Data Processing Agreement (DPA)
Last updated:
This document defines the obligations between the data controller (customer/user), the data processor (XtroEngine), and the sub-processors (third parties) used when processing personal data, based on Article 12 of the Turkish KVKK and related regulation.
1. Parties and definitions
- Data controller: determines the purpose and means of processing.
- Data processor: processes data on the controller's instructions.
- Sub-processor: a third party engaged by the processor (hosting, email, etc.).
2. Subject and duration
Processing is limited to what is necessary to provide the service and for its duration; upon termination, data is returned or destroyed.
3. Processor obligations
- Process only on documented instructions.
- Apply appropriate technical and organizational measures (encryption, access control, logging).
- Maintain confidentiality and limit staff access.
- Notify breaches without undue delay (aligned with the 72-hour process).
- Assist with data-subject requests (access/erasure/portability).
4. Sub-processors (third parties)
The following sub-processors are used solely for the stated purpose and under data-processing terms. For the current list, see the sub-processor inventory in our privacy policy.
- Hosting (Turkey): server infrastructure and data storage.
- Cloudflare: CDN, WAF and DDoS mitigation (traffic metadata).
- AWS SES (eu-north-1): transactional email delivery (recipient address and message content).
5. New sub-processors and objection
Reasonable notice is given before adding a sub-processor; the controller may object on reasonable grounds.
6. Audit
The controller may request a compliance audit with reasonable notice, without disrupting operations.
This text is a general framework; for specific needs please contact us.