Data Processing Agreement
Last updated: 2025-01-01
1. Introduction & Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Aligntr Teknoloji A.S. ("Processor", "we", "us") and the customer entity ("Controller", "you") that has executed a subscription agreement for the Align.tr platform.
This DPA applies to all processing of personal data carried out by us on your behalf through the Align.tr platform, in accordance with:
- GDPR — Regulation (EU) 2016/679 (General Data Protection Regulation)
- KVKK — 6698 Sayili Kisisel Verilerin Korunmasi Kanunu (Turkish Personal Data Protection Law)
Turkish: This Data Processing Agreement covers all personal data processing activities carried out through the Align.tr platform.
2. Definitions
- "Personal Data" (Kisisel Veri): Any information relating to an identified or identifiable natural person, as defined by Article 4(1) GDPR and Article 3 KVKK.
- "Processing" (Veri Isleme): Any operation performed on personal data, including collection, recording, storage, adaptation, retrieval, use, disclosure, or erasure.
- "Data Subject" (Ilgili Kisi): The identified or identifiable natural person to whom the personal data relates.
- "Sub-processor" (Alt Veri Isleyen): A third party engaged by the Processor to process personal data on behalf of the Controller.
- "Standard Contractual Clauses" (SCCs): EU Commission-approved contractual terms for international data transfers as per Commission Implementing Decision (EU) 2021/914.
3. Data Processing Details
3.1 Categories of Data Subjects
- Customer employees and authorized users
- End users interacting with customer's digital workers
- Customer contacts and business partners (as uploaded by Controller)
3.2 Categories of Personal Data
- Identity data: name, email address, profile information
- Authentication data: hashed passwords, session tokens
- Usage data: platform interactions, feature usage, timestamps
- Payment data: billing address, payment method identifiers (no raw card numbers)
- Content data: prompts, responses, and files uploaded to digital workers
- Technical data: IP addresses, browser type, device identifiers
3.3 Purposes of Processing
- Providing and maintaining the Align.tr platform services
- Authenticating users and managing access control
- Processing payments and managing subscriptions
- Executing digital worker tasks (LLM interactions)
- Platform analytics and service improvement
- Security monitoring and fraud prevention
- Compliance with legal obligations
3.4 Retention Periods
| Data Category | Retention Period |
|---|---|
| Account data | Duration of contract + 30 days |
| LLM interaction logs | 90 days (configurable by Controller) |
| Payment records | As required by tax law (minimum 5 years) |
| Security logs | 12 months |
| Uploaded files | Duration of contract + 30 days |
4. Technical and Organizational Measures
We implement the following measures in accordance with Article 32 GDPR and Article 12 KVKK to ensure the security of personal data:
4.1 Encryption
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest (Azure Storage Service Encryption)
- Database connections encrypted via SSL/TLS
4.2 Access Control
- Role-based access control (RBAC) at application and infrastructure levels
- Multi-tenant data isolation with company-scoped queries
- Multi-factor authentication for administrative access
- Principle of least privilege for all system access
4.3 Monitoring & Incident Response
- Azure Application Insights for real-time monitoring
- Automated security alerts and anomaly detection
- Audit logging for all data access operations
- Documented incident response procedures
4.4 Business Continuity
- Automated database backups with point-in-time recovery
- Geo-redundant storage for critical data
- Disaster recovery plan with defined RTO and RPO
5. Sub-processor List
The Controller authorizes the engagement of the following sub-processors. The full sub-processor list is also available at /subprocessors.
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud hosting, database, AI services, blob storage, email | EU (West Europe - Netherlands) |
| Stripe | Payment processing | US (with EU SCCs) |
| Vercel | Edge deployment and CDN | Global (EU primary) |
| Anthropic | LLM provider (Claude models via Azure AI Foundry) | US (processed via Azure EU) |
We will notify the Controller at least 30 days before adding or replacing a sub-processor, providing the Controller with an opportunity to object.
6. Data Subject Rights
We will assist the Controller in fulfilling data subject requests under GDPR (Articles 15-22) and KVKK (Article 11), including:
- Right of access (Erisim hakki) — Confirmation of processing and access to personal data
- Right to rectification (Duzeltme hakki) — Correction of inaccurate personal data
- Right to erasure (Silme hakki) — Deletion of personal data where applicable
- Right to data portability (Veri tasinabilirligi hakki) — Export of personal data in a structured format
- Right to restrict processing (Islemenin kisitlanmasi hakki) — Limiting the processing of personal data
- Right to object (Itiraz hakki) — Objecting to processing based on legitimate interests
We will respond to Controller's requests to assist with data subject rights within 10 business days.
7. Data Breach Notification
In the event of a personal data breach, we will:
- Notify the Controller without undue delay and in any case within 36 hours of becoming aware of the breach (a stricter deadline than the 72-hour GDPR requirement).
- Provide all information required under Article 33(3) GDPR, including:
  - Nature and scope of the breach
  - Categories and approximate number of affected data subjects
  - Likely consequences of the breach
  - Measures taken or proposed to mitigate the breach
- Cooperate with the Controller and supervisory authorities in investigating and resolving the breach.
- Document all breaches in an internal register, regardless of severity.
Turkish (KVKK): In the event of a data breach, the Personal Data Protection Board (Kisisel Verileri Koruma Kurulu) and the affected data subjects will be notified as soon as possible (KVKK Article 12/5).
8. International Data Transfers & Standard Contractual Clauses
Where personal data is transferred outside the European Economic Area (EEA) or Turkey, we ensure that appropriate safeguards are in place:
- EU Standard Contractual Clauses (SCCs) as adopted by Commission Implementing Decision (EU) 2021/914 are incorporated into agreements with all sub-processors located outside the EEA.
- Adequacy decisions are relied upon where available.
- Transfer Impact Assessments are conducted for each sub-processor to evaluate the level of data protection in the recipient country.
- Cross-border transfers under KVKK comply with Article 9 of KVKK and decisions of the Kisisel Verileri Koruma Kurulu (Personal Data Protection Board).
Our primary data processing occurs within the EU (Azure West Europe — Netherlands), minimizing the need for international transfers.
9. Contact Information
For questions regarding this DPA or to exercise data protection rights, contact:
Aligntr Teknoloji A.S.
Data Protection Officer
Email: dpo@align.tr
You may also lodge a complaint with the relevant supervisory authority: the KVKK (Kisisel Verileri Koruma Kurumu) in Turkey or the relevant Data Protection Authority in the EU.