GDPR ARTICLE 28, DPA

Data Processing Agreement (DPA)

We publish the standard contract that governs the data processing relationship between cerez.io and its B2B customers; it is drafted to comply with GDPR Article 28 and the SCC.

Last Update: 31 May 2026
Effective Date: 1 June 2026
Version: 2.0
This translation is for informational purposes only. The Turkish version of this document is the legally binding one.
Note: This page is a summary of cerez.io's standard DPA. For a signed PDF version, apply via the form at the bottom of the page. Signing a DPA is free of charge for Pro and Enterprise customers.

1. Definitions

Within the scope of this DPA, the following terms shall have the meanings set out opposite them:

Controller (Data Controller / Customer): The party that uses cerez.io services and determines the purposes and means of the processing of personal data, i.e. the customer itself or the legal entity it represents.
Processor (Data Processor / cerez.io): cerez.io, the party that processes personal data on behalf of the Controller in accordance with the Controller's instructions.
Corporate Details: cerez.io
Address: Altıeylül, Balıkesir / Turkey
Tax Office / VKN: Kurtdereli V.D. / 1400185229
Contact: destek@cerez.io · +90 540 059 40 40
Sub-processor: A third-party data processor engaged by the Processor for service provision (e.g. domestic hosting provider, CDN, e-mail service provider).
Data Subject: The natural person whose personal data is processed. In the cerez.io context: the Controller's customers, employees, visitors.
Personal Data: Any information relating to an identified or identifiable natural person (GDPR Art. 4/1, KVKK Article 3/1-d).
Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data (GDPR Art. 4/12).
SCC (Standard Contractual Clauses): The Standard Contractual Clauses approved by the European Commission (Decision 2021/914), for cross-border data transfers.

2. Subject Matter and Term of the Agreement

This DPA constitutes an annex to the Main Service Agreement (Terms of Use + Pro/Enterprise subscription) concluded between the Controller and the Processor. The DPA is valid for as long as the Main Agreement is in force. Upon termination of the agreement, the data return/erasure provisions in Article 11 apply.

This DPA has been prepared so as to meet the requirements of GDPR (Regulation EU 2016/679) Article 28 and Article 12 of KVKK No. 6698.

3. Nature and Purpose of Processing

Nature of Processing: Automated (cloud-based SaaS); partly automated (Controller panel entries)
Purpose of Processing: B2B SaaS service provision: cookie consent management, accessibility widget service, reporting, sub-processor integration
Type of Processing: Collection, recording, storage, organization, structuring, use, disclosure, transfer, erasure
Duration of Processing: For the duration of the Main Agreement plus the return/erasure period specified in Article 11 (30 days)

4. Data Categories and Data Subjects

4.1. Data Subjects

  • Controller's employees: Account users (admin, editor, viewer)
  • Controller's B2B customers: Company representatives who make contact (in Enterprise scenarios)
  • Controller's website visitors: End users (anonymous or pseudonymous consent data)

4.2. Data Categories

Data Type | Source | Sensitivity
Account credentials (name, e-mail) | Controller user registration | Low
IP address (truncated / hashed) | SDK runtime, visitor browser | Moderate
Browser type, language, OS | SDK runtime, User-Agent | Low
Consent preference records (accept/reject, category) | SDK runtime, banner interaction | Low
Page URLs | SDK runtime | Low
API usage logs | Server | Moderate

Special Category Data: cerez.io does not process special category data within the scope of GDPR Art. 9 / KVKK Article 6.

5. Processor Obligations

The Processor (cerez.io) undertakes to comply with the following obligations:

  1. Instruction: Processes personal data only in accordance with the Controller's written instructions. Does not process data on its own initiative unless required by a legal obligation.
  2. Confidentiality: Signs written confidentiality agreements with its personnel; data processing authorization is granted only to identified and necessary persons.
  3. Security: Implements and maintains the technical and administrative measures detailed in Article 7.
  4. Sub-processor condition: Informs the Controller in advance of the engagement of a new sub-processor (Article 6).
  5. Assistance: Assists the Controller in responding to data subject requests, in breach notifications, and in carrying out a DPIA (Data Protection Impact Assessment).
  6. Accountability: Keeps processing activities in an Article 30 record and presents it to the Controller during an audit.
  7. Return/Erasure: Returns or erases the data upon termination of the agreement (Article 11).

6. Sub-processor List

The Controller grants its general prior authorization to the following sub-processors. In the event of changes to the list, the Controller is informed at least 30 days in advance; the Controller's right to object is reserved.

Sub-processor | Service | Location | Transfer Mechanism
Domestic hosting provider | Server, database, storage, backup | Turkey | Domestic, KVKK Article 8
CDN and security provider | Content distribution, DDoS protection (optional use) | Global, in the contractual annex list | SCC / adequate protection commitment where necessary
E-mail service provider | Transactional e-mail delivery (invitation, notification) | In the contractual annex list | SCC / adequate protection commitment where necessary
AI service providers (OpenAI Vision, MyLLM via Volpora) | AI alt-text / aria-label generation (only for customers using the AI tag scanner) | Per provider, in the contractual annex list | Standard API usage; customer data is processed at a minimal level
Tawk.to | Live chat (optional) | EU + US | SCC

The current sub-processor list is always published on this page. To receive change notifications, subscribe by sending an e-mail to destek@cerez.io.

7. Technical and Administrative Security Measures

The Processor undertakes to implement the following security measures pursuant to GDPR Article 32 and KVKK Article 12:

7.1. Encryption

  • At rest: AES-256 encryption
  • In transit: TLS 1.3 (TLS 1.2 minimum). Plain HTTP requests are redirected to HTTPS, and HSTS is set so that returning browsers connect over HTTPS directly.
  • Password storage: bcrypt with cost factor 12 (user passwords). API keys are stored as hashes and displayed masked in the panel; the full key is never stored in clear.
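The "API keys hashed + masked" measure above is easy to state and easy to get wrong. The block below is an added example, not cerez.io code, of one way to issue, store, display and verify such keys. Its assumptions are not from the page: a key has the form <key_id>.<secret>, the key_id is a public random handle used for lookup, the database holds only SHA-256(secret) plus a masked display string, and verification uses a constant-time comparison that behaves the same whether or not the key_id exists. Password hashing with bcrypt cost 12 is not shown, since it needs the third-party bcrypt package; only the API-key side is covered.

```python
"""Added example (not cerez.io's code): API keys stored hashed and shown masked.

Assumed layout (not from the page): full key = "<key_id>.<secret>".
The database keeps the key_id, SHA-256(secret) and a masked string; the
raw secret is returned to the user exactly once, at issuance.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredApiKey:
    key_id: str       # public handle, safe to log and index
    secret_hash: str  # hex SHA-256 of the secret; the raw secret is never stored
    masked: str       # what the panel shows after issuance, e.g. "ck_ab12.Qx9f...3kLm"


def hash_secret(secret: str) -> str:
    # API keys are high-entropy random strings, so a single fast hash suffices;
    # bcrypt (cost 12 on this page) is for low-entropy human passwords.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def mask(key_id: str, secret: str) -> str:
    # Handle plus the first/last 4 secret characters: enough for a user to
    # recognise a key in the panel, not enough to reconstruct it.
    return f"{key_id}.{secret[:4]}...{secret[-4:]}"


def issue_api_key(db: dict[str, StoredApiKey]) -> str:
    """Create a key, persist only its hash and mask, return the full key once."""
    key_id = "ck_" + secrets.token_hex(6)
    secret = secrets.token_urlsafe(32)
    db[key_id] = StoredApiKey(key_id, hash_secret(secret), mask(key_id, secret))
    return f"{key_id}.{secret}"


# Compared against when the key_id is unknown, so that lookup failures take
# the same time as a real mismatch and do not reveal which key_ids exist.
_DUMMY_HASH = hash_secret("")


def verify_api_key(db: dict[str, StoredApiKey], presented: str) -> bool:
    """Look up by key_id, then compare the secret's hash in constant time."""
    key_id, sep, secret = presented.partition(".")
    if not sep:
        return False
    record = db.get(key_id)
    expected = record.secret_hash if record is not None else _DUMMY_HASH
    ok = hmac.compare_digest(hash_secret(secret), expected)
    return ok and record is not None


def demo() -> dict[str, bool]:
    """Constructed walkthrough: issue one key and probe the verifier."""
    db: dict[str, StoredApiKey] = {}
    full = issue_api_key(db)
    key_id, raw_secret = full.split(".", 1)
    return {
        "valid": verify_api_key(db, full),
        "wrong_secret": verify_api_key(db, key_id + "." + "x" * 43),
        "unknown_id": verify_api_key(db, "ck_000000000000.abc"),
        "malformed": verify_api_key(db, "nodot"),
        # the raw secret must not appear anywhere in the stored record
        "secret_not_stored": raw_secret not in repr(db[key_id]),
    }


if __name__ == "__main__":
    print(demo())
```

Because only the hash is stored, a database leak yields no usable keys, and because the panel only ever holds the masked string, a compromised admin session cannot read existing keys either; a lost key is rotated, not recovered.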

7.2. Access Control

  • Role-based access control (RBAC): admin / editor / viewer
  • 2FA mandatory for company personnel (TOTP; hardware token optional)
  • Principle of Least Privilege (PoLP), access policies

7.3. Audit and Logging

  • All admin operations are retained in the AuditLog table for 1 year (who, when, what they did)
  • API usage records (90-day retention)
  • Anomaly detection (WAF + custom rules)

7.4. Backup and Disaster Recovery

  • Regular (at least daily) automated backup; 30-day retention
  • Documented disaster recovery plan

7.5. Personnel Security

  • An NDA is signed prior to commencement of employment
  • Annual KVKK/GDPR awareness training

8. Support for Data Subject Requests

So that the Controller can respond to access, rectification, erasure, portability, and objection requests coming from data subjects, the Processor:

  • Provides data export (XLSX/CSV/PDF) from the account panel
  • Provides an API to delete/anonymize the data of a single user
  • Upon request, the technical support team assists within 5 business days (Pro+); 2 business days for Enterprise

9. Data Breach Notification

In the event that the Processor detects a personal data breach:

  1. Notifies the Controller in writing without undue delay and at the latest within 72 hours of detecting the breach (e-mail + notification from the DPA panel). This is an upper bound: the Controller's own 72-hour deadline for notifying the supervisory authority under GDPR Art. 33 runs from the moment the Controller becomes aware, so early notice from the Processor matters.
  2. The notification includes the following information:
    • The nature of the breach, the affected data categories, and the approximate number of data subjects
    • The likely consequences of the breach
    • The measures taken/recommended
    • Point of contact (DPO)
  3. Provides technical support for the Controller to notify the Data Protection Authority (KVKK Board / Lead Supervisory Authority).

10. Audit Right

The Controller has the right to audit the Processor's compliance with this DPA, to a reasonable extent and with prior notice (at least 30 days):

  • On-site audit: For Enterprise customers, may be carried out once a year, for up to 2 business days, during reasonable hours, at the Processor's head office. Costs are borne by the Controller.
  • Third-party auditor: May also be carried out by independent auditors, on condition that an NDA is signed.

11. Data Return and Erasure

In the event of termination of the Main Agreement, the Processor, in accordance with the Controller's choice:

  1. Data Return: Returns all personal data to the Controller in a structured, machine-readable format (JSON/CSV/XLSX) within 30 days from the end of the agreement.
  2. Data Erasure: After the return, or if no return is requested, permanently erases all personal data within 30 days from the end of the agreement (including from backups).
  3. Legal Retention Exception: Invoices and financial records that must be retained under tax/commercial laws are kept for 10 years.

Once the erasure is completed, a written certificate of destruction is provided to the Controller.

12. Cross-Border Data Transfer and SCC

As a rule, since data is stored within the borders of Türkiye, in a domestic data center, no cross-border data transfer takes place. In specific cases requiring EU data transfer, the Standard Contractual Clauses (SCC) approved by the European Commission's Decision 2021/914, Module 2 (Controller-to-Processor), are taken as reference.

For Controllers resident in Türkiye, in the event that a cross-border transfer is necessary, reliance is placed on the Letter of Undertaking format published in accordance with the relevant decisions of the Personal Data Protection Board, or on the written undertaking providing adequate protection concluded within the scope of KVKK Article 9/2-b.

Access to the full text of the SCC: eur-lex.europa.eu/eli/dec_impl/2021/914

13. Contact for Signing the DPA

If you would like to obtain a signed DPA or add special provisions, you can reach us through the following channels:

Standard DPA / Enterprise discussion / Legal questions: destek@cerez.io

Data Protection Officer (DPO): [To be appointed]

Telephone / WhatsApp: +90 540 059 40 40 (WhatsApp)

Contact Form: cerez.io/iletisim

The Standard DPA and SCC Module 2 (PDF) will be provided at the contract stage.

Related pages: Privacy Policy · KVKK Disclosure Notice · Terms of Use

For your questions: destek@cerez.io  ·  This page was last updated on 31 May 2026.

