complaint with their local supervisory authority without prejudice to Clause 13.

For UK transfers: The competent supervisory authority is the Information Commissioner's Office (ICO).

For Swiss transfers: The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC).

Annex II - Technical and Organizational Measures

The Processor implements the following technical and organizational measures (the "TOMs"), which are incorporated by reference from Section 7 of this DPA and Section 7 of the Data Handling Terms:

Encryption. TLS 1.2+ in transit; AES-256 at rest in the primary datastore and encrypted operational backups.
Access control. Role-based access control; least-privilege access for Processor personnel; step-up authentication for destructive actions; HMAC-signed session cookies; server-side enforced tenant isolation via the resolveOrgForSession contract.
Pseudonymization and minimization. Financial records are identified by internal surrogate keys; model inference receives only the minimum data needed to produce the requested output; no raw upload bytes are sent to third-party model providers except a single ephemeral vision pass for scanned-document OCR.
Integrity and availability. Append-only SecurityEvent audit table; health-canary cron; external uptime monitoring of /api/health; 30-day encrypted backup cycle.
Vendor management. Sub-processors selected for SOC 2 Type II or equivalent posture; each bound by a DPA containing obligations no less protective than this DPA (Clause 9 SCCs).
Data-subject rights. In-product self-serve access, export, and erasure flows (Settings → Profile) delivering within 24 hours for content data; SLA-bound support channel for identity-level requests.
Incident response. Documented incident-response runbook; 72-hour notification clock per Section 3(5) of this DPA; post-incident report with root-cause analysis and remediation within 30 days.
Training. Annual security-awareness training for all personnel with access to production systems.

The Processor reviews the TOMs at least annually and updates them as threats and best practices evolve. Material reductions require 30 days' prior notice to the Controller.

Annex III - List of Sub-processors

The list of sub-processors authorized as of the Effective Date is set out in Section 4 of this DPA. Any update to that list is treated as an update to this Annex III and is subject to the 30-day notice and objection right in Section 4.


*This DPA is effective when you click "Counter-sign this DPA" on the /legal/dpa page. You will receive a PDF receipt by email at the address you provide. For questions, contact support@noesiscfo-io.us.*
