Data Processing Agreement (DPA)
Standard agreement between Data Controller (Customer) and Data Processor (Teknik Danışman) under KVKK Art. 12/5 and GDPR Art. 28.
Last updated: 2026-06-21
What is this agreement for?
Customer companies using the Teknik Danışman platform (e.g. those using the panel to track employees/hardware/licenses) are Data Controllers under KVKK and GDPR. We are the Data Processor processing data on the customer's instructions. This DPA formalises the relationship in writing and is an inseparable part of the Service Agreement. It is valid when enterprise customers request a DPA during due diligence; for custom terms please contact legal@teknikdanisman.net.
1. Parties and Definitions
- Data Controller / "Customer": The legal entity (tenant) using the Teknik Danışman panel.
- Data Processor / "Service Provider": Ali Enis Tekin (operator of the Teknik Danışman platform).
- Data Subject: The natural person whose data is processed (typically the Customer's employee or business partner).
- Personal Data: As defined in KVKK Art. 3 and GDPR Art. 4(1).
- Processing: As defined in KVKK Art. 3 and GDPR Art. 4(2).
- Sub-processor: Third parties engaged by the Service Provider to process data within the scope of the service (hosting, email, payment, etc.).
2. Subject Matter, Duration, Nature and Purpose of Processing
| Subject matter | Processing of Data Subjects' personal data within HR / IT / hardware management operations that the Customer conducts through the Teknik Danışman platform |
| Duration | For the term the Service Agreement is in force + a 60-day data return/deletion window after termination |
| Nature | Collection, recording, storage, sorting, retrieval, use, disclosure (only on Customer's instructions), transfer, deletion |
| Purpose | Enabling the Customer to run HR and IT operations, notifications, reporting, billing |
Categories of Personal Data Processed
- Employee identity information (name, Turkish ID no. — only if uploaded by the Customer)
- Contact details (email, phone)
- Employment details (position, department, start/end dates, leave/warning records)
- Hardware/assignment records (device serial, assigned employee)
- Software license information
- System access and audit log data
Categories of Data Subjects
- Employees of the Customer
- Business partners / service recipients of the Customer
- Supplier representatives of the Customer
3. Obligations of the Data Processor
The Service Provider commits to:
- Process data only under the Customer's written instructions. This DPA and the Service Agreement count as written instructions.
- Ensure confidentiality of the data and assign only personnel under confidentiality obligations.
- Apply appropriate technical and organisational measures under KVKK Art. 12 and GDPR Art. 32 (details in the Trust Center).
- Assist the Customer in fulfilling Data Subjects' rights requests.
- Reasonably assist the Customer's audit rights (a free self-assessment audit report once a year).
- Notify the Customer of any data breach within 72 hours.
- Upon termination, return or permanently delete the data at the Customer's choice.
4. Obligations of the Customer
The Customer commits to:
- Obtain the necessary explicit consents / privacy notices from Data Subjects under KVKK Art. 10.
- Only upload data that has been lawfully obtained and is appropriate for the processing purpose.
- Protect account access credentials and notify the Service Provider of unauthorised access.
- State in the privacy notice provided to Data Subjects that the Service Provider will process data as a Data Processor.
5. Sub-processors
The Customer generally approves the use of the following sub-processors. When a new sub-processor is added, the Customer is notified at least 30 days in advance and reserves a reasonable right to object.
| Sub-processor | Service | Location |
| Hetzner Online GmbH | Server hosting | Germany (EU) |
| iyzico Payment Hizmetleri A.Ş. | Payment processing | Türkiye |
| Groq, Inc. | AI response generation (user chat messages only) | US — contractually commits not to store data |
| Microsoft Corp. / Google LLC | Email delivery (via Customer's own tenant connected with OAuth) | EU / US — under SCC |
6. International Data Transfers
The following safeguards apply for transfers under KVKK Art. 9 and GDPR Chapter V:
- EU member countries (Hetzner — Germany): Adequate protection under GDPR
- US transfers (Groq, Microsoft, Google): Signed EU Standard Contractual Clauses (SCC 2021/914)
- Sensitive (special-category) data is not transferred abroad
7. Data Security — Minimum Standards
The Service Provider applies at minimum the following measures:
- Encryption: TLS 1.2+ for data in transit; AES-256-CBC for sensitive fields at rest.
- Access control: Role-based access (RBAC), mandatory 2FA on admin accounts, detailed audit log.
- Isolation: Multi-tenant database isolation — each Customer has its own database.
- Backups: Daily full + hourly incremental backups, encrypted EU-based storage.
- Incident response: 24/7 monitoring, reporting channel via security@teknikdanisman.net.
- Personnel: All personnel with access have signed confidentiality agreements.
8. Data Breach Notification
Upon detecting a breach affecting personal data security, the Service Provider will:
- Notify the Customer within 72 hours via email and panel notification.
- Include: nature of the breach, affected data categories, estimated number of Data Subjects affected, measures taken and planned.
- Share contact information for follow-up.
9. Audit and Transparency
The Customer's audit rights:
- May request a self-assessment audit report free of charge once a year.
- Enterprise customers may additionally conduct one on-site audit per year with 5 business days' prior notice (auditor must sign an NDA).
- SOC 2 Type 1 report (in preparation) will be provided free of charge once completed.
10. Termination
Upon termination, at the Customer's choice:
- Return: Data delivered within 30 days in machine-readable format (JSON, CSV).
- Deletion: All active data permanently deleted after 60 days; deleted from backups within 90 days.
If the Customer does not indicate a preference within 60 days, the data is automatically deleted.
11. Liability
Party liability is subject to the limits set forth in the Service Agreement. Liability under KVKK Art. 12/5 and GDPR Art. 82 is reserved.
12. Governing Law and Jurisdiction
This DPA is governed by Turkish law. Istanbul Çağlayan Courts and Enforcement Offices have jurisdiction over disputes. The Customer's right to sue in its country of residence under GDPR is reserved.
13. Acceptance and Effect
By accepting the Service Agreement, the Customer is deemed to have accepted this DPA. Customers wishing to receive a signed copy can contact legal@teknikdanisman.net.
Note: This document is a legally binding template, but for specific needs (e.g. enterprise SSO integration, industry-specific compliance) a bespoke DPA can be signed between the parties.