Extrais — Data Processing Agreement
[square brackets] is a placeholder to be completed for the specific engagement. This template is drafted to satisfy Article 28 of the EU General Data Protection Regulation (GDPR) and equivalent obligations under the UK GDPR, the Swiss Federal Act on Data Protection (revised FADP / nLPD) and the Turkish Personal Data Protection Law No. 6698 (KVKK). It must be reviewed, adapted and finalised by qualified legal counsel before execution in any given engagement. Read it together with our Privacy Policy and our Sub-processors page.Parties
This Data Processing Agreement is entered into between:
- (1) TABA Tasarım İnşaat Anonim Şirketi ("TABA", the "Controller"), a company incorporated in the Republic of Türkiye, operator of the Extrais platform, contactable at info@vitamedas.com (the "Controller"); and
- (2)
[Processor: full legal name, company number, registered address, jurisdiction of incorporation](the "Processor"),[contact: name / email of Processor's data-protection contact or representative].
each a "Party" and together the "Parties". This DPA forms part of and supplements the underlying agreement between the Parties under which the Processor provides services to TABA (the "Principal Agreement", [reference / title / date]). It takes effect on the date of the last signature below (the "Effective Date").
Background
In performing the services described in the Principal Agreement (the "Services"), the Processor will process personal data on behalf of and under the instructions of TABA. The Parties enter into this DPA to ensure that such processing is carried out in compliance with Applicable Data Protection Law and, in particular, Article 28 GDPR.
1. Definitions & interpretation
1.1 Capitalised terms used in this DPA have the meaning given to them in the GDPR. In particular, "personal data", "special categories of personal data", "processing", "controller", "processor", "sub-processor", "data subject", "personal data breach", "supervisory authority" and "international organisation" each bear the meaning given in Article 4 GDPR.
1.2 "GDPR" means Regulation (EU) 2016/679. "UK GDPR" means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018, read with the UK Data Protection Act 2018. "Swiss FADP" means the Swiss Federal Act on Data Protection of 25 September 2020 (revised FADP / nLPD) and its implementing ordinance. "KVKK" means the Turkish Personal Data Protection Law No. 6698 and its secondary legislation.
1.3 "Applicable Data Protection Law" means all data-protection and privacy laws applicable to the processing under this DPA, including, as applicable, the GDPR, the UK GDPR and DPA 2018, the Swiss FADP, the KVKK, and any other equivalent national or sub-national law (including, in the United States, the California Consumer Privacy Act as amended by the CPRA and the comparable laws of Virginia, Colorado, Connecticut and Utah, and in Canada, PIPEDA and Québec's Law 25).
1.4 "EU SCCs" means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021. "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A DPA 2018. "Restricted Transfer" means a transfer of personal data to a country or recipient not benefitting from an adequacy decision under the relevant Applicable Data Protection Law.
1.5 Equivalent meaning across regimes. Where this DPA refers to a GDPR concept, term or Article, that reference is to be read as a reference to the materially equivalent concept, term or provision under the UK GDPR and DPA 2018, the Swiss FADP and the KVKK, as applicable to the relevant processing, so that the protections in this DPA apply with equivalent effect under each of those regimes. Accordingly: references to a "supervisory authority" include the UK Information Commissioner's Office (ICO), the Swiss Federal Data Protection and Information Commissioner (FDPIC) and the Turkish Personal Data Protection Authority (KVKK Authority / Kurum); references to the "GDPR" include the UK GDPR, the Swiss FADP and the KVKK to the extent applicable; and references to a "Member State" include the United Kingdom, Switzerland and the Republic of Türkiye as the context requires.
2. Roles & scope
2.1 For the purposes of this DPA and the processing of personal data under the Services, the Parties acknowledge and agree that TABA is the Controller (or, where TABA itself acts as processor for another controller, the relevant controller's processor) and the Processor is the processor acting on TABA's behalf.
2.2 The Processor shall process personal data only on the documented instructions of TABA, including with regard to Restricted Transfers, unless required to do so by Union, Member State or other applicable law to which the Processor is subject; in such a case, the Processor shall inform TABA of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
2.3 The subject-matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in Annex 1. The Processor shall not process personal data for any purpose other than as set out in Annex 1 or as otherwise instructed in writing by TABA.
2.4 The Principal Agreement, this DPA and TABA's written configuration of, and use of, the Services together constitute TABA's complete and final documented instructions to the Processor. Additional or different instructions require written agreement of the Parties.
2.5 The Processor shall immediately inform TABA if, in its opinion, an instruction infringes Applicable Data Protection Law. The Processor is not obliged to carry out an independent legal review of the lawfulness of TABA's instructions.
3. Processor obligations (Article 28(3))
The Processor shall, and shall procure that its personnel and sub-processors shall, comply with the following obligations.
(a) Documented instructions
Process the personal data only on TABA's documented instructions (including as to Restricted Transfers), as described in clause 2 above and as set out in Annex 1, save where required by applicable law as described in clause 2.2.
(b) Confidentiality of personnel
Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access to the personal data is limited to those personnel who need it to perform the Services.
(c) Security of processing (Article 32)
Take all measures required pursuant to Article 32 GDPR, implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk, having regard to the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to the rights and freedoms of data subjects. The minimum measures are set out in Annex 2 (Technical and Organisational Measures). The Processor shall not materially reduce the overall level of protection during the term.
(d) Sub-processors
3.1 The Processor shall not engage another processor (a "sub-processor") without the prior specific or general written authorisation of TABA. Where general written authorisation is given, the Processor shall inform TABA of any intended addition or replacement of a sub-processor with reasonable prior notice (at least [30] days), thereby giving TABA the opportunity to object on reasonable data-protection grounds. If TABA objects, the Parties shall work in good faith to resolve the concern; failing resolution, TABA may suspend or terminate the affected Services without penalty.
3.2 Where the Processor engages a sub-processor, it shall do so by way of a written contract that imposes on the sub-processor the same data-protection obligations as are set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR (a "flow-down").
3.3 The Processor remains fully liable to TABA for the performance of each sub-processor's obligations. Where a sub-processor fails to fulfil its data-protection obligations, the Processor remains fully liable to TABA for the performance of that sub-processor's obligations.
3.4 A current list of authorised sub-processors is maintained in Annex 3; TABA's published Sub-processors page describes the sub-processors used to operate the Extrais platform.
(e) Assistance with data-subject rights (Articles 12–23)
Taking into account the nature of the processing, assist TABA by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of TABA's obligation to respond to requests for exercising data-subject rights under Chapter III GDPR (Articles 12–23), including rights of access, rectification, erasure, restriction, data portability and objection. The Processor shall promptly notify TABA if it receives a request directly from a data subject and shall not respond to that request itself except on TABA's documented instructions or as required by law.
(f) Assistance with Articles 32–36
Assist TABA in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor, including assistance with: security of processing (Art. 32); notification of a personal data breach to the supervisory authority (Art. 33) and to affected data subjects (Art. 34); data protection impact assessments (Art. 35); and prior consultation with the supervisory authority (Art. 36).
(g) Deletion or return of data
At TABA's choice, delete or return all the personal data to TABA after the end of the provision of the Services relating to processing, and delete existing copies unless Union, Member State or other applicable law requires storage of the personal data. Deletion or return shall be completed within [30] days of the end of the Services unless otherwise agreed, and the Processor shall certify deletion in writing on request.
(h) Information & audits
Make available to TABA all information necessary to demonstrate compliance with the obligations laid down in Article 28 and this DPA, and allow for and contribute to audits, including inspections, conducted by TABA or another auditor mandated by TABA. Audits shall take place on reasonable prior notice (at least [30] days, save in the case of a personal data breach or a regulator requirement), no more than once per year unless required by a supervisory authority or following a personal data breach, during business hours, subject to confidentiality and without unreasonable disruption to the Processor's operations. The Processor may satisfy reasonable audit requests by providing up-to-date certifications (e.g. ISO/IEC 27001) or independent third-party audit reports (e.g. SOC 2 Type II), supplemented as needed. The Processor shall immediately inform TABA if, in its opinion, an instruction infringes the GDPR or other Applicable Data Protection Law.
4. Personal-data breach notification
4.1 The Processor shall notify TABA without undue delay, and in any event within [48] hours, after becoming aware of a personal data breach affecting personal data processed under this DPA.
4.2 The notification shall describe, to the extent known and as it becomes available: the nature of the breach including, where possible, the categories and approximate number of data subjects and personal-data records concerned; the likely consequences of the breach; the measures taken or proposed to address it and to mitigate its possible adverse effects; and a contact point for further information.
4.3 The Processor shall cooperate with and assist TABA in investigating, mitigating and remediating the breach, and shall not make any public statement or notify any supervisory authority or data subject about a breach affecting TABA's data without TABA's prior written authorisation, unless required by law.
5. International transfers
5.1 The Processor shall not transfer personal data to a country outside the EEA, the United Kingdom or Switzerland, or to an international organisation, and shall not process it outside those territories, except on TABA's documented instructions and subject to an appropriate transfer mechanism under Applicable Data Protection Law. The core Extrais data is hosted in the EU.
