Data Processing Agreement (summary)
Draft — pending legal review
This Data Processing Agreement summary is a draft generated for internal review. It has not yet been reviewed or approved by legal counsel and is not a final, binding legal document. It will be finalized with counsel before being relied upon. Do not treat it as legal advice.
This page summarizes how Tecnicora processes data on your behalf when you use the MCP for Odoo connector. The full Data Processing Agreement (DPA) is available on request — contact your Tecnicora consultant.
Roles
- You (the customer) are the data controller of your Odoo business data.
- Tecnicora acts as a data processor, processing that data only to deliver the Service (answering your questions through Claude over a read-only connection).
Subject matter and nature of processing
- Subject matter. Read-only access to your Odoo business data to produce answers in Claude.
- Nature. Transient, real-time processing. Data is read, used to form an answer, and then discarded. Tecnicora stores neither your credentials nor your business data at rest, and does not log your business data.
- Duration. For the lifetime of each request only; there is no at-rest retention by Tecnicora.
Categories of data
- Odoo business data that your connected user is permitted to read (for example sales, purchases, inventory).
- Your Odoo credential (API key), encrypted (Fernet) inside your own session token held by Anthropic's connector system.
- Authentication data (your email) for magic-link login.
The three-party data path
Data passes from your Odoo → Tecnicora's server (Fly.io) → Anthropic's cloud in real time, and is then discarded. See Legal & data handling.
Sub-processors
| Sub-processor | Role |
|---|---|
| Fly.io | Hosting and compute for Tecnicora's MCP connector server. |
| Anthropic | Claude and the connector store that holds your encrypted session token. |
| WorkOS | Authentication and magic-link login. |
| Stripe | Subscription billing — if and when a paid tier exists. |
Security measures
- Read-only connection to Odoo (cannot create, edit, or delete).
- Odoo API key encrypted (Fernet) inside the user's session token.
- No at-rest storage of credentials or business data on Tecnicora servers; no logging of business data.
- Customer can revoke the API key in Odoo at any time.
Data subject rights and assistance
Because Tecnicora does not retain your business data at rest, the data of record always lives in your Odoo, where you can exercise control directly (including revoking access). Tecnicora will reasonably assist you with data-subject requests to the extent applicable.
The full DPA
The complete DPA — including the full sub-processor list, security annex, and any cross-border transfer terms — is available on request. Contact your Tecnicora consultant or Tecnicora support.