Digitable Legal Documents

DATA PROCESSING AGREEMENT

Last Updated: 2026-04-01 Version: 2026.04

1. PARTIES

This Data Processing Agreement ("DPA") is entered into between:

Data Controller ("Controller"): The natural or legal person who has accepted the SaaS Service Agreement and uses the Digitable platform to manage digital menus and process end-user data.

Data Processor ("Processor"): MERS YAZILIM VE TEKNOLOJİ HİZMETLERİ LİMİTED ŞİRKETİ

Address: Karaman Mah. Ceylan(170) Sk. No: 1 İç Kapı No: 1 Nilüfer/Bursa Turkey

MERSIS No: 0618090558600001

Email: privacy@digitable.ai

This DPA forms an integral part of the SaaS Service Agreement ("Principal Agreement") between the Parties.

2. DEFINITIONS

  • Personal Data: Any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
  • Processing: Any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
  • Data Subject: An identified or identifiable natural person whose Personal Data is processed.
  • Sub-Processor: Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • KVKK: Turkish Law No. 6698 on the Protection of Personal Data.
  • SCCs: Standard Contractual Clauses adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR.

3. SUBJECT MATTER AND DURATION OF PROCESSING

3.1 Subject Matter

The Processor processes Personal Data on behalf of the Controller in connection with the provision of the Digitable digital menu platform, including:

  • Hosting and serving digital menus accessible via QR codes
  • Collecting and processing customer feedback
  • Generating analytics on menu views and QR code scans
  • AI-powered content generation (menu descriptions, translations, images)
  • Payment processing facilitation
  • Email communications on behalf of the Controller

3.2 Duration

Processing shall continue for the duration of the Principal Agreement and until all Personal Data has been deleted or returned in accordance with Section 11 of this DPA.

4. NATURE AND PURPOSE OF PROCESSING

The Processor processes Personal Data solely for the purpose of providing the services described in the Principal Agreement, including:

  • Storage and hosting: Storing menu data, product information, and uploaded media
  • Analytics: Aggregating and reporting on QR code scans and menu views
  • Feedback collection: Processing customer reviews and ratings submitted through the platform
  • AI services: Generating content using third-party AI providers on behalf of the Controller
  • Communications: Sending transactional and marketing emails as configured by the Controller

5. CATEGORIES OF DATA SUBJECTS AND PERSONAL DATA

5.1 Categories of Data Subjects

Category Description
Controller's employees Staff members who access and manage the platform
End users (menu visitors) Individuals who scan QR codes and view digital menus
Feedback respondents Individuals who submit feedback through the platform

5.2 Categories of Personal Data

Category Examples
Account data Name, email address, phone number, company name
Device and access data IP address, browser type, device type, operating system
Analytics data QR scan timestamps, menu view duration, page interactions
Feedback data Ratings, comments, session identifiers
Payment data Invoice information, billing address (processed via payment sub-processors)

No special categories of Personal Data (Article 9 GDPR) are intentionally collected or processed.

6. OBLIGATIONS OF THE CONTROLLER

The Controller shall:

  1. Ensure that it has a lawful basis for processing Personal Data and for instructing the Processor to process such data.
  2. Provide documented instructions to the Processor regarding the processing of Personal Data.
  3. Ensure compliance with applicable data protection laws, including providing appropriate privacy notices to Data Subjects.
  4. Notify the Processor without undue delay of any changes to applicable data protection laws that may affect the Processor's obligations.
  5. Respond to Data Subject requests in accordance with Section 9.

7. OBLIGATIONS OF THE PROCESSOR

The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited by law).
  2. Ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement and maintain appropriate technical and organisational measures as set out in Annex A.
  4. Comply with the conditions for engaging Sub-Processors as set out in Section 8.
  5. Assist the Controller, taking into account the nature of processing, in responding to Data Subject requests (Section 9).
  6. Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation (Articles 32–36 GDPR).
  7. At the Controller's choice, delete or return all Personal Data upon termination of the Principal Agreement (Section 11).
  8. Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits (Section 12).

8. SUB-PROCESSORS

8.1 General Authorisation

The Controller provides general written authorisation for the Processor to engage Sub-Processors listed in Annex B. The Processor shall inform the Controller of any intended changes to the list of Sub-Processors by email at least 30 days before the engagement of a new Sub-Processor.

8.2 Objection Right

The Controller may object to a new Sub-Processor within 14 days of receiving notice. If the Controller objects on reasonable grounds related to data protection, the Parties shall discuss a commercially reasonable alternative. If no alternative can be found, either Party may terminate the affected services without penalty.

8.3 Sub-Processor Obligations

The Processor shall:

  1. Impose the same data protection obligations as set out in this DPA on each Sub-Processor by way of a contract.
  2. Remain fully liable to the Controller for the performance of each Sub-Processor's obligations.

9. DATA SUBJECT RIGHTS

9.1 Assistance

The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests exercising their rights under Chapter III of the GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

9.2 Direct Requests

If the Processor receives a request directly from a Data Subject, the Processor shall promptly redirect the Data Subject to the Controller and notify the Controller of the request.

10. DATA BREACH NOTIFICATION

10.1 Notification to Controller

The Processor shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of a Data Breach affecting Personal Data processed under this DPA.

