Data Processing Agreement

1.1. "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws including GDPR and KVKK.

1.2. "Processing" means any operation performed on personal data, including collection, recording, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.

1.3. "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.

1.4. "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

2.1. The Processor processes personal data solely for the purpose of providing the Service as described in the Terms of Service and as further instructed by the Controller.

2.2. The categories of personal data processed include: account information, usage data, task inputs, generated outputs, technical data, and payment data as detailed in our Privacy Policy.

2.3. The categories of data subjects include: the Controller's employees, contractors, and authorized users of the Service.

2.4. Processing shall continue for the duration of the service agreement and as required for post-termination obligations.

The Processor shall:

3.1. Process personal data only on documented instructions from the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law).

3.2. Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing.

3.4. Assist the Controller in fulfilling its obligations to respond to data subject requests to exercise their rights under applicable data protection laws.

3.5. Assist the Controller in ensuring compliance with obligations related to security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

3.6. At the Controller's choice, delete or return all personal data to the Controller after the end of the service relationship, unless applicable law requires storage of the personal data.

3.7. Make available to the Controller all information necessary to demonstrate compliance with the obligations set forth in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

4.1. The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.

4.2. Current sub-processors engaged by the Processor include:

4.3. The Processor shall impose data protection obligations on sub-processors that are no less protective than those set forth in this DPA through a written contract.

4.4. The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.

The Processor implements the following technical and organizational measures to protect personal data:

5.1. Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.

5.2. Access Controls: Role-based access control (RBAC) with multi-factor authentication for all administrative access. Principle of least privilege is enforced.

5.3. Network Security: Firewalls, intrusion detection systems, and DDoS protection are deployed to secure the infrastructure.

5.4. Monitoring and Logging: Continuous security monitoring, audit logging, and alerting systems are in place.

5.5. Incident Response: A documented incident response plan is maintained and tested regularly.

5.6. Employee Training: All employees with access to personal data receive regular data protection and security awareness training.

5.7. Backup and Recovery: Regular encrypted backups with tested recovery procedures.

5.8. Vulnerability Management: Regular security assessments, penetration testing, and vulnerability scanning of systems and applications.

6.1. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach affecting the Controller's personal data.

6.2. The notification shall include, to the extent available:

• A description of the nature of the Data Breach, including the categories and approximate number of data subjects and records affected.
• The name and contact details of the point of contact for further information.
• A description of the likely consequences of the Data Breach.
• A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its adverse effects.

6.3. The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Data Breach.

7.1. The Processor may transfer personal data to countries outside of Turkey and the European Economic Area where sub-processors are located.

7.2. For transfers outside the EEA, the Processor relies on Standard Contractual Clauses (SCCs) adopted by the European Commission (Module 3: Processor to Processor; Module 2: Controller to Processor, as applicable).

7.3. For transfers outside Turkey, the Processor complies with KVKK Article 9 requirements and maintains the necessary agreements and undertakings.

7.4. The Processor shall conduct transfer impact assessments where required and implement supplementary measures as necessary to ensure adequate protection of personal data.

8.1. The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under GDPR (Articles 15-22) and KVKK (Article 11).

8.2. If the Processor receives a request from a data subject directly, it shall promptly redirect the request to the Controller and shall not respond to the request without the Controller's instructions, unless legally required to do so.

9.1. The Controller has the right to audit the Processor's compliance with this DPA, subject to reasonable advance notice (minimum 30 days) and during normal business hours.

9.2. The Processor may satisfy audit requests by providing relevant certifications, audit reports (such as SOC 2), or by facilitating an audit by a mutually agreed-upon independent third-party auditor.

9.3. Audit costs shall be borne by the Controller, unless the audit reveals material non-compliance by the Processor.

10.1. This DPA shall remain in effect for the duration of the service agreement between the Controller and the Processor.

10.2. Upon termination of the service agreement, the Processor shall, at the Controller's election, delete or return all personal data and delete existing copies within 90 days, unless applicable law requires retention.

10.3. The Processor shall provide written certification of deletion upon request.

11.1. Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.

11.2. Nothing in this DPA limits either party's liability for breaches of data protection law to the extent such limitation is not permitted by applicable law.

This DPA is governed by the laws of the Republic of Turkey. For Controller data subjects located in the EEA, the provisions of the GDPR shall also apply. Any disputes shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.

For questions about this Data Processing Agreement, contact us at: