Data Protection and Information Security FAQs


Version: 1.0

Last Updated: February 25th, 2025


Who Are DarkInvader?

DarkInvader specialises in providing External Attack Surface Management (EASM) services to organisations. EASM involves the identification, analysis, and management of external attack surfaces—components of an organisation’s infrastructure that are accessible from outside the network, such as internet-facing systems.

Leveraging a combination of custom-built and industry-standard tools, alongside the expertise of seasoned researchers, DarkInvader uncovers threats that could potentially disrupt business operations. Our comprehensive services include monitoring both the surface web and the dark web to identify vulnerabilities and detect publicly exposed company-related information that could be exploited by attackers.

During the course of these assessments, highly sensitive personal data may occasionally be identified. When this occurs, the findings are promptly reported to the client, who retains responsibility for determining the appropriate course of action.


Is DarkInvader a Data Controller or a Data Processor?

A data controller is an organisation that determines the purposes for which personal data is processed, as well as the means of that processing. In contrast, a data processor is an organisation that processes personal data on behalf of, and under the instructions of, a data controller.

When providing External Attack Surface Management (EASM) services, DarkInvader typically acts as a data processor, operating under the instructions of its customers to identify threats and vulnerabilities within an organisation’s public-facing assets.

However, part of DarkInvader’s service involves the use of open-source intelligence (OSINT) gathering tools, which index publicly available data in a manner similar to search engines like Google. DarkInvader employs a combination of open-source tools, off-the-shelf (OTS) third-party solutions, and its own proprietary tools. In cases where DarkInvader collects and indexes publicly available personal data using its proprietary tools, it acts as the data controller for that data, as it determines the purposes and means of processing.


What Personal Data Does DarkInvader Process?

DarkInvader processes personal data related to individuals connected with its clients, as discovered on the surface, deep, and dark web. It is difficult to determine in advance what personal data may be found.

Organisations provide us with their domains and optionally their VIPs. DarkInvader scans for public-facing assets, threat intelligence, and vulnerabilities related to the domains and VIPs.

When monitoring for references to our clients or their personnel, our searches include (but are not limited to):

  • Network details (IP addresses, subdomains, APIs, web applications, exposed cloud infrastructure)
  • Leaked credentials (usernames, passwords, multi-factor authentication (MFA) tokens)
  • Mentions on dark web sites (forums, marketplaces, ransomware group leaks, Telegram channels)
  • Stealer logs containing employee references (credentials, session cookies, browser-stored passwords)
  • General OSINT data (work email addresses, social media profiles, phone numbers, leaked documents)
  • Threat actor discussions (chatter about specific employees, executives, or planned attacks)
  • Data leaks (internal files, customer databases, source code repositories, intellectual property)
  • Exposed sensitive infrastructure (open ports, misconfigured servers, publicly accessible admin panels)
  • Malware infections (stolen credentials, compromised devices, keylogging activity linked to employees)
  • Phishing kits and impersonation attempts (fake login pages, cloned company domains, fraud campaigns)

We cannot determine the precise nature of personal data we will find until it is encountered. However, typical data may include:

  • Names
  • Work email addresses
  • Leaked credentials from personal data breaches
  • Usernames
  • Signatures
  • Addresses
  • Dates of birth
  • Phone numbers
  • Financial data (bank details, cryptocurrency wallet addresses if linked to an organisation)

What Are Your Legal Obligations as a Data Controller When Using the EASM Service?

As a data controller, you are ultimately responsible for ensuring the lawful processing of personal data in accordance with UK data protection law, including the UK GDPR and the Data Protection Act 2018.

To support your compliance, we have engaged a data protection specialist to help ensure our services meet legal requirements. Below is a summary of your key obligations:

  • Purpose of Processing:
    The primary purpose of processing is to identify threats and vulnerabilities within public-facing assets, helping to protect against external risks such as phishing, blackmail, extortion, and fraud.

  • Lawful Basis for Processing:
    The most appropriate lawful basis for this type of processing is likely legitimate interests under Article 6(1)(f) of the UK GDPR. To support this, we provide a Legitimate Interest Assessment (LIA) to help you evaluate and balance your organisation’s interests against the rights and freedoms of data subjects.

  • Right to Be Informed:
    As the data controller, you are responsible for informing data subjects about how and why their personal data is processed, in accordance with the transparency requirements of Articles 12–14 of the UK GDPR. To assist with this, we have prepared a privacy notice compliant with Article 13, which you can share with relevant data subjects.

