Data Processing Agreement (DPA)
Last updated: July 2025
Effective date: July 2025
This Data Processing Agreement ("DPA") is entered into between Cursed Tools ("Processor," "we," "us," or "our") and the customer using our cybersecurity investigation services ("Controller," "you," or "your"). This DPA governs the processing of personal data contained within security investigation files, event logs, forensic data, and other investigation materials in accordance with applicable data protection laws.
1. Definitions
1.1 Data Protection Laws
- GDPR: General Data Protection Regulation (EU) 2016/679
- Data Protection Laws: GDPR, the California Consumer Privacy Act (CCPA), and other applicable privacy regulations
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data
1.2 Cybersecurity Investigation Terms
- Investigation Data: Security event logs, forensic files, incident response data, and related investigation materials
- Log Files: System-generated records including event logs, syslog files, and other security monitoring data
- Detection Rules: Rules, signatures and analytics applied to security events to identify potential threats
- Incident Data: Information collected during cybersecurity incident response and threat investigation activities
- Forensic Artifacts: Digital evidence collected during security investigations including file system data, network logs, memory dumps, and other digital evidence formats
1.3 Roles and Responsibilities
- Controller: The entity that determines the purposes and means of processing personal data
- Processor: The entity that processes personal data on behalf of the Controller
- Data Subject: The individual whose personal data is being processed
2. Scope and Application
2.1 Scope
This DPA applies to all personal data processed through the Cursed Tools cybersecurity investigation platform, including:
- Investigation Files: log files, forensic artifacts, and incident response data containing personal data
- Security Event Logs: Event logs, syslog entries, and other system-generated logs with personal identifiers
- Digital Forensic Evidence: File system data, network traffic logs, memory dumps, and other forensic artifacts
- Threat Intelligence Data: IOCs (Indicators of Compromise), threat actor information, and security intelligence containing personal data
- Account and Billing Information: User registration, subscription, and payment data
- Platform Usage Data: Service utilization, feature usage, and analytics data
2.2 Services Covered
- Forensic Log Analysis Services: Processing and analysis of various log files for security investigations
- Detection Rule Processing: Application of detection rules and analytics to support detection engineering, threat hunting and incident analysis
- Log File Analysis: Processing of various log formats including syslog, web server logs, and custom log formats
- Digital Forensics Tools: File system analysis, registry examination, and artifact extraction services for various file formats that can generate evidence during a cybersecurity incident
- Threat Detection Services: IOC matching, behavioral analysis, and security event correlation
- Investigation Workflow Management: Case organization, evidence tracking, and collaborative investigation features
- Data Enrichment Services: Event ID lookups, file signature analysis, and threat intelligence correlation
- API Access Services: Programmatic access to analysis capabilities and investigation data
- Account Management and Billing: User authentication, subscription management, and payment processing
3. Data Processing Details
3.1 Categories of Data Subjects
- Platform Users: Security analysts, incident responders, system administrators and investigators, including those who operate the platform through Artificial Intelligence agents acting on their behalf
- Investigation Subjects: Individuals whose personal data appears in uploaded security event logs, forensic files, or investigation materials
- Enterprise Users: Employees, contractors, and authorized personnel of organizational customers
- System or Network Users: End users whose activities are recorded in Windows Event Logs, security logs, network trace logs, packet captures and system monitoring data
- Security Personnel: SOC analysts, threat hunters, and cybersecurity professionals using the platform for investigations
3.2 Categories of Personal Data
- Account and Authentication Data: Names, email addresses, company information, account credentials, API keys
- Billing and Subscription Data: Payment information, billing addresses, subscription details, usage records
- Investigation File Data: Personal data contained within uploaded log files, forensic artifacts, and investigation data including:
- User Identity Information: Usernames, domain names, security identifiers, group memberships
- System Activity Data: Process names, file paths, registry keys, command line arguments, network connections
- Network and Communication Data: IP addresses, MAC addresses, hostnames, email addresses, URLs accessed
- Authentication Events: Login/logout times, authentication methods, failed login attempts, privilege escalations
- File System Data: File names, paths, creation/modification times, file ownership, access permissions
