Data Processing Addendum
- Version: 1.1
- Effective date: May 21, 2026
EVENHAND LLC — DATA PROCESSING ADDENDUM
Effective Date of this Template: May 21, 2026
Reader's Note
This Data Processing Addendum (the "DPA") supplements the Evenhand Terms of Service available at https://evenhandhq.com/terms (the "Terms") and any executed Order Form, Master Service Agreement, or Brokerage Subscription Agreement between Evenhand LLC and the Customer (each, an "Agreement"). It governs the Processing of Personal Information by Evenhand on behalf of Customer in connection with Customer's use of the Platform.
This DPA is offered in template form. To execute, the Customer (typically a Brokerage) completes the cover sheet at the end of this DPA and submits an executed copy to legal@evenhandhq.com (or accepts the in-product click-through DPA acceptance flow described in Annex 5). Upon countersignature by Evenhand or auto-acceptance per Annex 5, this DPA becomes part of the Agreement and binds the parties as of the date stated on the cover sheet.
Capitalized terms used but not defined in this DPA have the meanings given in the Terms or in the Privacy Policy at https://evenhandhq.com/privacy.
1. Definitions
For the purposes of this DPA:
- "Applicable Privacy Law" means, collectively, (a) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA") and the regulations issued thereunder; (b) the Virginia Consumer Data Protection Act ("VCDPA"); (c) the Colorado Privacy Act ("CPA"); (d) the Connecticut Data Privacy Act ("CTDPA"); (e) the Utah Consumer Privacy Act ("UCPA"); (f) the Oregon Consumer Privacy Act ("OCPA"); (g) the Texas Data Privacy and Security Act ("TDPSA"); (h) the Delaware Personal Data Privacy Act ("DPDPA"); (i) the New Hampshire Privacy Act ("NHPA"); (j) the Montana Consumer Data Privacy Act ("MTCDPA"); (k) the Iowa Consumer Data Protection Act ("ICDPA"); (l) the Indiana Consumer Data Protection Act ("INCDPA"); (m) the Tennessee Information Protection Act ("TIPA"); (n) the Florida Digital Bill of Rights ("FDBR"); (o) the Maryland Online Data Privacy Act ("MODPA"); (p) the Minnesota Consumer Data Privacy Act ("MCDPA"); (q) the New Jersey Data Privacy Law ("NJDPL"); (r) the Washington My Health My Data Act ("MHMDA") to the limited extent any consumer health data is processed; and (s) any other U.S. state or federal privacy law applicable to the Processing.
- "Business," "Business Purpose," "Consumer," "Personal Information" (or "Personal Data"), "Process" / "Processing," "Sell" / "Sale," "Service Provider" / "Processor," "Sensitive Personal Information" (or "Sensitive Data"), and "Share" / "Sharing" have the meanings given in the Applicable Privacy Law. Where a term has different meanings under different laws, the meaning under the law applicable to the specific Processing applies.
- "Authorized Affiliate" means an entity that controls, is controlled by, or is under common control with the Customer, where "control" means ownership of more than 50% of voting securities or the right to direct management and policies.
- "Consumer Request" means a request from a Consumer to exercise rights under Applicable Privacy Law, including rights of access, deletion, correction, portability, opt-out of sale or sharing, opt-out of targeted advertising, opt-out of profiling, and limitation on the use of Sensitive Personal Information.
- "Customer" means the Brokerage (or other Evenhand subscriber) that has executed this DPA, as identified in the cover sheet.
- "Customer Personal Information" means Personal Information that Customer makes available to Evenhand, or that Evenhand collects on behalf of Customer, in connection with the Services. Customer Personal Information includes the categories described in Annex 1.
- "Deal Participant Personal Information" means Personal Information of Buyers, Sellers, Service Providers, Post-Close Observers, and other individuals invited to a Deal by or through the Customer.
- "Evenhand" or "Service Provider" means Evenhand LLC, a Washington limited liability company.
- "Processing Instruction" has the meaning given in Section 3.2.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Information transmitted, stored, or otherwise Processed.
- "Services" means the Platform and related services provided by Evenhand to Customer under the Agreement.
- "Sub-Processor" means any third party engaged by Evenhand to Process Customer Personal Information on its behalf.
2. Roles and Scope
2.1 Role Allocation
The parties acknowledge that, with respect to the Processing of Customer Personal Information under this DPA:
- Customer is a Business under the CCPA/CPRA, a Controller under the VCDPA, CPA, CTDPA, UCPA, OCPA, TDPSA, DPDPA, NHPA, MTCDPA, ICDPA, INCDPA, TIPA, FDBR, MODPA, MCDPA, and NJDPL, and a regulated entity under analogous Applicable Privacy Laws.
- Evenhand is a Service Provider under the CCPA/CPRA, a Processor under the VCDPA, CPA, CTDPA, UCPA, OCPA, TDPSA, DPDPA, NHPA, MTCDPA, ICDPA, INCDPA, TIPA, FDBR, MODPA, MCDPA, and NJDPL, and engages with Customer Personal Information solely to provide the Services to Customer.
The parties acknowledge that, with respect to Personal Information that Evenhand Processes for its own business purposes (e.g., billing, security monitoring, product analytics on metadata, fraud prevention, satisfying its own legal obligations, and creating de-identified or Aggregated Data per the Terms), Evenhand acts as a Business, Controller, or regulated entity in its own right. This DPA does not govern that Processing; the Privacy Policy does.
2.2 Subject Matter, Nature, Duration, and Purpose
The subject matter, nature, duration, purpose, categories of Personal Information, and categories of data subjects are set out in Annex 1.
2.3 Limited Purposes
Evenhand will Process Customer Personal Information only for the following Business Purposes:
(a) providing, operating, maintaining, and supporting the Services as described in the Agreement and the Documentation; (b) responding to Customer's documented Processing Instructions, including assisting Customer with Consumer Requests as described in Section 6; (c) detecting, preventing, investigating, and addressing security incidents, fraud, illegal activity, and violations of the Terms or the Acceptable Use Policy; (d) ensuring the integrity, quality, and reliability of the Services, including the operation of the integrity-signal features (multi-role collision detection, prequal forgery signals, attestation capture, issuer confirmation); (e) complying with applicable law and responding to lawful governmental requests; and (f) performing other services for Customer as expressly authorized in writing.
Evenhand will not Process Customer Personal Information for any purpose other than the foregoing or as expressly permitted by Applicable Privacy Law for Service Providers.
3. Customer Obligations and Instructions
3.1 Customer Compliance
Customer represents and warrants that:
(a) it has provided all notices and obtained all rights, consents, and authorizations necessary under Applicable Privacy Law for Evenhand to Process Customer Personal Information in accordance with this DPA; (b) the Processing Instructions it issues comply with Applicable Privacy Law and do not require Evenhand to violate any law to which Evenhand is subject; (c) the Personal Information it makes available to Evenhand was collected lawfully and in compliance with all applicable notices (including the notice-at-collection requirements of the CCPA/CPRA); (d) it will maintain its own internal records of Consumer Requests and rights exercises as required by Applicable Privacy Law; and (e) it has read and understood the Privacy Policy, including the Sub-Processor list, and consents to the Sub-Processors identified there in connection with the Services.
3.2 Processing Instructions
"Processing Instructions" means Customer's documented instructions to Evenhand regarding the Processing of Customer Personal Information. The following are deemed Processing Instructions of Customer:
(a) the Agreement (including the Terms); (b) this DPA, including its annexes; (c) Customer's configuration of the Services through the user interface, the API, the MCP server, or Webhook configuration (including access-control settings, integration authorizations, and retention configurations); (d) Customer's specific instructions submitted in writing to legal@evenhandhq.com or through an authorized in-product mechanism; and (e) the Privacy Policy as in effect from time to time.
Evenhand will Process Customer Personal Information in accordance with the Processing Instructions and not otherwise, except as expressly required by applicable law (in which case Evenhand will, where lawful, notify Customer of the legal requirement before Processing).
3.3 Notification of Non-Compliant Instructions
If Evenhand determines, in its reasonable judgment, that a Processing Instruction violates Applicable Privacy Law or would cause Evenhand to violate any other law to which it is subject, Evenhand will promptly notify Customer in writing. Evenhand may suspend Processing under the disputed instruction pending Customer's confirmation, withdrawal, or modification of the instruction.
4. Evenhand's Service Provider Obligations
4.1 CCPA/CPRA Service Provider Restrictions
Evenhand will not:
(a) Sell or Share Customer Personal Information (as those terms are defined in the CCPA/CPRA), including for cross-context behavioral advertising; (b) retain, use, or disclose Customer Personal Information for any purpose other than the Business Purposes set out in Section 2.3, including any commercial purpose unrelated to providing the Services; (c) retain, use, or disclose Customer Personal Information outside the direct business relationship between Customer and Evenhand, except as required by law or for the Business Purposes set out in Section 2.3; (d) combine Customer Personal Information received from Customer with Personal Information that Evenhand receives from any other source, or that Evenhand collects from any interaction between Evenhand and a Consumer, except as expressly permitted by 11 Cal. Code Regs. § 7050(b) (i.e., for the Business Purposes for which Evenhand was engaged, to detect security incidents, to comply with applicable law, or as otherwise permitted); (e) use Customer Personal Information for any purpose, including training or improving any non-Evenhand model or service, that would exceed the scope of a Service Provider relationship; or (f) attempt to re-identify any de-identified or Aggregated Data derived from Customer Personal Information.
Evenhand will notify Customer if Evenhand determines that it can no longer meet its obligations under Applicable Privacy Law. Customer may, on receipt of such notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
4.2 Equivalent Obligations Under Other Applicable Privacy Laws
To the extent the Processing is subject to the VCDPA, CPA, CTDPA, UCPA, OCPA, TDPSA, DPDPA, NHPA, MTCDPA, ICDPA, INCDPA, TIPA, FDBR, MODPA, MCDPA, NJDPL, or other state law imposing analogous Processor obligations, Evenhand will:
(a) Process Customer Personal Information only on Customer's documented instructions; (b) ensure that personnel authorized to Process Customer Personal Information are bound by appropriate confidentiality obligations; (c) implement appropriate technical and organizational security measures (see Section 5 and Annex 2); (d) engage Sub-Processors only in accordance with Section 8; (e) assist Customer with Consumer Requests in accordance with Section 6; (f) assist Customer with Security Incident notification, data protection assessments, and consultations with regulators, as applicable; (g) at the choice of Customer, return or delete Customer Personal Information at the end of the Services, in accordance with Section 9; and (h) make available to Customer information reasonably necessary to demonstrate compliance with this DPA, in accordance with Section 10.
4.3 Sensitive Personal Information
Customer Personal Information may include Sensitive Personal Information under the CCPA/CPRA and analogous categories under other Applicable Privacy Laws, including (without limitation) account log-in credentials and financial account information contained in uploaded financial documents (bank statements, tax returns) and OAuth-authorized accounting connections.
Evenhand will Process Sensitive Personal Information only for the purposes permitted under California Civil Code § 1798.121 and analogous provisions of other Applicable Privacy Laws — i.e., as necessary to perform the Services, ensure security and integrity, detect fraud and abuse, comply with legal obligations, and verify the quality and safety of the Services. Evenhand will not use Sensitive Personal Information for advertising, profiling, or any other purpose that would trigger a Consumer's right to limit use under California Civil Code § 1798.121.
4.4 Children's Data
The Services are not directed to children under 18 (and certainly not to children under 13). Customer represents and warrants that it will not knowingly upload, transmit, or otherwise make available to Evenhand any Personal Information of a child under 18. If either party becomes aware that the Services contain such information, that party will promptly notify the other and the parties will cooperate in good faith to delete it.
4.5 Health Data
The Services are not designed for and should not be used to Process Protected Health Information ("PHI") under HIPAA. Evenhand does not offer a Business Associate Agreement, and this DPA does not create a HIPAA business-associate relationship. Customer further represents and warrants that the Customer Personal Information made available to Evenhand will not include consumer health data within the meaning of the Washington My Health My Data Act (RCW 19.373) except to the limited extent such data may be incidentally included in uploaded documents (e.g., an employee benefits census). Customer assumes responsibility for compliance with the MHMDA with respect to any such incidentally included data.
5. Security
5.1 Technical and Organizational Measures
Evenhand will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. A description of the measures in place as of the Effective Date of this DPA is set out in Annex 2.
Evenhand may update its security measures from time to time, provided that any update will not materially reduce the level of protection. Evenhand will revise Annex 2 to reflect material updates.
5.2 Personnel
Evenhand will:
(a) ensure that personnel with access to Customer Personal Information are subject to written confidentiality obligations or are bound by an appropriate statutory or professional obligation of confidentiality; (b) provide training on data protection and security appropriate to their role and access level; (c) limit personnel access to Customer Personal Information to those with a legitimate need-to-know for the performance of the Services; (d) maintain a process for promptly revoking access on termination of employment or change of role; and (e) require multi-factor authentication and the use of hardware security factors for personnel accessing production systems containing Customer Personal Information.
5.3 Sub-Processor Security
Evenhand will impose on each Sub-Processor written obligations that are substantially equivalent to those imposed on Evenhand under this Section 5 and Section 4. Evenhand remains responsible to Customer for the acts and omissions of its Sub-Processors with respect to Customer Personal Information.
6. Assistance with Consumer Requests
6.1 Receipt of Consumer Requests by Evenhand
If Evenhand receives a Consumer Request directed to Customer Personal Information, Evenhand will:
(a) without undue delay, and in any event within five (5) business days of receipt, forward the request to Customer's designated contact (or, if none, to the Customer billing contact); and (b) not respond to the request directly, except to confirm receipt and to direct the Consumer to Customer, unless Customer instructs otherwise or Applicable Privacy Law requires direct response.
6.2 Assistance to Customer
Evenhand will, taking into account the nature of the Processing and the information available to Evenhand, assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill its obligation to respond to Consumer Requests, including:
(a) Right to Know / Access: Customer can export Customer Personal Information through the in-product export tools (account exports, Deal Data exports, audit log exports). Where a Consumer Request requires data not available through these tools, Evenhand will make reasonable efforts to provide the data to Customer in a structured, commonly used, machine-readable format.
(b) Right to Delete: Customer can delete records and accounts through the in-product controls (subject to the retention exceptions in the Privacy Policy and Section 9 below). For deletions that cannot be effected through the in-product controls, Customer can submit a request to legal@evenhandhq.com; Evenhand will action verified requests within thirty (30) days unless a longer period is permitted under Applicable Privacy Law.
(c) Right to Correct: Customer can correct records through the in-product editing tools. For corrections that cannot be effected through the in-product tools (e.g., immutable audit log entries), Evenhand will make reasonable efforts to assist, recognizing that some records cannot be modified consistent with their integrity purpose.
(d) Right to Opt Out of Sale / Sharing / Targeted Advertising / Profiling: Evenhand does not Sell or Share Customer Personal Information, does not use it for targeted advertising, and does not engage in profiling that produces legal or similarly significant effects. No opt-out action is required.
(e) Right to Limit Use of Sensitive Personal Information: Evenhand uses Sensitive Personal Information only for the limited Business Purposes described in Section 4.3. Customers (and through them, Consumers) may request that Evenhand further limit use by contacting legal@evenhandhq.com.
6.3 Costs
Evenhand will provide assistance under this Section 6 at no additional charge for ordinary requests. For unusually voluminous, complex, or repeated requests, Evenhand may charge a reasonable fee based on its administrative costs, with prior notice to Customer.
6.4 Verification
Customer is responsible for verifying the identity of the Consumer making the request. Evenhand may decline to action a Consumer Request forwarded by Customer if Customer has not represented in writing that it has verified the Consumer's identity in accordance with Applicable Privacy Law.
7. Security Incidents
7.1 Notification
If Evenhand becomes aware of a Security Incident affecting Customer Personal Information, Evenhand will:
(a) notify Customer's designated contact (or, if none, the Customer billing contact) without undue delay and in any event within seventy-two (72) hours of becoming aware of the Security Incident; (b) provide information reasonably available to Evenhand to enable Customer to comply with its own notification obligations under Applicable Privacy Law, including (to the extent known and as it becomes available) (i) a description of the nature of the Security Incident, the categories of Customer Personal Information affected, and the approximate number of records affected; (ii) the likely consequences; (iii) the measures taken or proposed to address the Security Incident and to mitigate its possible adverse effects; and (iv) the contact details of a person at Evenhand from whom further information can be obtained; (c) take reasonable steps to mitigate the effects of the Security Incident and to prevent its recurrence; and (d) cooperate with Customer's reasonable requests for further information and assistance in connection with the Security Incident.
7.2 Scope
A Security Incident does not include unsuccessful access attempts, unsuccessful login attempts, port scans, denial-of-service attacks that did not result in unauthorized access to Personal Information, or similar events that did not result in actual unauthorized access to or acquisition of Customer Personal Information. Evenhand may aggregate routine security event data in periodic security reports rather than reporting them as Security Incidents.
7.3 No Admission of Liability
Notification of a Security Incident is not an acknowledgment of fault or liability. Evenhand's notification will not be used as evidence of fault or liability in any proceeding except as required by law.
7.4 Coordination
Customer and Evenhand will coordinate, in good faith, on the content, recipients, and timing of any external communications (including consumer notifications, regulator notifications, and public statements) relating to a Security Incident. Where notification to consumers or regulators is required by law, the obligated party will fulfill that obligation; the other party will cooperate as reasonably necessary to enable compliance.
8. Sub-Processors
8.1 Authorized Sub-Processors
Customer authorizes Evenhand to engage the Sub-Processors listed in Annex 3, which is identical to (or a reference to) the Sub-Processor list maintained in Section 5 of the Privacy Policy. Customer's acceptance of this DPA constitutes a general written authorization for Evenhand to engage these Sub-Processors and to make changes to the list in accordance with Section 8.2.
8.2 New Sub-Processors
Evenhand will provide Customer with at least thirty (30) days' prior notice of any addition or replacement of a Sub-Processor that will Process Customer Personal Information. Notice will be provided by (i) updating the Sub-Processor list in the Privacy Policy, (ii) email to Customer's designated contact where Customer has subscribed to Sub-Processor notifications at https://evenhandhq.com/subprocessors (or successor URL), or (iii) a notice via the Platform.
8.3 Right to Object
Customer may object to a new Sub-Processor on reasonable data-protection grounds (e.g., the Sub-Processor's known security failures, prior breaches, or material inability to provide equivalent protections) by notifying legal@evenhandhq.com within fifteen (15) days of the notice. Customer's objection must include the specific data-protection grounds for the objection.
If Customer objects on reasonable data-protection grounds, the parties will work in good faith to find a commercially reasonable alternative. If no alternative is available, Customer may, as its sole remedy, terminate the Agreement (or the affected portion of the Agreement) by written notice to Evenhand, in which case Evenhand will refund any prepaid fees for the unused portion of the term. If Customer does not object within the fifteen (15) day period, Customer is deemed to have consented to the new Sub-Processor.
8.4 Sub-Processor Obligations
Before engaging a new Sub-Processor to Process Customer Personal Information, Evenhand will:
(a) conduct reasonable due diligence on the Sub-Processor's data-protection and security practices; (b) enter into a written agreement with the Sub-Processor imposing data-protection obligations substantially equivalent to those in this DPA, including obligations of confidentiality, security, restricted Processing purposes, and assistance with rights requests; and (c) remain liable to Customer for the acts and omissions of the Sub-Processor with respect to Customer Personal Information, to the same extent as if performed by Evenhand directly.
8.5 Onward Sub-Processors
A Sub-Processor's engagement of its own sub-processors (e.g., Vercel's use of CDN partners; Anthropic's use of cloud infrastructure providers) is governed by the Sub-Processor's own agreements and is not subject to this Section 8 directly. Evenhand's obligation is to flow down protective terms to its immediate Sub-Processors.
9. Return and Deletion of Customer Personal Information
9.1 During the Term
During the term of the Agreement, Customer may export, delete, or otherwise manage Customer Personal Information through the in-product controls and the API.
9.2 At Termination
Within thirty (30) days following the termination or expiration of the Agreement, Customer may export Customer Personal Information through the in-product export tools. Within an additional thirty (30) days following the end of that export period (a total of sixty (60) days from termination), Evenhand will delete or anonymize Customer Personal Information from its production systems, subject to the exceptions in Section 9.3.
9.3 Retention Exceptions
Evenhand may retain Customer Personal Information after termination to the extent (and for so long as):
(a) required by applicable law, regulation, court order, or governmental request; (b) reasonably necessary to establish, exercise, or defend legal claims, including data subject to a litigation hold; (c) necessary for the operation of immutable audit logs, hash-chained transaction records, and supersedes chains, which serve as integrity-bearing evidence of past activity and cannot be selectively modified; (d) retained in encrypted backup tapes or snapshots that are not actively used and that will roll off in accordance with Evenhand's backup retention policy; (e) anonymized or Aggregated Data that no longer constitutes Personal Information; or (f) reasonably necessary for fraud prevention, security incident investigation, or enforcement of the Terms or the AUP.
Customer Personal Information retained under this Section 9.3 remains subject to the security, confidentiality, and use restrictions of this DPA for so long as it remains in Evenhand's possession or control.
9.4 Certification
Upon Customer's reasonable written request following the deletion period in Section 9.2, Evenhand will provide a written confirmation that it has deleted or anonymized Customer Personal Information in accordance with this Section 9, subject to the retention exceptions in Section 9.3.
10. Information, Audits, and Cooperation
10.1 Information Rights
To enable Customer to demonstrate compliance with its obligations under Applicable Privacy Law, Evenhand will make available to Customer on reasonable written request:
(a) the then-current DPA and Privacy Policy; (b) the then-current Sub-Processor list (Annex 3); (c) the then-current technical and organizational measures (Annex 2); (d) summary descriptions of Evenhand's security program, incident-response procedures, and personnel-training program; (e) any third-party audit reports, certifications, or attestations Evenhand maintains (e.g., SOC 2 reports, ISO 27001 certification, penetration test summaries, where available), subject to confidentiality obligations; and (f) any other information reasonably necessary to demonstrate compliance with this DPA and Applicable Privacy Law, to the extent it can be provided consistent with Evenhand's confidentiality and security obligations to its other customers and Sub-Processors.
10.2 Audits
To the extent Applicable Privacy Law requires that Customer be permitted to audit Evenhand's compliance with this DPA, Customer's audit rights are satisfied by Evenhand's provision of the materials in Section 10.1. If those materials are insufficient under Applicable Privacy Law for a specific Processing activity, Customer may, on at least sixty (60) days' prior written notice and no more than once in any twelve (12) month period (except where required following a Security Incident affecting Customer Personal Information or where required by a regulator), conduct an on-site or remote audit of Evenhand's Processing of Customer Personal Information.
Each audit will be conducted (i) by Customer's own qualified personnel or by an independent qualified third-party auditor engaged by Customer (and not a competitor of Evenhand), each subject to written confidentiality obligations at least as protective as Section 11; (ii) during Evenhand's normal business hours; (iii) in a manner that does not unreasonably interfere with Evenhand's operations; (iv) subject to Evenhand's reasonable security and confidentiality requirements; and (v) at Customer's expense, except that if the audit reveals a material breach of this DPA by Evenhand, the reasonable costs of the audit will be reimbursed by Evenhand.
Audits will not include access to (a) any data of Evenhand's other customers; (b) any personnel records of Evenhand's employees; (c) any source code or confidential business information of Evenhand that is not reasonably necessary to assess compliance with this DPA; or (d) any system that Evenhand demonstrates is not used to Process Customer Personal Information.
10.3 Regulator Inquiries
If Evenhand receives a regulatory inquiry, subpoena, or order relating to Customer Personal Information, Evenhand will, to the extent legally permitted, promptly notify Customer's designated contact before responding. Evenhand will cooperate with Customer on the content and timing of any response, except to the extent prohibited by law.
11. Confidentiality
Each party will treat the other party's Confidential Information disclosed in connection with this DPA in accordance with the confidentiality provisions of the Agreement (Terms §10 if no separately negotiated confidentiality terms apply). The terms of this DPA and any audit results obtained under Section 10.2 are themselves Confidential Information of both parties.
12. Liability
12.1 Aggregate Liability Cap
Each party's liability arising out of or related to this DPA (including any breach of this DPA), whether in contract, tort, or under any other theory of liability, is subject to the aggregate liability cap and exclusions in the Agreement. Multiple claims will not enlarge that cap.
12.2 Indemnification
The indemnification provisions of the Agreement (Terms §16) apply to claims arising out of or related to this DPA, except that:
(a) Evenhand will defend, indemnify, and hold harmless Customer against third-party claims to the extent arising from Evenhand's material breach of its obligations under Section 4 (Service Provider restrictions), Section 5 (Security), Section 7 (Security Incident notification), or Section 9 (return/deletion); and (b) Customer will defend, indemnify, and hold harmless Evenhand against third-party claims to the extent arising from Customer's breach of Section 3 (Customer obligations and instructions), including Customer's failure to obtain required consents or notices, Customer's submission of Processing Instructions that violate Applicable Privacy Law, or Customer's upload of prohibited content.
12.3 Allocation Between Parties
In the case of a Security Incident or Processing failure where both parties bear some responsibility (e.g., Customer's misconfiguration of access controls combined with Evenhand's failure to enforce a security control), liability will be allocated in accordance with each party's relative fault, as determined by mutual agreement or, failing agreement, by the dispute-resolution process in the Agreement.
13. Term
This DPA takes effect on the date of countersignature by Evenhand (or, in the case of click-through acceptance per Annex 5, the date of acceptance by Customer) and continues for the term of the Agreement. Provisions that by their nature should survive termination (including Sections 7 with respect to Security Incidents occurring during the term, 9, 10.2 with respect to the audit period, 11, 12, and this Section 13) will survive.
14. Order of Precedence
In the event of conflict between this DPA and any other component of the Agreement with respect to the Processing of Customer Personal Information, the order of precedence is:
- Any executed Order Form or Master Service Agreement that expressly amends this DPA
- This DPA
- The Terms
- The Privacy Policy
- The Documentation
This DPA does not apply to, and does not amend, any provisions of the Agreement that do not relate to the Processing of Personal Information.
15. Miscellaneous
15.1 Amendments
Evenhand may update this DPA template from time to time to reflect changes in Applicable Privacy Law, in Evenhand's Sub-Processor list, or in Evenhand's security measures, provided that no update will materially reduce the protections provided to Customer Personal Information. The current template will be posted at https://evenhandhq.com/legal/dpa. Updates that materially expand Customer's obligations require Customer's written consent (which may be provided by re-acceptance through the click-through flow in Annex 5).
15.2 Notices
Notices under this DPA should be sent in accordance with the notice provisions of the Terms.
15.3 Governing Law
This DPA is governed by the law specified in the Terms.
15.4 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force, and the parties will negotiate in good faith to replace the invalid provision with a valid provision that achieves the same intent to the maximum extent permitted by law.
15.5 No Third-Party Beneficiaries
Except as expressly stated, this DPA does not confer rights on any third party.
15.6 Counterparts and Electronic Signature
This DPA may be executed in counterparts, including by electronic signature or by click-through acceptance per Annex 5. Each counterpart is an original; together they form a single agreement.
ANNEX 1 — DESCRIPTION OF PROCESSING
A. Subject Matter and Duration
Evenhand's Processing of Customer Personal Information consists of providing the Services described in the Agreement. Processing continues for the term of the Agreement, subject to the post-termination retention and deletion provisions in Section 9 of the DPA.
B. Nature and Purpose
The nature of the Processing consists of: receiving, storing, organizing, structuring, transmitting, displaying, analyzing, generating outputs from, encrypting, securing, retrieving, deleting, anonymizing, and providing access to Customer Personal Information for the purposes set out in Section 2.3 of the DPA.
C. Categories of Data Subjects
Customer Personal Information may relate to the following categories of data subjects:
- Customer's officers, directors, employees, agents, and authorized users of the Platform (Broker Users, Brokerage Administrators, Brokerage Managers);
- Buyers invited to or self-enrolled in Deals managed by Customer through the Platform;
- Sellers of businesses listed by or for Customer on the Platform;
- Service Providers engaged in connection with Deals;
- Post-Close Observers granted access by Customer;
- Issuers of financing prequalification or proof-of-funds documents (third-party data subjects);
- Other individuals named in or whose Personal Information appears within documents uploaded to Deals (e.g., key employees of target businesses; references); and
- Visitors to evenhandhq.com associated with Customer's account.
D. Categories of Personal Information
Customer Personal Information may include the following categories:
- Identifiers: name, email address, phone number, account identifier, IP address, user-agent string
- Professional information: title, role, brokerage affiliation, professional credentials, license numbers
- Authentication credentials: hashed passwords, MFA factors (held by Evenhand's authentication Sub-Processor; not visible to Evenhand staff)
- Commercial information: Deal terms, offer amounts, transaction records, fee structures
- Financial information: financial statements, tax returns, bank statements, accounting system data (via OAuth), customer concentration data, proof of funds documentation
- Behavioral and usage data: Platform usage logs, audit logs, attestation records, IP-based collision signals
- AI-processed content: documents and structured data submitted to AI-assisted features for extraction, mapping, or summarization
- Communications: in-app messages, comments, document annotations
- Geolocation (approximate): city/region inferred from IP address
- Sensitive Personal Information (as defined in the CCPA/CPRA): account log-in credentials and financial account information contained in uploaded documents or OAuth-authorized integrations
E. Frequency of Processing
Continuous, for the duration of the Agreement.
F. Retention
Customer Personal Information is retained in accordance with the retention schedule in Section 8 of the Privacy Policy and the post-termination provisions in Section 9 of this DPA. Material retention periods include:
- Account information: duration of subscription + 90 days
- Deal Data (identified): 7 years after Deal closure
- Audit logs: 7 years minimum after Deal closure (immutable)
- Buyer offer attestation records: 7 years from submission
- Issuer confirmation records: 3 years from submission
- Aggregated Data: indefinite (no longer constitutes Personal Information)
ANNEX 2 — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
A. Information Security Program
Evenhand maintains an information security program designed to protect the confidentiality, integrity, and availability of Customer Personal Information. The program is reviewed at least annually and updated to address evolving threats and technologies.
B. Access Controls
- Role-based access controls within the Platform, with two authorization paths: organization-based access for Broker Users (Clerk Organizations) and user-based access linked through deal_participants for Buyers, Sellers, Service Providers, and Post-Close Observers.
- Row-level security (RLS) enforced at the database layer, keyed on ten session GUCs (PostgreSQL Grand Unified Configuration parameters set per database session), so that tenant scoping is applied by the database itself rather than only by application code.
- Cross-tenant access probe suite enforced as a continuous-integration gate on every code change to detect regressions in tenant isolation.
- Multi-factor authentication available for all User accounts and required for accounts with elevated privileges.
- Hardware security keys (e.g., YubiKey) required for personnel accessing critical production infrastructure.
- Principle of least privilege for internal personnel access.
- Automated access revocation on personnel separation or role change.
C. Encryption
- Encryption in transit using TLS 1.2 or higher for all client–server communications and inter-service communications.
- Encryption at rest in the production database and backup systems.
- AES-256-GCM encryption with key material held outside the database for OAuth refresh tokens (Calendar, accounting, e-signature, document storage integrations).
D. Integrity and Auditability
- Append-only, cryptographically hash-chained audit log.
- Tamper-evident accounting snapshots with SHA-256 integrity hashes of provider payloads.
- Append-only QoE financial uploads with explicit supersedes chain; previous versions are preserved and visible in the supersedes graph.
- Buyer offer attestation records preserved with timestamp, IP address, user-agent, attestation version identifier, and SHA-256 hash of the attested text.
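The following is an added illustration, not Evenhand's code, of how an append-only, hash-chained audit log of the kind listed in item D, carrying attestation records with the fields named in the last bullet, makes edits, deletions and reordering detectable after the fact. The genesis value, field names and sample records are assumptions made for this example.

```python
"""Added example (not Evenhand's implementation): an append-only, SHA-256
hash-chained audit log with a verifier. Each entry commits to the hash of
its predecessor, so changing, removing or reordering any earlier entry
invalidates every entry after it. Field names, the genesis anchor and the
sample records are assumptions for this illustration."""
import copy
import hashlib
import json
from typing import Any, Dict, List

GENESIS = "0" * 64  # assumed anchor for the first entry's prev_hash


def canonical(payload: Dict[str, Any]) -> bytes:
    # Deterministic serialisation so identical records always hash identically.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, payload: Dict[str, Any]) -> str:
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(payload))
    return h.hexdigest()


def append(log: List[Dict[str, Any]], payload: Dict[str, Any]) -> Dict[str, Any]:
    # Only appends are allowed; nothing in this module updates or deletes entries.
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "prev_hash": prev, "payload": payload,
             "hash": entry_hash(prev, payload)}
    log.append(entry)
    return entry


def verify(log: List[Dict[str, Any]]) -> List[str]:
    """Return the problems found; an empty list means the chain is intact."""
    problems: List[str] = []
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence gap or reordering")
        if entry["prev_hash"] != expected_prev:
            problems.append(f"entry {i}: prev_hash does not match entry {i - 1}")
        if entry_hash(entry["prev_hash"], entry["payload"]) != entry["hash"]:
            problems.append(f"entry {i}: payload or hash altered")
        expected_prev = entry["hash"]
    return problems


def attestation_record(buyer: str, ip: str, user_agent: str, version: str,
                       attested_text: str, timestamp: str) -> Dict[str, Any]:
    # Mirrors the fields listed in Annex 2 D for a buyer offer attestation:
    # the hash of the attested text fixes exactly which wording was accepted.
    return {"event": "buyer_offer_attestation", "buyer": buyer, "ip": ip,
            "user_agent": user_agent, "attestation_version": version,
            "attested_text_sha256": hashlib.sha256(attested_text.encode()).hexdigest(),
            "timestamp": timestamp}


def build_sample_log() -> List[Dict[str, Any]]:
    # Constructed sample records; identifiers and values are invented.
    log: List[Dict[str, Any]] = []
    append(log, {"event": "deal_participant_added", "deal": "deal-0001",
                 "user": "buyer-42", "role": "buyer", "timestamp": "2026-05-21T10:00:00Z"})
    append(log, attestation_record("buyer-42", "203.0.113.7", "Mozilla/5.0 (example)",
                                   "attest-v3", "I confirm this offer is bona fide.",
                                   "2026-05-21T10:05:00Z"))
    append(log, {"event": "offer_submitted", "deal": "deal-0001", "user": "buyer-42",
                 "offer_amount": 1250000, "timestamp": "2026-05-21T10:05:01Z"})
    return log


def delete_entry(log: List[Dict[str, Any]], seq: int) -> List[Dict[str, Any]]:
    # Simulates an attacker dropping one record; returns a modified copy.
    tampered = copy.deepcopy(log)
    del tampered[seq]
    return tampered


def edit_and_recompute(log: List[Dict[str, Any]], seq: int, field: str,
                       value: Any) -> List[Dict[str, Any]]:
    # Simulates an attacker who edits a record AND recomputes that entry's own
    # hash; the chain still exposes it through the next entry's prev_hash.
    tampered = copy.deepcopy(log)
    tampered[seq]["payload"][field] = value
    tampered[seq]["hash"] = entry_hash(tampered[seq]["prev_hash"], tampered[seq]["payload"])
    return tampered


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify(sample))
    print("deleted:", verify(delete_entry(sample, 1)))
    print("edited:", verify(edit_and_recompute(sample, 2, "offer_amount", 1000000)))
```

Recomputing a single entry's hash does not help the attacker because the following entry still names the old hash; only someone who can rewrite every later entry (which an append-only store should prevent) could hide the change. In practice the most recent hash should also be periodically anchored somewhere outside the database (a signed statement, a separate write-once store) so that the tail of the chain cannot be truncated silently.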
E. Personnel Security
- Background checks (criminal record check, employment verification) for personnel with access to production systems containing Customer Personal Information, to the extent permitted by law.
- Written confidentiality obligations binding on all personnel.
- Mandatory data-protection and security training on hire and annually thereafter.
- Acceptable Use Policy applicable to personnel use of internal systems.
F. Vendor and Sub-Processor Management
- Due diligence on Sub-Processors prior to engagement.
- Written agreements with Sub-Processors imposing data-protection obligations substantially equivalent to those in this DPA.
- Periodic review of Sub-Processor compliance.
G. Operational Security
- Automated continuous integration / continuous deployment pipeline with type checking, linting, automated testing, and cross-tenant access probes.
- Signed commits required for code changes.
- Error tracking and security alerting through Sentry with immediate notification on security-tagged events.
- Centralized credential management through an enterprise password manager with vault separation.
- Documented runbooks for incident response, token rotation, and revocation flows.
H. Network Security
- Bot detection and rate-limiting via Cloudflare Turnstile and Upstash Redis.
- Web Application Firewall protections via Vercel and Cloudflare.
- Geographic and IP-reputation-based access controls.
I. Business Continuity
- Database backups taken on a rolling 30-day cycle.
- Application hosting on a globally distributed edge network (Vercel) with multi-region failover.
- Documented disaster-recovery plan.
J. Incident Response
- Documented Security Incident response procedures.
- Designated security contact (security@evenhandhq.com) monitored during business hours and via on-call rotation.
- Coordination with Customer for Security Incidents affecting Customer Personal Information as described in Section 7 of the DPA.
K. Certifications and Audits
- Evenhand has not completed a SOC 2 audit, ISO 27001 certification, HIPAA assessment, or PCI-DSS assessment. Evenhand pursues independent security audits and attestations as its security program matures and will update this Annex when its certification status changes.
- Evenhand conducts internal security reviews and engages independent third-party security testing as appropriate to the maturity of its security program.
- The Platform is not designed to process protected health information under HIPAA, full payment card data, or other regulated data classes for which formal certification is required.
L. Sub-Processors
The current list of Sub-Processors and their respective security and data-protection postures is set out in Annex 3 and at https://evenhandhq.com/privacy (Section 5).
ANNEX 3 — SUB-PROCESSOR LIST
The following Sub-Processors are authorized to Process Customer Personal Information as of the Effective Date of this DPA. This list is identical to (and may be incorporated by reference from) Section 5 of the Privacy Policy at https://evenhandhq.com/privacy. Customers may subscribe to notifications of changes at https://evenhandhq.com/subprocessors.
| Sub-Processor | Purpose | Data Categories | Data Location |
|---|---|---|---|
| Clerk, Inc. | Authentication, account management, MFA, organization membership | Identifiers, hashed credentials, MFA factors, session tokens | United States |
| Neon, Inc. (on AWS) | Primary database hosting (PostgreSQL) | All Platform data | AWS US-West-2 (Oregon) |
| Vercel Inc. | Application hosting, edge delivery | Identifiers, IP, request logs | United States (global edge) |
| Anthropic, PBC | AI-assisted PDF extraction and column mapping | Uploaded financial document contents; structured-data headers and sample rows | United States |
| Stripe, Inc. | Payment processing | Billing identifiers, payment method tokens | United States |
| Resend, Inc. | Transactional email delivery | Identifiers, email content | United States |
| Upstash, Inc. | Rate limiting, caching | Rate-limit keys, IP-derived signals | United States |
| Cloudflare, Inc. | Bot detection (Turnstile), DDoS protection | IP, challenge-response signals | United States (global) |
| Sentry (Functional Software, Inc.) | Error tracking and security alerting | Application error context, partial request data | United States |
| PostHog Inc. | Product analytics (cookieless, autocapture disabled) | Anonymized event data | United States |
| Better Stack (Productive Inc.) | Uptime monitoring and status page | Monitoring endpoint URLs, response metadata | United States |
| Dropbox Sign (HelloSign), Inc. | E-signature workflow (Evenhand-managed and BYO modes) | Signatory identifiers, signed document references | United States |
| DocuSign, Inc. | E-signature workflow (BYO mode) | Signatory identifiers, signed document references | United States |
User-authorized OAuth integrations (engaged on Customer's explicit direction, processing data only on Customer's authorization): Google (Calendar, Drive), Microsoft (Graph / Outlook), QuickBooks Online, Xero, NetSuite, Firmex, iDeals, Dropbox Business. The privacy practices of these providers are governed by their respective agreements with Customer.
Webhook recipients (Customer-configured endpoints to which Evenhand transmits event payloads at Customer's direction): the operators of those endpoints are not Evenhand Sub-Processors; they are recipients designated by Customer. Customer is responsible for the security and data-protection posture of its Webhook endpoints.
ANNEX 4 — DESIGNATED CONTACTS
For the avoidance of doubt, the following designated contacts apply to communications under this DPA.
A. Evenhand Designated Contacts
- Data Protection / Privacy Inquiries: legal@evenhandhq.com
- Security Incidents and Vulnerabilities: security@evenhandhq.com
- Sub-Processor Notifications and Objections: legal@evenhandhq.com
- Audit Requests: legal@evenhandhq.com
- General Account Support: support@evenhandhq.com
B. Customer Designated Contacts
Customer's designated contacts are set out on the cover sheet at the end of this DPA, or as updated from time to time by written notice to Evenhand. If Customer has not designated specific contacts, the email address associated with the Brokerage Administrator role on Customer's account will be used.
ANNEX 5 — EXECUTION MECHANICS
This DPA may be executed in one of three ways:
Option A — Wet or Electronic Signature on the Cover Sheet
The Customer's authorized signatory completes and signs the cover sheet below. The signed cover sheet is returned to legal@evenhandhq.com. Evenhand countersigns and returns a fully executed copy. The Effective Date is the date of Evenhand's countersignature unless otherwise indicated on the cover sheet.
Option B — Click-Through Acceptance in the Platform
Customer's authorized Brokerage Administrator may accept this DPA on behalf of Customer through the in-product DPA acceptance flow at Settings → Compliance → Data Processing Addendum. The acceptance flow:
(a) presents the then-current DPA in full; (b) requires the Brokerage Administrator to certify their authority to bind the Customer; (c) captures the entity name, signatory name, signatory title, email address, IP address, user agent, timestamp, and SHA-256 hash of the accepted DPA text; (d) generates a counter-signed PDF copy that is emailed to the Customer's billing and legal contacts and made available for download in the account; and (e) takes effect immediately upon acceptance.
Click-through acceptance constitutes Customer's binding agreement to this DPA. Customer represents that the individual completing the click-through flow is authorized to bind the Customer.
Option C — Incorporation by Reference in an Order Form
Where an Order Form or Master Service Agreement references this DPA by URL or by attachment, this DPA is incorporated into and forms part of that Agreement upon execution of the Order Form or MSA, without separate signature.
COVER SHEET
This page is to be completed and signed by Customer for execution under Option A.
Customer (legal entity name): __
Entity type and state of formation: __
Customer's address:
___
___
Customer's authorized signatory:
Name: __
Title: __
Email: __
Customer's designated data-protection contact (if different from signatory):
Name: __
Title: __
Email: __
Customer's designated security-incident contact (if different from signatory):
Name: __
Title: __
Email (24/7 monitored, if any): __
Customer Authorized Affiliates (entities other than the named Customer that are entitled to receive Services under the Agreement and are covered by this DPA):
___
___
For Customer:
Signature: __ Date: __
Printed name: __
Title: __
For Evenhand LLC:
Signature: __ Date: __
Printed name: __
Title: __
This Data Processing Addendum is a template provided for execution by Brokerage Customers. Customer-side liability and indemnification allocations in Section 12 are read together with any executed Order Form or Master Service Agreement.