Odin

Data Processing Agreement for B2B Customers

Effective date: May 25, 2026

This Data Processing Agreement, including its annexes, forms part of the agreement between Piotr Graczyk, Ludowa 26/8, 64-920 Pila, Poland, NIP: 7642716927, operating Odin, and the customer organization using Odin.

This DPA applies when Odin processes personal data on behalf of the Customer in connection with Odin.

1. Definitions

"Agreement" means the Terms of Service, order form, customer agreement, or other agreement governing the Customer's use of Odin.

"Customer" means the organization using Odin.

"Customer Personal Data" means personal data processed by Odin on behalf of Customer in connection with the service.

"Data Protection Laws" means applicable data protection and privacy laws, including the GDPR, UK GDPR where applicable, and other applicable laws.

"GDPR" means Regulation (EU) 2016/679.

"Processor", "controller", "personal data", "processing", "data subject", and "supervisory authority" have the meanings given in applicable Data Protection Laws.

"Subprocessor" means a third party engaged by Odin to process Customer Personal Data.

2. Roles of the parties

For Customer Personal Data, Customer is the controller and Odin is the processor, unless the parties agree otherwise in writing.

Customer determines the purposes and means of processing Customer Personal Data. Odin processes Customer Personal Data only on Customer's documented instructions, including instructions in the Agreement, this DPA, product configuration, integration settings, and lawful user actions in Odin.

Odin may act as an independent controller for account administration, billing or payment records if applicable, security logs, analytics, legal compliance, and direct communications with users. That processing is governed by Odin's Privacy Policy, not this DPA.

3. Subject matter and duration

The subject matter of processing is the provision, maintenance, security, support, and improvement of Odin.

The duration of processing is the term of the Agreement, plus any period required for deletion, return, backup retention, legal compliance, or dispute resolution.

4. Nature and purpose of processing

Odin processes Customer Personal Data to provide authentication and access control, manage organizations and projects, process uploaded files and connected source data, generate and maintain wiki content, provide search and AI-assisted chat, process integrations and sync jobs, generate summaries, classifications, citations, embeddings, and derived knowledge, maintain security and audit logs, provide support, monitor usage, enforce limits, and comply with legal obligations.

5. Categories of data subjects

Customer Personal Data may relate to Customer's employees, contractors, users, organization members, invited users, people mentioned in Customer Content, people appearing in uploaded files or connected source data, people appearing in selected emails, messages, tickets, issues, documents, designs, code metadata, meeting notes, or summaries, and integration account holders and workspace users.

6. Categories of personal data

Customer Personal Data may include names, email addresses, user IDs and account identifiers, profile images or avatar URLs, IP addresses and user agents, organization, team, project, and role data, authentication and session metadata, uploaded file content, extracted text, chat messages and AI prompts, AI-generated answers and wiki content, citations and references, connected tool data, Slack messages directed to Odin, selected Gmail messages or threads, selected Google Drive files, Fireflies meeting summaries, GitHub, Jira, Linear, Figma, Slack, Google, Gmail, and Fireflies metadata, audit logs and access-control decisions, usage metering data, and derived facts, summaries, classifications, and embeddings.

7. Special categories of data

Customer should not submit special categories of personal data to Odin unless permitted by the Agreement and unless Customer has a valid legal basis and has implemented appropriate safeguards.

Special categories may include health data, biometric data, political opinions, religious beliefs, trade union membership, sex life or sexual orientation data, and similar sensitive information under applicable law.

If Customer chooses to upload or connect sources containing sensitive data, Customer remains responsible for ensuring that such processing is lawful.

8. Customer obligations

Customer will comply with Data Protection Laws, have a lawful basis for processing Customer Personal Data through Odin, provide required notices to data subjects, obtain required consents where necessary, ensure Customer Personal Data is accurate and lawful, ensure it has rights to connect third-party tools to Odin, configure roles and access controls appropriately, respond to data subject requests where Customer is controller, and avoid uploading or connecting data that violates law or third-party rights.

9. Odin obligations

Odin will process Customer Personal Data only on Customer's documented instructions, ensure personnel authorized to process Customer Personal Data are bound by confidentiality obligations, implement appropriate technical and organizational measures, assist Customer with data subject requests where reasonably possible, assist Customer with security, DPIA, and consultation obligations where reasonably possible, notify Customer of personal data breaches as required by law, make available information reasonably necessary to demonstrate compliance with this DPA, and delete or return Customer Personal Data as described in this DPA.

10. Confidentiality

Odin will ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

11. Security measures

Odin will implement appropriate technical and organizational measures designed to protect Customer Personal Data.

Current measures may include:

  • HTTPS in production
  • Role-based access control
  • Organization and project permissions
  • Classification labels
  • Access audit logging
  • OAuth token encryption at rest where configured
  • Railway-hosted project asset storage
  • Controlled access to project assets
  • Invite-only access
  • Background job controls
  • Restricted production access
  • Infrastructure monitoring
  • Incident response procedures

Annex II describes security measures in more detail.

12. Subprocessors

Customer authorizes Odin to use Subprocessors to provide the service.

