Data Processing Agreement (DPA)
Last Updated: 01.06.2026
This Data Processing Agreement (the "Agreement" or the "DPA") is entered into between, on the one hand, pingyou Inc. ("pingyou" or the "Data Processor") and, on the other hand, the Customer using the pingyou Services (the "Data Controller"), as an integral part of the Master Service Agreement (the "Master Agreement").
1. DEFINITIONS
Capitalized terms used in this Agreement and not defined below shall have the meanings ascribed to them under Turkish Law No. 6698 on the Protection of Personal Data (the "PDPL") and, to the extent applicable, the European General Data Protection Regulation (the "GDPR"). For the purposes of this Agreement, the following terms shall have the meanings set out opposite them:
"Personal Data": means any information relating to an identified or identifiable natural person.
"Special Categories of Personal Data": means, within the meaning of Article 6 of the PDPL and Article 9 of the GDPR, data revealing an individual's racial or ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, dress and appearance, membership of associations, foundations or trade unions, health, sex life, criminal convictions and security measures, as well as biometric and genetic data.
"Data Subject": means the natural person whose Personal Data is processed.
"Data Controller": means the natural or legal person who determines the purposes and means of processing Personal Data and is responsible for the establishment and management of the data filing system. For the purposes of this Agreement, the Customer acts as the Data Controller.
"Data Processor": means the natural or legal person who processes Personal Data on behalf of the Data Controller based on the authority granted by the Data Controller. For the purposes of this Agreement, Pingyou acts as the Data Processor.
"Sub-processor": means a third-party natural or legal person engaged by the Data Processor for the purpose of processing Personal Data on behalf of the Data Controller.
"Processing": means any operation performed on Personal Data, whether by automated or non-automated means, such as collection, recording, storage, retention, modification, reorganization, disclosure, transfer, taking over, making accessible, classification or restriction of use.
"Personal Data Breach": means the unlawful acquisition, unauthorized access to, accidental or unlawful destruction, loss, alteration or disclosure of processed Personal Data.
"Cross-Border Transfer": means the transfer of Personal Data, within the meaning of Article 9 of the PDPL, to a natural or legal person, server or service provider located outside Türkiye.
"Adequacy Decision": means a decision by the Personal Data Protection Authority finding that the data protection in the relevant country, sector or international organization is adequate.
"Standard Contractual Clauses (SCC)": means the standard contractual text published by the Authority and executed between the data exporter and the data importer, serving as an appropriate safeguard for cross-border data transfers.
"Binding Corporate Rules (BCR)": means binding rules approved by the Authority for cross-border data transfers within the same group of companies.
"Services": means the AI-assisted message management services provided by pingyou Inc. to the Customer under the Master Agreement, the details of which are set out in Article 3 of this DPA.
"Platform": means the website, API, mobile application, dashboard and all digital interfaces through which pingyou Inc. provides the Services.
"Authority": means the Personal Data Protection Authority of the Republic of Türkiye.
2. SUBJECT MATTER AND SCOPE
This Agreement governs the rights and obligations of the Parties in relation to Personal Data that pingyou Inc. will process on behalf of the Customer in the course of providing the services under the Master Agreement (the "Services"). pingyou Inc. acts as a "Data Processor" on the instructions of the Customer and solely for the purpose of performing the Services.
3. DETAILS OF PROCESSING
Nature and Purpose of Processing: AI-assisted analysis of messages, comments and interactions received on the Customer's Meta accounts (Instagram, Facebook, etc.), generation of response drafts and customer experience management.
Categories of Data: communication data (DM content, comments), identity information (social media usernames), transaction security data (logs), customer transaction data.
Categories of Data Subjects: end-users interacting with the Customer's social media accounts (followers, prospective customers).
Duration: for as long as the Master Agreement remains in force.
4. OBLIGATIONS OF THE DATA PROCESSOR (PINGYOU INC.)
Pingyou Inc., in its capacity as Data Processor, hereby undertakes and agrees as follows:
4.1. Compliance with Instructions
pingyou Inc. shall process Personal Data solely in accordance with the Customer's written instructions (the Master Agreement, this DPA and the in-Platform usage settings constituting such instructions) and applicable law. pingyou Inc. shall not use the data for its own commercial purposes (other than anonymized statistical data).
4.2. Data Security and Technical Measures
pingyou Inc. has implemented and shall maintain industry-standard technical and organizational measures to ensure the security of the data. These measures include, but are not limited to:
Encryption: encryption of data in transit (TLS 1.2+) and at rest (AES-256).
Access Control: restriction of access to data on a "need-to-know" basis.
Penetration Testing: regular security scans and penetration tests.
4.3. Confidentiality
pingyou Inc. undertakes that personnel authorized to access Personal Data shall maintain the confidentiality of such data, shall not disclose it to third parties save for legal obligations, and that this duty shall continue to apply even after termination of their employment.
4.4. Sub-processors
The Customer hereby grants pingyou Inc. general authorization to engage third-party sub-processors (e.g., AWS, OpenAI, Iyzico) for the purpose of providing the Services. pingyou Inc. shall:
enter into written contracts with sub-processors maintaining the standards set out in this DPA;
remain liable to the Customer for data security breaches of its sub-processors;
provide the up-to-date list of Sub-processors to the Customer upon request;
Notification of Changes: pingyou Inc. shall notify the Customer of any changes to its sub-processor list (addition of a new sub-processor or replacement of an existing one) at least fifteen (15) days in advance, by e-mail or in-platform notice. The Customer reserves the right to object to such change for legitimate reasons related to data security or legal compliance. If the Parties cannot reach a reasonable solution, the Customer shall have the right to terminate the agreement without compensation.