- Technical and Diagnostic Data: Device identifiers, browser information, platform usage logs, performance metrics
- Threat Intelligence Data: IOCs, threat actor information, security intelligence containing personal identifiers
3.3 Purpose of Processing
- Cybersecurity Investigation Services:
- Analyzing security event logs for threat detection and incident response
- Processing forensic files and log data for security investigation
- Applying detection rules and analytics for threat hunting and detection engineering
- Correlating security events across multiple data sources
- Extracting and analyzing digital forensic artifacts
- Threat Detection and Analysis:
- Identifying indicators of compromise (IOCs) and malicious activity
- Behavioral analysis of user and system activities
- Timeline reconstruction for incident investigation
- Attribution analysis and threat intelligence correlation
- Platform Operations:
- User authentication and authorization management
- API access control and usage monitoring
- Service performance optimization and troubleshooting
- Data integrity verification and quality assurance
- Business Operations:
- Payment processing and subscription management
- Customer service and technical support provision
- Usage analytics and service improvement
- Legal and Regulatory Compliance:
- Meeting cybersecurity reporting requirements
- Supporting legal discovery and litigation holds
- Compliance with data protection and privacy regulations
- Law enforcement cooperation where legally required
4. Processor Obligations
4.1 Lawful Processing
We will:
- Process personal data only on documented instructions from you
- Ensure processing is lawful under applicable data protection laws
- Not process personal data for our own purposes
- Promptly inform you if we believe an instruction violates data protection laws
4.2 Data Security
We implement comprehensive technical and organizational measures specifically designed for cybersecurity investigation data protection:
Advanced Technical Measures
End-to-end encryption is enabled for all registered users by default:
- TLS 1.3 encryption for all data in transit
- AES-256-GCM encryption for all files at rest (encryption at rest is the default)
- Envelope encryption with per-user master keys: each master key is derived from the user's credentials using Argon2id with a unique salt and a server pepper
- Just-in-time key derivation: master keys are derived only upon login and are never stored anywhere in the service
- Per-file encryption keys generated uniquely for each file and data point, each encrypted with the user's master key
- Immediate encryption upon receipt of an upload, with volatile memory-only processing so that no plaintext is written to persistent storage
- Private by default for all authenticated users, with optional user-controlled sharing that decrypts data for public access (see Data Visibility and User Responsibility below)
Data Processing Security
- Containerized processing with isolated execution environments
- Volatile memory processing ensuring no plaintext data persists on disk
- Secure memory allocation with automatic clearing after processing
- Process isolation preventing cross-contamination between investigations
- Audit logging of all data access and processing operations
Data Visibility and User Responsibility
- Authenticated users: All data is private and encrypted by default
- User-controlled sharing: Users may choose to share data via unique links, which decrypts the data for public access
- Unauthenticated users: Data uploaded without an account is public and unencrypted by default
- User responsibility: Data controllers are solely responsible for data visibility decisions and any sharing actions
- No platform liability: Cursed Tools is not responsible for accidental disclosure resulting from user sharing decisions
Infrastructure Security
- Multi-layered network security with firewalls, IDS/IPS, and DDoS protection
- Geo-redundant storage with encryption in transit and at rest
- Regular vulnerability scanning and penetration testing
- Security monitoring with 24/7 SOC coverage
- Immutable infrastructure with infrastructure-as-code deployment
Enhanced Organizational Measures
Access Controls and Authentication
- Multi-factor authentication required for all administrative access
- Role-based access control (RBAC) with principle of least privilege
- Just-in-time access for administrative operations
- Session monitoring and automatic timeout policies
- API key management with regular rotation and audit trails
Personnel Security
- Background checks for all personnel with potential data access
- Security awareness training with quarterly updates and testing
- Confidentiality agreements and data protection obligations
- Insider threat monitoring and behavioral analytics
- Incident response training specific to data protection breaches
Operational Security
- Change management with security review for all modifications
- Vendor risk assessment and continuous monitoring
- Data retention policies with automated deletion capabilities
- Business continuity planning with tested disaster recovery procedures
- Compliance monitoring with automated policy enforcement
4.3 Data Minimization and Purpose Limitation
Investigation Data Processing Principles
- Data minimization: We process only personal data necessary for legitimate cybersecurity investigation purposes
