This Information Security Policy sets out the framework through which DATINTEL, S.L. (hereinafter referred to as Golden Owl®) governs the security of its information systems and the services it provides to its customers through the Golden Owl® Intelligence-as-a-Service platform.
The Policy applies to all information systems operated by Golden Owl®, to all personnel forming part of the organisation (employees and contractors), and to the service providers and technology partners that support the delivery of Golden Owl® services.
This Policy is publicly available in accordance with the transparency principle established in the Esquema Nacional de Seguridad (ENS) and is published alongside the Terms of Use, General Terms and Conditions of Contract, and Privacy Policy of the Golden Owl® website.
Owner Information
In accordance with the Spanish Law on Information Society Services and Electronic Commerce (LSSICE 34/2002), Golden Owl® provides the following owner information:
Identification: Datintel, S.L.
Tax ID (NIF): B56582307
Address: Alicante Science Park, West Campus of the University of Alicante, 03005, Spain
Email: info@golden-owl.eu
Golden Owl® depends on information systems to deliver its Intelligence-as-a-Service platform to customers, including businesses, public authorities, and governmental entities. These systems are administered with diligence, applying risk-proportionate measures to protect them against accidental or deliberate events that could affect the authenticity, traceability, integrity, or confidentiality of the information processed, or the availability of the services provided.
The ultimate goal of information security at Golden Owl® is to ensure the organisation can fulfil its mission, discharge its functions, and deliver its services at the required quality level and with continuity, acting preventively, supervising daily activity, and responding promptly to incidents.
Information security is considered a fundamental business enabler. It is essential to protect customer trust and reputation, ensure compliance with applicable regulations, maintain service continuity and operational resilience, safeguard intellectual property and business information, and enable secure growth and innovation.
Golden Owl® ensures that information and communications technology (ICT) security is an integral part of every stage of the system lifecycle, from conception through to decommissioning, including development or acquisition decisions and operational activities. Security requirements are identified and incorporated into planning, procurement processes, and the provision of services affecting information systems.
Golden Owl® provides an Intelligence-as-a-Service platform built on distributed microservices that collect and analyse data from open sources, presenting results to customers through dashboards and reports. The company operates as a fully remote organisation.
The Information Security Management System (ISMS) covers the people, processes, and technologies used to:
Operate and maintain the Golden Owl® platform and its supporting microservices (data collection, processing, enrichment, storage, and delivery).
Manage customer access, accounts, and subscriptions.
Protect customer data, investigation outputs, and internal intellectual property, including source code, models, and operational procedures.
Operate cloud infrastructure, networks, endpoints, identity services, and monitoring.
Manage suppliers and service providers that support the delivery of Golden Owl® services.
In-scope assets include customer data and reports; personally identifiable information (PII), where applicable; source code; AI models and related configuration assets; cloud infrastructure; application programming interfaces (APIs); continuous integration and deployment pipelines; logs; documentation; and employee endpoints.
Golden Owl® does not operate its own data centres. Cloud infrastructure is hosted by reputable cloud providers, and shared-responsibility obligations are managed through supplier controls that are documented and periodically reviewed.
Golden Owl®'s mission is to provide high-quality, timely, and actionable open-source intelligence (OSINT) to its customers through a secure, available, and trustworthy Intelligence-as-a-Service platform.
The security objectives that Golden Owl® commits to uphold through this Policy are:
Guarantee confidentiality, integrity, authenticity, and continuity in the delivery of information and services.
Implement security measures proportionate to identified risks.
Promote security awareness across the organisation and ensure that access controls respect the principle of least privilege, reinforcing the duty of confidentiality regarding information accessed in the performance of duties.
Protect communications and information transfers through appropriate procedures and technical measures.
Integrate security throughout the acquisition, development, and maintenance of information systems, ensuring security by design and by default.
Ensure compliance with security measures in the delivery of services and maintain oversight of the incorporation of new system components.
Manage security incidents to ensure proper detection, containment, mitigation, and resolution, and to adopt the measures necessary to prevent recurrence.
Protect personal information by adopting technical and organisational measures commensurate with the risks arising from processing, in accordance with applicable data protection legislation.
Continuously supervise the security management system, improving and correcting detected inefficiencies.
Ensure lawful and ethical OSINT collection and processing.
Security objectives, metrics, and key performance indicators are documented internally and reviewed at least annually, or upon significant organisational, technical, or regulatory changes.
In all security decision-making, Golden Owl® applies the following principles, aligned with the basic principles of the ENS:
Strategic scope. Information security has the commitment and support of all organisational levels and is coordinated and integrated with other strategic initiatives in a coherent manner.
Integral security. Security is understood as an integral process comprising all technical, human, material, and organisational elements related to information systems, avoiding ad hoc or isolated actions, and applied from the initial design of ICT systems.
