Data Processing Agreement (DPA)
Last updated: 2025-01-01
1. Scope
This Data Processing Agreement ("DPA") forms part of the main Agreement between the Customer ("Controller") and iyzitrace ("Processor"). It governs the processing of personal data in connection with the Services.
2. Roles and Responsibilities
The Customer acts as Data Controller and determines the purposes and means of processing personal data. iyzitrace acts as Data Processor and processes personal data only on documented instructions from the Controller.
3. Processor Obligations
iyzitrace agrees to:
- Process personal data only for the purpose of providing and improving the Services.
- Implement appropriate technical and organizational security measures.
- Ensure that persons authorized to process personal data are under confidentiality obligations.
- Assist the Controller in fulfilling data subject rights requests, where feasible.
- Notify the Controller without undue delay after becoming aware of a personal data breach.
- Delete or return personal data at the end of the provision of the Services, unless retention is required by law.
4. Sub-Processors
The Controller authorizes iyzitrace to engage sub-processors for hosting, storage, communication and related services. iyzitrace will ensure sub-processors are bound by data protection obligations no less protective than those in this DPA.
5. International Data Transfers
Where personal data is transferred outside the European Economic Area, iyzitrace will use appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms required by applicable law.
6. Security Measures
iyzitrace maintains a security program that includes encryption, access control, network security, system monitoring and regular assessments designed to protect personal data from unauthorized access and loss.
7. Data Subject Requests
To the extent possible, iyzitrace will assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection laws (e.g. GDPR, KVKK).
8. Audit Rights
Upon reasonable request and notice, the Controller may review documentation or conduct audits, directly or via an independent third party, to verify iyzitrace's compliance with this DPA.
9. Liability
The parties' respective liabilities under this DPA follow the limitations and exclusions of liability set out in the main Agreement between the parties.
10. Term
This DPA remains in effect for as long as iyzitrace processes personal data on behalf of the Controller under the main Agreement.