Security & Data Protection Addendum

Last modified: May 21, 2026 (view changelog)
This Security & Data Protection Addendum (the “SDPA”) describes the technical, organizational, and operational measures Eleven applies to protect Customer Data, and the corresponding rights and responsibilities of Customer. This SDPA is incorporated by reference into, and forms part of, the Manager Account Agreement and any other written agreement between Eleven and Customer governing use of the Software (each, the “Agreement”). Capitalized terms not defined here have the meanings given in the Agreement. In the event of any conflict between this SDPA and the Agreement with respect to security and data protection obligations, this SDPA controls.
1. Definitions
Customer
The entity that has entered into a written Agreement with Eleven for use of the Software. “Customer” does not include Investor Users (whose use of the Software is governed by the Terms of Use) or Authorized Users, Manager Account holders, or other Accounts whose access to the Software is provisioned by, and whose subscription is administered through, another Customer of Eleven (for example, a Manager Account created and serviced by a fund administrator), unless such party has entered into its own direct Agreement with Eleven.
Customer Data
Customer’s User Content, Personal Data, and other non-public information submitted to or processed by Eleven through the Software on Customer’s behalf.
Personal Data
Information relating to an identified or identifiable natural person, as such term (or its equivalent, such as “personal information”) is defined under Applicable Data Protection Laws.
Applicable Data Protection Laws
Privacy and data protection laws applicable to Eleven’s processing of Personal Data under the Agreement, including, where applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679), the UK Data Protection Act 2018 and UK GDPR, the California Consumer Privacy Act / California Privacy Rights Act, and other comparable state, federal, or non-U.S. laws.
Subprocessor
A third party engaged by Eleven to process Customer Data on Eleven’s behalf in connection with the Software.
2. Information Security Program
Eleven maintains a written information security program designed to protect the confidentiality, integrity, and availability of Customer Data. The program includes administrative, technical, and physical safeguards appropriate to the nature and sensitivity of the information processed, and is aligned with the AICPA System and Organization Controls (SOC 2) Trust Services Criteria. Eleven undergoes an annual SOC 2 Type II audit by an independent third-party auditor and makes the corresponding report available to Customer in accordance with Section 9 (Audit Rights).
Eleven personnel with access to Customer Data are bound by written confidentiality obligations, receive regular security and privacy training, and are granted access only as necessary to perform their duties.
3. Security Controls
Without limiting the foregoing, Eleven implements and maintains the following categories of safeguards, the specific operation of which is further described in Eleven’s SOC 2 Type II report:
- Encryption in transit. Customer Data transmitted between Customer and the Software, and between the Software and external services, is protected in transit using current industry-standard transport encryption (e.g., TLS).
- Encryption at rest. Customer Data stored within the Software’s production environment is protected at rest using current industry-standard encryption.
- Authentication. Eleven maintains authentication controls reasonably designed to protect Customer accounts, including password policies and support for multi-factor authentication.
- Access controls. Internal access to systems that process Customer Data is granted on a least-privilege, role-based basis, is reviewed on a periodic basis, and is revoked promptly upon role change or termination.
- Logging and monitoring. Eleven logs material security-relevant events and monitors the production environment for indicators of compromise.
- Vulnerability management. Eleven applies patches, monitors for known vulnerabilities in software components, and conducts vulnerability scanning of its production environment on a regular basis.
- Change management and software development. Eleven maintains processes for software development, testing, and deployment intended to reduce operational and security risk.
4. Subprocessors
Customer authorizes Eleven to engage Subprocessors to process Customer Data in connection with the Software, subject to the requirements of this Section 4 and, where applicable, the Data Processing Addendum. Each Subprocessor processes Customer Data subject to a written agreement with Eleven (whether through the Subprocessor’s customer agreement, data processing addendum, or other contractual terms accepted by Eleven) that imposes data protection obligations no less protective than those set forth in this SDPA.
Eleven maintains a current list of Subprocessors and will provide Customer with at least thirty (30) days' prior notice of any new or replacement Subprocessor by updating the Subprocessors page and notifying administrative contacts through the Platform or by email. Customer is responsible for maintaining current administrative contact information within the Software.
Customer may object to a new or replacement Subprocessor on reasonable grounds relating to data protection, security, or compliance with Applicable Data Protection Laws by written notice given within fifteen (15) days of Eleven's notice. The parties will then work in good faith for an additional fifteen (15) days to resolve the objection. If the objection remains unresolved at the end of that period, Customer may terminate only the portion of the Software materially affected by such Subprocessor by written notice given within fifteen (15) days thereafter, without further obligation other than payment of fees accrued through the effective date of termination. Customer's failure to deliver a timely objection, or to exercise its termination right within the time periods specified above, constitutes acceptance of the Subprocessor.
