Limited Time Offer! Get 50% off on all packages. See Packages →

Privacy and Data Protection

Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") is entered into between Taiga Teknoloji Anonim Şirketi ("LUNAAR", "Processor") and the organization or person purchasing enterprise services ("Customer", "Data Controller", "You"), and forms an integral part under the Master Service Agreement or Terms of Service ("Agreement") between the parties.

Effective: July 1, 2025Last Updated: January 10, 2025

1DEFINITIONS

1.1 Key Definitions

"Personal Data": Means any information relating to an identified or identifiable natural person.

"Processing": Means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

"Data Subject": Means the natural person to whom the personal data relates.

"Data Controller": Means the entity that determines the purposes and means of processing personal data.

"Data Processor": Means the entity that processes personal data on behalf of the Data Controller.

1.2 Data Protection Laws

Means all applicable laws relating to data protection and privacy:

  • EU General Data Protection Regulation (GDPR)
  • Turkey Law on the Protection of Personal Data (KVKK)
  • California Consumer Privacy Act (CCPA)
  • Other applicable data protection regulations

2SCOPE AND ROLES

2.1 Relationship of the Parties

  • The Customer acts as the Data Controller for the Personal Data
  • LUNAAR acts as the Data Processor for the Personal Data processed under this DPA
  • This DPA applies to all Processing activities carried out by LUNAAR on behalf of the Customer

2.2 Customer Instructions

  • The Processor shall process Personal Data only on the documented instructions of the Data Controller
  • The Agreement and this DPA constitute the complete instructions of the Data Controller
  • Additional instructions require a written agreement and may incur additional fees

3DATA PROCESSING DETAILS

3.1 Categories of Data Subjects

  • The Customer's employees and personnel
  • The Customer's customers
  • The Customer's suppliers and partners
  • The Customer's service users
  • Other persons provided by the Customer

3.2 Types of Personal Data

  • Identity data (name, identification numbers)
  • Contact information (email, phone, address)
  • Account credentials and authentication data
  • Payment and billing information
  • Usage data and analytics
  • Images and visual content
  • AI-generated content and outputs
  • Other data uploaded or processed by the Customer

3.3 Processing Activities

  • Data storage and hosting
  • AI model processing and generation
  • Data backup and recovery
  • Technical support services
  • Analytics and reporting
  • Security monitoring
  • Service improvement

4PROCESSOR OBLIGATIONS

4.1 Compliance

The Processor shall:

  • Process Personal Data in accordance with Data Protection Laws
  • Maintain records of processing activities
  • Cooperate with supervisory authorities
  • Implement privacy by design principles

4.2 Data Security

Security Measures

The Processor shall implement and maintain appropriate technical and organizational measures:

  • Encryption for data at rest (AES-256) and in transit (TLS 1.3)
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Incident response and disaster recovery procedures
  • Physical security of data centers

4.3 Data Subject Rights

The Processor shall:

  • Assist the Data Controller in responding to data subject requests
  • Implement technical measures to support data subject rights
  • Promptly notify the Data Controller of direct requests from data subjects
  • Not respond directly to data subjects unless authorized

5SUB-PROCESSORS

5.1 Current Sub-processors

Sub-processorServiceLocationPurpose
Amazon Web ServicesCloud InfrastructureEU/USData hosting and processing
Google Cloud PlatformCloud ServicesEU/USBackup and redundancy
iyzicoPayment ProcessingTurkeyTransaction processing
SendGridEmail ServicesUSTransactional emails
CloudflareCDN/SecurityGlobalContent delivery and DDoS protection

5.2 Sub-processor Requirements

The Processor shall:

  • Impose the same data protection obligations on Sub-processors
  • Remain fully liable for the performance of Sub-processors
  • Provide appropriate safeguards for international transfers

6INTERNATIONAL TRANSFERS

6.1 Transfer Mechanisms

For transfers outside the EEA/adequate countries, the Processor shall ensure:

  • Standard Contractual Clauses are in place
  • Supplementary measures where necessary
  • Compliance with Schrems II requirements

6.2 Transfer Safeguards

  • Data localization options available upon request
  • Encryption of all international transfers
  • Access restrictions based on geographic location
  • Regular assessment of third-country laws

7SECURITY INCIDENTS

7.1 Incident Response

After becoming aware of a Security Incident, the Processor shall:

  • Notify the Data Controller without undue delay (within 72 hours)
  • Investigate and document the incident
  • Implement measures to mitigate the effects
  • Cooperate with the Data Controller's investigation

7.2 Notification Content

Incident notifications shall include:

  • The nature and scope of the incident
  • Categories and number of affected data subjects
  • Categories and volume of relevant Personal Data
  • Likely consequences and risks
  • Measures taken or recommended
  • Contact point for further information

8DATA RETENTION AND DELETION

8.1 Retention Period

  • Personal Data is retained only for as long as necessary
  • Retention periods are defined by Data Controller instructions
  • Legal retention requirements override deletion requests

8.2 Data Return and Deletion

Upon termination or Data Controller request:

  • Return all Personal Data in the agreed format
  • Delete all copies unless legally required to retain them
  • Provide a deletion certificate
  • Complete deletion within 30 days

9DATA CONTROLLER OBLIGATIONS

9.1 Lawful Instructions

The Data Controller shall:

  • Ensure that instructions comply with Data Protection Laws
  • Have a legal basis for Processing
  • Obtain the necessary consents
  • Comply with data minimization principles

9.2 Rights and Authorizations

The Data Controller warrants that it has the right to:

  • All necessary rights to provide the Personal Data
  • Obtaining the required consents
  • Making the necessary notifications to data subjects
  • Authority to enter into this DPA

10LIABILITY AND INDEMNIFICATION

10.1 Allocation of Liability

  • Each party is liable for its own non-compliance
  • The Processor is liable for Processing outside the Data Controller's instructions
  • The Data Controller is liable for unlawful instructions

10.2 Limitation of Liability

  • Subject to the mandatory provisions of Data Protection Laws
  • Total liability is limited as set out in the main Agreement
  • Excludes regulatory fines and penalties

11JURISDICTION-SPECIFIC TERMS

11.1 European Union (GDPR)

  • The Processor acts pursuant to GDPR Article 28
  • Standard Contractual Clauses are incorporated by reference
  • Data Protection Officer: spark@lunaarvision.com

11.2 Turkey (KVKK)

  • Compliance with KVKK requirements
  • Maintenance of VERBİS registration
  • Local data residency options available

11.3 California (CCPA/CPRA)

  • Service Provider under CCPA
  • No sale of Personal Information
  • Specific Purpose Limitation applies

12APPENDICES

APPENDIX A: Technical and Organizational Measures

Technical Measures:

  • Encryption: AES-256 (at rest), TLS 1.3 (in transit)
  • Access Control: Multi-factor authentication, role-based access
  • Network Security: Firewalls, IDS/IPS, DDoS protection
  • Application Security: OWASP compliance, regular security testing
  • Data Separation: Logical separation of customer data

Organizational Measures:

  • Security Policies: ISO 27001 compliant
  • Personnel: Background checks, security training
  • Physical Security: 24/7 monitoring, access controls
  • Business Continuity: Disaster recovery, backup procedures
  • Vendor Management: Due diligence, contractual controls

SIGNATURES

By accepting the Agreement or using the Services, the Customer agrees to this Data Processing Agreement.

PROCESSOR:

Taiga Teknoloji Anonim Şirketi

Name: [Authorized Representative]

Title: [Title]

Date: _____________

Signature: _____________

DATA CONTROLLER:

[Customer Name]

Name: _____________

Title: _____________

Date: _____________

Signature: _____________

Contact Information

For DPA matters, contact:

Email: spark@lunaarvision.com

Data Protection Officer: spark@lunaarvision.com

Address:
Çifte Havuzlar Mah. Eski Londra Asfaltı Cad.
Kuluçka Merkezi A1 Blok No 151
Yıldız Teknik Üniversitesi - Teknopark
Esenler / İstanbul, Turkey

Contact

Data Protection Inquiries

spark@lunaarvision.com

Data Protection Officer

spark@lunaarvision.com

General Contact

Taiga Teknoloji Anonim Şirketi
Çifte Havuzlar Mah. Eski Londra Asfaltı Cad.
Kuluçka Merkezi A1 Blok No 151
Yıldız Teknik Üniversitesi - Teknopark
Esenler / İstanbul, Turkey

Response Time

We aim to respond to all privacy inquiries within 30 days.