  • Data Processing Agreement (DPA):
    The relationship between DarkInvader (as the data processor) and your organisation (as the data controller) must be governed by a legally binding Data Processing Agreement (DPA), as required under Article 28 of the UK GDPR.
    Our data processing terms are incorporated into our standard terms of service. Additionally, you must provide clear, written instructions specifying the scope and nature of the processing activities to be carried out on your behalf.


Do We Need to Enter Into a Data Processing Agreement with DarkInvader?

Yes.

Since DarkInvader acts as a data processor under the instructions of its customers (the data controllers), UK data protection law requires that a Data Processing Agreement (DPA) is in place. This is a legal obligation under Article 28 of the UK GDPR.

The DPA clearly defines the roles and responsibilities of both parties, outlining how personal data will be processed, protected, and managed. Failure to have a compliant DPA in place may result in both parties breaching data protection laws, potentially leading to regulatory penalties.

All contracts for our services are governed by DarkInvader’s Data Processing Agreement, which can be accessed here:
🔗 DarkInvader Data Processing Agreement

For any questions or further information, please contact us at: 📧 [email protected]


What Security Measures Have DarkInvader Implemented?

Protecting personal data is a top priority for DarkInvader. As data processors, we are committed to safeguarding personal data against unauthorised access, loss, destruction, or unlawful processing.

We have implemented the following Technical and Organisational Measures (TOMs) to ensure robust data protection:

Technical Security Measures:

  • Access Controls: Role-based access controls (RBAC) with the principle of least privilege to restrict data access to authorised personnel only. Multi-factor authentication (MFA) is enforced for critical systems.
  • Encryption: Strong encryption protocols are used for data at rest and in transit (e.g., AES-256, TLS 1.2/1.3) to ensure data confidentiality and integrity.
  • Firewalls: Advanced firewalls and intrusion detection/prevention systems (IDS/IPS) are in place to monitor and protect against unauthorised network access.
  • Vulnerability Management: Regular vulnerability scanning, patch management, and penetration testing to identify and remediate security weaknesses.
  • Audit Logging and Monitoring: Continuous monitoring with comprehensive audit logs to detect, investigate, and respond to security incidents in real time.
  • Secure Development Practices: Implementation of secure coding practices, regular code reviews, and application security testing (e.g., static and dynamic analysis).

Organisational Security Measures:

  • Staff Security Awareness Training: All employees receive regular security awareness training, including data protection principles, phishing prevention, and incident response procedures.
  • Data Protection Policies: Comprehensive data protection and security policies are in place, regularly reviewed, and communicated to all staff.
  • Incident Response Plan: A defined incident response plan to detect, respond to, and recover from security breaches, with regular drills and updates.
  • Third-Party Risk Management: Security assessments and due diligence processes for third-party vendors to ensure they meet our data protection standards.

For more details on our security measures and processes, please contact us at: 📧 [email protected]


Who Does DarkInvader Share Personal Data With?

To deliver our services effectively, DarkInvader works with a carefully selected group of third-party providers. We ensure that all data sharing is carried out in compliance with UK data protection laws, including the UK GDPR.

Hosting and Infrastructure Providers:

Our servers are hosted by Amazon Web Services (AWS), with data securely stored in data centres located in the UK and Ireland. AWS implements robust security measures to protect the data we process.

Open-Source Intelligence (OSINT) Providers:

To support data discovery, we engage with four dark web crawlers. These organisations operate as independent data controllers, indexing publicly available information in a manner similar to search engines like Google. The crawlers we currently use are:

  • Intelligence X – Based in Prague, Czech Republic (data storage location unknown).
  • Onion Search – Location undisclosed.
  • Torch – Location undisclosed.
  • Ahmia – Location undisclosed.

As these crawlers operate independently, DarkInvader does not control how they process or store the data they collect.

International Data Transfers:

Where personal data is transferred outside the UK, we ensure that all international transfers comply with Chapter V of the UK GDPR. This includes the implementation of appropriate safeguards, such as:

  • Adequacy Regulations: Where the destination country has been deemed to provide an adequate level of data protection.
  • Binding Corporate Rules (BCRs): For intra-group transfers within multinational organisations.
  • International Data Transfer Agreements (IDTAs): Specific to UK data transfers.
  • EU Standard Contractual Clauses (SCCs): Where applicable for transfers to third countries.

Additional Safeguards:

Where required, we implement supplementary security measures, such as:

  • Data encryption
  • Pseudonymisation
  • Strict access controls

For more information about how we share and protect personal data, please contact us at: 📧 [email protected]


Next Steps

If you have any questions regarding our data protection practices, please get in touch with us at: 📧 [email protected]


Contact Information

DarkInvader (13636918), Calls Wharf, 2 The Calls, Leeds, LS2 7JU
[email protected]    [email protected]