Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") is entered into between Taiga Teknoloji Anonim Şirketi ("LUNAAR", "Processor") and the organization or person purchasing enterprise services ("Customer", "Data Controller", "You"), and forms an integral part under the Master Service Agreement or Terms of Service ("Agreement") between the parties.
1DEFINITIONS
1.1 Key Definitions
"Personal Data": Means any information relating to an identified or identifiable natural person.
"Processing": Means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
"Data Subject": Means the natural person to whom the personal data relates.
"Data Controller": Means the entity that determines the purposes and means of processing personal data.
"Data Processor": Means the entity that processes personal data on behalf of the Data Controller.
1.2 Data Protection Laws
Means all applicable laws relating to data protection and privacy:
- EU General Data Protection Regulation (GDPR)
- Turkey Law on the Protection of Personal Data (KVKK)
- California Consumer Privacy Act (CCPA)
- Other applicable data protection regulations
2SCOPE AND ROLES
2.1 Relationship of the Parties
- The Customer acts as the Data Controller for the Personal Data
- LUNAAR acts as the Data Processor for the Personal Data processed under this DPA
- This DPA applies to all Processing activities carried out by LUNAAR on behalf of the Customer
2.2 Customer Instructions
- The Processor shall process Personal Data only on the documented instructions of the Data Controller
- The Agreement and this DPA constitute the complete instructions of the Data Controller
- Additional instructions require a written agreement and may incur additional fees
3DATA PROCESSING DETAILS
3.1 Categories of Data Subjects
- The Customer's employees and personnel
- The Customer's customers
- The Customer's suppliers and partners
- The Customer's service users
- Other persons provided by the Customer
3.2 Types of Personal Data
- Identity data (name, identification numbers)
- Contact information (email, phone, address)
- Account credentials and authentication data
- Payment and billing information
- Usage data and analytics
- Images and visual content
- AI-generated content and outputs
- Other data uploaded or processed by the Customer
3.3 Processing Activities
- Data storage and hosting
- AI model processing and generation
- Data backup and recovery
- Technical support services
- Analytics and reporting
- Security monitoring
- Service improvement
4PROCESSOR OBLIGATIONS
4.1 Compliance
The Processor shall:
- Process Personal Data in accordance with Data Protection Laws
- Maintain records of processing activities
- Cooperate with supervisory authorities
- Implement privacy by design principles
4.2 Data Security
Security Measures
The Processor shall implement and maintain appropriate technical and organizational measures:
- Encryption for data at rest (AES-256) and in transit (TLS 1.3)
- Access controls and authentication mechanisms
- Regular security assessments and penetration testing
- Incident response and disaster recovery procedures
- Physical security of data centers
4.3 Data Subject Rights
The Processor shall:
- Assist the Data Controller in responding to data subject requests
- Implement technical measures to support data subject rights
- Promptly notify the Data Controller of direct requests from data subjects
- Not respond directly to data subjects unless authorized
5SUB-PROCESSORS
5.1 Current Sub-processors
| Sub-processor | Service | Location | Purpose |
|---|---|---|---|
| Amazon Web Services | Cloud Infrastructure | EU/US | Data hosting and processing |
| Google Cloud Platform | Cloud Services | EU/US | Backup and redundancy |
| iyzico | Payment Processing | Turkey | Transaction processing |
| SendGrid | Email Services | US | Transactional emails |
| Cloudflare | CDN/Security | Global | Content delivery and DDoS protection |
5.2 Sub-processor Requirements
The Processor shall:
- Impose the same data protection obligations on Sub-processors
- Remain fully liable for the performance of Sub-processors
- Provide appropriate safeguards for international transfers
6INTERNATIONAL TRANSFERS
6.1 Transfer Mechanisms
For transfers outside the EEA/adequate countries, the Processor shall ensure:
- Standard Contractual Clauses are in place
- Supplementary measures where necessary
- Compliance with Schrems II requirements
6.2 Transfer Safeguards