10.2 Content of Notification

The notification shall include:

  1. A description of the nature of the Data Breach, including where possible the categories and approximate number of Data Subjects and records concerned.
  2. The name and contact details of the Processor's data protection contact point.
  3. A description of the likely consequences of the Data Breach.
  4. A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects.

10.3 Controller's Obligations

The Controller is responsible for notifying the competent supervisory authority within 72 hours of becoming aware of the Data Breach (Article 33 GDPR) and for notifying affected Data Subjects where required (Article 34 GDPR).

11. DATA DELETION AND RETURN

11.1 Upon Termination

Upon termination of the Principal Agreement, the Processor shall, at the Controller's choice:

  1. Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format; or
  2. Delete all Personal Data and certify such deletion in writing.

11.2 Retention Period

The Controller shall communicate its choice within 30 days of termination. If no instruction is received, the Processor shall delete all Personal Data within 90 days of termination, except where retention is required by applicable law.

11.3 Legal Retention

Where applicable law requires the Processor to retain certain Personal Data (e.g., invoicing data under Turkish Commercial Code), the Processor shall isolate and protect such data and limit processing to the legally required purpose.

12. AUDIT RIGHTS

12.1 Information and Audit

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller or a mandated third-party auditor may conduct audits, including inspections, subject to the following conditions:

  1. The Controller shall provide at least 30 days written notice.
  2. Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
  3. The auditor shall be bound by confidentiality obligations.
  4. Audits shall be limited to once per calendar year, unless a Data Breach or regulatory investigation necessitates an additional audit.

12.2 Costs

The Controller shall bear the costs of any audit. The Processor shall bear its own internal costs of facilitating the audit.

13. INTERNATIONAL DATA TRANSFERS

13.1 Transfer Mechanisms

Where Personal Data is transferred outside the European Economic Area (EEA) or Turkey, the Processor shall ensure that appropriate safeguards are in place, including:

  1. Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).
  2. Adequacy decisions by the European Commission or the Turkish Personal Data Protection Authority.
  3. Any other legally recognised transfer mechanism under applicable data protection law.

13.2 Transfer Impact Assessment

The Processor shall, upon request, provide the Controller with information necessary to conduct a transfer impact assessment for any international data transfer.

14. LIABILITY

Liability under this DPA shall be subject to the limitations and exclusions set out in the Principal Agreement, except that neither Party's liability for breaches of data protection law shall be limited to the extent that such limitation is prohibited by applicable law.

15. GOVERNING LAW AND JURISDICTION

This DPA shall be governed by the laws applicable to the Principal Agreement. Any disputes arising from this DPA shall be submitted to the courts specified in the Principal Agreement.

16. AMENDMENTS

This DPA may only be amended in writing. The Processor may update the Annexes to reflect changes in Sub-Processors (subject to Section 8) or technical measures, provided such changes do not reduce the overall level of data protection.

ANNEX A: TECHNICAL AND ORGANISATIONAL MEASURES

The Processor implements the following measures to ensure the security of Personal Data:

Access Control

  • Role-based access control (RBAC) for all platform users
  • Multi-factor authentication for administrative access
  • Principle of least privilege for internal staff

Encryption

  • Data in transit: TLS 1.2+ for all connections
  • Data at rest: AES-256 encryption for stored data
  • Database connections encrypted via SSL

Infrastructure Security

  • Hosted on Hetzner dedicated servers in Germany (EU)
  • Cloudflare CDN and DDoS protection
  • Automated security patches and updates
  • Network-level firewalls and intrusion detection

Application Security

  • Regular dependency vulnerability scanning
  • Static code analysis (DeepSource)
  • Container image scanning (Trivy) before deployment
  • Signed container images (Sigstore/cosign)

Data Segregation

  • Logical tenant isolation at the application layer
  • Database-level access controls per company

Backup and Recovery

  • Automated daily backups with point-in-time recovery
  • Backup encryption at rest
  • Tested disaster recovery procedures

Monitoring and Logging

  • Centralised logging with retention policies
  • Real-time monitoring and alerting
  • Audit trail for administrative actions

Personnel

  • Confidentiality agreements for all staff
  • Data protection training for employees handling Personal Data
  • Background checks for personnel with elevated access

ANNEX B: LIST OF SUB-PROCESSORS

Sub-Processor Country Purpose Categories of Data
OpenRouter, Inc. United States AI model routing for text generation, translation, and content moderation Menu texts, product descriptions
fal.ai, Inc. United States AI-powered image and video generation Product images, menu visuals
Paddle.com Market Ltd. United Kingdom International payment processing (Merchant of Record) Invoice information, email address, billing address
iyzico Ödeme Hizmetleri A.Ş. Turkey Domestic payment processing Tokenised card information, invoice information
Hetzner Online GmbH Germany Cloud hosting and object storage All platform data
Cloudflare, Inc. United States CDN, DNS, and DDoS protection IP addresses, request metadata

The Processor shall maintain an up-to-date list of Sub-Processors and notify the Controller of any changes in accordance with Section 8 of this DPA.

This Data Processing Agreement is effective as of the date the Controller accepts it through the Digitable platform.