Data Processing Agreement.
DPA signed with d-reach and B2B service customers. In this agreement d-dat acts as the Customer's "data processor". Compliant with KVKK Art. 12, GDPR Art. 28 and the KVK Authority Standard Contract.
// contents
This Data Processing Agreement ("DPA") is an annex and integral part of the Terms of Service.
The DPA applies in particular to d-reach (customer list upload) and B2B service, because in these services the Customer acts as "data controller" and d-dat as "data processor".
The structure conforms to KVKK Art. 12, GDPR Art. 28, the KVK Authority Standard Contract template and EDPB guidelines.
// 01 Parties
| Data Controller | [CUSTOMER NAME] — hereinafter "Customer" |
| Data Processor | DATA ANALYTICS TEKNOLOJİ REKLAM ANONİM ŞİRKETİ — Mersis: 0271-1964-6050-0001, Address: Maslak Mah. Eski Büyükdere Cad. No: 21 İç Kapı No: 1 Sarıyer / İstanbul, Türkiye — hereinafter "d-dat" |
Note: This DPA is a template. It is signed separately with each B2B customer; the "Customer Name" field is filled at signature. For self-serve service users, the DPA is deemed validly executed via electronic acceptance at account onboarding.
// 02 Definitions
Terms used in KVKK and GDPR have the same meaning here:
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on personal data |
| Data Controller | The party determining the purposes and means of processing — in this DPA the Customer |
| Data Processor | The party processing personal data on behalf of the controller — in this DPA d-dat |
| Data Subject | The natural person whose personal data is processed |
| Sub-processor | Third parties used by d-dat to provide the service |
| Data Breach | Security incidents including unauthorised access, loss, disclosure or alteration |
// 03 Subject, Nature and Purpose of Processing
3.1 Subject
Processing of personal data on behalf of the Customer in connection with the services d-dat provides to the Customer (d-reach messaging, B2B ad management, etc.).
3.2 Nature
| Service | Type of processing | Duration |
|---|---|---|
| d-reach — customer list sending | Storage, segmentation, sending, results reporting | For service duration + 30 days |
| B2B ad management | Audience upload, ad optimisation | For contract duration |
| OAuth platform data reading | Read-only access, analysis, reporting | Until authorisation revoked + 30 days |
3.3 Purpose
To perform the contract solely under the Customer's written instructions.
3.4 Categories of personal data and data subject categories
| Data category | Data subject |
|---|---|
| Name, surname, phone, email | Customer's end customers |
| Order, address, purchase behaviour | Customer's end customers |
| Ad interaction data | Ad viewers |
| Custom audience hashes | Target audience |
Special-category data (health, biometric, criminal, etc.) is not processed. Even if the Customer accidentally provides such data, d-dat will not process it and will alert the Customer.
// 04 Customer (Data Controller) Obligations
The Customer warrants that:
- It has obtained the necessary explicit consent / legal basis from data subjects
- Specific explicit consent for WhatsApp communication has been obtained
- It has fulfilled disclosure obligations under KVKK Art. 10
- Its instructions comply with the law
- It is responsible for the source, accuracy and currency of the data uploaded
- It has carried out VERBİS registration in its own name (if applicable)
- It will respond to data subject requests in the first instance
// 05 d-dat (Data Processor) Obligations
d-dat warrants that it will:
- Process only on the Customer's documented instructions (except where required by law — in which case the Customer is informed in advance)
- Inform the Customer immediately if it considers an instruction to be unlawful
- Impose confidentiality obligations on its personnel
- Implement the technical and administrative security measures in Section 7
- Use sub-processors under the conditions of Section 6
- Assist the Customer with data subject requests
- Inform the Customer without delay (within 24 hours) of any data breach
- Upon termination, return or delete data per the Customer's choice (subject to legal retention requirements)
- Provide the necessary information and allow audits to demonstrate compliance with this DPA
// 06 Sub-processors
6.1 General authorisation
The Customer gives general authorisation for d-dat to use sub-processors to provide the service.
6.2 Current sub-processor list
| Sub-processor | Location | Service | Data type | Protection mechanism |
|---|---|---|---|---|
| Amazon Web Services EMEA SARL | Frankfurt, Germany (eu-central-1) | Cloud infrastructure, data storage | All processed data (encrypted) | KVKK Std. Contract + EU SCC + DPF |
| AWS RDS | Frankfurt, Germany (eu-central-1) | Managed database | Structured data | KVKK Std. Contract + EU SCC + DPF |
| Mailchimp (Intuit Inc.) | USA | Marketing email blasts | Email address, content | KVKK Std. Contract + EU SCC + DPF |
| PayTR A.Ş. | Türkiye (domestic) | Payment processing | Billing, payment confirmation | BDDK-licensed; separate processor agreement under KVKK |
| Gupshup Inc. + Meta Platforms Ireland | USA / India / Ireland | WhatsApp Business infra | d-reach messages/comms | KVKK Std. Contract + EU SCC + DPF (Meta) |
| Google LLC | USA / Ireland | GA4, Google Ads, OAuth | Ad data, analytics | KVKK Std. Contract + EU SCC + DPF |
| Meta Platforms Ireland | Ireland / USA | Meta Pixel, Marketing API | Ad data | KVKK Std. Contract + EU SCC + DPF |
| LinkedIn Ireland | Ireland / USA | Insight Tag, Marketing API | Ad data | KVKK Std. Contract + EU SCC + DPF |
| TikTok | EU / Singapore | Marketing API | Ad data | KVKK Std. Contract + EU SCC |
| In-house support tooling | Frankfurt (own AWS infra) | Customer support | Contact, content | Same cloud infrastructure |
6.3 Adding new sub-processors
- When d-dat adds a new sub-processor, the Customer is informed by email 30 days in advance
- The Customer has the right to object on reasonable grounds
- In case of objection, the parties seek a reasonable solution — failing agreement, the Customer may terminate
6.4 Sub-processor liability
d-dat ensures that sub-processors are bound by equivalent obligations and is liable to the Customer for their actions as if they were its own.
