Data Processing Agreement
This Data Processing Agreement ("DPA") governs the processing of personal data by Tribunal OS on behalf of institutional customers.
Version 2.0 | Effective: January 1, 2026
This Data Processing Agreement is entered into between:
Your Organization
The entity that has entered into a Service Agreement with Tribunal OS and determines the purposes and means of processing personal data.
Tribunal OS
International Justice Technology Foundation, operating as Tribunal OS, processing personal data on behalf of the Controller.
Scope of Processing
Details of the personal data processing activities covered by this DPA.
Subject Matter
The provision of AI-powered war crimes investigation services, including evidence analysis, case management, and legal research tools as described in the Service Agreement.
Duration
Processing will continue for the duration of the Service Agreement plus any retention period required by law or agreed upon for data return/deletion.
Nature and Purpose
Processing includes storage, analysis, and presentation of case-related data; AI-powered evidence authentication and analysis; user account management; and audit trail maintenance.
Categories of Data Subjects
- Controller's employees and authorized users
- Individuals referenced in case files (victims, witnesses, suspects)
- Third parties mentioned in uploaded evidence
Types of Personal Data
- User account information (name, email, credentials)
- Case data as uploaded by Controller
- Evidence files and associated metadata
- Usage logs and audit trails
Special Categories of Data
The Services may involve processing of special category data including information revealing racial or ethnic origin, political opinions, religious beliefs, health data, and data concerning criminal convictions. Enhanced protections apply to such data.
Processor Obligations
As Data Processor, Tribunal OS commits to the following obligations under GDPR Article 28.
Documented Instructions
Process personal data only on documented instructions from the Controller
Confidentiality
Ensure persons authorized to process data are bound by confidentiality
Security Measures
Implement appropriate technical and organizational security measures
Sub-processor Management
Engage sub-processors only with prior authorization and equivalent obligations
Data Subject Rights
Assist Controller in responding to data subject requests
Breach Notification
Notify Controller of personal data breaches without undue delay
Technical & Organizational Measures
Security measures implemented to protect personal data (GDPR Article 32).
- ISO 27001 certified data centers
- 24/7 security personnel and monitoring
- Biometric access controls
- Environmental controls (fire, flood, power)
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Multi-factor authentication
- Intrusion detection and prevention
- Background checks for personnel
- Regular security training
- Access control policies
- Incident response procedures
- Regular vulnerability assessments
- Penetration testing (annual)
- Security audit logging
- Business continuity planning
Authorized Sub-processors
The following sub-processors are authorized to process personal data on our behalf.
| Sub-processor | Location | Purpose |
|---|---|---|
| Amazon Web Services (AWS) | Secured Data Centers | Cloud infrastructure and hosting |
| Cloudflare | Secured Data Centers | CDN and DDoS protection |
| Stripe | Secured Data Centers | Payment processing |
| SendGrid | Secured Data Centers | Transactional email delivery |
| Sentry | Secured Data Centers | Error monitoring and diagnostics |
Controller will be notified of any changes to sub-processors with 30 days' advance notice.
International Data Transfers
Safeguards for international transfers of personal data.
Where personal data is transferred internationally, Tribunal OS ensures appropriate safeguards are in place in accordance with applicable data protection regulations:
- Standard Contractual Clauses (SCCs): We use approved SCCs for international transfers without an adequacy decision.
- Data Privacy Framework: For transfers to certified organizations.
- Supplementary Measures: Additional technical and organizational measures are implemented where required by the Schrems II decision.
- Transfer Impact Assessments: We conduct and document TIAs for all international transfers.
Upon request, Controller may obtain copies of the relevant transfer mechanisms and supplementary measures documentation.
Additional Terms
Questions About This DPA?
Contact our Data Protection Officer for any questions regarding this agreement.