Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between [Company name TBD] (Istanbul, Türkiye), which operates Kuzy ("Processor"), and the customer ("Controller") using the Kuzy hosted services. It applies whenever Kuzy processes Personal Data on behalf of the Controller, including in the EU and the UK.
By using the hosted Kuzy gateway, you accept this DPA. A countersigned copy is available on request — email [email protected].
Definitions
- Personal Data — has the meaning given in Article 4 of the GDPR.
- Processing — has the meaning given in Article 4 of the GDPR.
- Controller — the customer using the Kuzy services.
- Processor — Kuzy.
- Sub-processor — any third party engaged by Kuzy to process Personal Data on the Controller's behalf.
- Standard Contractual Clauses (SCCs) — the EU SCCs adopted by the European Commission in Decision 2021/914.
Roles & responsibilities
Controller: determines the purpose and means of Processing. Responsible for the lawful basis for collecting Personal Data and for instructing Kuzy to process it.
Processor (Kuzy): processes Personal Data only on documented instructions from the Controller, ensures personnel are bound by confidentiality, and assists the Controller in fulfilling data-subject rights requests, breach notifications, and impact assessments.
Sub-processors
Kuzy engages the following sub-processors to deliver the service. We'll give 30 days' notice (via email and a banner in the dashboard) before adding or replacing any sub-processor. You may object on reasonable data-protection grounds, in which case we'll work with you on an alternative or, if no resolution is possible, you may terminate the affected services with a pro-rated refund.
| Sub-processor | Purpose | Region |
|---|---|---|
| Stripe, Inc. | Payment processing | US (with SCCs) |
| AWS (or equivalent) | Cloud infrastructure, encrypted storage | EU + US |
| Cloudflare | CDN, WAF, DDoS | Global edge |
| Postmark (or equivalent) | Transactional email | US (with SCCs) |
| OpenAI / Anthropic / model providers | LLM inference (only if you send a hosted task to that provider) | US |
International transfers
Where Personal Data is transferred outside the EEA or the UK, we rely on the EU Standard Contractual Clauses (Module 2 — Controller to Processor) and the UK Addendum, together with supplementary measures (encryption in transit and at rest, key control, transfer-impact assessments).
Security measures
- Encryption — TLS 1.3 in transit; AES-256 at rest for primary stores; encrypted backups.
- Access control — least-privilege, role-based access. Engineering access to production requires SSO + hardware key.
- Audit logging — all production access is logged and retained for 1 year.
- Network isolation — production is segregated from staging; outbound egress on production hosts is restricted to allow-listed endpoints.
- Vulnerability management — dependency scanning on every build; quarterly penetration tests; published responsible-disclosure policy.
- Backups — encrypted, geographically redundant, 35-day rolling window, periodic restore tests.
- Personnel — background checks where legally permitted; annual security training; confidentiality obligations.
Incident notification
Kuzy will notify the Controller without undue delay, and in any case within 72 hours of becoming aware of a Personal Data breach affecting the Controller's data. The notification will include, to the extent known: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the remediation steps taken or proposed.
Audit rights
On reasonable notice (at least 30 days, except in case of a regulator-driven audit), the Controller may audit Kuzy's compliance with this DPA — directly or via a mutually agreed independent auditor. Routine audits are conducted no more than once per calendar year and at the Controller's expense, except where the audit reveals material non-compliance.
Termination & deletion
On termination of the underlying agreement, Kuzy will, at the Controller's choice, delete or return all Personal Data within 30 days. Backups will be purged within 35 days as part of the rolling backup window.
Contact
[Company name TBD] · Istanbul, Türkiye
DPO and legal: [email protected]
For an executed DPA on your own paper, send your DPA to [email protected] and we'll respond within 5 business days.