// 07 Technical and Administrative Security Measures
Per KVKK Art. 12 and GDPR Art. 32, d-dat implements:
7.1 Technical
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Access control: Role-based (RBAC), least-privilege, mandatory MFA
- OAuth tokens: Stored in a separate keyvault; raw tokens are inaccessible
- Logging: Authentication, data access and system changes monitored 24/7
- Backup: Encrypted, 90-day rotation
- Vulnerability scanning: Continuous (static + dynamic), annual penetration test
- Patch management: Critical patches within 7 days
7.2 Administrative
- Personnel training: KVKK training at onboarding + annual refreshers
- Confidentiality undertaking: Signed by all personnel
- Access review: Quarterly
- Off-boarding: Immediate access revocation process
- Visitor management: Physical access logged
7.3 Operational
- Data breach response plan: Written, tested, owners assigned
- Business continuity: Disaster recovery plan with RTO/RPO defined
- Vendor due diligence: Annual review of sub-processor security
// 08 Data Breach Notification
8.1 d-dat to Customer
Upon detecting a data breach, d-dat notifies the Customer within 24 hours. The notification includes:
- Nature of the breach
- Categories of data affected and approximate number of data subjects
- Likely consequences
- Measures taken and recommended
- Measures we recommend the Customer take
8.2 Customer obligations
The Customer, as data controller, is responsible for:
- Notification to the KVK Authority within 72 hours (KVKK Art. 12/5)
- Notification to the GDPR supervisory authority within 72 hours (GDPR Art. 33)
- Notification of data subjects in high-risk breaches
d-dat provides the necessary technical information and support during this process.
// 09 Data Subject Requests
When a data subject makes a request:
- The Customer is responsible in the first instance (KVKK Art. 13, GDPR Art. 12)
- d-dat refers requests to the Customer or does not respond (unless instructed)
- d-dat provides the technical assistance needed to fulfil requests (free, within reasonable scope)
// 10 International Data Transfer
10.1 General principle
For international transfers carried out by d-dat and its sub-processors, the following mechanisms apply:
- EU-US Data Privacy Framework (for eligible certified providers)
- EU Standard Contractual Clauses (SCC) — 2021 version
- KVK Authority Standard Contract — filed with the Authority within 5 working days
- Binding Corporate Rules (BCR) — where applicable
10.2 Customer consent
By signing this DPA, the Customer is deemed to consent to transfers using the above mechanisms.
10.3 Impact assessment
For transfers to high-risk jurisdictions, a Transfer Impact Assessment (TIA) is conducted and provided to the Customer.
// 11 Audit Rights
11.1 Document submission
d-dat provides the Customer with the following documents, updated annually:
- This DPA and version history
- Sub-processor list (current)
- Security measures summary (Section 7)
- Independent audit reports (if any: SOC 2, ISO 27001, etc.)
- Data breach history (annual summary)
11.2 On-site audit
The Customer may request an audit annually or, with concrete justification, an extraordinary audit. The audit is conducted:
- With 30 days' written notice
- During business hours
- Without unreasonable disruption of operations
- Under a signed confidentiality agreement
Routine audits are at the Customer's expense; if a deficiency is found, at d-dat's expense.
// 12 Retention and Deletion
12.1 During the contract
- Data is retained for the period required to deliver the service
- The Customer may request deletion at any time
12.2 Post-contract
Upon termination, at the Customer's choice:
- A — Return: Data is delivered to the Customer in a structured format within 30 days, then deleted
- B — Deletion: Data is irreversibly deleted or anonymised within 30 days
Data subject to legal retention obligations (tax, books, KVKK) is kept for the statutory period and then deleted.
Once deletion is complete, a Deletion Record is provided to the Customer.
// 13 Liability
- d-dat is liable for damages arising from breach of this DPA, within the liability cap in the Terms of Service
- Where administrative fines under KVKK / GDPR are imposed on the Customer due to d-dat's breach, d-dat assumes the indemnification obligation
- The Customer indemnifies d-dat for damages arising from breach of its own obligations
// 14 General Provisions
- This DPA is an annex to the Terms of Service; in case of conflict, the DPA prevails (only on data protection matters)
- This DPA is updated alongside KVKK and GDPR developments; the Customer is given 30 days' prior notice
- Jurisdiction: İstanbul (Çağlayan) Courts
- Governing law: laws of the Republic of Türkiye (GDPR interpretation preserved for EU residents)
// 15 Annexes
- ANNEX-A: Detailed processing activities (categories, headcount, duration)
- ANNEX-B: Technical and administrative security measures (detailed list)
- ANNEX-C: Approved sub-processor list (live list — Customer can track via panel)
- ANNEX-D: Data breach notification template
// 16 Signature
| Data Controller (Customer) | Name: __________ · Authorised: __________ · Date: __________ · Signature: __________ |
| Data Processor (d-dat) | Name: DATA ANALYTICS TEKNOLOJİ REKLAM A.Ş. · Authorised: __________ · Date: __________ · Signature: __________ |