Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") describes the principles and conditions under which HexxLock processes personal data on behalf of its customers. This DPA is provided for informational and transparency purposes and does not constitute a binding agreement unless expressly incorporated into a written contract.

Last updated: March 2025

1. Parties

This DPA relates to data processing activities conducted by:

Hexxlock Teknoloji Limited Şirketi

Bahçelievler, 319. Sk. No:35 E - E Blok/B24 06830 Gölbaşı / Ankara, Türkiye (Ankara University Technopark Campus)

In the context of applicable data protection laws:

  • The Customer acts as the Data Controller
  • HexxLock acts as the Data Processor

2. Scope and Purpose

This DPA applies solely to personal data processed by HexxLock on behalf of customers under a valid and executed written agreement.

This DPA does not apply to:

  • Website visitors
  • Marketing activities
  • Public website analytics
  • Non-contractual interactions

3. Nature of Processing

HexxLock may process personal data as part of:

  • Enterprise software platforms
  • ERP systems
  • AI-assisted decision support systems
  • Data analytics and operational infrastructure
  • Custom technical solutions

Processing activities are strictly limited to the scope defined in the relevant customer agreement.

4. Categories of Data and Data Subjects

Depending on the service context, processed data may include:

  • Business contact information
  • Operational and transactional data
  • System-generated logs
  • Technical identifiers
  • User-provided enterprise data

Data subjects may include:

  • Customer employees
  • Authorized users
  • Business partners
  • End users defined by the customer

5. Customer Instructions

HexxLock shall process personal data only:

  • In accordance with documented customer instructions
  • For the purposes defined in the governing agreement
  • In compliance with applicable data protection laws

HexxLock shall not process data for its own independent purposes.

6. Compliance With Data Protection Laws

HexxLock commits to processing personal data in accordance with:

  • Turkish Law on the Protection of Personal Data (KVKK)
  • General Data Protection Regulation (GDPR), where applicable
  • Other relevant international data protection frameworks

7. Confidentiality

HexxLock ensures that personnel authorized to process personal data:

  • Are bound by confidentiality obligations
  • Receive appropriate data protection training
  • Access data strictly on a need-to-know basis

8. Security Measures

HexxLock implements technical and organizational measures designed to ensure:

  • Data confidentiality
  • Data integrity
  • System availability
  • Resilience against unauthorized access

Specific security controls, audits, or certifications are disclosed through contractual engagements.

9. Sub-Processors

HexxLock may engage sub-processors only:

  • Where necessary for service delivery
  • Under contractual data protection obligations
  • With appropriate safeguards

Customers are informed of relevant sub-processing arrangements as part of contractual documentation.

10. International Data Transfers

HexxLock does not transfer personal data internationally unless:

  • Explicitly authorized by the customer
  • Required for service delivery
  • Appropriate legal safeguards are in place

11. Data Subject Rights

HexxLock assists customers in fulfilling data subject rights requests, including:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Objection

HexxLock does not respond directly to data subject requests unless authorized.

12. Data Breach Management

HexxLock maintains internal procedures to detect and respond to personal data breaches.

In the event of a confirmed breach affecting customer data, HexxLock will:

  • Notify the customer without undue delay
  • Provide relevant information for compliance obligations
  • Cooperate in mitigation efforts

13. Data Retention and Deletion

Upon termination of the service agreement, HexxLock shall:

  • Delete or return personal data as instructed by the customer
  • Retain data only where legally required

14. Audits and Information Requests

HexxLock may provide customers with reasonable information necessary to demonstrate compliance, subject to confidentiality and security considerations.

Audit rights, if any, are governed by the underlying agreement.

15. Limitation and Non-Binding Nature

This DPA:

  • Does not create independent contractual obligations
  • Does not override executed agreements
  • Serves as a general reference framework

Binding data processing obligations are established exclusively through signed contracts.

16. Governing Law

This DPA is governed by the laws of Türkiye, unless otherwise agreed in writing.

17. Contact

For data protection or DPA-related inquiries:

  • data@hexxlock.com
  • privacy@hexxlock.com
  • legal@hexxlock.com
  • compliance@hexxlock.com