Data Processing Agreement
Last updated: March 9, 2026
1. Scope & Definitions
This Data Processing Agreement ("DPA") forms part of the agreement between Devotel Telekomunikasyon A.S. ("Processor") and the customer ("Controller") for the provision of the Orbit communications platform. Terms not defined herein have the meaning given in the GDPR (Regulation (EU) 2016/679) or the main service agreement.
2. Data Processing Details
Subject matter: Processing of personal data as necessary to provide SMS, Voice, WhatsApp, RCS, Email, and AI Agent services through the Orbit platform.
Duration: The term of the main service agreement plus the period required for deletion of all personal data in accordance with this DPA.
Categories of data subjects: End users and recipients of communications sent through the Orbit platform by the Controller.
Types of personal data: Phone numbers, email addresses, message content, IP addresses, device identifiers, and communication metadata (timestamps, delivery status, channel).
3. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller.
- Ensure persons authorized to process personal data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures per Article 32 GDPR.
- Not engage sub-processors without prior written authorization of the Controller.
- Assist the Controller in responding to data subject requests.
- Delete or return all personal data upon termination, at the Controller's choice.
- Make available all information necessary to demonstrate compliance and allow audits.
4. Sub-Processors
Current sub-processors: Google Cloud Platform (EU infrastructure), Stripe (payment processing), PostHog (analytics), Resend (transactional email delivery). The Processor maintains an up-to-date list of sub-processors and will notify the Controller at least 30 days before adding a new sub-processor.
5. International Transfers
Personal data is primarily stored in the EU (GCP europe-west1 region). Where transfers to third countries are necessary, the Processor ensures appropriate safeguards including Standard Contractual Clauses (SCCs) as approved by the European Commission.
6. Security Measures
Security measures include but are not limited to:
- Encryption at rest (AES-256) and in transit (TLS 1.3).
- Network segmentation and VPC isolation.
- Role-based access control with least privilege principle.
- Regular penetration testing and vulnerability scanning.
- Incident response plan with 72-hour breach notification.
- Automated log monitoring and anomaly detection.
7. Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. Notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to mitigate.
8. Contact
For DPA-related inquiries, contact dpa@devotel.io.