- Data localization options available upon request
- Encryption of all international transfers
- Access restrictions based on geographic location
- Regular assessment of third-country laws
7SECURITY INCIDENTS
7.1 Incident Response
After becoming aware of a Security Incident, the Processor shall:
- Notify the Data Controller without undue delay (within 72 hours)
- Investigate and document the incident
- Implement measures to mitigate the effects
- Cooperate with the Data Controller's investigation
7.2 Notification Content
Incident notifications shall include:
- The nature and scope of the incident
- Categories and number of affected data subjects
- Categories and volume of relevant Personal Data
- Likely consequences and risks
- Measures taken or recommended
- Contact point for further information
8DATA RETENTION AND DELETION
8.1 Retention Period
- Personal Data is retained only for as long as necessary
- Retention periods are defined by Data Controller instructions
- Legal retention requirements override deletion requests
8.2 Data Return and Deletion
Upon termination or Data Controller request:
- Return all Personal Data in the agreed format
- Delete all copies unless legally required to retain them
- Provide a deletion certificate
- Complete deletion within 30 days
9DATA CONTROLLER OBLIGATIONS
9.1 Lawful Instructions
The Data Controller shall:
- Ensure that instructions comply with Data Protection Laws
- Have a legal basis for Processing
- Obtain the necessary consents
- Comply with data minimization principles
9.2 Rights and Authorizations
The Data Controller warrants that it has the right to:
- All necessary rights to provide the Personal Data
- Obtaining the required consents
- Making the necessary notifications to data subjects
- Authority to enter into this DPA
10LIABILITY AND INDEMNIFICATION
10.1 Allocation of Liability
- Each party is liable for its own non-compliance
- The Processor is liable for Processing outside the Data Controller's instructions
- The Data Controller is liable for unlawful instructions
10.2 Limitation of Liability
- Subject to the mandatory provisions of Data Protection Laws
- Total liability is limited as set out in the main Agreement
- Excludes regulatory fines and penalties
11JURISDICTION-SPECIFIC TERMS
11.1 European Union (GDPR)
- The Processor acts pursuant to GDPR Article 28
- Standard Contractual Clauses are incorporated by reference
- Data Protection Officer: spark@lunaarvision.com
11.2 Turkey (KVKK)
- Compliance with KVKK requirements
- Maintenance of VERBİS registration
- Local data residency options available
11.3 California (CCPA/CPRA)
- Service Provider under CCPA
- No sale of Personal Information
- Specific Purpose Limitation applies
12APPENDICES
APPENDIX A: Technical and Organizational Measures
Technical Measures:
- Encryption: AES-256 (at rest), TLS 1.3 (in transit)
- Access Control: Multi-factor authentication, role-based access
- Network Security: Firewalls, IDS/IPS, DDoS protection
- Application Security: OWASP compliance, regular security testing
- Data Separation: Logical separation of customer data
Organizational Measures:
- Security Policies: ISO 27001 compliant
- Personnel: Background checks, security training
- Physical Security: 24/7 monitoring, access controls
- Business Continuity: Disaster recovery, backup procedures
- Vendor Management: Due diligence, contractual controls
SIGNATURES
By accepting the Agreement or using the Services, the Customer agrees to this Data Processing Agreement.
PROCESSOR:
Taiga Teknoloji Anonim Şirketi
Name: [Authorized Representative]
Title: [Title]
Date: _____________
Signature: _____________
DATA CONTROLLER:
[Customer Name]
Name: _____________
Title: _____________
Date: _____________
Signature: _____________
Contact Information
For DPA matters, contact:
Email: spark@lunaarvision.com
Data Protection Officer: spark@lunaarvision.com
Address:
Çifte Havuzlar Mah. Eski Londra Asfaltı Cad.
Kuluçka Merkezi A1 Blok No 151
Yıldız Teknik Üniversitesi - Teknopark
Esenler / İstanbul, Turkey
Contact
Data Protection Inquiries
spark@lunaarvision.comData Protection Officer
spark@lunaarvision.comGeneral Contact
Taiga Teknoloji Anonim Şirketi
Çifte Havuzlar Mah. Eski Londra Asfaltı Cad.
Kuluçka Merkezi A1 Blok No 151
Yıldız Teknik Üniversitesi - Teknopark
Esenler / İstanbul, Turkey
Phone
+90 532 494 42 64Response Time
We aim to respond to all privacy inquiries within 30 days.
