Data Processing Agreement (DPA)
Last Updated: May 2026
Parties:
(1) Data Controller (“Customer”): [CUSTOMER LEGAL NAME], [MERSIS/TAX ID], [ADDRESS]
(2) Data Processor (“Provider”): Ragıp Aziz Şentürk, info@zimmettakip.com, Istanbul, Türkiye
1. Purpose and Scope
1.1. This Data Processing Agreement (“DPA”) sets out the obligations of the parties regarding personal data processed by the Provider as a data processor on behalf of the Customer acting as the data controller within the scope of the Service.
1.2. The determination of roles is based on who decides the purposes and means of processing personal data.
2. Subject Matter, Term, Nature, and Purpose
2.1. The subject matter, nature, and purpose of the processing are set out in Annex A.
2.2. Term: For as long as the Service Agreement remains in force; upon termination, Clause 9 shall apply.
3. Customer’s (Data Controller’s) Obligations
3.1. The Customer undertakes to transfer personal data to the Service lawfully and to provide the necessary notices and legal bases for processing.
3.2. The Customer shall provide the Provider only with written and/or documented instructions.
4. Provider’s (Data Processor’s) Obligations
4.1. The Provider shall process personal data only in accordance with the Customer’s instructions and solely for the purpose of providing the Service.
4.2. The Provider shall not disclose personal data to unauthorized third parties and shall not use it for purposes other than the intended processing purpose. This obligation shall survive the termination of the relationship/duties.
4.3. The Provider shall implement the technical and administrative measures set out in Annex B and shall take measures required to ensure an appropriate level of security in accordance with Article 12 of the Turkish Personal Data Protection Law (KVKK).
5. Subprocessors
5.1. The Provider may use subprocessors to deliver the Service.
5.2. Subprocessor list: Hosting service provider (Natro – Çizgi Telekomünikasyon A.Ş.), email service provider (Brevo – EU-based).
5.3. The Provider shall enter into contractual arrangements with subprocessors that include confidentiality and security obligations at least equivalent to those set out in this DPA.
5.4. If the Provider intends to engage a new subprocessor, the Provider shall notify the Customer by email at least 7 days in advance. The Customer may object within this period on reasonable grounds.
6. International Transfers
6.1. Assumption: The Provider will not transfer personal data abroad.
6.2. If an international transfer becomes necessary, an appropriate transfer mechanism compliant with the applicable regime under Article 9 of the KVKK shall be implemented. The Authority has indicated that standard agreements must be notified to the Authority within 5 business days after signing.
7. Support for Data Subject Requests
7.1. The Customer is the primary addressee of requests under Article 11 of the KVKK.
7.2. Upon reasonable requests from the Customer, the Provider shall provide technical assistance for access, rectification, and deletion/destruction processes. Timeframe: within 30 days.
8. Personal Data Breach Notification
8.1. If personal data held by the Provider is obtained unlawfully, the Provider shall notify the Customer without undue delay.
8.2. Notification timeframe (operational target): 24 hours.
8.3. In accordance with Decision No. 2019/10 of the Turkish Data Protection Board, a 72-hour approach applies for notifications by the data controller (Customer) to the Authority.
9. Termination: Return/Deletion
9.1. Upon termination of the Service, according to the Customer’s instructions:
(a) Customer Data shall be returned and then deleted, or
(b) Customer Data shall be deleted / anonymized directly.
9.2. Records regarding deletion, destruction, or anonymization operations shall be retained taking into account the minimum periods required under applicable legislation.
10. Audit and Verification
10.1. The Customer may request an audit at reasonable intervals and with reasonable prior notice (e.g., 30 days).
10.2. Audits shall be carried out remotely (through sharing documents/evidence).
11. Liability
11.1. Each party’s liability is subject to the limitations set forth in the main agreement and this DPA.
11.2. Risk allocation for indirect damages and third-party claims: The parties shall not be liable for indirect damages such as loss of profit and loss of data. The Provider’s liability is subject to the limitation of liability set forth in the main service agreement.
Annex A: Processing Details
A1. Data subject groups: Customer employees/representatives, individuals assigned assets, Customer’s customers (if any), suppliers (if any).
A2. Categories of personal data: identity/contact details, transaction security logs, asset/assignment records, support messages, file attachments.
A3. Purpose of processing: provision of the Service, user management, asset tracking processes, support, security.
A4. Retention: service term + Customer’s instructions upon termination; logs: 90 days (Law No. 5651 to be assessed separately).
Annex B: Technical and Administrative Measures
B1. Access control: role/permission-based authorization, strong password policies.
B2. Encryption: TLS for transmission security; encryption and key management for databases.
B3. Logging/monitoring: security event records; anomaly monitoring; log retention of 90 days.
B4. Backup and recovery: regular backups and tested restore procedures.
B5. Vulnerability management: updates/patching and secure development processes.
B6. Employee/contractor confidentiality: confidentiality undertakings.
(Note: The Turkish Data Protection Authority’s guidance emphasizes administrative measures such as defining policies/procedures, training, and the approach that “everything is prohibited unless permitted.”)
