DMC Bilgi Teknolojileri

Data Processing Addendum (DPA)

KVKK- and GDPR-aligned contract terms applicable when the Customer engages DMC as a data processor.

Last updated: 2026-04-30

1. Parties and Roles

This DPA is an integral part of the SentinelDB360 subscription agreement. The Customer is the Data Controller (KVKK Art. 3 / GDPR Art. 4(7)), and DMC BİLGİ TEKNOLOJİLERİ YAZILIM DANIŞMANLIK SANAYİ VE TİCARET LİMİTED ŞİRKETİ (trading as "DMC Bilgi Teknolojileri") is the Data Processor (KVKK Art. 3 / GDPR Art. 4(8)).

Data Processor registered address: Düzce Üniversitesi Teknoloji Geliştirme Bölgesi (Düzce TGB), Türkiye · Contact: [email protected]

2. Subject, Duration, and Purpose of Processing

  • Subject: Provision of SentinelDB360 database monitoring service
  • Duration: Subscription term + 30-day post-contract data deletion process
  • Purpose: Monitoring data collection, analysis, reporting, alerting, AI insight generation
  • Data Types: Database server metrics, query statistics, user session information (identity/contact)
  • Data Subjects: Customer's DBAs, system administrators, and end users

3. DMC's Obligations

  • Process data only in accordance with the Customer's written instructions
  • Bind authorized processing personnel under confidentiality undertakings
  • Implement appropriate technical and organizational security measures (Section 6)
  • Notify the Customer within 24 hours of a data breach
  • Reasonably assist the Customer with data subject requests
  • Delete or return the data at the end of processing

4. Customer's Obligations

  • Collect data lawfully (consent, contract, etc.)
  • Inform data subjects under KVKK Art. 10 / GDPR Art. 13
  • Provide processing instructions in writing
  • Respond to data subject requests as the primary controller

5. Sub-Processors

DMC uses the following sub-processors for service delivery:

Provider | Service | Location
Microsoft Azure | Cloud hosting | EU / TR (West Europe)
Microsoft 365 | Email delivery | EU
Azure Cosmos DB | License management | EU
Azure OpenAI | AI Insight (optional) | EU (Sweden Central)

When a new sub-processor is to be added, the Customer is notified via email at least 30 days in advance; the Customer may object on reasonable grounds.

6. Technical and Organizational Security Measures

  • Encryption: TLS 1.2+ in transit, AES-256 at rest
  • Access control: Role-based (RBAC), least-privilege principle, MFA
  • Audit log: All authorized access is recorded
  • Backup: Encrypted, in a separate region, RPO ≤ 24 hours
  • Pen-test: Annual independent penetration testing
  • Incident response: Incident response plan, 24-hour notification commitment

7. International Transfer

Data is processed in the EU/Türkiye region by default. Cross-border transfers (if any) are protected with Standard Contractual Clauses (SCCs) under GDPR or equivalent safeguards under KVKK.

8. Data Subject Rights

DMC reasonably assists the Customer with the data subject rights set out in KVKK Art. 11 / GDPR Art. 15-22 (access, rectification, erasure, restriction, portability, objection).

9. Audit

The Customer may audit DMC's compliance with this DPA once a year. The audit may be conducted in writing (questionnaire); an on-site audit requires reasonable advance notice and DMC's written approval.

10. Liability and Term

Liability is limited within the scope of the main subscription agreement. This DPA terminates automatically with the end of the main agreement and is then subject to the data deletion/return procedure.

11. Governing Law and Jurisdiction

This DPA is governed by the laws of the Republic of Türkiye. In case of conflict, the mandatory provisions of KVKK and GDPR take precedence. Competent court: Istanbul (Çağlayan) Courts.

12. Contact and Signature

To request a signed copy of the DPA and Data Protection Officer (DPO) information: [email protected].