Sub-processors.
Sub-processors are third parties Evenhand engages to deliver the platform. Each is bound by a written agreement that imposes data-protection obligations substantially equivalent to those Evenhand owes its customers. This list is the same registry referenced by Privacy Policy §5 and Data Processing Addendum Annex 3.
Change notification.
Evenhand posts at least thirty (30) days' prior notice before adding or replacing a sub-processor. For Brokerages with an executed DPA, notice is also delivered by email to the contact on file. Until the in-product notification subscription form is published, customers who want change notifications should email legal@evenhandhq.com to be added to the notification list.
Current sub-processors (13).
| Provider | Purpose | Data categories | Location |
|---|---|---|---|
Clerk, Inc. Privacy policy | Authentication, account management, session management, multi-factor authentication, organization membership | Email, name, hashed password, MFA credentials, session tokens, organization membership | United States |
Neon, Inc. (on AWS) Privacy policy | Database hosting (PostgreSQL) | All Platform data stored in the database | AWS US-West-2 (Oregon, USA) |
Vercel Inc. Privacy policy | Application hosting, content delivery, preview deployments | IP address, request logs, application code and assets, security/bot-protection cookies | United States (global edge network) |
Anthropic, PBC Privacy policy | AI-assisted PDF extraction and CSV/XLSX column mapping | Contents of uploaded financial documents (PDF) and structured-data column headers / sample rows submitted to the extraction API | United States |
Stripe, Inc. Privacy policy | Payment processing, subscription management, invoicing | Name, email, billing address, payment method details (held by Stripe), transaction history, subscription state | United States |
Resend, Inc. Privacy policy | Transactional email delivery (outbound) and inbound email parsing (per-broker marketplace-inquiry forwarding addresses and per-buyer pipeline-capture forwarding addresses, ADR 0008) | Outbound: recipient email address, email subject and content, delivery metadata. Inbound: sender address, subject, body, headers, and any attachments of emails forwarded to platform-minted forwarding addresses (retained on Resend only during webhook delivery; body bytes streamed via the Receiving API and stored in the platform's own Vercel Blob private store) | United States |
Sentry (Functional Software, Inc.) Privacy policy | Error tracking and application monitoring | IP address (anonymized), browser/OS info, error stack traces, scrubbed application state, user ID for error attribution | United States |
PostHog, Inc. Privacy policy | Product analytics (cookieless mode) | Anonymized usage events, page views, feature interactions, device / browser type | United States |
Cloudflare, Inc. Privacy policy | DNS management, DDoS protection, edge security, Turnstile bot detection | DNS query data, IP address for security filtering, Turnstile challenge metadata | Global edge network |
Upstash, Inc. Privacy policy | Distributed rate limiting | IP address, action identifier, timestamp | United States / global |
Better Stack Privacy policy | Uptime monitoring and status page | Monitoring endpoint URLs, response metadata; no User data is transmitted | United States |
Dropbox Sign (HelloSign, Dropbox, Inc.) Privacy policy | E-signature for click-through NDAs, LOIs, and purchase agreements (Evenhand-managed and BYO modes) | Signer name, email, IP address at signature time, document content for signing, signed PDF | United States |
DocuSign, Inc. Privacy policy | E-signature (BYO mode) | Same as Dropbox Sign | United States / region per Brokerage's DocuSign account |
User-authorized integrations.
These providers process information only when you (or your Brokerage) expressly connect them. They operate under your direct relationship with them. Evenhand acts as the bridge; the third party's own privacy policy and terms govern their use of your data.
| Provider | Purpose | When activated |
|---|---|---|
| Google LLC (Calendar API) | Calendar event creation and read for closing-timeline integration | User connects Google Calendar in profile settings |
| Microsoft Corporation (Microsoft Graph) | Calendar event creation and read | User connects Microsoft 365 Calendar |
| Intuit Inc. (QuickBooks Online) | Read-only accounting snapshots for QoE | Seller authorizes QBO connection for a Deal |
| Xero Limited | Read-only accounting snapshots for QoE | Seller authorizes Xero connection for a Deal |
| Oracle NetSuite | Read-only accounting snapshots for QoE | Seller authorizes NetSuite connection for a Deal |
| Firmex Inc. | Virtual data room document storage | Brokerage configures Firmex as the document-storage adapter |
| iDeals Solutions Group | Virtual data room document storage | Brokerage configures iDeals as the document-storage adapter |
| Google LLC (Drive API) | Document storage in your Google Drive | Brokerage or Deal owner configures Google Drive |
| Dropbox, Inc. (Dropbox Business) | Document storage in your Dropbox Business account | Brokerage or Deal owner configures Dropbox Business |
| DocuSign / Dropbox Sign (BYO) | E-signature using your own account | Brokerage connects its own e-signature account |
Customer-configured webhook recipients.
If a Brokerage configures an outbound webhook endpoint, Evenhand transmits event payloads to that endpoint at the Brokerage's direction. The operator of the endpoint is not an Evenhand sub-processor; the Brokerage is responsible for the security and data-protection posture of any endpoint it configures.