4.5. Data Breach Notification
In the event pingyou Inc. becomes aware of any security breach affecting the Personal Data it processes (unauthorized access, data loss, etc.), pingyou Inc. shall notify the Customer without undue delay and in any event within forty-eight (48) hours. The notification shall describe the nature of the breach, the categories of data affected and the measures taken.
4.6. Data Subject Rights
pingyou Inc. shall, to the extent technically feasible, assist the Customer in fulfilling its obligations under Article 11 of the PDPL (access, erasure, rectification, etc.). Requests received directly by pingyou Inc. shall be forwarded to the Customer without being responded to.
5. OBLIGATIONS OF THE DATA CONTROLLER (CUSTOMER)
The Customer, in its capacity as Data Controller, hereby represents and undertakes that:
the data it shares with pingyou Inc. has been lawfully obtained (the disclosure obligations and, where required, express consent processes have been completed);
the instructions given to pingyou Inc. comply with the PDPL and the related legislation;
in the event "Special Categories of Personal Data" (health, biometric data, etc.) are processed via the Platform, full legal liability arising therefrom shall rest with the Customer.
6. CROSS-BORDER DATA TRANSFERS
6.1. Legal Basis and Compliance
The Parties acknowledge that, due to the nature of the Service (use of global cloud infrastructure, AI models and Meta servers), the cross-border transfer of Personal Data is necessary. pingyou Inc. undertakes to carry out such transfers in full compliance with Article 9 of Law No. 6698, as amended on 12 March 2024, and with the relevant regulations of the Personal Data Protection Authority (the "Authority").
6.2. Transfer Mechanisms
When transferring Personal Data to sub-processors located abroad (e.g., AWS, OpenAI, Google Cloud), pingyou Inc. shall act in the following order of priority:
a) Adequacy Decision: where the Authority has issued an "Adequacy Decision" with respect to the relevant country, sector or international organization, the transfer is carried out on the basis of such decision.
b) Appropriate Safeguards (Standard Contracts): where no Adequacy Decision is in place (which is currently the case for the USA and EU countries), pingyou Inc. shall execute the "Standard Contractual Clauses (SCC)" published by the Authority with the foreign data importer (sub-processor) or shall implement Binding Corporate Rules (BCR).
Notification Obligation: pingyou Inc. undertakes to notify any executed Standard Contractual Clauses to the Authority within five (5) business days of execution.
6.3. Occasional Transfers and Express Consent (Exceptional Cases)
In the rare and occasional cases where no Adequacy Decision is available and appropriate safeguards (Standard Contractual Clauses, etc.) cannot be implemented, pingyou Inc. may request the procurement of "Express Consent" from the Customer (as Data Controller) or, through the Customer, from the Data Subjects, provided that they are duly informed of the potential risks. The Parties nevertheless agree that, for systematic and continuous data transfers, the safeguards set forth in Article 6.2 shall apply as a matter of priority.
6.4. Location of Sub-processors
The Customer hereby grants its general authorization and approval for data transfers to the following global sub-processors used by pingyou Inc. to provide the Service and whose servers are located abroad, subject to the safeguards set out above:
Hosting and Infrastructure: Amazon Web Services (AWS) / Google Cloud (Location: EU/USA).
AI Processing: OpenAI, Anthropic, Google (Location: USA).
Payment Infrastructure: Stripe / Iyzico (for global operations).
6.5. Customer's Responsibility
The Customer, in its capacity as Data Controller, is responsible for transparently stating, in the disclosure statement provided to its end-users (data subjects), that the data is transferred abroad and the legal basis of such transfer (appropriate safeguards or express consent under Article 9 of the Law).
7. AUDIT RIGHT
The Customer shall have the right, once per year and at its own cost, to audit (or have an independent auditor audit) pingyou Inc.’s compliance with its obligations under this DPA. Such audit shall be conducted in a manner that does not disrupt pingyou Inc. 's business operations and upon at least thirty (30) days' prior written notice. pingyou Inc. may discharge this audit obligation by providing its security certifications (e.g., ISO 27001, SOC 2).
8. TERMINATION AND DELETION OF DATA
Upon termination of the service relationship, and subject to legal retention obligations, pingyou Inc. shall, at the Customer's option, delete, destroy or return the Personal Data within thirty (30) days. Temporary data (cache) retrieved from the Meta platforms is automatically deleted from the system at the moment the connection is terminated.
9. LIABILITY
pingyou Inc.’s liability under this DPA is subject to the Limitation of Liability set out in the Master Agreement. pingyou Inc. shall be liable only for direct damages and only within the limits of the Master Agreement in case of loss of, or unauthorized access to, the data of the Customer or its end-users where such loss or unauthorized access is not attributable to its fault.
10. GOVERNING LAW AND JURISDICTION
This Agreement shall be governed by and construed in accordance with the laws of the Republic of Türkiye. Any dispute arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the Istanbul (Çağlayan) Courts and Execution Offices of the Republic of Türkiye.
DATA PROCESSOR (PINGYOU INC.):
pingyou Inc.
DATA CONTROLLER (CUSTOMER):
The User who approves the Service Agreement