Buaze home
DPA

Data Processing Agreement (DPA)

SUMMARY

Written data processing agreement under KVKK Art. 12 between Buaze and the business regarding processing of customer data.

1. Parties#

Data Controller ("Business"): The restaurant / business operator registered on the platform that collects feedback from its customers.

Data Processor ("Buaze"): Buaze

  • Address: Türkiye
  • E-mail: legal@buaze.com
  • Tax / registration number: [VKN veya MERSIS]

2. Definitions#

  • Personal data: As defined in KVKK Art. 3 — information relating to an identified or identifiable natural person.
  • Processing: Any operation as defined in KVKK Art. 3.
  • Data breach: Unauthorised access, transfer, disclosure or loss.

3. Purpose, scope and duration#

  • Purpose: Collect, report and surface customer feedback for the Business.
  • Scope: Customer identity, contact, comment and technical data uploaded to the platform by the Business.
  • Duration: During the active subscription and in line with the retention periods set out in Section 6 of the KVKK Privacy Notice.

4. Business obligations (data controller)#

  • Provide a lawful basis for processing under KVKK Art. 5/6 (contract, explicit consent, legitimate interest).
  • Inform customers as required by KVKK Art. 10.
  • Enable customers to exercise their rights under KVKK Art. 11 (Buaze provides reasonable technical assistance).
  • Register with VERBIS where applicable.
  • Provide Buaze only with data needed for the agreed purposes.

5. Buaze obligations (data processor)#

Under KVKK Art. 12/3 Buaze is jointly responsible with the controller for data security:

  • Process data only on the controller's instructions.
  • Maintain administrative and technical measures under KVKK Art. 12:

- Password hashing (bcrypt), session and JWT management with revocation - TLS 1.2+ in transit - RBAC, access controls, audit logs - Regular security scans and patching

  • Bind staff to confidentiality and provide training.
  • Inform the Business before engaging sub-processors; impose equivalent obligations (Art. 8).
  • On termination, delete or return data (Art. 9).

6. Sub-processors#

Buaze relies on the following categories of sub-processors:

  • Cloud infrastructure (hosting and database)
  • E-mail provider
  • Error tracking / observability (e.g. Sentry)
  • Payment processor

The current list is available on request from legal@buaze.com. Buaze gives 30 days' notice before adding a new sub-processor; the Business may object on reasonable grounds.

7. Cross-border transfers#

No transfers outside Türkiye are made unless KVKK Art. 9 requirements (adequacy decision or undertaking) are met. Provider regions are available on request.

8. Data breach notification#

  • Buaze notifies the Business in writing within 24 hours of becoming aware of a breach.
  • The notice covers: nature of the breach, affected data categories, estimated number of affected data subjects, measures taken / planned.
  • The Business completes its KVKK Authority notification (within 72 hours); Buaze provides the requested information and documentation support.

9. Audit right#

The Business may audit Buaze's compliance with this agreement and KVKK Art. 12 once per year, with reasonable prior notice. Audits may be conducted remotely or via accepted third-party reports (e.g. ISO 27001).

10. Term and termination#

  • This agreement runs concurrently with the main service agreement (Platform User Agreement).
  • On termination, Buaze must delete or return the data within 30 days of the Business's request. Data subject to mandatory legal retention is kept for the relevant period and deleted at the end.

11. Liability and recourse#

Buaze's total liability under this agreement is capped at the subscription fees paid in the 12 months preceding the relevant event; the cap does not apply in cases of gross negligence or wilful misconduct (Code of Obligations Art. 115/2).

Where any administrative fine imposed by the KVKK Authority on the Business (controller), or any compensation claim, stems wholly or partly from Buaze's fault, the Business may recover that portion from Buaze. Buaze remains liable only to the extent of its own fault.

Conversely, Buaze is not liable for breaches caused by the Business's own fault; in that case the Business agrees to reimburse Buaze for costs incurred (legal counsel, third-party audit, customer notification expenses).

12. Governing law and jurisdiction#

This agreement is governed by Turkish law. The courts and execution offices of İstanbul have exclusive jurisdiction.

Questions? legal@buaze.com