Legal

Data Processing Addendum (DPA)

Last updated: 10 Oct 2025

This DPA forms part of the agreement between Configgo (“Processor”) and the customer (“Controller”) for the use of https://configgo.com and related services (“Services”).

Capitalized terms not defined here have the meanings in the Main Agreement. To the extent of conflict, this DPA prevails over the Main Agreement with respect to processing of personal data, unless the Main Agreement explicitly states otherwise.

1) Definitions

“Applicable Data Protection Laws” means laws and regulations relating to privacy, data protection, and data security applicable to the processing under this DPA (including, where applicable, GDPR/UK GDPR). “Personal Data” means any information relating to an identified or identifiable natural person processed by Configgo on behalf of Controller. Other terms (e.g., “processing”, “controller”, “processor”) have the meanings given in Applicable Data Protection Laws.

2) Scope & Controller Instructions

Processor will process Personal Data solely to provide and improve the Services in accordance with Controller’s documented instructions, this DPA, and the Main Agreement. Processor will promptly inform Controller if, in its opinion, an instruction infringes Applicable Data Protection Laws.

3) Details of Processing (Annex I)

The nature, purpose, duration, categories of data subjects, and categories of Personal Data are set out below.

| Purpose | Nature | Categories of Personal Data | Data Subjects | Duration |
|---|---|---|---|---|
| Provide, maintain, and secure the Services | Hosting, storage, transmission, display, backup, and support | Account data (name, email), usage logs, device/network metadata, customer-provided content | Customer personnel, end users authorized by Customer | For the term of the Main Agreement, plus retention required for legal/defense obligations |
| Improve and analyze Service performance | Aggregated analytics, troubleshooting, quality and feature development | Pseudonymous identifiers, usage events, performance metrics | Customer personnel, end users authorized by Customer | Ongoing during the term; aggregated data may be retained in de-identified form |

4) Security Measures (Annex II)

Processor will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, as described in Annex II, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing.

  • Encryption in transit (TLS) and at rest; key management controls.
  • Access controls (least privilege, MFA/SSO), role-based permissions, periodic access reviews.
  • Secure development lifecycle, code review, dependency scanning, vulnerability management.
  • Logging, monitoring, and alerting; security incident response playbooks.
  • Backups, disaster recovery, and business continuity testing.
  • Personnel confidentiality and security training; background checks as permitted by law.

5) Personnel & Confidentiality

Processor ensures that personnel authorized to process Personal Data are bound by confidentiality obligations and receive appropriate privacy and security training.

6) Sub-processors (Annex III)

Controller authorizes Processor to engage sub-processors to support the Services. Processor will impose data protection obligations no less protective than those in this DPA and remains responsible for their performance. Current sub-processors are listed in Annex III.

| Sub-processor | Purpose | Location | Data Categories | Safeguards |
|---|---|---|---|---|
| Cloud Infrastructure Provider | Compute, storage, networking, and backup | EU and Türkiye (as configured); global redundancy where applicable | All categories necessary to host and operate the Services | SCCs/adequacy (if applicable), ISO 27001/27017/27018, encryption at rest/in transit |
| Email Delivery Provider | Transactional and operational emails | Global | Contact data (email), delivery events/metadata | SCCs/adequacy (if applicable), TLS in transit, DPA with security commitments |
| Analytics Provider | Usage analytics to improve reliability and features | EU/US (regional controls where applicable) | Pseudonymous identifiers, page/app events, device/browser metadata | IP truncation/pseudonymization, SCCs/adequacy (if applicable), DPA |

7) International Transfers

Where processing involves transfers of Personal Data to a country without an adequate level of protection, the parties will rely on appropriate safeguards such as Standard Contractual Clauses (including any applicable UK or other addenda), or other mechanisms permitted by Applicable Data Protection Laws.

8) Assistance to Controller

Taking into account the nature of processing, Processor will assist Controller with reasonable technical and organizational measures in fulfilling Controller’s obligations to respond to requests to exercise data subject rights, conduct DPIAs, and consult supervisory authorities where required.

9) Personal Data Breach

Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller’s Personal Data, and will provide information reasonably required to support Controller’s obligations under Applicable Data Protection Laws.

10) Audits & Certifications

Upon reasonable prior notice and subject to confidentiality and safety controls, Processor will make available information necessary to demonstrate compliance with this DPA and allow for audits (including inspections) conducted by Controller or an independent auditor mandated by Controller, to the extent required by Applicable Data Protection Laws.

11) Return & Deletion of Data

Upon termination or expiry of the Services, Processor will, at Controller’s choice, delete or return Personal Data and will delete existing copies unless retention is required by law or for establishment, exercise, or defense of legal claims.

12) Records & Cooperation

Processor will maintain records of processing as required by Applicable Data Protection Laws and will cooperate with competent supervisory authorities upon lawful request.

13) Liability

The parties’ liability under this DPA is subject to the limitations and exclusions set out in the Main Agreement, unless otherwise mandated by Applicable Data Protection Laws.

14) Precedence, Governing Law & Venue

In the event of a conflict between this DPA and the Main Agreement, this DPA controls with respect to processing of Personal Data. Unless the Main Agreement specifies otherwise, this DPA is governed by the laws of the Republic of Türkiye, and the courts of Ankara shall have exclusive jurisdiction, subject to mandatory Applicable Data Protection Laws.

15) Contact

Questions about this DPA? Contact legal@configgo.com or write to: Çankaya, Ankara, Türkiye.

Note

This template is provided for general information only and isn’t legal advice. Adapt to the Main Agreement, your processing activities, and jurisdictional requirements.

Annex II — Technical & Organizational Measures

  • Organization & Policies: Security governance, policies, training, vendor management.
  • Access Control: MFA/SSO, least privilege, role separation, periodic reviews, immediate revocation.
  • Encryption: TLS for data in transit; encryption at rest; secrets management.
  • Hardening & Development: Secure coding, code review, dependency scanning, IaC baselines.
  • Monitoring & Logging: Centralized logs, retention, anomaly detection, alerting.
  • Vulnerability Management: Regular scanning, patch SLAs, penetration tests.
  • Resilience: Backups, replication, DR testing, RPO/RTO objectives.
  • Physical Security: Data centers with access control, surveillance, and environmental controls.
  • Incident Response: Documented runbooks, roles, communication plans, post-incident review.
  • Privacy by Design: Data minimization, purpose limitation, retention, pseudonymization where suitable.

Deniz Oktay Tuncay

CEO
