Effective date: 2025-10-18

Data Processing Addendum (DPA)

This DPA is part of, and subject to, the Terms of Service between Sigmatop Bilgi Teknolojileri LTD (“Processor”, “we”) and the customer identified in the Order (“Controller”, “you”), for the provision of the Workgini services (“Services”). This DPA reflects the parties’ agreement on the processing of Personal Data under applicable data protection laws including GDPR/UK GDPR and, where applicable, Türkiye’s KVKK.

1. Definitions & Roles
  • “Personal Data” has the meaning under applicable Data Protection Laws and is limited to data we process on your behalf in providing the Services.
  • “Data Protection Laws” means all data protection and privacy laws applicable to the processing under this DPA, including EU/EEA GDPR, UK GDPR, and KVKK (as applicable).
  • “Standard Contractual Clauses” or “SCCs” means the European Commission’s 2021/914 clauses (Module 2 and/or 3 as applicable). “UK Addendum/IDTA” refers to the UK International Data Transfer Addendum/Agreement.
  • Controller determines the purposes and means of processing, and Processor processes Personal Data on Controller’s documented instructions, as set out in this DPA, the Order, and Controller’s in-product configurations.
2. Scope & Processing Instructions
  • Processor will process Personal Data solely (a) to provide, secure, support, and improve the Services (including monitoring, logging, backup/restore, and fraud/abuse prevention), (b) to comply with law, and (c) on Controller’s documented instructions. Processor will promptly notify Controller if an instruction infringes Data Protection Laws (to the extent legally permitted).
  • The subject matter, duration, nature and purpose of processing, types of Personal Data, and categories of Data Subjects are specified in Annex I.
3. Confidentiality & Personnel
  • Processor will ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
  • Employee/contractor NDAs: all personnel with access to Personal Data are bound by written confidentiality agreements and receive security and privacy training appropriate to their roles.
4. Security Measures
  • Processor implements appropriate technical and organizational measures to protect Personal Data as described in Annex II (TOMs). Controller is responsible for securing its accounts, endpoints, and in-product settings.
  • Processor will maintain policies for access control, encryption in transit, vulnerability management, change control, backup/recovery, and incident response in line with a risk-based approach.
5. Subprocessing
  • Controller authorizes Processor to engage subprocessors listed in Annex III and any others notified via our website or in-product notice. Processor will impose data protection terms on subprocessors no less protective than this DPA.
  • Processor will provide advance notice of material subprocessor changes and allow Controller to object on reasonable, documented grounds relating to data protection; if unresolved, Controller may terminate only the affected Services without penalty.
6. International Transfers; SCCs/UK Addendum
  • Where Processor or its subprocessors transfer Personal Data across borders under Data Protection Laws requiring safeguards, the SCCs (Module 2 and/or 3) and, for the UK, the UK Addendum/IDTA, will apply and are incorporated by reference. The parties will complete Annexes as needed and execute any required cross-signatures.
  • Upon request, Processor will provide reasonable assistance with transfer impact assessments (TIA) limited to Processor’s systems and subprocessors’ publicly available or contractually shareable information.
7. Data Subject Requests
  • Taking into account the nature of processing, Processor will assist Controller by appropriate technical and organizational measures, to the extent possible, in fulfilling Controller’s obligations to respond to requests to exercise data subject rights (access, rectification, erasure, restriction, portability, objection).
  • If Processor receives a request directly from a data subject, it will, where feasible, notify Controller and direct the data subject to submit the request to Controller.
8. Assistance; DPIAs & Consultations

Processor will provide reasonable cooperation (taking into account the nature of processing and available information) to support Controller’s obligations regarding security, breach notifications, DPIAs, and prior consultations with data protection authorities.

9. Personal Data Breach Notification
  • Processor will notify Controller without undue delay and in any event within 72 hours after confirming a Personal Data Breach affecting Controller’s Personal Data, providing details then known (nature of breach, likely consequences, and measures taken or proposed).
  • Processor will promptly take steps to mitigate and remediate and will cooperate with Controller in compliance efforts. Controller is responsible for any required notifications to authorities or data subjects unless otherwise agreed or required by law.
10. Return & Deletion of Data
  • Upon termination/expiry of the Services or upon Controller’s written request, Processor will (at Controller’s choice) return or delete Personal Data, unless retention is required by law.
  • Backups: production backups are overwritten on a rolling schedule; on the current (free) Supabase tier this is approximately 7 days. Personal Data deleted from live systems will fall out of backups on that rolling cadence.
11. Audit; Information Rights
  • Processor will make available information necessary to demonstrate compliance with this DPA (e.g., policy summaries, architecture and TOMs overview, penetration test summaries under NDA).
  • Controller may conduct an audit no more than once in any 12-month period (and additionally following a confirmed breach) with 30 days’ advance notice. Audits will be limited to Processor’s controls relevant to the Services, conducted during normal business hours in a manner that does not unreasonably interfere with operations. Controller bears its own audit costs.
12. Liability; Order of Precedence
  • The limitations and exclusions of liability in the Terms apply to this DPA. In case of conflict, this DPA prevails to the extent of the conflict regarding the processing of Personal Data.
13. Miscellaneous
  • If any provision of this DPA is held invalid, the remainder will remain in full force. This DPA will be governed by the same law and jurisdiction as the Terms unless otherwise required by Data Protection Laws.
  • Changes to this DPA may be made as described in the Terms; material changes affecting data protection obligations will be notified to Controller where required.
Annex I — Description of Processing