Risk-based security management. Security management is based on identified risks, allowing for the maintenance of a controlled environment and the minimisation of risks to acceptable levels. Security measures are established in proportion to the risks to which information and its systems are exposed, and personal data risks are taken into account.
Prevention, detection, response, and preservation. Preventive actions are implemented to minimise vulnerabilities and avoid the materialisation of threats. When threats do materialise, Golden Owl® responds with agility to restore information or services, guaranteeing the secure conservation of information.
Defence in depth. Golden Owl®'s security strategy is designed and implemented in multiple layers of security.
Continuous monitoring and periodic reassessment. Golden Owl® implements mechanisms to detect and respond to anomalous activities, continuously assess the security state of assets, and periodically review and update security measures based on their effectiveness and the evolution of risks.
Security by default and by design. Systems are designed and configured to guarantee security by default and provide the minimum functionality necessary to deliver the service for which they were designed.
Differentiation of responsibilities. The functions relating to the security of information and those relating to the operation of systems are differentiated in accordance with the requirements of the ENS.
Golden Owl®'s information security activities are governed by the following principal norms and frameworks, which are reviewed and updated as regulatory changes occur:
Real Decreto 311/2022, of 3 May, which introduced the Esquema Nacional de Seguridad (ENS).
Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation — GDPR).
ISO/IEC 27001:2022 and related Annex A controls on information security management.
Ley Orgánica 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
Contractual obligations with customers, business partners, and cloud providers, as documented in the applicable Data Processing Agreements (DPAs), Service Level Agreements (SLAs), and Non-Disclosure Agreements (NDAs).
Golden Owl® has established an ISMS governance structure that assumes collective responsibility for the governance, implementation, and continuous improvement of information security. The structure is proportionate to the size of the organisation and ensures the differentiation of responsibilities required by the ENS.
Executive management holds ultimate accountability for information security and ensures that appropriate resources are allocated to implement, maintain, and continually improve the ISMS.
A designated information security function is responsible for maintaining the ISMS, coordinating incident management and internal reviews, overseeing security awareness and training, supervising the implementation of technical controls, and acting as the primary liaison with supervisory authorities, certification bodies, and customers on security matters.
A designated technology function is responsible for the implementation and operation of technical security controls, ensuring that security requirements are integrated into the design, development, and operation of Golden Owl®'s services.
All personnel (employees and contractors) are required to follow Golden Owl®'s security policies and procedures, to report security incidents, suspected compromises, or policy violations without undue delay, and to participate in mandatory security awareness training.
Point of Contact
In accordance with the requirements of the ENS applicable to entities acting as service providers, Golden Owl® designates a single Point of Contact (POC) for all matters relating to information security, ENS compliance, and incident coordination with external bodies, including customers, regulators, supervisory authorities, and certification bodies.
Golden Owl® processes personal data in accordance with the GDPR, the LOPDGDD, and its Privacy Policy. The risks associated with personal data processing are assessed and addressed through an action plan aligned with the ISMS risk management process.
Where required, Data Protection Impact Assessments (DPIAs) are carried out for high-risk processing activities. Security procedures and standards are aligned with the obligations arising from applicable data protection legislation, particularly regarding the supervision of service providers and the response to personal data breaches.
Golden Owl® has designated a Data Protection Officer function responsible for advising on and monitoring compliance with applicable data protection legislation, cooperating with the competent supervisory authority (in Spain, the Agencia Española de Protección de Datos — AEPD), and acting as a point of contact for data subjects and regulators on matters relating to personal data processing.
Golden Owl® operates a structured, risk-based ISMS aligned with ISO/IEC 27001:2022 and the ENS. Risk management is the foundation for determining the security measures to be adopted, in addition to the minimum requirements established by applicable frameworks.
All systems within the scope of this Policy undergo a risk analysis evaluating the threats and risks to which they are exposed. This analysis is repeated:
Regularly, at least once a year.
When material changes occur in the information managed or the services provided.
Following a serious security incident.
When serious vulnerabilities are reported.
When modifications occur in personal data risk analyses or impact assessments.
The risk management framework includes the identification and classification of information assets; periodic risk assessment; evaluation of risk likelihood and impact; risk treatment through the implementation of appropriate controls; formal approval of residual risks; and continuous monitoring and review.
Security controls are selected proportionally to identified risks and business needs. Personal data protection risks are integrated into the overall risk management process.
This Information Security Policy establishes the overarching framework for information security at Golden Owl®. It is supported by a hierarchy of internal documented information comprising specific policies, procedures, and registers that address individual aspects of the ISMS, including (but not limited to) acceptable use, identity and access management, secure development, change management, supplier and cloud security, logging and monitoring, incident management, business continuity, cryptography, data masking and personal data processing, and secure remote working.
All ISMS documented information is subject to document control and is accessible to personnel who require it to perform their duties. Access to sensitive documentation is restricted on a need-to-know basis. Updates are subject to review and approval by authorised personnel prior to publication or use.
