Data Processing Addendum

Last updated: March 2026

This page outlines the baseline data processing terms that apply where The OSINT Room processes personal data on behalf of a client in connection with its services. A signed client-specific Data Processing Addendum ("DPA") may be provided on request or incorporated into the applicable Master Service Agreement, Statement of Work, or other written engagement terms.

This page is intended as a public summary of our processing framework. It does not replace a signed agreement where Article 28 GDPR terms are required for a specific engagement.

1. Scope

The OSINT Room provides open-source intelligence, due diligence, adverse media, sanctions-context, and related risk intelligence services for professional and institutional clients.

Where The OSINT Room processes personal data solely on a client's behalf and under the client's documented instructions, it acts as a processor for the purposes of Article 28 GDPR.

Where The OSINT Room processes personal data for its own purposes — including website administration, intake handling, invoicing, legal compliance, recordkeeping, service security, and defence of legal claims — it acts as an independent controller. Those activities are governed separately by our Privacy Policy.

2. Roles of the Parties

For in-scope client engagements:

  • the Client is the data controller, unless the parties expressly agree otherwise in writing;
  • The OSINT Room acts as the processor only to the extent it processes personal data on the Client's behalf and on documented instructions.

The parties acknowledge that role allocation depends on the factual circumstances of the engagement and the actual purposes and means of processing.

3. Subject Matter and Duration of Processing

The subject matter of the processing is the provision of open-source intelligence and related analytical support services described in the applicable engagement documentation.

Processing begins when relevant personal data is provided to or otherwise made available to The OSINT Room for the agreed engagement and continues for the duration of the engagement, plus any limited retention period required by contract, law, or legitimate records-management and security obligations.

Unless otherwise agreed in writing, research materials relating to a completed engagement are retained for up to 90 days after delivery, after which they are securely deleted or rendered inaccessible, subject to any legal or contractual retention requirement.

4. Nature and Purpose of Processing

Processing may include collection, review, organisation, analysis, storage, limited internal dissemination, and secure transmission of information necessary to perform the agreed services.

The purpose of the processing is limited to supporting the Client's documented lawful purpose, such as:

  • open-source due diligence;
  • adverse media and reputational review;
  • public-record corporate research;
  • ownership and control mapping;
  • sanctions or exposure context analysis;
  • litigation-adjacent factual research support; or
  • other legitimate compliance, legal, or risk-management use cases defined in writing.

All work is conducted using lawful, publicly available or lawfully accessible sources only. The OSINT Room does not engage in hacking, unlawful access, intrusive surveillance, pretexting, or other prohibited collection methods.

5. Categories of Personal Data

Depending on the engagement, processing may involve the following categories of personal data, to the extent relevant and proportionate to the Client's instructions:

  • identity and biographical details;
  • professional and corporate affiliation data;
  • company registry and beneficial ownership information;
  • litigation, insolvency, or regulatory-enforcement information available from lawful sources;
  • adverse media and reputational information;
  • contact details contained in public records or provided by the Client;
  • correspondence and project administration data;
  • technical and access data relating to secure delivery and engagement management.

The OSINT Room does not intentionally seek special-category or highly sensitive personal data unless this is clearly relevant, lawful, and necessary to the documented engagement purpose.

6. Categories of Data Subjects

Depending on the engagement, data subjects may include:

  • client personnel and authorised representatives;
  • prospective counterparties;
  • directors, officers, shareholders, beneficial owners, or affiliates;
  • vendors, intermediaries, or other relevant business contacts;
  • individuals named in public corporate, court, regulatory, or media records;
  • other persons reasonably connected to the agreed subject matter.

7. Documented Instructions

The OSINT Room will process personal data only on the Client's documented instructions, unless otherwise required by applicable Union or Member State law.

The Client is responsible for ensuring that:

  • it has an appropriate legal basis for the processing;
  • its instructions are lawful;
  • the requested scope is necessary and proportionate;
  • the intended use of the deliverables complies with applicable law, regulation, privilege, and internal policy.

If The OSINT Room considers that an instruction infringes applicable data protection law, it will inform the Client and may suspend the relevant processing until the Client confirms or amends the instruction.

8. Confidentiality

The OSINT Room ensures that personnel and contractors authorised to process personal data are subject to appropriate confidentiality obligations and access controls.

Access to engagement data is limited to persons with a legitimate operational need to know.

9. Security Measures

The OSINT Room implements appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.

Such measures may include, as appropriate:

  • access restriction on a need-to-know basis;
  • password protection and account security controls;
  • encrypted transmission or secure file delivery where appropriate;
  • logical separation of client materials;
  • device and account hygiene controls;
  • retention and deletion procedures;
  • incident escalation procedures; and
  • vendor due diligence appropriate to the service used.

No security measure can guarantee absolute security. Measures are applied in light of the nature of the processing and the risks presented.

10. Sub-processors

The OSINT Room may use carefully selected third-party service providers where reasonably necessary for secure hosting, communications, file storage, analytics, or operational support.

Where a service provider processes personal data on behalf of The OSINT Room in connection with a client engagement, The OSINT Room will impose on that provider, by way of a written contract, data protection obligations equivalent to those set out on this page or in the applicable signed DPA.

Where required, current sub-processor information will be made available to the Client in the signed DPA, engagement documentation, or upon written request before or during the engagement.

11. International Transfers

The OSINT Room seeks to process engagement data within the European Economic Area where practicable.

If a transfer of personal data outside the EEA is required in connection with an authorised service provider or engagement workflow, such transfer will be subject to an appropriate GDPR transfer mechanism and documented safeguards where applicable.

Controller-processor contractual clauses under Article 28 GDPR do not by themselves serve as Chapter V transfer safeguards; separate transfer safeguards may be required where relevant.

12. Assistance to the Client

Taking into account the nature of the processing and the information available to it, The OSINT Room will provide reasonable assistance to the Client in relation to:

  • data subject rights requests;
  • personal data breach management and notification support;
  • data protection impact assessment support where relevant;
  • consultations with supervisory authorities where applicable; and
  • compliance information reasonably required to demonstrate Article 28 GDPR compliance.

13. Personal Data Breaches

If The OSINT Room becomes aware of a personal data breach affecting personal data processed on the Client's behalf, it will notify the Client without undue delay and provide available information reasonably necessary to support the Client's assessment and response obligations.

14. Return and Deletion

Upon termination of the relevant processing activities, and subject to the applicable agreement and any legal retention requirement, The OSINT Room will, at the Client's choice where contractually applicable:

  • return the relevant personal data; or
  • securely delete it and delete existing copies,

except to the extent continued retention is required by applicable law or is strictly necessary for the establishment, exercise, or defence of legal claims.

15. Audit and Compliance Information

Upon reasonable written request, and subject to confidentiality, privilege, security, and proportionality limitations, The OSINT Room will make available information reasonably necessary to demonstrate compliance with its processor obligations.

Where appropriate, this may include written responses, policy summaries, or other suitable compliance materials. On-site inspections or more intrusive audit measures should be limited to circumstances where proportionate and contractually agreed.

16. Order of Precedence

If a signed DPA or negotiated client agreement applies to a specific engagement, that signed agreement prevails over this public page to the extent of any inconsistency.

17. Contact

For DPA requests, sub-processor information, or data processing questions relating to client engagements, contact:

legal@theosintroom.com
contact@theosintroom.com

A signed client-specific DPA can be provided where required for onboarding or procurement review.