flowiqa

Last updated: April 10, 2026

Data Processing Agreement (DPA)

This Data Processing Agreement (DPA) sets forth the conditions for the protection of personal data processed by flowiqa on behalf of our clients. This agreement is prepared in compliance with the European Union General Data Protection Regulation (GDPR), Turkish Personal Data Protection Law No. 6698 (KVKK), and international data protection standards.

1. Definitions

"Data Controller" refers to our client; "Data Processor" refers to flowiqa; "Personal Data" means any information relating to an identified or identifiable natural person; and "Processing" means any operation performed on personal data.

2. Purpose and scope of processing

flowiqa processes personal data only in accordance with the client's instructions and for the purpose of fulfilling the services specified in the agreement. Data processed includes: customer name, email address, phone number, order information, and other business process-related data.

3. Security measures

flowiqa implements appropriate technical and organizational measures to protect personal data: encryption of data (in transit and at rest), access control and authorization, regular security audits, staff training and confidentiality commitments.

4. Sub-processors

flowiqa may use sub-processors for service delivery. A list of sub-processors is available upon request. Each sub-processor is subject to data protection obligations equivalent to those set forth in this DPA.

5. Data transfers

When personal data needs to be transferred outside of Turkey, appropriate safeguards are ensured under KVKK Article 9 and GDPR Chapter V. Standard Contractual Clauses (SCCs) or additional protective measures are applied for transfers to countries without adequacy decisions.

6. Data breach notification

In the event of a data breach, flowiqa will notify the client in writing within 72 hours. The notification will include the nature of the breach, categories of data affected, potential consequences, and measures taken or proposed.

7. Data subject rights

flowiqa assists the client in fulfilling data subject rights under KVKK Article 11 and GDPR Articles 15-22: access, rectification, erasure, restriction of processing, data portability, and objection rights.

8. Term and termination

This DPA remains in effect for the duration of the main service agreement. Within 30 days of termination of the service agreement, personal data will be returned or securely deleted at the client's request.

9. Audit rights

The client or an authorized independent auditor may audit flowiqa's compliance with this DPA, subject to reasonable prior notice and confidentiality commitments.