A. Parties

  • Controller: The customer identified in the Order.
  • Processor: Sigmatop Bilgi Teknolojileri LTD, registered address: Maslak Mahallesi AOS 55. Sokak 42 Maslak A Blok No: 2 İç Kapı No: 25,
    Sarıyer, Istanbul, Türkiye 34485, contact: contact@workgini.com.

B. Subject Matter & Duration

Processing of Personal Data to provide the Services, from initial activation until termination of the Services and completion of data return/deletion in accordance with the DPA.

C. Nature & Purpose

Hosting, storage, transmission, display, transformation as necessary to deliver core product features (HR, CRM, Calendar, etc.), customer support, security/abuse prevention, analytics and product improvement (in aggregated/anonymized form where feasible).

D. Types of Personal Data

  • Identification data (name, email, phone); account metadata.
  • Employment data (role, department, manager, status) where used.
  • Optional: payroll/benefits details you enter; scheduling and event data; communications metadata (e.g., notification logs).
  • Technical data (IP addresses, device/browser, logs).
  • No special category data is required by the Services. If Controller introduces such data, Controller is responsible for lawful basis and additional safeguards.

E. Categories of Data Subjects

  • Controller’s employees and contractors.
  • Candidates/applicants (if using recruiting features).
  • Customers/prospects and business contacts (if using CRM).
  • Users of Controller’s Workgini workspace.

F. Processing Operations

Collection (via UI/APIs), storage, organization, structuring, retrieval, consultation, use, transmission, restriction, erasure, and destruction, as necessary to provide the Services and support.

Annex II — Technical & Organizational Measures (TOMs)
  • Access Control: role-based access; least privilege; MFA enforced for privileged accounts; session management; periodic access reviews.
  • Encryption: TLS for data in transit; disk-level encryption at rest provided by the hosting platform; key management per platform best practices.
  • Application Security: secure SDLC; dependency scanning; code review; environment separation; secrets management.
  • Vulnerability & Patch Management: regular scanning; remediation based on severity SLAs; change management.
  • Logging & Monitoring: centralized logs; anomaly detection; audit trails for admin actions where supported.
  • Backup & DR: automated rolling backups; routine restore testing; RPO/RTO on a commercially reasonable-efforts basis for your plan tier. On the current free tier, backups are retained for approximately 7 days.
  • Business Continuity: cloud-native infrastructure, multi-AZ where supported by underlying provider.
  • Personnel Security: background checks as legally permitted; security/privacy training; NDAs for staff with access.
  • Vendor Management: subprocessor risk assessment, contractual DP terms, periodic reviews.
  • Physical Security: provided by cloud providers (datacenter controls, surveillance, visitor management).
  • Data Minimization & Retention: controller-driven retention settings where available; deletion on request and upon termination; backups expire on rolling schedule.
Annex III — Authorized Subprocessors

The following subprocessors support delivery of the Services. We will update this list for material changes (you may subscribe to updates if available in-product).

Subprocessor                            | Purpose/Service                         | Data Categories                                             | Region(s)
Supabase                                | Database, Auth, Storage, Backups        | All in-app data stored by Controller                        | As configured by account/provider
Vercel                                  | App hosting, CDN/edge                   | Service metadata, logs                                      | Global (edge); primary hosting region as configured
Stripe                                  | Payments processing                     | Billing contact, last4/tokens, invoices (no raw card data)  | As per Stripe regional setup
Email provider (e.g., Postmark/Resend)  | Transactional email delivery            | Recipient email, message content/metadata                   | Provider-specific
Monitoring/Telemetry (e.g., Sentry)     | Crash/error monitoring                  | Diagnostics, pseudonymized identifiers                      | Provider-specific
Optional AI vendor                      | ML features (if enabled by Controller)  | Only data sent by Controller for that feature               | Provider-specific

Note: Exact vendors/regions depend on your deployment choices and plan.

Need a signed copy or SCCs/UK IDTA?
We can countersign your company’s DPA or execute SCCs/UK IDTA where required.