Odin will maintain a public subprocessor list and will impose data protection obligations on Subprocessors that are substantially similar to those in this DPA.

Odin remains responsible for Subprocessors' performance of their data protection obligations, subject to the liability limits in the Agreement.

Odin may add or replace Subprocessors. Where required by law or contract, Odin will provide notice of material changes and allow Customer to object on reasonable data protection grounds.

If Customer objects to a new Subprocessor, the parties will work in good faith to resolve the objection. If no reasonable resolution is available, Customer may stop using the affected service feature or terminate the affected services according to the Agreement.

13. International transfers

Customer authorizes Odin and its Subprocessors to process Customer Personal Data in countries where Odin or its Subprocessors operate.

Where Customer Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country that does not provide an adequate level of protection, Odin will use appropriate transfer safeguards, such as Standard Contractual Clauses, UK addendum or equivalent mechanisms, where required.

14. Data subject requests

If Odin receives a request from a data subject relating to Customer Personal Data, Odin will, where appropriate, direct the data subject to Customer or notify Customer, unless prohibited by law.

Odin will reasonably assist Customer in responding to data subject requests, taking into account the nature of processing and information available to Odin.

15. Personal data breaches

Odin will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.

The notice will include available information reasonably required by Data Protection Laws, such as the nature of the breach, affected data subjects and records where known, likely consequences where known, and measures taken or proposed to address the breach.

Odin's notification is not an admission of fault or liability.

16. Audits and compliance information

Odin will make available information reasonably necessary to demonstrate compliance with this DPA.

Customer may request an audit no more than once per year, unless required by a supervisory authority or following a confirmed personal data breach.

Audits must be conducted during normal business hours, with reasonable notice, in a way that does not disrupt Odin's operations or compromise other customers' data or security.

Odin may satisfy audit requests by providing security documentation, policies, summaries, third-party certifications if available, or written responses.

17. Deletion and return

Upon termination of the Agreement, or upon Customer's written request, Odin will delete or return Customer Personal Data unless retention is required by law.

Deletion may be subject to technical limitations, backup retention, legal obligations, and security requirements.

Recommended retention after deletion request:

  • Active production data: deleted or anonymized within 30 days
  • Backups: deleted or overwritten within 30 to 90 days
  • Audit and security logs: retained according to security retention schedule unless legally required to delete earlier

18. Customer instructions

Customer instructs Odin to process Customer Personal Data as necessary to provide Odin and as further configured by Customer and its authorized users.

Customer may provide additional instructions by contacting legal@odinbrain.wiki. Odin may reject instructions that are unlawful, technically infeasible, outside the scope of the service, or would create security or privacy risks.

19. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, unless prohibited by applicable law.

20. Conflict

If there is a conflict between this DPA and the Agreement, this DPA controls for personal data processing matters. If SCCs apply and conflict with this DPA, the SCCs control for the relevant transfer.

Annex I: Processing details

A. Parties

Data exporter / controller: Customer organization using Odin

Data importer / processor: Piotr Graczyk, Ludowa 26/8, 64-920 Pila, Poland, NIP: 7642716927

B. Subject matter

Provision of Odin, a B2B SaaS product for AI-assisted project wiki creation, connected source processing, search, chat, and integrations.

C. Duration

For the term of the Agreement, plus deletion, backup, compliance, and dispute-resolution periods.

D. Nature and purpose

Hosting, storage, retrieval, ingestion, extraction, indexing, summarization, classification, embedding, AI inference, access control, audit logging, support, and related processing necessary to provide Odin.

E. Categories of data subjects

Customer users, invited users, organization members, project members, people mentioned in Customer Content, integration users, message participants, email participants, issue participants, meeting participants, and other people whose data appears in connected sources.

F. Categories of personal data

Names, email addresses, user identifiers, organization and project roles, IP addresses, user agents, session metadata, uploaded content, selected emails, selected files, Slack messages directed to Odin, issue data, design metadata, repository metadata, meeting summaries, prompts, chat messages, AI outputs, citations, access logs, usage logs, and derived metadata.

G. Sensitive data

Not intentionally required by Odin. Customer is responsible for avoiding sensitive data unless legally permitted and contractually allowed.

H. Frequency of processing

Continuous during Customer's use of Odin.

I. Subprocessors

See the public subprocessor list.

Annex II: Technical and organizational measures

Access control

  • Invite-only access
  • Magic link authentication
  • Role-based permissions
  • Organization-level membership
  • Project-level access
  • Classification-based access restrictions

Application security

  • HTTPS in production
  • Secure session cookies
  • SameSite cookie configuration depending on deployment
  • Server-side authorization checks
  • Access denial logging

Data protection

  • Railway-hosted project asset storage
  • Controlled access to project assets
  • OAuth token encryption at rest where configured
  • Separation of organizations and projects in the data model

Logging and monitoring

  • Access audit logs
  • Tool call audit logs
  • Error tracking
  • Usage metering
  • Security-relevant deny logs

Operational security

  • Limited production access
  • Environment-based secrets management
  • Background job isolation
  • Incident response procedures
© 2026 Odin, based in Poland