Not legal advice. This page is a templated baseline aligned with KVKK Law No. 6698. It does not constitute independent legal advice and has not been reviewed by counsel for your specific circumstances. For questions or to request the executed PDF version, email legal@orisinvoice.com.
1. Definitions
"Veri Sorumlusu" (Controller), "Veri İşleyen" (Processor), "Kişisel Veri" (Personal Data) and "İlgili Kişi" (Data Subject) have the meanings given in KVKK Art. 3. "Customer Personal Data" means Personal Data within Customer Data that we process on your behalf.
2. Roles and instructions
You are the Veri Sorumlusu; we are the Veri İşleyen. We process Customer Personal Data only on your documented instructions, including with regard to international transfers, unless required by Turkish law.
3. Confidentiality and personnel
Personnel are bound by confidentiality (KVKK Art. 12) and trained on data protection. Access is need-to-know with role-based access controls.
4. Security measures (KVKK Art. 12)
Encryption at rest (AES-256-GCM) and in transit (TLS 1.3); regular vulnerability scanning; network segmentation; least-privilege access; incident detection and response; personnel background checks; KVKK Kurulu "Adequate Technical and Organizational Measures" guidance applied.
5. Sub-processors
You authorise sub-processor engagement. Current list available; 30 days' notice before changes (with reasonable objection right). We remain liable for sub-processor performance.
6. Data subject rights (KVKK Art. 11)
We assist you in responding to subject requests via self-service export tools and processor support.
7. Data breach notification
We notify you without undue delay (within 72 hours of becoming aware) of any Personal Data Breach, with information needed for your KVKK Art. 12 obligation to notify the data subject and the KVKK Kurulu (where applicable).
8. International transfers (KVKK Art. 9)
Transfers outside Türkiye where the destination country is not on the KVKK Kurulu's safe-list rely on a Kurul-approved Taahhütname (undertaking) or, where applicable, the Standart Sözleşme (Standard Contract) framework approved by the Kurul.
9. Audits
Audit on reasonable notice at your cost, at most once per 12 months (or after a Personal Data Breach). SOC 2 Type II and ISO 27001 reports satisfy most audit requirements.
10. Return or deletion
On termination, return data in machine-readable format and/or delete it, subject to 35-day backup retention and the 5-year (or category-specific 10-year) Turkish statutory invoice retention under VUK.
11. Liability and conflicts
This DPA forms part of our Terms of Service. In conflict, this DPA prevails on data-protection matters. Liability subject to Terms limits except where KVKK mandates otherwise.
12. Effective date
Effective on Terms acceptance. Material changes notified 30 days in advance.