5.2 EU Standard Contractual Clauses. Where the Processor (or an authorised sub-processor) processes personal data subject to the GDPR in a country that does not benefit from a European Commission adequacy decision, the EU SCCs (Commission Implementing Decision (EU) 2021/914), Module Two (controller to processor), are hereby incorporated into this DPA by reference and apply to that transfer, with TABA as data exporter and the Processor (or sub-processor) as data importer. For the purposes of those Clauses:
- the optional docking clause (Clause 7) applies;
- under Clause 9, Option 2 (general written authorisation) applies, with the notice period set out in clause 3.1 of this DPA;
- under Clause 11, the optional independent dispute-resolution body language does not apply;
- under Clause 17, the Clauses are governed by the law of
[an EU Member State that allows third-party-beneficiary rights — e.g. Ireland]; - under Clause 18, disputes shall be resolved before the courts of
[the same EU Member State]; - Annexes I, II and III to the EU SCCs are populated by Annexes 1, 2 and 3 of this DPA, respectively.
5.3 UK transfers. For Restricted Transfers subject to the UK GDPR, the UK International Data Transfer Addendum (issued by the ICO under s.119A DPA 2018) is incorporated into this DPA and applies to the EU SCCs as varied by that Addendum; Table 1 (parties), Table 2 (the version of the EU SCCs and selected modules/options above) and Table 3 (Annexes) are completed by reference to the Parties and the Annexes of this DPA, and Table 4 provides that the importer and the exporter may end the Addendum as set out in its Section 19.
5.4 Swiss transfers. For Restricted Transfers subject to the Swiss FADP, the EU SCCs apply with the following adaptations, in line with the guidance of the Swiss FDPIC: (i) references to the GDPR are to be understood as references to the FADP insofar as the data transfer is governed by the FADP; (ii) the competent supervisory authority is the FDPIC; (iii) references to "Member State" must not be interpreted to exclude data subjects in Switzerland from suing for their rights in their place of habitual residence; and (iv) until the entry into full effect of the revised FADP for all purposes, the Clauses also protect the personal data of legal entities to the extent the FADP so requires.
5.5 If a transfer mechanism is invalidated or insufficient, the Parties shall cooperate in good faith to put in place an alternative lawful mechanism and any supplementary measures required, failing which TABA may suspend the affected transfer or terminate the affected Services without penalty.
6. Liability
6.1 Each Party's liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Principal Agreement, save that nothing limits either Party's liability to data subjects under, or any right of a data subject to compensation it may have under, Article 82 GDPR (or its equivalent under other Applicable Data Protection Law).
6.2 Consistent with Article 82 GDPR, the Processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of TABA. Where both Parties are responsible for damage caused by processing, each Party may be held liable for the entire damage in respect of the data subject in order to ensure effective compensation, with a right of recovery between the Parties corresponding to their respective responsibility for the damage.
7. Term, governing law & order of precedence
7.1 Term. This DPA takes effect on the Effective Date and continues for as long as the Processor processes personal data on behalf of TABA under the Principal Agreement. The clauses that by their nature should survive (including those on deletion/return of data, confidentiality, liability and audit) survive termination.
7.2 Governing law. Except as otherwise required by the incorporated transfer mechanisms (clause 5) or by mandatory provisions of Applicable Data Protection Law, this DPA is governed by the law of the Republic of Türkiye, without prejudice to any mandatory data-protection rights of data subjects under the law applicable to them. The EU SCCs, the UK Addendum and the Swiss adaptations are governed by the law stated in or required by those instruments, which prevails over this clause to the extent of any conflict for the transfers they govern.
7.3 Order of precedence. In the event of any conflict or inconsistency between this DPA and the Principal Agreement on matters of data protection, this DPA prevails. In the event of any conflict between this DPA and the incorporated EU SCCs (or the UK Addendum or Swiss adaptations) in respect of a transfer they govern, those Clauses prevail to the extent of the conflict.
7.4 Variation & severance. Any variation of this DPA must be in writing and signed by both Parties. If any provision is held invalid or unenforceable, the remaining provisions continue in full force, and the Parties shall replace the affected provision with a valid one that achieves, as far as possible, the original intent.
Signatures
| Controller — TABA Tasarım İnşaat A.Ş. | Processor — [name] | |
|---|---|---|
| Signature | [ ] | [ ] |
| Name | [ ] | [ ] |
| Title | [ ] | [ ] |
| Date | [ ] | [ ] |
Annex 1 — Details of the processing
This Annex sets out the particulars required by Article 28(3) GDPR and populates Annex I of the EU SCCs. Complete each field for the specific engagement.