Where a Manager Account or other Account is provisioned by, or billed through, another Customer of Eleven, Eleven may discharge its notification obligations under this Section by providing notice to the originating Customer, who is responsible for any onward notification to its affiliated users.
Notwithstanding the foregoing, Eleven may engage a new or replacement Subprocessor immediately where reasonably necessary to address a security, availability, legal, or regulatory issue, provided Eleven gives notice as soon as reasonably practicable thereafter.
Customer is responsible for reviewing the Subprocessors list periodically. Customer questions or concerns regarding a Subprocessor may be directed to Eleven in writing, and the parties will discuss any such concerns in good faith.
5. Security Incident Notification
Eleven shall notify Customer without undue delay, and in any event no later than seventy-two (72) hours after reasonably determining that a Security Incident involving Customer Data has occurred. A “Security Incident” means unauthorized access to, acquisition of, or disclosure of Customer Data, or another material compromise of the confidentiality, integrity, or security of Customer Data maintained by Eleven. A Security Incident does not include unsuccessful attempts or activities that do not result in unauthorized access to Customer Data, including pings, port scans, failed login attempts, denial-of-service attacks, or similar unsuccessful activities. Initial notification may be based on preliminary information and may be supplemented as additional information becomes available.
Such notification shall include, to the extent reasonably known at the time, a description of the nature of the Security Incident, the categories of Customer Data affected, and remediation measures taken or proposed.
Eleven shall take commercially reasonable steps, consistent with the nature and severity of the Security Incident, to contain, investigate, and remediate the Security Incident and shall reasonably cooperate with Customer regarding Customer’s legal or regulatory notification obligations.
Eleven shall not notify affected individuals or regulatory authorities on Customer’s behalf without Customer’s prior written consent, except where required by applicable law or governmental order and, where legally permitted, Eleven shall provide advance notice of such disclosure. Customer shall treat any notification of a Security Incident as Confidential Information until such time as Eleven or Customer is required by law or regulation to publicly disclose the Security Incident. Eleven’s notification of a Security Incident shall not be construed as an acknowledgment of fault or liability by Eleven. Except as expressly provided in the Agreement, this Section does not create any independent right to damages, indemnification, or other remedies.
Where Customer obtains access to the Software through another customer of Eleven (for example, where a fund administrator grants access to a downstream manager), Eleven may discharge its notification obligations under this Section by providing notice to the originating customer, who is responsible for any onward notification to its affiliated users.
6. Customer Cooperation
Customer shall promptly notify Eleven if Customer becomes aware of any actual or suspected unauthorized access to Customer accounts or Authorized User credentials.
7. Customer Responsibilities
Customer is responsible for its own security practices as they relate to its use of the Software, including:
- Configuring and managing Authorized User permissions and roles within the Software, including the principle of least privilege and timely removal of access on personnel changes;
- Establishing and maintaining a lawful basis for the collection, submission, and processing of Personal Data through the Software, including obtaining any required consents and providing required notices to data subjects;
- Performing know-your-customer, anti-money-laundering, sanctions screening, and other regulatory diligence obligations applicable to Customer and its investors, with the Software serving as a tool to assist (but not replace) Customer’s judgment;
- Ensuring the accuracy of Customer Data submitted to the Software and correcting inaccurate or outdated information;
- Maintaining the confidentiality of credentials and protecting the devices used to access the Software; and
- Promptly reporting suspected unauthorized access or other security concerns to Eleven.
8. Data Return and Deletion
Customer is the controller (or, where Customer is itself a processor for an underlying controller, acts on the controller's behalf) of Customer Data submitted to or processed by the Software in connection with Customer's Accounts. Subject to Eleven's self-retention rights described below and any applicable legal hold or regulatory obligation, Customer's instructions govern the retention, return, and deletion of Customer Data.
During the term of the Agreement, Customer may export Customer Data using the Software’s standard export and reporting tools. Customer and its Authorized Users may also delete Customer Data using the Software’s standard deletion tools, subject to Eleven’s standard backup retention and rotation schedule.
Following termination or expiration of the Agreement, Customer’s and its Authorized Users’ access to the Software will cease and Customer Data will be deactivated such that it is no longer accessible through the standard application interface. For a period of thirty (30) days following termination, Customer may request assisted return of Customer Data in a commercially reasonable format, and Eleven may charge a reasonable fee for such assistance.
Eleven retains, following termination or expiration, only such Customer Data as exists within Eleven’s systems at the time of termination or expiration. Customer Data that Customer or its Authorized Users permanently deleted during the term may have aged out of routine system backups on Eleven’s standard retention and rotation schedule and is not available for return through the standard application interface. Customer is responsible for ensuring that its use of the Software, including any deletion of Customer Data during the term, is consistent with Customer’s own legal, regulatory, and recordkeeping obligations.
