This Data Processing Agreement (“Agreement”) governs the processing of personal data carried out by Datintel, S.L., operating under the commercial name Golden Owl® (hereinafter, the “PROCESSOR”), on behalf of and under the documented instructions of the client (hereinafter, the “CONTROLLER”), in connection with the use of Golden Owl® platforms, infrastructure, technologies, systems, operational environments, or associated functionalities.
This Agreement supplements and forms an integral part of the applicable Terms of Use, Privacy Policy, General Terms & Conditions of Contract, commercial agreements, subscription frameworks, or other contractual documentation governing the relationship between the parties. In the event of contradiction, the specific written agreement executed between the parties shall prevail.
On one side:
Datintel, S.L. (Golden Owl®)
Alicante Science Park, West Campus of the University of Alicante
03005 Alicante, Spain
NIF: B56582307
Email: info@goldenowl.ai
Hereinafter, the “PROCESSOR”.
On the other side:
The client, entity, organization, institution, or authorized user contracting or accessing Golden Owl® services or infrastructure and acting as data controller under applicable data protection legislation.
Hereinafter, the “CONTROLLER”.
The purpose of this Agreement is to regulate the processing of personal data carried out by the PROCESSOR on behalf of the CONTROLLER in accordance with Regulation (EU) 2016/679 (“GDPR”), Organic Law 3/2018 (“LOPDGDD”), and any other applicable data protection legislation.
The PROCESSOR provides technological, analytical, intelligence, operational, infrastructure, AI-assisted, monitoring, and data processing capabilities which may involve access to, consultation of, structuring of, correlation of, visualization of, or temporary processing of personal data under the responsibility and documented instructions of the CONTROLLER.
The PROCESSOR does not determine the purposes of the processing carried out by the CONTROLLER and does not independently decide what information the CONTROLLER searches for, accesses, analyzes, or processes through Golden Owl® systems.
The PROCESSOR may process personal data exclusively for the purposes necessary to enable the operation, provision, security, maintenance, support, monitoring, analysis, deployment, compliance, or lawful functioning of the contracted platforms, systems, or operational environments.
Depending on the nature of the services, processing operations may include:
collection
consultation
structuring
indexing
organization
correlation
visualization
temporary storage
transmission
extraction
comparison
analysis
secure deletion
restricted retention where legally required
Processing activities shall be limited to what is necessary, proportionate, and operationally justified in accordance with the applicable contractual framework and documented instructions of the CONTROLLER.
Golden Owl® primarily facilitates access to publicly available, lawfully accessible, licensed, client-provided, or externally sourced information. The PROCESSOR does not claim ownership over such external data sources and cannot modify or delete information hosted in third-party systems outside its control.
Unless expressly agreed otherwise in writing, Golden Owl® does not use client data, uploaded information, intelligence outputs, or processing activities for its own independent commercial purposes or for training public artificial intelligence models.
Depending on the operational use case, the PROCESSOR may process categories of personal data relating to:
employees
contractors
collaborators
suppliers
contact persons
legal representatives
customers
publicly identifiable individuals
third parties lawfully included within the CONTROLLER’s operational scope
Categories of data may include:
identification data
professional data
commercial information
corporate affiliations
publicly available online identifiers
communication metadata
economic or transactional information
publicly accessible digital activity
other categories lawfully processed under the responsibility of the CONTROLLER
Special categories of personal data shall only be processed where strictly necessary, lawfully authorized, and supported by an appropriate legal basis under applicable law.
This Agreement shall remain in force for as long as the PROCESSOR provides services, infrastructure, systems, or processing activities on behalf of the CONTROLLER.
Termination of the contractual relationship shall terminate this Agreement, without prejudice to any legal obligations that must survive termination.
Upon termination, expiration, suspension, or completion of the applicable contractual relationship, and subject to applicable legal, regulatory, cybersecurity, audit, backup, fraud-prevention, evidentiary, compliance, business continuity, or information security obligations, the PROCESSOR shall, upon the CONTROLLER’s documented request and where technically and operationally feasible:
Notwithstanding the foregoing, the PROCESSOR may retain strictly limited data, logs, backups, security records, audit trails, evidentiary records, or other information where such retention is required or justified under applicable law, regulatory obligations, cybersecurity obligations, dispute resolution requirements, fraud prevention, incident investigation, contractual defense, business continuity measures, or compliance with applicable security and governance frameworks, including but not limited to GDPR, ISO 27001, ENS, or equivalent standards.
Any retained data shall remain subject to the confidentiality, security, access control, and data protection obligations established in this Agreement and applicable law, and shall not be processed for purposes incompatible with the original processing purpose or beyond what is strictly necessary for the lawful retention basis.
