
Data Processing Agreement (DPA)

Standard agreement between Data Controller (Customer) and Data Processor (Teknik Danışman) under KVKK Art. 12/5 and GDPR Art. 28.

Last updated: 2026-06-21

What is this agreement for?

Customer companies using the Teknik Danışman platform (e.g. those using the panel to track employees/hardware/licenses) are Data Controllers under KVKK and GDPR. We are the Data Processor processing data on the customer's instructions. This DPA formalises the relationship in writing and is an inseparable part of the Service Agreement. It is valid when enterprise customers request a DPA during due diligence; for custom terms please contact legal@teknikdanisman.net.

1. Parties and Definitions

  • Data Controller / "Customer": The legal entity (tenant) using the Teknik Danışman panel.
  • Data Processor / "Service Provider": Ali Enis Tekin (operator of the Teknik Danışman platform).
  • Data Subject: The natural person whose data is processed (typically the Customer's employee or business partner).
  • Personal Data: As defined in KVKK Art. 3 and GDPR Art. 4(1).
  • Processing: As defined in KVKK Art. 3 and GDPR Art. 4(2).
  • Sub-processor: Third parties engaged by the Service Provider to process data within the scope of the service (hosting, email, payment, etc.).

2. Subject Matter, Duration, Nature and Purpose of Processing

  • Subject matter: Processing of Data Subjects' personal data within HR / IT / hardware management operations that the Customer conducts through the Teknik Danışman platform
  • Duration: For the term the Service Agreement is in force + a 60-day data return/deletion window after termination
  • Nature: Collection, recording, storage, sorting, retrieval, use, disclosure (only on Customer's instructions), transfer, deletion
  • Purpose: Enabling the Customer to run HR and IT operations, notifications, reporting, billing

Categories of Personal Data Processed

  • Employee identity information (name, Turkish ID no. — only if uploaded by the Customer)
  • Contact details (email, phone)
  • Employment details (position, department, start/end dates, leave/warning records)
  • Hardware/assignment records (device serial, assigned employee)
  • Software license information
  • System access and audit log data

Categories of Data Subjects

  • Employees of the Customer
  • Business partners / service recipients of the Customer
  • Supplier representatives of the Customer

3. Obligations of the Data Processor

The Service Provider commits to:

  • Process data only under the Customer's written instructions. This DPA and the Service Agreement count as written instructions.
  • Ensure confidentiality of the data and assign only personnel under confidentiality obligations.
  • Apply appropriate technical and organisational measures under KVKK Art. 12 and GDPR Art. 32 (details in the Trust Center).
  • Assist the Customer in fulfilling Data Subjects' rights requests.
  • Reasonably assist the Customer's audit rights (a free self-assessment audit report once a year).
  • Notify the Customer of any data breach within 72 hours.
  • Upon termination, return or permanently delete the data at the Customer's choice.

4. Obligations of the Customer

The Customer commits to:

  • Obtain the necessary explicit consents / privacy notices from Data Subjects under KVKK Art. 10.
  • Only upload data that has been lawfully obtained and is appropriate for the processing purpose.
  • Protect account access credentials and notify the Service Provider of unauthorised access.
  • State in the privacy notice provided to Data Subjects that the Service Provider will process data as a Data Processor.

5. Sub-processors

The Customer generally approves the use of the following sub-processors. When a new sub-processor is added, the Customer is notified at least 30 days in advance and reserves a reasonable right to object.

Sub-processor | Service | Location
Hetzner Online GmbH | Server hosting | Germany (EU)
iyzico Payment Hizmetleri A.Ş. | Payment processing | Türkiye
Groq, Inc. | AI response generation (user chat messages only) | US — contractually commits not to store data
Microsoft Corp. / Google LLC | Email delivery (via Customer's own tenant connected with OAuth) | EU / US — under SCC

6. International Data Transfers

The following safeguards apply for transfers under KVKK Art. 9 and GDPR Chapter V:

  • EU member countries (Hetzner — Germany): Adequate protection under GDPR
  • US transfers (Groq, Microsoft, Google): Signed EU Standard Contractual Clauses (SCC 2021/914)
  • Sensitive (special-category) data is not transferred abroad

7. Data Security — Minimum Standards

The Service Provider applies at minimum the following measures:

  • Encryption: TLS 1.2+ for data in transit; AES-256-CBC for sensitive fields at rest.
  • Access control: Role-based access (RBAC), mandatory 2FA on admin accounts, detailed audit log.
  • Isolation: Multi-tenant database isolation — each Customer has its own database.
  • Backups: Daily full + hourly incremental backups, encrypted EU-based storage.
  • Incident response: 24/7 monitoring, reporting channel via security@teknikdanisman.net.
  • Personnel: All personnel with access have signed confidentiality agreements.

8. Data Breach Notification

Upon detecting a breach affecting personal data security, the Service Provider will:

  • Notify the Customer within 72 hours via email and panel notification.
  • Include: nature of the breach, affected data categories, estimated number of Data Subjects affected, measures taken and planned.
  • Share contact information for follow-up.

9. Audit and Transparency

The Customer's audit rights:

  • May request a self-assessment audit report free of charge once a year.
  • Enterprise customers may additionally conduct one on-site audit per year with 5 business days' prior notice (auditor must sign an NDA).
  • SOC 2 Type 1 report (in preparation) will be provided free of charge once completed.

10. Termination

Upon termination, at the Customer's choice:

  • Return: Data delivered within 30 days in machine-readable format (JSON, CSV).
  • Deletion: All active data permanently deleted after 60 days; deleted from backups within 90 days.

If the Customer does not indicate a preference within 60 days, the data is automatically deleted.

11. Liability

Party liability is subject to the limits set forth in the Service Agreement. Liability under KVKK Art. 12/5 and GDPR Art. 82 is reserved.

12. Governing Law and Jurisdiction

This DPA is governed by Turkish law. Istanbul Çağlayan Courts and Enforcement Offices have jurisdiction over disputes. The Customer's right to sue in its country of residence under GDPR is reserved.

13. Acceptance and Effect

By accepting the Service Agreement, the Customer is deemed to have accepted this DPA. Customers wishing to receive a signed copy can contact legal@teknikdanisman.net.

Note: This document is a legally binding template, but for specific needs (e.g. enterprise SSO integration, industry-specific compliance) a bespoke DPA can be signed between the parties.

© 2026 Teknik Danışman — Ali Enis Tekin. All rights reserved.