Cloud Policy
Effective - 12th May, 2025

Compliance & Certifications

Oddr's controls are independently audited and certified — SOC 2 Type II and ISO/IEC 27001:2022 — and maintained on an ongoing basis.

Achieving and maintaining security compliance certifications demonstrates Oddr’s commitment to implementing robust information security measures and aligning with industry best practices. These certifications are not a one-time milestone — they reflect an ongoing investment in security protocols, data protection, and effective risk management.

ISO/IEC 27001:2022

Provides independent assurance that Oddr has a certified information security management system.

Oddr is certified to the ISO/IEC 27001:2022 standard, the internationally recognized framework for information security management systems (ISMS).

Certification Details:

Issued by: InterCert Inc.
Registration Number: IC-IS-2408113
Standard: ISO/IEC 27001:2022
Initial Certification Date: August 13, 2024
Surveillance Validity: August 12, 2026
Recertification Date: August 12, 2027

Scope:

The ISMS applies to the AI-enabled Revenue Intelligence platform for Law Firms, hosted as a SaaS platform, with the support functions of IT Infrastructure, Human Resources, Legal, and Governance.

Covered Locations:

Oddr, Inc. — 1098 Phelps Ave, San Jose, CA 95117
Oddr Technologies Pvt Limited — Bavdhan, Pune (MH), India

A copy of the ISO 27001 certificate is available upon request.

SOC 2 Type II

Provides independent assurance that Oddr’s security controls are audited and operating effectively over time.

Oddr has completed a SOC 2 Type II audit, which examines the design and operating effectiveness of controls over an extended period — not just a point-in-time snapshot.

Audit Details:

Auditor: Accorp Partners CPA LLC
Audit Period: July 1, 2024 through June 30, 2025
Trust Services Criteria: Security, Availability, and Confidentiality
Sub-service Organization: Microsoft Azure (data center services)
Opinion: Unqualified (controls suitably designed and operating effectively)
Exceptions: None noted across all tested controls

The SOC 2 Type II report is available under NDA to current and prospective customers.

Information Security Management

Oddr operates a formal Information Security Management System (ISMS) that governs how systems and data are protected across the organization. Key components include:

Risk Management

Risk assessments are performed annually and whenever significant changes in security posture occur. Risks are identified, evaluated for likelihood and impact, and treated with appropriate controls. A risk register and treatment plan are maintained and tracked to completion.

Information Security Policies

Oddr maintains a comprehensive set of security policies covering access control, change management, incident response, data classification, cryptography, backup and recovery, and media handling. Policies are reviewed at planned intervals or when significant environmental changes occur.

Internal Audits

Information systems are reviewed on at least an annual basis for compliance with Oddr’s security policies and standards. Audit findings are tracked through to closure with corrective actions.

Management Reviews

The leadership team conducts annual management review meetings to discuss the security posture, internal audit results, risk landscape, technology trends, incident reports, and security initiatives.

Data Privacy & Regulatory Compliance

For firms processing personal data subject to the GDPR, UK GDPR, Swiss data protection law, or CCPA, Oddr's Data Processing Addendum (DPA) is incorporated into the customer agreement and governs how that data is processed and protected. The DPA includes Standard Contractual Clauses for applicable cross-border transfers.

The DPA is available at https://www.oddr.com/legal/dpa

Employee Security Practices

Background Checks

All employees and contractors undergo background verification checks in accordance with relevant laws and regulations prior to gaining access to Oddr systems.

Security Training

Employees complete mandatory security and privacy awareness training upon hire and annually thereafter. This training covers security requirements, expectations for protecting information assets, and the process for reporting security concerns.

Confidentiality Agreements

All employees sign confidentiality agreements and NDAs upon joining. Similar agreements are established with third-party vendors and contractors.

Code of Conduct

Oddr requires directors, officers, and employees to observe high standards of business and personal ethics. Annual code of conduct training reinforces these expectations.

Vendor & Sub-Processor Management

Oddr maintains a formal vendor management process. All vendor relationships require signed contracts that include scope of services, roles and responsibilities, compliance requirements, and service levels where applicable.

Oddr reviews the annual SOC report for its sub-processors (including Microsoft Azure) to confirm that outsourced controls are appropriately designed and operating effectively. NDAs are established with all vendors who may access sensitive information.

FAQ

1. What compliance certifications does Oddr hold?
A: Oddr holds ISO/IEC 27001:2022 certification and has completed a SOC 2 Type II audit covering Security, Availability, and Confidentiality trust service criteria.
2. How often is Oddr audited?
A: The SOC 2 Type II audit covers a continuous 12-month period and is performed annually. The ISO 27001 certification includes annual surveillance audits with a full recertification cycle every three years.
3. Were there any exceptions in the SOC 2 report?
A: No. The most recent SOC 2 Type II report (covering July 2024 through June 2025) had no exceptions noted across all tested controls.
4. How can I request a copy of the SOC 2 report?
A: The SOC 2 Type II report is available under NDA. Contact your Oddr account team or email security@oddr.com to request a copy.
5. Does Oddr offer a Data Processing Addendum for GDPR/CCPA?
A: Yes. For personal data subject to the GDPR, UK GDPR, or CCPA, Oddr's DPA forms part of the customer agreement and is available at https://www.oddr.com/legal/dpa
6. Does Oddr perform risk assessments?
A: Yes. Formal risk assessments are performed annually and whenever there are significant changes to the security environment. Risks are evaluated for likelihood and impact, and treated with appropriate controls tracked through a risk register.
7. Are Oddr employees trained on security?
A: Yes. All employees complete mandatory security and privacy awareness training upon hire and annually thereafter. Background checks are completed for all employees and contractors prior to system access.