Data Processing Agreement
Effective date: 13-10-2022
We are OSINT Central. This document explain the rules regarding data processing.
We call these rules our Data Processing Agreement. By we, we mean OSINT Central and our affiliates, which we may also refer to as *us. ****By you we mean the Researcher, Agency or Sponsor entering into this agreement, which we may also refer to as your*.
If you decide to make use of our services, you pass along personal data (in the sense of the GDPR) of third parties (data subjects) to us. You are therefore under an obligation to conclude a Data Processing Agreement (this “Agreement”) with us.
This Agreement is part of the Terms of Service. By clicking to accept the Terms of Service on the Site or by continuing to use the Site or the Site Services on or after the effective date noted above, you accept and agree to this Agreement.
To the extent permitted by applicable law, we may modify this Agreement without prior notice to you, and any revisions will take effect when posted on the Site unless otherwise stated. So it’s important you check the site on a regular basis for updates.
To make these terms a little easier to understand, we capitalize certain terms and capitalizing them means they have a special meaning. The definitions section in this document defines some capitalized terms and others are defined throughout the Terms of Service, mainly in the User Agreement (look for quotation marks and bold font).
Table of Contents
- Definitions
- 1. Background
- 2. Execution of the processing
- 3. Warranty Data Controller
- 4. Transfer of personal data
- 5. Security measures
- 6. Security incidents
- 7. Duration and termination
- 8. Confidentiality and non-disclosure
- 9. Rights of Data Subjects
- 10. People working under the authority of Data Processor
- 11. Sub Processors
- 12. Indemnification
Definitions
Capitalized terms not defined below or above have the meanings described in the Site Terms of Use or elsewhere in the Terms of Service.
“GDPR” means the General Data Protection Regulation.
“Data Subjects” means the persons of which personal data is collected on the basis of this data processing agreement; data subjects within the meaning of what is specified in the GDPR.
“Parties” means Processor and Controller referred to jointly.
“Personal Data” means data which can be used either directly or indirectly to identify a natural person, as intended in the GDPR.
“Controller” means you, who as a user makes use of our services and therefore you supply us with personal data of Data subjects. As such, you are the Controller in the sense of the GDPR.
“Processor” means us, operating as a processor of personal data with which Controller supplies us.
“Sub Processors” means third parties, employed by Processor for the processing of personal data for the benefit of Controller.
1. Background
Controller acts as a controller (also called a ‘data controller’), in the sense of the GDPR. This means that the purpose and the means of the processing of personal data are determined by Controller, and that Controller uses this data for its own personal purposes.
Processor acts as a ‘processor’ in the sense of the GDPR. This means that Processor only processes the personal data supplied by Controller in accordance with Controller’s written instructions, as described in this Data Processing Agreement. Processor shall not process the data for its own personal purposes.
2. Execution of the processing
By entering into this Agreement, you instruct us to process the Personal Data you provide to provide the Service, and further specified through your use of the Service and as documented in the rest of the Terms of Service, including this DPA.
In the execution of the assignment, Data Processor will handle the personal data in a careful manner and only process the personal data based on the assignment of Data Controller, in accordance with its written instructions and in accordance with this Agreement and the GDPR.
Data Processor will not process the personal data for any other purpose than as determined by Data Controller. Data Processor has no control over the purpose and means of the processing of the personal data.
Data Processor further guarantees that every person acting under its authority will process the personal data lawfully and in accordance with this Agreement and the GDPR.
At the request of Data Controller, Data Processor will provide Data Controller with information about the (security) measures taken in order to comply with the obligations under the GDPR, this Agreement and other instructions from Data Controller.
3. Warranty Data Controller
Data Controller guarantees the processing of the personal data of the Data Subjects, as referred to in this Agreement, is not unlawful and does not violate the rights of others. Data Controller indemnifies Data Processor against all claims relating to this.
4. Transfer of personal data
Processor shall only process the data within the confines of the European Union. Passing along personal data to third countries outside the European Union is not allowed. Processor shall only pass along personal data outside the European Union if he is under a legal obligation to do so.