All members of Golden Owl® (employees and contractors) are obliged to be aware of and comply with this Information Security Policy and the norms, procedures, and guides that develop it.
Prior to commencing employment or engagement, all personnel are required to sign a Non-Disclosure Agreement (NDA) setting out binding obligations regarding the confidentiality of company and customer information, the secure handling and use of devices, and the continuation of confidentiality duties beyond the termination of employment or engagement.
All members of Golden Owl® attend a security awareness session at least once a year. A continuous awareness programme is maintained for all personnel, particularly new joiners. Personnel involved in product design and development, or with additional security responsibilities, receive role-tailored training. Training is mandatory before assuming a new responsibility, whether for a first assignment or a change of role.
Persons with responsibility for the use, operation, or administration of ICT systems receive the training necessary to perform their duties securely.
Golden Owl® ensures that all suppliers and cloud service providers supporting its systems, data, or business processes are selected, managed, and monitored in accordance with defined information security and compliance requirements.
When Golden Owl® provides services to third parties or handles third-party information, it makes those parties aware of this Information Security Policy and the applicable security requirements, without prejudice to the obligations arising under applicable data protection legislation when Golden Owl® acts as a data processor. In the procurement of service providers or the acquisition of products, the contractor's obligation to comply with applicable frameworks (including the ENS, where relevant) is taken into account.
All third-party relationships are subject to:
A security risk assessment prior to engagement.
Contractual security obligations, including Non-Disclosure Agreements (NDAs), Data Processing Agreements (DPAs), and Service Level Agreements (SLAs), as applicable.
Ongoing compliance monitoring to protect the confidentiality, integrity, availability, and privacy of organisational and customer information.
Golden Owl® adopts a shared responsibility model for cloud services, clearly defining and enforcing security responsibilities between the organisation and its providers. Cloud services are configured in accordance with defined security baselines.
Third parties are required to ensure that their personnel are adequately trained on security matters, at least to the level established in this Policy or as specifically required in the applicable contract.
When Golden Owl® acquires, develops, or deploys an Artificial Intelligence system, it complies with applicable AI legislation (including the EU AI Act) and applies internal review requirements prior to deployment.
Golden Owl® maintains a procedure for the timely management of security events and incidents that represent a threat to information and services.
All personnel report any observed or suspected information security event or weakness without undue delay through the designated internal communication channels. Personnel do not attempt to investigate, exploit, or remediate the issue independently unless explicitly authorised to do so.
All reported events are formally recorded and assessed. Golden Owl® promotes a no-blame reporting culture to encourage timely and transparent communication of security events.
The incident management procedure is integrated with related procedures, including those governing personal data breaches under the GDPR and, where applicable, obligations under NIS2 or other sector-specific regulations, to coordinate the response and communicate with the relevant oversight bodies without undue delay and, where necessary, with law enforcement.
Disciplinary Measures
Any breach of information security requirements, whether intentional or due to negligence, may be subject to appropriate corrective and disciplinary action, proportionate to the severity and impact of the violation. Being the victim of a cyber incident does not in itself constitute a disciplinary matter; however, negligence, non-compliance with the provisions of this Policy, or the delayed or omitted reporting of security events may result in corrective action. All disciplinary actions are handled in a fair, consistent, and legally compliant manner.
The state of the ISMS and this Policy are reviewed at planned intervals, and the effectiveness of the ISMS is assessed through regular Management Reviews. Where appropriate, Golden Owl® engages external support, including independent technical advice, external security testing, or third-party audits.
Golden Owl® establishes measurable information security objectives aligned with this Policy and the organisation's strategic direction. These objectives include specific targets, key performance indicators, assigned owners, and review timelines, and are designed to address identified risks, support legal and contractual compliance, and ensure the continual improvement of the ISMS.
Golden Owl® is committed to continually improving the ISMS. Improvement activities are driven by the results of risk assessments, internal reviews, monitoring and measurement activities, incident management outcomes, and Management Review decisions. When nonconformities are identified, corrective actions are defined, implemented, and tracked to completion, and their effectiveness is reviewed to ensure the continued suitability, adequacy, and effectiveness of the ISMS.
This Information Security Policy is subject to version control and is reviewed at least annually, or upon significant organisational, technical, or regulatory changes. The Policy is maintained by the information security function and approved by executive management.
Minor modifications (corrections, clarifications, non-substantive updates) may be made under the authority of the information security function with executive endorsement. Modifications that represent a substantial change to principles or responsibilities are subject to formal approval by executive management.
Updated versions are communicated internally through Golden Owl®'s official communication channels and made available to relevant external interested parties through the same channels used for the initial distribution of this Policy.
For any questions, requests, or communications related to this Information Security Policy, including the reporting of security concerns by external parties, please contact:
Email: info@golden-owl.eu
Postal Address: Datintel, S.L., Alicante Science Park, West Campus of the University of Alicante, 03005, Alicante, Spain
Date of Last Modification: March 2026