

Data Protection
Your data, your control. Oddr provides the safeguards law firms need to protect sensitive client and financial information.
Client confidentiality and regulatory compliance are core to every law firm’s business. Oddr was designed from the ground up with data protection at the center, giving firms control over where their data resides, how it is isolated, and what happens to it throughout its lifecycle.

Data Sovereignty
Law firms often have specific requirements about where their data is physically stored, driven by internal policy, client expectations, or regulatory mandates. Oddr addresses this by leveraging Microsoft Azure’s global data center footprint and letting firms choose the geographic region where their data resides.
This means an Australian firm can keep data in the APAC region, a Canadian firm can keep data within Canadian borders, a European firm can remain under EU data residency requirements, and a US firm can keep data within US borders, all on the same platform.
Once a region is selected during onboarding, all of the firm’s data and platform resources are provisioned within that region.
Per-Tenant Data Isolation
Oddr uses a multitenant SaaS architecture, but tenant data is strictly isolated at the platform level. Each firm’s data is logically separated and is never commingled with another tenant’s data for any purpose — not for analytics, not for training, and not for operational convenience.
This isolation is enforced at the application layer and the database layer, and it is part of Oddr's control environment, which is covered by the SOC 2 Type II audit and ISO 27001 certification.
Data Ownership & Control
Your firm retains full ownership of its data at all times. Oddr’s service agreements make this explicit: neither Oddr nor any of its sub-processors will use your data for purposes outside the scope of contracted services.
Oddr provides real-time visibility into your data through the platform, and access is governed by role-based permissions that your firm’s administrators control.

Encryption
All communication between the Oddr Secure Cloud and users' devices is encrypted in transit using TLS 1.2 or higher. The only publicly accessible endpoint is a WAF-enabled Azure Application Gateway.
Data at rest is encrypted with AES-256 using Azure-managed keys held in Azure Key Vault. This covers the PostgreSQL databases, Blob Storage, and backups.
Data Retention & Disposal
Oddr has established a formal Data Retention and Disposal Policy that defines procedures for the appropriate retention, disclosure, and disposal of sensitive, confidential, and personal information.
When a firm’s contract with Oddr ends, customer data is securely deleted in accordance with the agreed contractual terms. Media disposal follows secure procedures proportional to the sensitivity of the information stored.
Sub-Processors
Oddr maintains a limited set of sub-processors and is transparent about who they are and what role they play.
Cloud infrastructure hosting, platform services, data storage, and compute resources.
Transactional email delivery only, such as invoice notifications, statements, and reminders. Postmark is not the system of record for billing, invoices, payments, or application data. Postmark processes email data under a data processing agreement covering GDPR, UK GDPR, and CCPA with Standard Contractual Clauses, with TLS in transit and documented technical and organizational measures.
References: postmarkapp.com/eu-privacy, postmarkapp.com/dpa, postmarkapp.com/support/article/1218-gdpr-faq.
Oddr’s service agreements detail the role of each sub-processor. Oddr does not share customer data with sub-processors for purposes outside the contracted scope of services.
Privacy & Regulatory Alignment
Oddr’s data handling practices are designed to align with the privacy and regulatory expectations of law firms operating across multiple jurisdictions. Key elements include:
For firms subject to the EU General Data Protection Regulation, Oddr’s European data residency option (West Europe / North Europe), combined with its data processing practices, supports compliance with GDPR data localization and protection requirements. Oddr’s service agreements include data processing terms that address GDPR obligations.
Oddr does not use customer data for advertising, profiling, resale, or any purpose beyond delivering the contracted platform services. This commitment extends to all sub-processors.
Oddr collects and processes only the data necessary to operate the platform and deliver services. The scope of data ingested from your FMS is defined collaboratively during implementation and limited to what is needed for invoicing, collections, and revenue intelligence.
Customers may request the deletion of their data at any time. Upon contract termination, data is securely deleted in accordance with the agreed contractual terms and Oddr’s Data Retention and Disposal Policy.
