Home/legal
⚠️ This document is a template for staging/preview. Have a qualified lawyer review it before commercial launch.

Data Processing Agreement (DPA)

Last updated: 17 May 2026

1. Parties & scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between izvera.com ("Processor") and the business customer ("Controller"). It applies where the Processor processes personal data on behalf of the Controller in connection with the Service, in accordance with GDPR Article 28 and KVKK Article 12.

2. Nature, purpose & duration of processing

  • Subject matter: provision of the Digital Product Passport SaaS.
  • Categories of data subjects: Controller's authorised users; individuals identifiable in product or supplier data uploaded by Controller.
  • Categories of personal data: contact data, organisational role, authentication metadata, content uploaded by Controller.
  • Duration: while the Controller's account is active and for up to 30 days after termination.

3. Processor obligations

  • Process personal data only on documented instructions of the Controller (unless required by law).
  • Ensure persons authorised to process the personal data are under a duty of confidentiality.
  • Implement appropriate technical and organisational measures (Art. 32 GDPR).
  • Assist Controller in fulfilling data-subject rights and notification obligations (Arts. 32–36 GDPR).
  • At Controller's choice, delete or return personal data after the end of the provision of services and delete copies (subject to legal retention).
  • Make available all information necessary to demonstrate compliance, and allow for audits in accordance with Section 7.

4. Sub-processors

Controller provides general authorisation for the Processor to engage sub-processors. A current list is available on request. The Processor will give at least 14 days' advance notice of new sub-processors and will give Controller the right to object on reasonable data-protection grounds. The Processor remains liable for the acts and omissions of sub-processors.

5. Security measures

  • Encryption of personal data in transit (TLS 1.2+) and at rest where applicable.
  • Role-based access controls and least-privilege principles.
  • Audit logging and monitoring.
  • Regular vulnerability management and dependency patching.
  • Documented incident response and breach notification procedures.
  • Personnel training on data protection.

6. International transfers

Where the Processor transfers personal data outside the EEA or Türkiye, the Processor will rely on adequacy decisions, EU Standard Contractual Clauses (with appropriate supplementary measures where required), or other lawful transfer mechanisms.

7. Audits

Once per calendar year (or more frequently in case of a substantiated incident), Controller may audit the Processor's compliance with this DPA. The Processor may satisfy this obligation by providing a recent SOC 2 / ISO 27001 report or equivalent. Audits are at Controller's expense and must not unreasonably disrupt operations.

8. Breach notification

The Processor will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Controller's data. Notification will include the nature of the breach, affected categories and approximate numbers, likely consequences, and measures taken or proposed.

9. Liability

Each party's liability under this DPA is subject to the limitation of liability in the Terms of Service. Nothing in this DPA limits any party's liability for matters that cannot be excluded or limited under applicable data protection law.

10. Term & termination

This DPA remains in effect for as long as the Processor processes personal data on behalf of the Controller. Upon termination, Sections 3 (deletion/return), 5 (security), 8 (breach notification of incidents already discovered), and 9 (liability) survive as required.

11. Order of precedence

In case of conflict between this DPA and the Terms of Service, this DPA prevails for matters relating to the processing of personal data. Mandatory provisions of applicable law take precedence over both.

12. Signature

This DPA is incorporated by reference into the Terms of Service. By using the Service, the Controller agrees to be bound by this DPA. A counter-signed version is available on request to privacy@izvera.com.

    IZVERA