Data Processing Agreement
Framework agreement under KVKK Art.12 and GDPR Art.28
Notice: This document is a framework template governing the data processing relationship between audit firms and the denetci.ai platform. It is provided for informational purposes during the MVP stage and does not constitute a binding agreement. Organizations wishing to sign a formal DPA may contact info@denetci.ai.
1. Parties and Definitions
| Role | Description |
|---|---|
| Data Controller | Audit firm / independent auditor (the organization using the platform) |
| Data Processor | denetci.ai platform |
| Data Subjects | Employees of audited companies, executives, financial statement preparers, and other data subjects |
2. Processing Scope
The Data Processor processes the following data types solely according to the Data Controller's instructions:
- Audit engagement data and workflow information
- Uploaded financial statements and audit documents
- Risk assessment data and audit findings
- AI query and analysis results
- User account information (audit team members)
3. Data Processor Obligations
- Process personal data only according to the Data Controller's written instructions
- Ensure the confidentiality of processed data
- Implement necessary technical and organizational measures under KVKK Art.12
- Not engage sub-processors without prior approval of the Data Controller
- Grant the Data Controller the right to audit
- Return or delete data upon contract termination
4. Technical and Organizational Measures
The Data Processor implements the following security measures:
Technical Measures
- HTTPS/TLS encrypted communication
- Scrypt password hashing
- Industry-standard API key encryption
- HttpOnly/Secure session cookies
- Role-based access control (RBAC)
- Automatic session timeout
Organizational Measures
- Document access logs (audit trail)
- User authorization policies
- Data classification procedures
- Regular security reviews
- Data breach response plan
- Staff confidentiality obligations
5. Sub-Processors
The Data Processor uses the following sub-processors. The Data Controller will be notified in advance of the addition of any new sub-processor:
| Sub-Processor | Service | Location |
|---|---|---|
| Stripe, Inc. | Payment infrastructure | USA |
| AI Analysis Service Provider | AI language model | USA |
| Embedding Service Provider | Text embedding service | USA |
| Vector Database Service Provider | Vector database | EU |
6. Data Breach Notification
The Data Processor will notify the Data Controller within 72 hours of detecting a personal data breach (KVKK Art.12/5 and GDPR Art.33). The notification will include the scope of the breach, affected individuals, measures taken, and recommended corrective actions.
7. Data Return or Deletion
Upon termination of the service agreement, the Data Processor will:
- Return or securely delete all personal data at the Data Controller's preference
- Complete the deletion within 30 days, subject to legal retention obligations
- Confirm the deletion in writing
8. Right to Audit
The Data Controller has the right to audit compliance with the obligations under this agreement. Audit requests shall be communicated in writing with reasonable advance notice.
9. Contact
For questions about the data processing agreement and formal DPA signing requests: info@denetci.ai