Data Processing Addendum

This Data Processing Addendum (the DPA) supplements the agreement between Convexly (operated by Estus Holdings LLC) and the customer (Customer) under which Convexly provides its services (the Agreement).

For personal data that Customer submits or that Convexly processes on Customer's behalf, Customer is the controller (or business) and Convexly is the processor (or service provider), as those terms are used under the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended (CCPA/CPRA).

Convexly processes Customer personal data only to provide the services and only on Customer's documented instructions, which include the Agreement and Customer's configured use of the services.

Subject matter: provision of the Convexly intelligence and audit services for prediction markets.

Duration: for the term of the Agreement plus the retention and deletion periods described in clause 8.

Nature and purpose: hosting, storing, and processing Customer account data and Customer-submitted inputs to deliver wallet analysis, watchlists, research surfaces, exports, and API access.

Categories of data subjects: Customer's authorized users, and any individuals whose public on-chain records Customer chooses to analyze using public wallet addresses.

Categories of personal data: account identifiers (email, display name), authentication metadata, billing contact data (payment instruments are tokenized by the payment processor and do not reach Convexly), and any content Customer chooses to submit. Convexly does not request or store special-category data.

Convexly ensures that persons authorized to process Customer personal data are bound by confidentiality obligations and process the data only as needed to provide the services.

Convexly maintains technical and organizational measures appropriate to the risk, including encryption in transit (TLS 1.3) and at rest (AES-256 on the managed database), PostgreSQL row-level security on app-owned user tables, authenticated access via Supabase JWT, server-side enforcement of paid features, restriction of the administrative service key to background jobs and webhooks, and a documented vulnerability-disclosure channel.

The current description of these measures is maintained at the security page and is incorporated here by reference.

Customer authorizes Convexly to engage the subprocessors listed on the public subprocessor page to process Customer personal data. Each subprocessor is bound by data-protection terms comparable to those in this DPA.

Convexly maintains the subprocessor list publicly and provides advance notice of the addition or replacement of a subprocessor to Customers under a signed DPA, so Customer has a reasonable opportunity to object on legitimate data-protection grounds.

Convexly stores and processes Customer personal data in United States regions. Where Customer personal data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to the United States, the parties will rely on a lawful transfer mechanism, including the European Commission Standard Contractual Clauses and the UK International Data Transfer Addendum, which the parties agree to incorporate by reference and complete on execution where applicable.

Taking into account the nature of the processing, Convexly assists Customer by appropriate technical and organizational measures, insofar as possible, to respond to data-subject requests to exercise rights of access, correction, deletion, restriction, portability, and objection.

Convexly provides Customer self-serve export of Customer data in CSV and JSON formats to support portability.

If Convexly receives a data-subject request relating to Customer data directly, it will, where legally permitted, direct the request to Customer rather than respond on Customer's behalf.

On termination or expiry of the Agreement, Convexly deletes or returns Customer personal data on Customer's request, subject to any retention required by law. Inactive account data is removed under the retention practices stated in the privacy policy.

Public on-chain wallet addresses submitted to the free analyzer are not persisted beyond the analysis round-trip.

Convexly does not sell Customer personal data and does not share it for cross-context behavioral advertising, as those terms are used under the CCPA/CPRA.

Convexly does not use Customer data to train any model. AI features process only the specific text Customer chooses to submit at the time of use, and the AI subprocessor does not train on that text under its terms.

Convexly notifies Customer without undue delay after becoming aware of a personal-data breach affecting Customer personal data, and provides the information reasonably available to assist Customer in meeting its own notification obligations.

Specific notification timelines for an enterprise engagement are set in the Agreement.

Convexly makes available the information reasonably necessary to demonstrate compliance with this DPA, including its security documentation and subprocessor list, and supports reasonable diligence requests. As external assurance artifacts such as a SOC 2 report become available, they will be offered in place of, or alongside, direct audits where appropriate.

On execution, this DPA forms part of the Agreement. If there is a conflict between this DPA and the Agreement on the processing of personal data, this DPA governs to the extent of the conflict.