Data Processing Agreement

Specification v2.0.3 — Effective Date: February 2026

This page describes general data processing principles. It is not a legally operative data processing agreement. Binding data processing terms, including specific technical and organizational measures, subprocessor lists, and cross-border transfer mechanisms, are established through separately executed data processing addenda between Finality and institutional participants.

Processing Scope

Finality processes data for the purpose of providing deterministic constraint evaluation, procedural record capture, and procedural record production services. Data processing is limited to the categories of data necessary to perform the contracted services and does not extend to secondary purposes.

Categories of data processed include: governance event metadata, engagement configuration data, actor identity and role assignments, submitted material hashes and submission metadata, attestation records, and procedural state. The system does not process data for marketing, profiling, advertising, or any purpose unrelated to the contracted governance services.

Controller and Processor Roles

For the purposes of applicable data protection law, the institutional participant is the data controller and Finality acts as the data processor. Finality processes personal data solely on the documented instructions of the controller as specified in the applicable data processing addendum. Finality does not determine the purposes or means of processing beyond what is necessary to provide the contracted services.

Technical and Organizational Measures

  • Encryption. Data at rest is encrypted using industry-standard symmetric encryption with managed key rotation. Data in transit is encrypted using TLS. Encryption keys are stored in a dedicated key management service isolated from the application data layer.
  • Access Control. Access to personal data is restricted to authorized personnel on a need-to-know basis. All access is authenticated, logged, and subject to role-based authorization. Administrative access requires multi-factor authentication.
  • Data Isolation. Engagement data is logically isolated at the data layer. Cross-engagement data access is architecturally prevented. Isolation controls are enforced at the database query level, not solely at the application level.
  • Audit Logging. All data access, modification, and administrative operations are recorded in append-only audit logs. Logs capture the actor, timestamp, operation type, and affected data scope. Audit logs are retained in accordance with the applicable retention schedule.

Subprocessors

Finality may engage subprocessors for infrastructure hosting, cloud computing, and operational support. Subprocessors are subject to contractual obligations that provide at least the same level of data protection as the applicable data processing addendum.

Prior to engaging a new subprocessor, institutional participants with executed data processing addenda are notified with reasonable advance notice. The notification includes the subprocessor identity, processing location, and the category of processing to be performed. Participants may object to a new subprocessor in accordance with the objection mechanism defined in the applicable data processing addendum. The current subprocessor list is provided to institutional participants as part of the applicable data processing addendum.

Cross-Border Transfers

Where personal data is transferred outside the jurisdiction of the data controller, Finality ensures that appropriate transfer mechanisms are in place as required by applicable data protection law. Transfer mechanisms, data residency commitments, and applicable safeguards are specified in the applicable data processing addendum.

Data Subject Rights

Finality assists the data controller in responding to data subject requests — including access, rectification, erasure, and portability requests — to the extent technically feasible and as specified in the applicable data processing addendum. Requests are processed in accordance with the timelines and procedures defined in the addendum and applicable law.

Breach Notification

In the event of a personal data breach, Finality notifies the affected data controller without undue delay after becoming aware of the breach. The notification includes the nature of the breach, the categories of data affected, the estimated number of affected data subjects, and the measures taken or proposed to address the breach. Specific notification timelines and content requirements are defined in the applicable data processing addendum and in accordance with applicable law.

Term and Deletion

Upon termination of the data processing relationship, Finality deletes or returns all personal data processed under the addendum, at the controller's election, unless retention is required by applicable law. Deletion is performed in accordance with the procedures and timelines specified in the applicable data processing addendum and the Retention Policy.

Specification Version 2.0.3 — Effective Date: February 2026