Processor shall, at the request of Controller, notify him in which countries he processes personal data for the benefit of Controller.
5. Security measures
Data Processor implements all appropriate technical and organisational measures to prevent loss of personal data or any form of unlawful processing. These measures shall guarantee an adequate level of protection of the personal data being processed.
Data Processor will at least take the following security measures:
- Encryption of digital files containing personal data
- Security of the network connection with Secure Socket Layer (SSL) technology or a similar technology
- Restriction of access to the personal data to authorised employees
- Back-ups of the personal data to restore them in time in case of physical or technical incidents
- Employee confidentiality statements and NDAs with third parties
Data Processor shall provide Data Controller with all available information to provide Data Controller assistance in carrying out security measures, conducting audits and inspections and carrying out data protection impact assessments.
6. Security incidents
Data Processor will report any theft, loss, misuse or other form of data breach to Data Controller as soon as possible. This report includes, as far as possible, at least the following: the nature of the breach, the categories and scope of the personal data concerned, the likely consequences of the data breach, the measures Data Processor has taken and the contact details for Data Controller to obtain more information.
If needed, Data Processor will fully cooperate to inform the authorities and Data Subjects about such security incidents or data breaches. In addition, Data Processor will fully cooperate in carrying out risk assessments, analysing the cause of the incident or breach, identifying required corrective measures and implementing those measures.
7. Duration and termination
This Agreement will remain in effect until, and automatically expire upon, deletion of all Customer Data by us as described in this DPA.
If this Agreement is terminated or dissolved, Parties must continue to comply with the provisions of this Agreement regarding confidentiality, liability, indemnification and all other provisions that are intended by nature to remain applicable between the parties after terminations or dissolution of this Agreement.
If this Agreement is terminated or dissolved, Data Processor will return all data, including personal data, which are processed by Data Processor based on this Agreement, to Data Controller at his request. Data Controller must submit this request to Data Processor within three months. After this period, Data Processor will safely remove or destroy all personal data, including any copies of it, unless Data Processor is legally obliged to store the (personal) data for a longer period.
8. Confidentiality and non-disclosure
Data Processor will treat all personal data and other data received by Data Controller as confidential. Data Processor will limit the access to this data to persons working for Data Processor, who need access to correctly process the data on behalf of Data Controller.
All (personal) data, Data Processor receives based on this Agreement are subject to a non-disclosure obligation towards third parties. All persons employed by or working for Data Processor, as well as Data Processor itself, are required to remain secrecy regarding the personal data.
Data Processor will not provide third parties with the (personal)data or copy, multiply or otherwise make the personal data public, without permission of Data Controller.
9. Rights of Data Subjects
Data Processor will assist Data Controller with all requests which may be received from Data Subjects, such as the right to access, rectification or erasure.
If Data Processor receives a request from a third party to provide access to the personal data based on an alleged (legal) obligation, data Processor will inform Data Controller in writing before he provides the third party access, so Data Controller can assess whether the request is legitimate.
10. People working under the authority of Data Processor
The obligations for Data Processor arising from this Agreement also apply to those who process personal data under the authority of Data Processor, including but not limited to employees.
11. Sub Processors
Data Processor may sub-contract the processing of the personal data to external parties. Data Processor has sub-contracted (part of) the processing of the personal data to its hosting provider, e-mail service, analytics service and payment providers.
Data Processor may appoint new Sub Processors for the processing of the personal data. Data Processor will notify Data Controller of the addition or replacement of any Sub Processors. Data Processor is then also offered the possibility to object to this. In addition, Data Controller may request an overview of all appointed Sub Processors.
12. Indemnification
Data Processor is responsible for all all personal data (or other data) that Data Controller has shared with Data Processor. Data Processor indemnifies Data Controller against all claims by third parties or fines by the Autoriteit Persoonsgegevens because of the transfer of this Data.
Data Processor is only liable for direct damage suffered by Data Controller, that is unequivocally caused by a shortcoming of Data Processor.
The limitations of liability included in this article do not apply if the damage is caused as a consequence of the wilful intent or gross negligence of Processor.