The PROCESSOR undertakes to:
process personal data solely in accordance with documented instructions from the CONTROLLER, unless otherwise required by applicable law;
implement appropriate technical and organizational security measures in accordance with Article 32 GDPR;
apply security, confidentiality, governance, access-control, monitoring, and operational resilience measures aligned with recognized industry standards and risk-based practices;
ensure that personnel authorized to process data are bound by confidentiality obligations;
restrict access to personal data to authorized individuals with legitimate operational need;
maintain appropriate records of processing activities where legally required;
notify the CONTROLLER without undue delay of personal data breaches affecting data processed under this Agreement where legally required;
reasonably assist the CONTROLLER in fulfilling its GDPR obligations where applicable and proportionate;
implement measures designed to ensure confidentiality, integrity, availability, resilience, traceability, and restoration capacity of systems and services;
maintain periodic verification, assessment, and evaluation procedures relating to security controls and operational safeguards;
apply authentication, access management, monitoring, logging, segmentation, encryption, or equivalent security mechanisms where appropriate to the risk profile of the services.
The PROCESSOR may implement additional operational, security, fraud prevention, cybersecurity, monitoring, or compliance measures where reasonably necessary to protect systems, infrastructure, clients, users, or legal obligations.
The CONTROLLER represents and warrants that:
it has an appropriate legal basis for the processing activities it carries out through Golden Owl®;
it complies with GDPR, LOPDGDD, AI-related obligations where applicable, and other relevant legislation;
it is responsible for defining the purposes and lawful basis of processing;
it has fulfilled any required transparency, information, consent, impact assessment, proportionality, or legitimate interest obligations;
it shall only process personal data lawfully and proportionately;
it shall not use Golden Owl® systems for unlawful, discriminatory, abusive, unethical, or rights-infringing purposes;
it shall provide accurate instructions and lawful data access authorization;
it remains solely responsible for decisions, actions, investigations, profiling, or measures adopted on the basis of outputs obtained through Golden Owl® systems.
The CONTROLLER acknowledges that Golden Owl® acts primarily as a technological and operational processor under client instruction and does not independently validate the legitimacy of each individual search, investigation, query, or analytical purpose conducted by the CONTROLLER.
The CONTROLLER authorizes the PROCESSOR to engage subprocessors, infrastructure providers, cloud providers, technical service providers, cybersecurity providers, hosting providers, support providers, analytics providers, auditors, or other auxiliary service providers necessary for the lawful and secure operation of its systems and services.
The PROCESSOR shall ensure that subprocessors are subject to appropriate contractual obligations regarding confidentiality, security, data protection, and lawful processing consistent with applicable legislation.
A current list or categories of subprocessors may be made available upon reasonable request where applicable.
Where international data transfers occur, the PROCESSOR shall implement appropriate safeguards in accordance with Chapter V GDPR, including adequacy decisions, Standard Contractual Clauses, supplementary measures, or other lawful transfer mechanisms where required.
The CONTROLLER acknowledges that certain infrastructure, cloud, cybersecurity, communications, or support providers may operate internationally.
Golden Owl® applies operational, organizational, and technical security measures designed according to risk-based security principles and aligned, where applicable, with recognized standards, governance frameworks, certifications, or regulatory schemes such as:
GDPR
LOPDGDD
ISO 27001
ENS
cybersecurity best practices
access-control and authentication standards
logging and monitoring procedures
incident response mechanisms
business continuity and resilience measures
References to such frameworks do not constitute a guarantee of uninterrupted security, universal applicability, or certification coverage for every specific service, feature, deployment, or operational environment unless expressly agreed in writing.
The parties undertake to maintain strict confidentiality regarding any non-public information, personal data, technical information, security information, operational details, intelligence outputs, methodologies, credentials, reports, documentation, or materials accessed in connection with this Agreement.
The confidentiality obligations shall remain in force during the contractual relationship and after its termination for as long as the information retains confidential nature under applicable law.
The PROCESSOR shall not disclose confidential information to third parties except:
where authorized by the CONTROLLER;
where necessary for lawful subprocessing;
where legally required;
or where necessary to protect legal rights, security, infrastructure integrity, or compliance obligations.
Each party shall be liable for damages resulting from its own negligent, unlawful, or wrongful conduct in breach of applicable law or this Agreement.
The PROCESSOR shall not be liable for:
the legality of the CONTROLLER’s processing purposes;
decisions made by the CONTROLLER;
unlawful instructions issued by the CONTROLLER;
misuse of information by the CONTROLLER;
external source inaccuracies;
third-party system failures outside its reasonable control;
force majeure events;
indirect or consequential damages unless required by mandatory law.
Nothing in this Agreement excludes liability where exclusion is prohibited under applicable law.
The parties act as independent entities. Nothing in this Agreement creates any employment relationship, partnership, agency, joint venture, or representation relationship between the parties.
If any provision of this Agreement is held invalid, illegal, or unenforceable, the remaining provisions shall remain valid and enforceable to the fullest extent permitted by law.
This Agreement shall be governed by the laws of the Kingdom of Spain.
Any dispute arising from this Agreement shall be subject to the jurisdiction provisions established in the applicable General Terms & Conditions or specific contractual agreement between the parties.
Date of Last Modification: May 2026