- Purpose limitation: Personal data is used solely for security analysis, threat detection, and incident response
- Automated processing: Investigation data is processed through automated analysis engines without human review unless specifically requested
- Selective extraction: Only relevant security events and artifacts are extracted from uploaded files
- Temporal limitation: Processing is limited to the timeframes specified in investigation parameters
User Responsibility for Data Visibility
- Data controllers are solely responsible for determining the visibility and sharing of their investigation data
- Authenticated users have all data private and encrypted by default, with full control over sharing decisions
- Data uploaded by unauthenticated users is public and unencrypted by default
- Deliberate sharing actions by users through unique sharing links decrypt data for public access
- Platform disclaimer: Cursed Tools is not responsible for accidental disclosure resulting from user sharing decisions or data visibility choices made by the data controller
Technical Implementation of Data Minimization
- Automated filtering to exclude irrelevant personal data from analysis results
- Configurable scope allowing customers to limit processing to specific event types, time ranges, or data categories
- Zero-retention processing for temporary analysis where results are immediately provided and processing artifacts are deleted
4.4 Personnel Security and Training
- Confidentiality obligations: All personnel processing personal data are bound by strict confidentiality agreements
- Specialized training: Personnel receive cybersecurity-specific data protection training including GDPR, incident response, and forensic data handling
- Access restrictions: Personal data access is restricted to authorized personnel on a strict need-to-know basis
- Background verification: Enhanced background checks for personnel with potential access to investigation data
4.5 Data Subject Rights
We will assist you in responding to data subject requests while considering the unique challenges of cybersecurity investigation data:
Standard Data Subject Rights
- Access requests: Providing copies of personal data, with consideration for investigation confidentiality and security
- Rectification: Correcting inaccurate personal data where technically feasible in forensic contexts
- Erasure: Secure deletion of personal data when requested, subject to legal retention requirements
- Portability: Exporting personal data in structured formats where technically possible
- Restriction: Limiting processing when requested, with consideration for ongoing security investigations
Special Considerations for Investigation Data
- Forensic integrity: Data subject rights requests are fulfilled in a manner that preserves the forensic integrity of investigation files
- Security implications: Certain rights may be restricted where exercise would compromise ongoing security investigations or threat detection
- Legal obligations: Data retention may be required for legal compliance, regulatory requirements, or law enforcement cooperation
- Technical limitations: Some rights may be technically limited due to the encrypted, forensic nature of investigation data
- Third-party implications: Rights exercises are coordinated to avoid impact on other data subjects or ongoing investigations
Response Procedures
- Request submission: All data subject access requests must be submitted through our official Termly DSAR form at https://app.termly.io/dsar/897e6d64-e080-48b5-8de6-cac3cc129dff
- Identity verification: Enhanced verification procedures for data subject rights requests involving investigation data
- Impact assessment: Evaluation of potential security and legal implications before fulfilling requests
- Coordinated response: Collaboration between legal, security, and technical teams for complex requests
- Documentation: Detailed records of data subject rights exercises and any limitations applied
5. Sub-Processing
5.1 Authorized Sub-Processors
We use the following sub-processors:
| Sub-Processor | Service | Location | Safeguards |
|---|---|---|---|
| Stripe | Payment Processing | Global | PCI DSS compliance |
| Hetzner | Infrastructure Hosting | EU | GDPR compliance |
| Cloudflare | Content Distribution Network | Global | GDPR compliance |
| PostHog | Customer Analytics | EU | GDPR compliance |
| Resend | Communications | EU/US | DPA in place |
| Honeycomb | Infrastructure Observability | EU | GDPR compliance |
| Slack | Customer Feedback Processing | EU/US | GDPR compliance |
5.2 Sub-Processor Changes
- We will inform you of any changes to sub-processors
- You may object to new sub-processors within 30 days
- If objection cannot be resolved, you may terminate the service
5.3 Sub-Processor Obligations
- All sub-processors are bound by data protection obligations equivalent to this DPA
- Sub-processors must implement appropriate security measures
- We remain fully liable for sub-processor performance
6. International Data Transfers
6.1 Transfer Mechanisms
When personal data is transferred outside the EEA, we ensure adequate protection through:
- Adequacy decisions by the European Commission
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Certification schemes where available
