Maliyo ERP - Data Processing Agreement

Data Processing Agreement

DPA for SaaS ERP Services
GDPR Compliant, KVKK Compliant

This Data Processing Agreement ("DPA") is an integral part of the main contract entered into between the parties within the scope of ERP services provided by Maliyo under the SaaS (Software as a Service) model.

Legal Framework: This DPA ensures compliance with the EU General Data Protection Regulation (GDPR) and the Turkish Law on the Protection of Personal Data No. 6698 (KVKK).

1 Parties and Roles

  • Data Controller (Customer): Determines purposes and means of processing personal data
  • Data Processor (Maliyo): Processes data on behalf of the Customer

Important: Maliyo processes personal data only in accordance with the Customer's instructions while providing ERP software under the SaaS model.

2 Data Processing within SaaS Scope

Maliyo performs the following activities through the SaaS infrastructure:

  • Hosting of ERP Software
  • System Access & User Management
  • Backup & System Security
  • Technical Support & Maintenance

Data Scope: The data processed is limited to the data entered into the system by the Customer. Maliyo does not collect or process additional personal data beyond what is provided by the Customer.

3 Maliyo's Obligations

As a Data Processor, Maliyo commits to the following:

  • Process personal data only within the scope of the contract and Customer instructions
  • Not use data for its own purposes or any purposes outside the agreed scope
  • Implement technical and administrative measures to prevent unauthorized access
  • Ensure confidentiality obligations are binding on all personnel with access to data
  • Assist the Customer in responding to data subject requests
  • Make available all information necessary to demonstrate compliance

4 Sub-Processors

Within the scope of SaaS infrastructure, Maliyo may use the following sub-processors:

  • Cloud service providers (hosting and infrastructure)
  • Server and data center services
  • Backup and disaster recovery services
Sub-Processor Requirements: All sub-processors are bound by contracts compliant with KVKK (Turkish Personal Data Protection Law) and GDPR. Maliyo remains fully liable for the acts and omissions of any sub-processor.

5 Data Security

Maliyo implements comprehensive security measures to protect personal data:

  • Role-based access control
  • Encryption & secure connections
  • Logging & monitoring systems
  • Regular backups
  • Firewall protection
  • Security audits

6 Data Breach Notification

In the event of any personal data breach, Maliyo will:

  • Notify the Customer without undue delay and, where feasible, within 24 hours of becoming aware of the breach
  • Provide detailed information about the nature of the breach, affected data categories, and approximate number of records
  • Take immediate measures to mitigate the effects of the breach and prevent further incidents
  • Cooperate with the Customer in investigating and resolving the breach
  • Document all data breaches and remedial actions taken

7 Data Retention and Deletion

Upon termination of the SaaS subscription:

  • Customer data will be returned in a commonly used, machine-readable format upon request
  • All personal data will be securely deleted within 30 days of termination, unless otherwise agreed
  • No data will be retained except as required by legal obligations or regulatory requirements
  • Maliyo will provide written confirmation of data deletion upon request
Customer Responsibility: Customers should export and back up their data before contract termination to ensure business continuity.

8 Right to Audit

The Customer has the right to audit Maliyo's compliance with data protection obligations under the following terms:

  • Reasonable advance notice (minimum 30 days) must be provided
  • Audits may be conducted directly or through an independent third-party auditor
  • Audits will be conducted during normal business hours
  • Frequency limited to once per year unless required by regulatory authority or following a data breach
  • Confidentiality obligations apply to all audit findings

9 Governing Law

This Data Processing Agreement is subject to the laws of the Republic of Türkiye.

Dispute Resolution: Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution mechanisms specified in the main service contract, subject to the exclusive jurisdiction of Turkish courts.