Data Processing Agreement

Effective Date: January 1, 2026 | Last Updated: April 20, 2026

Preamble

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Tribunal OS ("Processor," "we," "us," or "our") and the entity or individual accessing or using the Tribunal OS platform ("Controller," "you," or "your"). This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Controller's use of the Tribunal OS AI-powered war crimes investigation platform (the "Platform").

This DPA is entered into to ensure compliance with applicable data protection legislation, including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable data protection laws (collectively, "Data Protection Laws").

By using the Platform, the Controller agrees to the terms of this DPA. If the Controller does not agree to this DPA, the Controller must discontinue use of the Platform.

1. Definitions

For the purposes of this DPA, the following definitions apply:

  • "Controller" means the entity or individual that determines the purposes and means of the processing of personal data through the Platform.
  • "Processor" means Tribunal OS, which processes personal data on behalf of the Controller.
  • "Sub-Processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed through the Platform.
  • "Processing" means any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Data Subject" means the identified or identifiable natural person to whom the personal data relates.
  • "Security Incident" means any unauthorized or unlawful access to, acquisition of, use of, or disclosure of personal data that compromises the security, confidentiality, or integrity of such data.
  • "Standard Contractual Clauses" means the contractual clauses adopted by the relevant supervisory authority for the transfer of personal data to processors established outside the jurisdiction of the Controller.

2. Scope and Purpose of Processing

The Processor processes personal data solely for the purpose of providing the Platform services to the Controller. The specific processing activities include:

2.1 Categories of Personal Data

The following categories of personal data may be processed through the Platform:

  • Account authentication data (user identifiers, session tokens)
  • User-submitted evidentiary materials that may contain personal data of data subjects referenced in investigations
  • Witness and survivor testimony content submitted for AI analysis
  • Case management metadata (case titles, descriptions, assigned personnel identifiers)
  • Usage data and platform interaction logs
  • Contact form submissions (name, organizational affiliation, inquiry content)
  • File uploads processed through AI analysis services (documents, images, structured data)

2.2 Categories of Data Subjects

The personal data processed through the Platform may relate to the following categories of data subjects:

  • Authorized users of the Platform (investigators, prosecutors, researchers)
  • Witnesses and survivors referenced in submitted evidentiary materials
  • Individuals identified in uploaded documents, images, or datasets
  • Individuals who submit inquiries through the Platform's contact form

2.3 Nature of Processing

Processing operations performed by the Processor include:

  • Storage of user-submitted data in encrypted cloud databases
  • AI-powered analysis of submitted evidence, testimony, and legal documents
  • Natural language processing for narrative analysis, sentiment extraction, and multilingual transcription
  • Digital forensic analysis including metadata extraction and authenticity verification
  • Temporary storage of files in cloud object storage for processing purposes
  • Generation of analytical reports and case management outputs
  • Authentication and session management

2.4 Duration of Processing

The Processor will process personal data for the duration of the Controller's use of the Platform. Upon termination of the Controller's account, the Processor will delete or return all personal data within thirty (30) days, unless retention is required by applicable law or the Controller provides written instructions to the contrary.

3. Processor Obligations

The Processor agrees to the following obligations:

3.1 Documented Instructions

The Processor will process personal data only on documented instructions from the Controller, including with respect to transfers of personal data, unless required to do so by applicable law. If the Processor is required by applicable law to process personal data other than on the Controller's instructions, the Processor will inform the Controller of that legal requirement before processing, unless prohibited by law from doing so.

3.2 Confidentiality

The Processor will ensure that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation survives the termination of this DPA.

3.3 Security Measures

The Processor implements and maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, including:

  • Encryption: Personal data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
  • Access Controls: Role-based access controls restrict access to personal data to authorized personnel only. Authentication is enforced through OAuth 2.0 protocols.
  • Audit Logging: All access to and processing of personal data is logged with immutable audit trails, including user identity, timestamp, and action performed.
  • Infrastructure Security: The Platform is hosted on cloud infrastructure with SOC 2 Type II certification, with network segmentation, intrusion detection, and regular vulnerability scanning.
  • Data Isolation: Controller data is logically isolated from other Controllers' data within the Platform's multi-tenant architecture.
  • Backup and Recovery: Regular encrypted backups are maintained with tested disaster recovery procedures.
  • Incident Response: A documented incident response plan is maintained and tested at regular intervals.

3.4 Sub-Processing

The Controller provides general authorization for the Processor to engage Sub-Processors for the processing of personal data. The Processor will inform the Controller of any intended changes concerning the addition or replacement of Sub-Processors, giving the Controller the opportunity to object to such changes within fourteen (14) days of notification.

The Processor will impose data protection obligations on any Sub-Processor that are no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-Processor's obligations.

The following Sub-Processors are currently engaged by the Processor:

| Sub-Processor | Purpose | Data Processed |
|---|---|---|
| Cloud Infrastructure Provider | Platform hosting, database services, and compute resources | All categories of personal data processed through the Platform |
| Object Storage Provider | Secure file storage for uploaded evidence and generated reports | User-submitted files and AI-generated outputs |
| AI Model Provider | Natural language processing, analysis, and inference services | Text content submitted for AI analysis (processed transiently) |
| Authentication Provider | User identity verification and session management | Account authentication data |

3.5 Data Subject Rights

The Processor will assist the Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under Data Protection Laws, including the right of access, rectification, erasure, restriction of processing, data portability, and the right to object. The Processor will promptly notify the Controller if it receives a request from a data subject directly and will not respond to such request without the Controller's prior written authorization, unless required by applicable law.

