Data Processing Agreement
Last updated: June 3, 2026
Overview
This page describes who processes personal data on our behalf, why, and where. It stands in for a formal DPA for most customers; enterprise customers may request a signed version.
Sub-processors
We use the following third parties to deliver the Service. All are contractually bound by confidentiality and data-protection obligations at least as strict as those in this policy.
| Provider | Purpose | Location |
|---|---|---|
| AWS (RDS, S3) | Application hosting + database | eu-west-1 (Dublin) |
| Cloudflare | CDN, DDoS protection | Global edge |
| Postmark | Transactional email delivery | USA |
| PayTR | Card payment processing | Türkiye |
Security measures
- TLS 1.2+ for data in transit
- Daily database backups, 30-day retention, optional off-site encryption
- Principle-of-least-privilege access on admin panel (owner / admin / editor / viewer roles)
- Full audit trail of every admin write, with before/after diff
Your rights
Customers can request a copy of their data, deletion, or a signed DPA. We respond within 30 days.