Data Processing Addendum (DPA)
Effective date: 21 February 2026
This Data Processing Addendum (“DPA”) supplements the Terms of Service (“Agreement”) between Nex Habit LLC (“Comturk,” “we,” “us”) and you (“Customer,” “Controller”). This DPA applies where and to the extent we process Personal Data on your behalf as a Processor in the course of providing the Services.
1. Definitions
- “Personal Data”: any information relating to an identified or identifiable natural person that is processed by Comturk on behalf of Customer.
- “Processing”: any operation performed on Personal Data (collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, etc.).
- “Controller”: the Customer, who determines the purposes and means of Processing.
- “Processor”: Comturk, which processes Personal Data on behalf of the Controller.
- “Sub‑Processor”: a third party engaged by Comturk to assist in Processing.
- “Data Protection Laws”: GDPR, UK GDPR, KVKK, CCPA/CPRA, and other applicable data protection legislation.
- “SCCs”: the EU Standard Contractual Clauses for international data transfers.
2. Scope of Processing
| Subject Matter | Provision of AI‑assisted customer support, messaging, and inbox services |
| Duration | Duration of the Agreement plus 90 days for data deletion |
| Nature and Purpose | Routing, storing, and processing messages and conversations; AI‑generated responses; analytics and reporting |
| Categories of Data Subjects | Customer’s end users, employees, and agents |
| Types of Personal Data | Name, email, phone number, message content, IP address, device identifiers, channel identifiers |
3. Customer Obligations
- Customer is responsible for the lawfulness of Personal Data Processing, including obtaining all necessary consents and providing notices to data subjects.
- Customer will not submit Sensitive Personal Data (e.g., health, biometric, financial account data) unless explicitly agreed in writing.
- Customer’s instructions for Processing must comply with applicable Data Protection Laws.
4. Processor Obligations
- Process Personal Data only on documented instructions from Customer, unless required by applicable law.
- Ensure persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement and maintain appropriate technical and organizational security measures (see Section 6).
- Assist Customer in responding to data subject requests (access, rectification, erasure, portability, objection) within reasonable timeframes.
- Notify Customer without undue delay (and within 72 hours) upon becoming aware of a Personal Data breach.
- Make available to Customer all information necessary to demonstrate compliance and allow for audits (see Section 8).
- Delete or return all Personal Data upon termination of the Agreement, at Customer’s choice, within 90 days unless retention is required by law.
5. Sub‑Processors
- Customer grants general authorization for Comturk to engage Sub‑Processors listed in our Privacy Policy (Section 16).
- We will notify Customer of changes to Sub‑Processors at least 30 days in advance.
- Customer may object to a new Sub‑Processor within 14 days of notification. If the objection is not resolved, Customer may terminate the affected Services.
- Sub‑Processors are bound by data protection obligations no less protective than this DPA.
6. Security Measures
We implement and maintain the following technical and organizational measures:
- Encryption: TLS 1.2+ in transit; AES‑256 encryption at rest for stored data.
- Access Control: Role‑based access, multi‑factor authentication for internal systems, least‑privilege principle.
- Network Security: Firewalls, intrusion detection, DDoS protection, network segmentation.
- Monitoring: Continuous logging and alerting, regular vulnerability scanning.
- Personnel: Background checks, security awareness training, NDA obligations.
- Business Continuity: Regular backups, disaster recovery procedures, redundant infrastructure.
- Vendor Management: Due diligence on Sub‑Processors, contractual safeguards.
7. International Transfers
- Where Personal Data is transferred outside the EEA/UK to countries not covered by an adequacy decision, we rely on the EU Standard Contractual Clauses (SCCs), which are hereby incorporated by reference.
- For UK transfers, we apply the UK International Data Transfer Addendum to the SCCs.
- For Türkiye (KVKK), we apply contractual safeguards equivalent to SCCs.
- Supplementary measures (encryption, access controls, pseudonymization) are applied as appropriate.
8. Audit Rights
- Upon reasonable written request (no more than once per year), Customer may audit or appoint a qualified third‑party auditor to verify Comturk’s compliance with this DPA.
- Audits will be conducted during business hours, with reasonable advance notice (minimum 30 days), and subject to confidentiality obligations.
- Comturk will provide relevant documentation, certifications, and audit reports (e.g., SOC 2 Type II when available) as alternatives to on‑site audits where appropriate.
9. Data Breach Response
- We will notify Customer of a confirmed Personal Data breach without undue delay, and in any event within 72 hours of becoming aware.
- Notification will include: nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed.
- We will cooperate with Customer in investigating and mitigating the breach and in meeting Customer’s obligations to notify supervisory authorities and data subjects.
10. Term and Termination
This DPA takes effect when Customer first starts using the Services and terminates when the Agreement terminates. Sections 4 (deletion obligations), 6 (security), and 8 (audit) survive termination for 12 months.
11. Governing Law
This DPA is governed by the same law as the Agreement (Delaware law), except that data protection obligations are interpreted in accordance with the applicable Data Protection Laws.
12. Contact
For DPA‑related inquiries:
Nex Habit LLC
2093 Philadelphia Pike 8077, CLAYMONT DE 19703, United States
Email: privacy@comturk.com
— End of Data Processing Addendum —