- Binding Corporate Rules where applicable
6.2 Supplementary Measures
We implement additional safeguards for international transfers:
- Technical measures: End-to-end encryption, access controls
- Organizational measures: Data processing agreements, audit rights
- Legal measures: Government access provisions, legal remedies
7. Data Retention and Deletion
7.1 Retention Periods
- Account data: Retained while account is active
- Investigation files: Retained for 1 calendar year or until deleted by the customer, whichever comes first
- Billing data: Retained for legal and tax requirements
- Cursed Tools logs and analytics: Retained for operational purposes (anonymized where possible)
7.2 Data Deletion
- Customer-initiated: Immediate deletion upon customer request
- Account termination: All data deleted within 30 days
- Legal compliance: Some data may be retained longer for legal requirements
- Secure deletion: Data is securely deleted from all systems and backups
8. Security Incident Management
8.1 Enhanced Incident Response for Investigation Data
In the event of a personal data breach involving cybersecurity investigation data:
Immediate Response (0-24 hours)
- Automated detection and alerting through security monitoring systems
- Immediate containment of the security incident with isolation procedures
- Preliminary assessment of potential investigation data exposure
- Evidence preservation and forensic data collection
- Incident classification based on investigation data sensitivity
Extended Response (24-72 hours)
- Detailed forensic analysis of the breach impact on investigation files
- Impact assessment specific to log files, forensic data, and digital artifacts
- Investigation data inventory to determine scope of personal data exposure
- Regulatory notification within 72 hours as required by applicable laws
- Customer notification within 72 hours with preliminary assessment
Recovery and Remediation
- Secure data recovery procedures for affected investigation files
- Forensic integrity verification of recovered investigation data
- Additional security controls implementation to prevent recurrence
- Investigation process review and security enhancement measures
8.2 Specialized Breach Notification for Investigation Data
We will provide detailed notification including:
Technical Details
- Nature of the breach and specific investigation data categories affected (logs, forensic artifacts, digital evidence)
- Encryption status and technical controls that remained effective during the incident
- Data exposure timeframe and potential access to investigation files
- Forensic analysis results of the breach impact
Impact Assessment
- Number of investigation files potentially affected
- Categories of personal data within affected investigation materials
- Data subjects potentially impacted based on investigation file analysis
- Consequences assessment specific to cybersecurity investigation contexts
Response and Mitigation
- Immediate measures taken to secure investigation data and prevent further exposure
- Additional security controls implemented for investigation data protection
- Recommendations for customer actions regarding affected investigation files
- Ongoing monitoring and enhanced security measures for investigation data processing
9. Legal Basis and Lawfulness of Processing
9.1 Legal Basis for Investigation Data Processing
Processing of personal data within cybersecurity investigation files is based on the following legal grounds:
Legitimate Interests (Article 6(1)(f) GDPR)
- Cybersecurity protection: Protecting against cyber threats, malicious activity, and security incidents
- Network and information security: Ensuring the security and integrity of information systems
- Incident response: Investigating and responding to security breaches and cyber attacks
- Threat prevention: Preventing fraud, unauthorized access, and malicious activities
Legal Obligation (Article 6(1)(c) GDPR)
- Regulatory compliance: Meeting cybersecurity reporting and notification requirements
- Industry standards: Compliance with sector-specific security regulations and standards
- Law enforcement cooperation: Providing assistance to law enforcement investigations where legally required
Public Interest (Article 6(1)(e) GDPR)
- Public security: Contributing to national and international cybersecurity efforts
- Critical infrastructure protection: Supporting the security of critical infrastructure and essential services
9.2 Special Categories of Personal Data
Where investigation data contains special categories of personal data (Article 9 GDPR):
Processing Conditions
- Substantial public interest (Article 9(2)(g)): Processing for cybersecurity and protection of critical infrastructure
- Archiving purposes (Article 9(2)(j)): Maintaining forensic evidence for security analysis and investigation
- Explicit consent (Article 9(2)(a)): Consent given through use of the platform in accordance with its Terms of Service, or obtained from data subjects for specific processing activities
Additional Safeguards
- Data minimization: Processing limited to what is strictly necessary for cybersecurity purposes
- Purpose limitation: Use restricted to legitimate cybersecurity investigation activities
