Home
Akitle Legal

Reference translation

Data Processor Agreement

Last updated:

This English version is provided as a reference for English-speaking readers. For Turkish-domiciled parties, the binding text is the Turkish version. Where this translation conflicts with the Turkish original, the Turkish original prevails.

View the binding Turkish version

1. Parties

This Data Processor Agreement ("DPA") is between Akitle (the "Processor") and the account-holder company (the "Controller") using Akitle's service. It governs the processing of renter personal data that the Controller collects through Akitle's share-link flow. The terms reflect KVKK Law No. 6698 art. 12, KVKK Authority Decision 2020/71, and GDPR Art. 28.

2. Scope of processing

  • Subject matter: storage and serving of rental contracts on behalf of the Controller.
  • Duration: for the term of the Controller's Akitle account, plus statutory retention periods.
  • Nature and purpose: hosting contracts, serving the signing flow, generating PDFs, retaining audit trails.
  • Categories of data subjects: the Controller's renters and counterparties.
  • Categories of personal data: identity, signature image, audit-trail technical signals (IP, user-agent, timestamp).

3. Security obligations

The Processor applies technical and organizational measures appropriate to the risk, equivalent across the following frameworks:

FrameworkRecognitionEvidentiary effect
Türkiye — KVKK art. 12Obligation to take 'every kind of technical and administrative measure' to ensure an appropriate level of securityKVKK Authority Decision 2018/10 prescribes a minimum set of measures; Akitle conforms to this baseline
EU — GDPR Art. 28(3)(c) + Art. 32Processor must implement appropriate technical and organizational measures including pseudonymization, encryption, integrity, availability, resilience, and regular testingAkitle satisfies these through TLS-in-transit, encryption-at-rest, tenant isolation, immutable audit trail, and the principle of least privilege for sub-processor access
ISO 27001 Annex A (where applicable)Reference baseline of 93 controls across access control, cryptography, operations security, and incident managementAkitle's underlying providers (Convex, iyzico, hosting) maintain SOC 2 / ISO 27001 certifications

4. Sub-processors

The Processor uses the following sub-processors:

  • Convex — database, server functions, file storage.
  • iyzico — payment processing.
  • Cloud infrastructure providers underpinning Convex.

The Controller is notified before any new sub-processor is engaged and may object on data-protection grounds within 30 days.

5. Data-breach notification

The Processor notifies the Controller of a personal-data breach without undue delay, and in any case within 72 hours of becoming aware (matching GDPR Art. 33 and KVKK Authority Decision 2019/271). Notification includes the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

6. Data subject requests

On receipt of a data-subject request directed at the Controller (KVKK art. 11; GDPR Arts. 15–22; CCPA), the Processor assists the Controller in fulfilling the request, taking into account the nature of the processing and the information available.

7. End of contract — return or deletion

On termination of the Controller's Akitle account, the Processor returns or deletes processed personal data as the Controller directs, subject to statutory retention obligations (e.g., Turkish Commercial Code art. 82 contract-retention requirements).

8. Liability

The Processor's liability under this DPA is limited as set out in the Terms of Service § 10. Each party indemnifies the other against losses arising from its own breach of this DPA, subject to standard exclusions for indirect, special, or consequential damages.

9. Audit rights

On reasonable written notice (at least 30 days), and no more than once per calendar year unless mandated by a regulator, the Controller may audit the Processor's compliance with this DPA. The Processor may satisfy this obligation by providing third-party audit reports from its sub-processors (SOC 2 / ISO 27001 reports from Convex, iyzico, hosting providers).

10. Governing law

This DPA is governed by the laws of the Republic of Türkiye. For Controllers domiciled in the EEA / UK, the parties may additionally agree on Standard Contractual Clauses for any transfer that falls within their scope.