Legal Framework
For institutional clients — PE funds, M&A advisory firms, and royalty audit practices.
Last updated: February 25, 2026
Attorney review in progress. All template documents below are subject to review by qualified legal counsel before use in any transaction. The frameworks described on this page reflect Fluxiem's operational and contractual posture — not legal advice.
For General Counsel and Compliance Teams
When your legal team asks what protections Fluxiem has in place before royalty statement data is transferred, this page is the answer. Fluxiem operates with the same contractual infrastructure as the royalty audit practices your organization already works with — a bilateral NDA, a GDPR Article 28-aligned Data Processing Agreement with SEC Reg S-P provisions, and an engagement letter defining scope, deliverables, and success fee terms.
No data changes hands before all four documents are executed. That sequence is not a formality — it is the operating procedure on every engagement.
Document Execution Sequence
Every Fluxiem engagement follows this sequence in order. No step is skipped.
Mutual NDA
Before any business discussion
Bilateral non-disclosure agreement covering methodology, pricing, product architecture, and all client confidential information — catalog data, LP identities, deal pipeline, and royalty statements. Trade secret provisions are perpetual; general confidential information is protected for a minimum of three years.
Data Processing Agreement (DPA)
Before any data changes hands
GDPR Article 28-aligned DPA with SEC Regulation S-P provisions. Defines Fluxiem as the Data Processor; client organization as the Data Controller. Includes the 72-hour breach notification clause required by SEC Reg S-P, sub-processor disclosure, data minimization obligations, audit rights, and written deletion certification at engagement end.
Engagement Letter
Before any royalty statements are transferred
Defines scope, catalog coverage, statement sources, deliverables, timeline, and fee structure — base engagement fee plus success fee. Incorporates the NDA by reference. Establishes liability cap, accuracy disclaimer, and conversion terms for pilot engagements.
Success Fee Addendum
Annexed to the Engagement Letter
Defines "Recovery" with precision: net royalty payments actually received by client following claim submission, from payors and periods identified in the Fluxiem discrepancy report, within 24 months of the engagement date. Sliding scale: 20% on first $500K recovered, 15% on $500K–$2M, 10% above $2M.
Regulatory Compliance Posture
Institutional clients subject to SEC oversight are now legally required to conduct formal vendor due diligence before sharing data with third parties. Fluxiem's contractual and technical posture is designed to satisfy that review.
SEC Regulation S-P (Amended 2024)
Effective December 2025 for large entities (RIAs with $1.5B+ AUM) and June 2026 for smaller entities. Requires covered institutions to have written vendor agreements that include a 72-hour breach notification requirement. Fluxiem's DPA includes this clause as a mandatory provision, and our internal incident response procedures are designed to honor it operationally.
Covered institutions must also document vendor due diligence and maintain records for five years. Fluxiem retains signed copies of all client agreements for a minimum of five years to support your compliance documentation obligations.
GDPR Article 28 — Data Processing Agreement Standard
Fluxiem's DPA template is structured against GDPR Article 28 requirements, which is the de facto global standard even for US-only operations. Any client with EU-based LP investors, European catalog assets, or royalties from EU collection societies (GEMA, PRS, SOCAN, SACEM) is likely subject to GDPR. Fluxiem's DPA includes provisions for Standard Contractual Clauses (SCCs) for international data transfers upon request.
GLBA / CCPA
Fluxiem's data handling commitments align with Gramm-Leach-Bliley Act requirements for financial data and California Consumer Privacy Act obligations where applicable. Client data is never sold, shared with third parties for commercial purposes, or used for any purpose outside the defined engagement scope.
Data Processing Commitments
These commitments are included in Fluxiem's DPA and are binding in every engagement.
No model training
Client royalty data is never used to train, fine-tune, or improve any AI model — including the models powering Fluxiem's own pipeline. Processing occurs solely for the purpose defined in the applicable Engagement Letter.
72-hour breach notification
If a security incident involving client data is discovered, Fluxiem notifies the client within 72 hours of becoming aware — as required by SEC Regulation S-P. Notification includes the nature of the incident, data affected, likely consequences, and remediation steps.
Data minimization
Only the statement data defined in the engagement scope is ingested. Fluxiem does not collect catalog data outside the defined reconciliation scope.
Deletion certificate
Upon engagement completion or client request, all client data is securely deleted from Fluxiem systems and sub-processors within 30 days. A written deletion certificate is provided as a matter of standard procedure, not on request.
Audit rights
Clients have the right to audit Fluxiem's data processing activities once per calendar year with 30 days' written notice. Fluxiem satisfies audit obligations by providing SOC 2 reports, penetration test results, or security questionnaire responses in lieu of on-site audits.
Logical data isolation
Client data is logically separated from other clients' data using organization-scoped identifiers and PostgreSQL Row-Level Security. No client's data is accessible to another client's processing context.
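The isolation pattern described above, shown as an added example in PostgreSQL DDL. This is constructed illustration code, not Fluxiem's own schema or policy text; the table names, the app_pipeline role, the app.current_org_id session setting and the sample UUIDs are assumptions. It demonstrates the parts a reviewer would want to confirm: an organization-scoped column, Row-Level Security both enabled and forced, a policy that denies by default when no tenant is set, a WITH CHECK clause so writes cannot land in another tenant's scope, and a catalog query that verifies the setting.

```sql
-- Constructed example schema (hypothetical; not Fluxiem's).
CREATE TABLE organizations (
    org_id uuid PRIMARY KEY,
    name   text NOT NULL
);

CREATE TABLE royalty_statements (
    statement_id uuid PRIMARY KEY,
    org_id       uuid NOT NULL REFERENCES organizations (org_id),
    payor        text NOT NULL,
    period       daterange NOT NULL,
    payload      jsonb NOT NULL
);

-- The pipeline connects as a dedicated role that does not own the tables,
-- is not a superuser, and cannot bypass RLS. Superusers and BYPASSRLS roles
-- are exempt from every policy, so the application must never run as one.
CREATE ROLE app_pipeline LOGIN NOSUPERUSER NOBYPASSRLS;   -- hypothetical role name
GRANT SELECT, INSERT, UPDATE ON royalty_statements TO app_pipeline;

-- ENABLE turns policies on; FORCE makes them apply to the table owner too,
-- so a maintenance job running as the owner cannot silently read all tenants.
ALTER TABLE royalty_statements ENABLE ROW LEVEL SECURITY;
ALTER TABLE royalty_statements FORCE ROW LEVEL SECURITY;

-- Tenant scope comes from a per-transaction setting. missing_ok = true returns
-- NULL when the setting is absent, NULLIF handles a reset-to-empty value, and
-- a NULL comparison is treated as false: no tenant set means no rows visible.
-- WITH CHECK applies the same test to INSERT/UPDATE, so a row cannot be written
-- with a different org_id than the one the transaction is scoped to.
CREATE POLICY org_isolation ON royalty_statements
    FOR ALL
    TO app_pipeline
    USING      (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid);

-- Per-request usage (as app_pipeline). SET LOCAL scopes the identifier to this
-- transaction, so a pooled connection cannot carry one client's org_id into
-- the next request. The UUID is a constructed sample value.
BEGIN;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';
SELECT statement_id, payor FROM royalty_statements;   -- only that organization's rows
INSERT INTO royalty_statements (statement_id, org_id, payor, period, payload)
VALUES (gen_random_uuid(),
        '11111111-1111-1111-1111-111111111111',       -- same org as the session scope: accepted
        'Example Payor', '[2025-01-01,2025-04-01)', '{}');
COMMIT;

-- The same INSERT with org_id '22222222-2222-2222-2222-222222222222' (another
-- tenant) fails with "new row violates row-level security policy" and aborts
-- the transaction, which is the intended outcome.

-- Verification a reviewer can run: both flags must be true for the table.
SELECT relrowsecurity, relforcerowsecurity
FROM pg_class
WHERE relname = 'royalty_statements';
```

The point of the catalog query at the end is that "RLS enabled" on its own is not sufficient evidence of isolation: without FORCE the owning role sees every row, and any connection that is a superuser or carries BYPASSRLS ignores the policy entirely, so a due-diligence check should confirm the role attributes of the connecting user as well as the two table flags.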
Sub-Processor Disclosure
GDPR Article 28 and SEC Reg S-P require disclosure of all sub-processors with access to client data. The following parties process client royalty data as part of Fluxiem's service. All sub-processors are subject to equivalent data protection obligations. Fluxiem provides 30 days advance notice of any sub-processor change; clients may object within that period.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure hosting — S3 storage, Aurora PostgreSQL database, Lambda compute | US regions (us-east-1) |
| AWS Textract | OCR processing of royalty statement PDFs | US regions |
| Amazon Bedrock / Anthropic Claude | AI-powered semantic field extraction and anomaly detection | US regions |
| AWS KMS | Encryption key management and automatic key rotation | US regions |
| AWS CloudTrail / CloudWatch | Immutable audit logging and access monitoring | US regions |
Technical Security Measures
AES-256 encryption at rest via AWS KMS
TLS 1.3 encryption in transit
Multi-factor authentication required for all staff with data access
Role-based access control (RBAC)
Immutable CloudTrail audit logs for all data access events
Automatic KMS key rotation
PostgreSQL Row-Level Security for tenant data isolation
Annual third-party penetration testing
SOC 2 Type I audit in progress
Engagement and Fee Structure
Fluxiem uses an engagement letter model identical to the structure used by royalty audit practices at major accounting firms. This is a professional services engagement, not a SaaS subscription — and the contractual posture reflects that.
Pilot Engagement
Paid pilots for advisory firms are structured at $10,000–$20,000, credited 100% toward the first year's engagement on conversion. For PE and investment funds, complimentary pilots are available in exchange for a 45-day committed evaluation period and an executive presentation of findings. Pilot scope is defined precisely before commencement: one statement source, one quarter, one catalog — results within 72 hours.
Success Fee
20% of documented recoveries up to $500K, 15% on $500K–$2M, 10% above $2M. “Recovery” means net royalty payments actually received from payors identified in Fluxiem's discrepancy report, for the periods and line items identified, within 24 months of the engagement date. The success fee survives engagement termination for the full 24-month recovery window.
Liability Limitation
Fluxiem's aggregate liability is capped at the total fees paid under the applicable engagement letter. Consequential, indirect, and punitive damages are excluded. Fluxiem does not warrant that all discrepancies have been identified or that all identified discrepancies will result in recoveries — findings represent Fluxiem's analysis of the data provided and require human review before any claim is filed.
Intellectual Property
Fluxiem's reconciliation methodology, matching algorithms, Bedrock prompt architecture, and all underlying systems are proprietary trade secrets. Clients receive analysis outputs — discrepancy reports, claim documentation, executive summaries. The underlying methodology is not disclosed. The NDA provides perpetual trade secret protection for Fluxiem's IP; the engagement letter includes explicit reverse-engineering prohibitions.
Request the Document Package
Fluxiem's standard legal package — bilateral NDA, GDPR Article 28-aligned DPA with SEC Reg S-P provisions, and engagement letter template — is available to prospective clients for review prior to any engagement discussion. Send this page to your General Counsel. They can request the full package directly.
Legal inquiries: hello@fluxiem.com — include “Legal Package Request” in the subject line.
Disclaimer. The frameworks described on this page represent Fluxiem's intended operational and contractual posture. Template documents are subject to ongoing attorney review and revision. No content on this page constitutes legal advice. All engagement documents are finalized by qualified legal counsel before execution in any transaction. The regulatory landscape governing financial data privacy (SEC Regulation S-P, GDPR, GLBA, CCPA) changes frequently — clients should consult their own counsel on applicable obligations.