DARKALITICS

Data Processing Agreement (DPA)

Last updated: 2026-06-08

This Data Processing Agreement (the "DPA") forms part of the Terms of Service and applies to customers processing personal data subject to GDPR (or equivalent regulations).

1. Roles

For personal data you upload to the Service (including data of your team, contracted models, monitored competitors), you are the Data Controller and Darkalitics acts as the Data Processor.

2. Subject Matter & Duration

  • Subject matter: provision of the OFM agency intelligence Service.
  • Duration: while your Service subscription is active.
  • Nature & purpose: storage, analytical processing, visualisation, alerting and reporting.

3. Categories of Personal Data

  • Account data (emails, names, hashed passwords)
  • Public social media data (IG handles, public metrics)
  • Aggregated OnlyFans metrics (no individual subscriber data)
  • Anonymised click metrics (countries, devices, no IPs)

4. Categories of Data Subjects

  • Members of your team (owners, account managers, analysts)
  • Contracted models (adult public, 18+)
  • Monitored competitors (public profiles)

5. Processor Obligations (Darkalitics)

  • Process data only on your documented instructions.
  • Ensure confidentiality of personnel with data access.
  • Implement appropriate technical and organisational measures (see section 7).
  • Assist you with data-subject requests under GDPR.
  • Notify security incidents without undue delay (target: 72 hours).
  • Return or delete your data upon contract termination.

6. Sub-processors

You authorise the following sub-processors:

  • Supabase Inc. (DB hosting) — United States / EU
  • Vercel Inc. (app hosting) — Global
  • Stripe Inc. (payment processing) — United States / Ireland
  • Resend Inc. (email delivery) — United States
  • Anthropic PBC (Claude API for AI) — United States
  • HikerAPI (Instagram public scraping) — EU
  • Infloww (OnlyFans analytics, optional) — EU
  • GetMySocial (link shortener, optional) — Global

We will notify by email at least 30 days in advance of any change or addition to this list, giving you the opportunity to object (in which case you may terminate your subscription with a pro-rata refund).

7. Technical and Organisational Measures

  • TLS 1.3 in transit; AES-256 at rest.
  • Multi-tenant Row-Level Security in PostgreSQL.
  • Bcrypt for password hashing.
  • Mandatory 2FA for administrative access.
  • Centralised logging and 24/7 anomaly monitoring.
  • Daily backups with 30-day retention.
  • Periodic disaster recovery testing.
  • Least-privilege policy and quarterly access review.

8. International Transfers

For EU transfers to countries without adequacy decision we rely on Standard Contractual Clauses (SCC) approved by the European Commission (2021/914/EU), supplemented with transfer impact assessments (TIA) as necessary.

9. Audits

Once per year you may request compliance reports (security policies, sub-processor certifications). On-site audits require prior agreement, 60-day notice and are at your cost, subject to confidentiality.

10. Termination

Upon termination you may request export of your data in JSON format within 30 days. After that period, data is irreversibly deleted (except for records with legal retention obligation).

11. Acceptance

By using the Service you accept this DPA in your capacity as Data Controller. If you need a signed version for your legal department, email privacy@darkalitics.com.

12. DPO Contact

Email: privacy@darkalitics.com

See also:
Terms of ServicePrivacyRefundsDPAPricing