Customer Data retained after termination will be held by Eleven subject to access controls commensurate with the limited purposes for which it is retained, in accordance with Eleven’s standard records retention practices. Eleven will retain Customer Data only for so long as required to meet applicable legal, regulatory, tax, and recordkeeping requirements applicable to Eleven and to the services performed for Customer, and will delete Customer Data when no longer required for such purposes. During the retention period, Customer Data will remain subject to the security and confidentiality protections of this SDPA, and access will be restricted to Eleven personnel with a legitimate business need, including in connection with legal, regulatory, audit, or compliance matters, response to lawful requests from authorities, defense or assertion of legal claims, recovery from service-impacting events, and assistance with data subject requests forwarded by Customer.
From time to time during the retention period, Customer may request deletion of specific Customer Data from Eleven’s retained records, including in order to assist Customer in responding to data subject requests under applicable law. Eleven will comply with such requests within a reasonable period, subject to any continuing legal, regulatory, or legal-hold obligation that requires Eleven to retain specific Customer Data. Where Eleven is required to retain Customer Data beyond Customer’s deletion request, Eleven will retain only the specific data required, for only the period required, and subject to the protections of this SDPA. Eleven may charge a reasonable fee for assistance with deletion requests made after termination.
Where an investor or other data subject submits a deletion or other data subject request directly to Eleven with respect to Customer Data held in connection with Customer's Accounts, Eleven will direct the requester to submit the request to the applicable Customer, who is the controller responsible for evaluating the request under applicable law. Eleven will reasonably cooperate with Customer in actioning any resulting instructions in accordance with this SDPA and the Data Processing Addendum.
At the end of the applicable retention period, Customer Data will be deleted from Eleven’s systems in the ordinary course. Customer Data residing in routine system backups, archives, or disaster recovery snapshots will be deleted as such backups expire on Eleven’s standard retention and rotation schedule, and will not be restored to production systems except to recover from a service-impacting event affecting the Software. Any such restored data will remain subject to the protections of this SDPA.
Notwithstanding the foregoing, Eleven may retain Customer Data to the limited extent reasonably necessary for: (a) Eleven's own legal, tax, accounting, or regulatory obligations (including financial records relating to invoicing and payments); (b) defense or assertion of legal claims, subject to applicable statutes of limitations; (c) security incident records, access logs, and audit logs required for Eleven's information security program, SOC 2 audit, or other applicable compliance frameworks; and (d) aggregated, de-identified, or pseudonymized data that cannot reasonably be associated with Customer or any identifiable individual. Such retention is limited to the minimum reasonably necessary for the stated purpose and is governed by Eleven's internal records retention practices.
For the avoidance of doubt, nothing in this Section requires Eleven to retain Customer Data for any minimum period, and Eleven may delete Customer Data earlier than otherwise contemplated where consistent with applicable law and Eleven’s legitimate business purposes.
9. Audit Rights
On reasonable written request and not more frequently than once per twelve (12) month period, Eleven will make available to Customer, under the terms of a mutually acceptable non-disclosure agreement, a copy of Eleven’s then-current SOC 2 Type II report and a summary of any material findings. The parties agree that Eleven’s provision of such report satisfies Customer’s ordinary information security audit and assurance requests under this SDPA.
Where Customer is required by applicable law or by a binding regulatory request to conduct an on-site audit of Eleven’s practices relating to the processing of Customer Data, the parties shall first attempt to satisfy such requirement through review of the SOC 2 Type II report. If an on-site audit is nonetheless required, the parties shall agree in advance on reasonable scope, timing, and access conditions designed to minimize disruption to Eleven’s operations and the security or confidentiality of other Eleven customers’ data, and any such audit shall be conducted at Customer’s expense.
10. Changes
Eleven may update this SDPA from time to time to reflect changes in its security practices, the legal or regulatory environment, or its product offerings. Eleven will not make changes that materially diminish the security protections provided to Customer Data without prior notice to Customer. Material changes will be communicated through the Platform or by email to administrative contacts and reflected in the changelog below.
11. Contact
Questions about this SDPA, or requests under it, may be directed to Eleven at legal@platformeleven.io.
Changelog
May 21, 2026
- Initial publication of the Security & Data Protection Addendum, consolidating Eleven’s information security program, security controls, subprocessor governance, Security Incident notification (including the 72-hour commitment aligned with Regulation S-P service-provider oversight requirements), customer cooperation and responsibilities, data return and deletion practices, and audit rights into a single document referenced by the Manager Account Agreement.