← Back to home

Data Processing Agreement (DPA)

Last updated: [DATE] · Version: [v1.0 — draft]

This text is a draft

The text below is a draft and is under legal review; it does not constitute a binding commitment until approved and put into effect. Fields in square brackets [...] will be completed with company information. The final, binding text is pending legal counsel approval.

This Data Processing Agreement ("DPA") is an integral annex to the Terms of Use and governs the conditions for the processing by [Company Legal Name] (processor) of personal data belonging to the end customers of tenant businesses (controllers).

1. Parties and Roles

Under this annex, the tenant is the data controller and the Company is the data processor. The Company processes personal data solely on the controller's instructions and for the purpose of providing the service.

2. Subject Matter and Nature of Processing

The subject matter, duration, nature and purpose of processing, the categories of data and groups of data subjects are determined by the main service agreement and the tenant's use of the Platform. Processing continues for the duration of the service relationship.

3. Obligations of the Processor

As data processor, the Company undertakes the following obligations:

  • To process personal data only on the controller's written instructions.
  • To ensure that personnel accessing the data are under a confidentiality obligation.
  • To take appropriate technical and administrative measures pursuant to KVKK art. 12.
  • To notify the controller of data breaches without undue delay.
  • To assist the controller in fulfilling data subject requests.
  • To return or destroy the data to the controller when processing ends.

4. Sub-processors

The Company uses approved sub-processors to provide the service: Supabase, OpenAI, Vercel, Resend, Meta/WhatsApp, Google, Sentry, Slack, Upstash. Changes to the sub-processor list are notified to the controller.

5. Cross-Border Transfers

Cross-border transfers made through sub-processors are carried out based on appropriate safeguards such as standard contracts within the framework of KVKK art. 9.

6. Audit and Liability

The controller has the right to audit compliance upon reasonable notice and in a manner that does not disrupt business continuity. The liability of the parties is subject to the limits in the main service agreement.