Data Processing Agreement

Specification v2.0.3 — Effective Date: February 2026

This page describes general data processing principles. It is not a legally operative data processing agreement. Binding data processing terms, including specific technical and organizational measures, subprocessor lists, and cross-border transfer mechanisms, are established through separately executed data processing addenda between Finality and institutional participants.

Processing Scope

Finality processes data for the purpose of providing deterministic constraint evaluation and procedural record capture. Processing scope and limitations are defined in the applicable data processing addendum.

Security Measures

Technical and organizational measures are implemented to protect institutional data. Specific measures, including encryption standards, access controls, and audit logging, are described in the applicable data processing addendum and under /security.

Subprocessors

Finality may engage subprocessors for infrastructure hosting and operational support. Prior to engaging a new subprocessor, institutional participants with executed data processing addenda are notified with reasonable advance notice. The current subprocessor list and objection mechanisms are provided to institutional participants as part of the applicable data processing addendum.

Breach Notification

Breach notification obligations, including timelines and content requirements, are defined in the applicable data processing addendum and in accordance with applicable law.

Specification Version 2.0.3 — Effective Date: February 2026