Records of Processing Activities

Purpose of Processing

Create and maintain user accounts for platform access, authentication and role-based access control.

Legal Basis

Art. 6(1)(b) — Performance of a contract

Data Subjects

Registered users (journalists, editors, administrators)

Categories of Data

• Name, email address
• Hashed password (bcrypt)
• Organisation membership & role
• Account status & lockout metadata
• Session tokens (JWT, 8-hour expiry)

Recipients

• Internal platform services
• Abacus AI (hosting provider)

Retention Period

Duration of account + 30 days post-deletion (anonymisation)

Purpose of Processing

Store and manage investigative topics, AI-generated research summaries, timelines, entity graphs and evidence chains.

Legal Basis

Art. 6(1)(b) — Performance of a contract; Art. 6(1)(f) — Legitimate interest (journalism)

Data Subjects

Subjects of investigation, sources, registered users

Categories of Data

• Topic titles, descriptions, tags, country
• Research summaries & source URLs
• Timeline events & entity relationships
• Risk assessments & safety metadata
• Leads and investigation tasks

Recipients

• Organisation members with topic access
• Abacus AI LLM API (research generation)

Retention Period

Active: for duration of investigation. Archived: retained per evidence-retention policy (configurable, default 7 years)

Purpose of Processing

Upload, store, scan and manage investigative documents. Includes malware scanning via VirusTotal.

Legal Basis

Art. 6(1)(b) — Performance of a contract; Art. 6(1)(f) — Legitimate interest

Data Subjects

Document subjects, uploading users

Categories of Data

• Document files (PDF, DOCX, images, etc.)
• File metadata (name, size, type, upload date)
• VirusTotal scan results (scan status, detections, threat labels)
• Cloud storage paths

Recipients

• Cloud storage (AWS S3)
• VirusTotal (file hash & URL scanning)
• Organisation members with access

Retention Period

Duration of investigation + evidence retention period

Purpose of Processing

Generate research summaries, investigation scripts, deepfake analysis and country-risk reports using large language models.

Legal Basis

Art. 6(1)(b) — Performance of a contract

Data Subjects

Subjects referenced in prompts and generated content

Categories of Data

• Prompts containing investigation context
• Generated scripts, summaries, and analysis
• AI usage records (model, tokens, cost, timestamps)
• Deepfake analysis results

Recipients

• Abacus AI LLM API

Retention Period

Generated content: duration of parent topic. Usage records: 2 years

Purpose of Processing

Record all significant platform actions for security monitoring, incident investigation and compliance evidence.

Legal Basis

Art. 6(1)(c) — Legal obligation; Art. 6(1)(f) — Legitimate interest (security)

Data Subjects

All platform users

Categories of Data

• User ID, action type, resource type & ID
• IP address, user agent
• Timestamps
• Request metadata (method, path, status)

Recipients

• System administrators
• Automated security monitoring daemons

Retention Period

Audit logs: minimum 1 year, maximum 7 years (configurable)

Purpose of Processing

Receive and manage contact form submissions, anonymous tips, and source communications.

Legal Basis

Art. 6(1)(a) — Consent; Art. 6(1)(f) — Legitimate interest (journalism)

Data Subjects

Tipsters, sources, general enquirers

Categories of Data

• Name, email (optional for anonymous tips)
• Message content
• Tip metadata (urgency, category, evidence attachments)
• Reply threads

Recipients

• Assigned journalists/investigators
• Organisation administrators

Retention Period

Tips: duration of investigation + 1 year. Contacts: 2 years

Purpose of Processing

Draft, track and manage Freedom of Information requests to public authorities.

Legal Basis

Art. 6(1)(f) — Legitimate interest (journalism, public accountability)

Data Subjects

Public authority contacts, requesting journalists

Categories of Data

• Authority name & contact details
• Request text & legal basis
• Response tracking (status, deadlines)
• Internal notes

Recipients

• Target public authorities
• Organisation members

Retention Period

Active: duration of request cycle. Closed: 5 years

Purpose of Processing

Automated health monitoring, security scanning, vulnerability assessment and incident alerting.

Legal Basis

Art. 6(1)(f) — Legitimate interest (IT security)

Data Subjects

Platform infrastructure (no personal data directly)

Categories of Data

• Health check results
• Security header configurations
• SSL certificate status
• Dependency vulnerability reports
• Bug reports from beta testers

Recipients

• System administrators ([email protected])
• Automated daemon processes

Retention Period

Monitoring logs: 90 days. Vulnerability reports: 1 year

Purpose of Processing

Manage user authentication sessions and cookie consent preferences.

Legal Basis

Art. 6(1)(b) — Contract (essential cookies); Art. 6(1)(a) — Consent (optional cookies)

Data Subjects

All website visitors and registered users

Categories of Data

• Session tokens (NextAuth JWT)
• Cookie consent preferences (essential, analytics, marketing)
• Local storage consent timestamps

Recipients

• Browser (client-side storage)

Retention Period

Session cookies: 8-hour expiry. Consent records: 13 months (ePrivacy)