| Field | Details |
|---|---|
| Data exporter / Controller | TABA Tasarım İnşaat Anonim Şirketi, Republic of Türkiye — info@vitamedas.com. Role: Controller. |
| Data importer / Processor | [Processor: name, address, contact, role: Processor] |
| Subject-matter of the processing | [e.g. provision of cloud hosting / messaging / email delivery / analytics / crash reporting in support of the Extrais platform] |
| Nature & purpose of the processing | [e.g. storage, hosting, transmission, backup, processing of platform data solely to deliver the Services to TABA] |
| Categories of data subjects | Clients (end users); Pros (independent tradespeople); prospective users; visitors; [other, e.g. TABA staff]. |
| Categories of personal data | Identity & account data (name, email, account identifiers); profile and listing content; messages/chat content and call metadata; approximate or on-demand location data; device, log and technical data (IP address, identifiers, diagnostics); purchase/credit-transaction metadata (no card data — handled by Apple/Google); support correspondence. [Adjust to the actual data the Processor receives.] |
| Special-category data (Art. 9) / criminal-offence data (Art. 10) | None intended. The Extrais platform is designed not to require special-category or criminal-offence data. [State "None" or specify any exception and the additional safeguards; if none, the Processor shall not process special-category data.] |
| Frequency of the processing | [continuous / on a one-off basis / periodic] |
| Duration / retention | For the term of the Principal Agreement; personal data deleted or returned per clause 3(g) at the end of the Services, subject to any legal retention requirement. [Specify retention periods.] |
| Sub-processors | As listed in Annex 3 / on TABA's Sub-processors page. |
| Competent supervisory authority (SCCs Annex I.C) | [lead supervisory authority of the EU Member State whose law governs the SCCs / the relevant EU exporter's establishment] |
Annex 2 — Technical and Organisational Measures (Article 32)
The Processor shall implement and maintain at least the following measures, appropriate to the risk, and shall describe in each row how it meets the measure for the specific engagement.
(a) Encryption
- Encryption in transit: TLS 1.2+ (or stronger) for all data in transit across public and internal networks; HSTS where applicable.
- Encryption at rest: strong, industry-standard encryption (e.g. AES-256) for stored personal data, databases, backups and file storage; documented key management with restricted key access and periodic rotation.
(b) Access control & least privilege
- Role-based access control (RBAC) and the principle of least privilege; access granted only on a need-to-know basis and reviewed periodically.
- Unique user accounts; strong-password and multi-factor authentication (MFA) for administrative and remote access; prompt revocation on personnel changes.
- Segregation of production, staging and development environments and of different controllers' data.
(c) Pseudonymisation & data minimisation
- Pseudonymisation and/or anonymisation applied where feasible; data minimisation so that only data necessary for the Services is processed; separation of identifiers from payload where practical.
(d) Network security
- Firewalls, network segmentation, and restricted ingress/egress; secure VPN or equivalent for remote administration; protection against DDoS and intrusion; hardened configurations and default-deny rules.
(e) Logging & monitoring
- Security-relevant event logging, tamper-resistant log retention, time synchronisation, and continuous monitoring/alerting for anomalous or unauthorised activity.
(f) Secure development
- Secure software development lifecycle (SDLC) with code review, dependency management, secrets management, separation of duties, and change-control processes; security testing prior to release.
(g) Vulnerability & patch management
- Regular vulnerability scanning, timely patching by severity, and periodic penetration testing; coordinated handling of disclosed vulnerabilities.
(h) Backup & resilience
- Regular, encrypted backups; tested restore procedures; redundancy and high-availability architecture to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems (Art. 32(1)(b)).
(i) Business continuity & disaster recovery
- Documented business-continuity and disaster-recovery plans with defined RPO/RTO; ability to restore availability and access to personal data in a timely manner after an incident (Art. 32(1)(c)).
(j) Physical security of data centres
- Personal data hosted in facilities (e.g. EU-region cloud data centres) with controlled physical access, surveillance, environmental controls, and recognised certifications (e.g. ISO/IEC 27001).
(k) Personnel confidentiality & training
- Binding confidentiality obligations for all personnel with access to personal data; regular data-protection and security-awareness training; documented onboarding/offboarding.
(l) Incident response & breach handling
- A documented incident-response plan with defined roles, escalation paths, and the breach-notification timelines in clause 4; post-incident review and remediation.
(m) Testing, assessment & review
- A process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures (Art. 32(1)(d)); periodic review and update of this Annex; certifications/audit reports made available on request.
[The Processor shall attach or describe its specific technical and organisational measures mapped to each item above, including any certifications (ISO/IEC 27001, SOC 2 Type II) and the data-centre locations / regions used.]Annex 3 — Authorised sub-processors
The following sub-processors are authorised as at the Effective Date. TABA's public Sub-processors page is the live reference for the sub-processors used to operate the Extrais platform; this Annex records those engaged by the Processor under this DPA.
| Sub-processor (name) | Service / purpose | Location / region of processing | Transfer mechanism (if outside EEA) |
|---|---|---|---|
[name] | [e.g. cloud hosting] | [e.g. EU] | [e.g. N/A — within EEA / EU SCCs + UK Addendum] |
[name] | [ ] | [ ] | [ ] |
[name] | [ ] | [ ] | [ ] |