3.6 Security Incident Notification

The Processor will notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident affecting personal data processed under this DPA. The notification will include:

  • A description of the nature of the Security Incident, including the categories and approximate number of data subjects and personal data records concerned
  • The name and contact details of the Processor's point of contact for further information
  • A description of the likely consequences of the Security Incident
  • A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects

3.7 Data Protection Impact Assessments

The Processor will provide reasonable assistance to the Controller in conducting data protection impact assessments and prior consultations with supervisory authorities, where required under Data Protection Laws, taking into account the nature of processing and the information available to the Processor.

4. Controller Obligations

The Controller agrees to the following obligations:

  • The Controller is responsible for ensuring that it has a lawful basis for the processing of personal data through the Platform, including obtaining any necessary consents from data subjects.
  • The Controller will ensure that any personal data submitted to the Platform is accurate, relevant, and limited to what is necessary for the purposes of processing.
  • The Controller will provide documented instructions to the Processor regarding the processing of personal data and will ensure that such instructions comply with applicable Data Protection Laws.
  • The Controller is responsible for implementing appropriate safeguards for any special categories of personal data (sensitive data) submitted to the Platform, including data relating to victims, witnesses, and survivors of armed conflict.
  • The Controller will promptly inform the Processor of any changes to applicable data protection requirements that may affect the Processor's obligations under this DPA.

5. International Data Transfers

Where the processing of personal data involves the transfer of personal data outside the jurisdiction of the Controller, the Processor will ensure that appropriate safeguards are in place in accordance with applicable Data Protection Laws. Such safeguards may include:

  • Standard Contractual Clauses approved by the relevant supervisory authority
  • Binding Corporate Rules where applicable
  • Adequacy decisions by the relevant supervisory authority recognizing the destination jurisdiction as providing an adequate level of data protection
  • Other legally recognized transfer mechanisms under applicable Data Protection Laws

The Processor will inform the Controller of the specific transfer mechanism relied upon for any international transfer of personal data and will provide documentation of such mechanism upon request.

6. Audit Rights

The Processor will make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and applicable Data Protection Laws. The Processor will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

  • The Controller will provide at least thirty (30) days' written notice of any audit request.
  • Audits will be conducted during normal business hours and will not unreasonably interfere with the Processor's operations.
  • The Controller will bear the costs of any audit, unless the audit reveals material non-compliance by the Processor.
  • The Controller's auditor will be bound by confidentiality obligations no less protective than those in this DPA.
  • The Processor may satisfy audit requests by providing relevant third-party audit reports (such as SOC 2 Type II reports) where available.

7. Data Retention and Deletion

Upon termination of the Controller's use of the Platform, or upon the Controller's written request, the Processor will:

  • Delete all personal data processed on behalf of the Controller within thirty (30) days, unless retention is required by applicable law
  • Provide the Controller with a copy of the personal data in a commonly used, machine-readable format upon request, prior to deletion
  • Certify in writing that all personal data has been deleted, including from backup systems, within ninety (90) days of the deletion request
  • Ensure that Sub-Processors delete all copies of personal data in accordance with the same timeline

Where applicable law requires the Processor to retain personal data beyond the Controller's deletion request, the Processor will inform the Controller of the applicable retention requirement and will limit processing of such data to the purposes required by law.

8. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that neither party excludes or limits its liability for damages arising from a breach of this DPA to the extent that such exclusion or limitation is prohibited by applicable Data Protection Laws.

The Processor will indemnify the Controller against any costs, claims, damages, or expenses incurred by the Controller as a result of the Processor's material breach of this DPA or applicable Data Protection Laws, provided that the Controller has complied with its obligations under this DPA and has given the Processor prompt written notice of any claim.

9. Term and Termination

This DPA takes effect upon the Controller's acceptance of the Terms of Service and remains in effect for the duration of the Controller's use of the Platform. The obligations of the Processor under this DPA with respect to the processing of personal data will continue until the Processor has deleted all personal data in accordance with Section 7 of this DPA.

Either party may terminate this DPA by providing written notice to the other party in the event of a material breach that remains uncured for thirty (30) days after written notice of such breach. Termination of this DPA will result in termination of the Controller's access to the Platform.

10. Amendments

The Processor may update this DPA from time to time to reflect changes in processing activities, Sub-Processors, security measures, or applicable Data Protection Laws. Material changes will be communicated to the Controller at least thirty (30) days before they take effect. Continued use of the Platform after the effective date of any amendment constitutes acceptance of the updated DPA. If the Controller does not agree to the amended DPA, the Controller must discontinue use of the Platform.

11. Governing Law

This DPA is governed by and construed in accordance with the laws applicable to the Terms of Service, without regard to conflict of law principles. Any disputes arising under or in connection with this DPA will be resolved in accordance with the dispute resolution provisions of the Terms of Service.

12. Contact Information

For questions, requests, or concerns regarding this Data Processing Agreement or the processing of personal data through the Platform, please contact us through our Contact page.

To exercise data subject rights, request an audit, or report a Security Incident, please submit a detailed inquiry through the Contact page and select "Data Protection" as the inquiry type.