- Enhanced security: Additional technical and organizational measures for special category data
9.3 Balancing Test and Legitimate Interests Assessment
We conduct regular balancing tests considering:
Legitimate Interests
- Fundamental importance of cybersecurity and threat protection
- Public benefit of improved security and threat intelligence
- Customer expectations for comprehensive security analysis services
Data Subject Interests
- Nature of personal data and potential sensitivity
- Reasonable expectations regarding cybersecurity processing
- Available safeguards and data protection measures
Balancing Outcome
- Proportionality: Processing is proportionate to the cybersecurity objectives
- Necessity: Processing is necessary and cannot be achieved through less intrusive means
- Safeguards: Comprehensive technical and organizational measures protect data subject rights
10. Audits and Compliance
10.1 Audit Rights
You have the right to:
- Audit our compliance with this DPA (with reasonable notice)
- Request information about our data protection practices
- Review security measures and certifications (within reason, and without causing harm to, disruption of, or interference with the service in any way)
- Engage third-party auditors (at your expense)
11. Liability and Indemnification
11.1 Liability Allocation
- Controller liability: For lawfulness of processing instructions and data subject communications
- Processor liability: For unauthorized processing or failure to implement security measures
- Joint liability: Where both parties contribute to damage
11.2 Limitation of Liability
Our liability is limited as set forth in our Terms of Service, except where:
- Liability cannot be limited under applicable law
- Damage results from intentional or grossly negligent acts
- Data protection violations result from our non-compliance
12. Term and Termination
12.1 Term
This DPA:
- Takes effect when you first use our services
- Remains in effect for the duration of our service agreement
- Survives termination for data retention and deletion obligations
12.2 Termination Effects
Upon termination:
- Processing stops except for data retention requirements
- Data is returned or deleted as instructed
- Sub-processor agreements are terminated where applicable
- Audit rights continue for a reasonable period
13. Governing Law and Disputes
13.1 Governing Law
This DPA is governed by:
- EU law for EU customers
- Local data protection law where applicable
- Service agreement law for other provisions
13.2 Dispute Resolution
Disputes will be resolved through:
- Good faith negotiations as the preferred method
- Supervisory authority involvement for data protection issues
- Arbitration or court proceedings as specified in the service agreement
14. Contact Information
14.1 Data Protection Contacts
- General inquiries: [email protected]
- Data protection officer: Available upon request for EU customers
- Security incidents: [email protected] (subject: "Security Incident")
14.2 Supervisory Authority
EU customers may contact their local supervisory authority regarding data protection matters.
15. Amendments and Updates
This DPA may be updated to:
- Reflect changes in data protection law
- Address new processing activities
- Improve security measures
- Respond to supervisory authority guidance
We will provide reasonable notice of material changes to this DPA.
Technical Specifications: End-to-End Encryption for Investigation Data
Advanced Encryption Architecture
All investigation data is protected through an end-to-end encryption architecture specifically designed for cybersecurity forensic data:
- AES-256-GCM encryption for all files at rest (encryption at rest is the default)
- TLS 1.3 encryption for all data transmission with perfect forward secrecy
- Immediate encryption on upload, with volatile memory-only processing
- Per-file encryption keys generated uniquely for each file and data point
- Envelope encryption: per-file keys are encrypted with the user's master key, ensuring data isolation between users
- Master key derivation using Argon2id with a unique salt and a server pepper
- Just-in-time key derivation: master keys are derived only upon login and are never stored
User-Controlled Data Visibility
- Authenticated users: All data is private and encrypted by default
- User-controlled sharing: Users may choose to share data via unique links, which decrypts the data for public access
- Unauthenticated users: Data uploaded without an account is public and unencrypted by default
- User responsibility: Data controllers are solely responsible for data visibility decisions and any sharing actions
Standard Contractual Clauses (SCC)
For data transfers outside the EEA, Cursed Tools incorporates the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as a transfer mechanism. By executing this DPA, the parties are deemed to have executed Modules 2 & 3 of the SCCs, including Annexes I–III as follows:
- Annex I (A–C): Parties, description of transfer, and competent supervisory authority
- Annex II: Technical and Organisational Measures (see section above)
- Annex III: Authorised subprocessors (see Subprocessor Disclosure table)
Copies of executed SCCs are available on request.
By using our services, you acknowledge that you have read and agree to the terms of this Data Processing Agreement.