
Data Processing Agreement

Effective: April 2, 2026

1. Scope

This Data Processing Agreement ("DPA") forms part of the agreement between PrismUp, operated by İlk Adım Elektronik Tic. ve Aksesuar San. Ltd. Şti. ("Processor", "we", "us"), and the customer entity ("Controller", "you") that has entered into a subscription agreement for PrismUp services (the "Main Agreement").

This DPA applies whenever PrismUp processes Personal Data on behalf of the Controller in the course of providing the PrismUp platform and related services. It sets out the parties' obligations with respect to the protection of Personal Data in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Turkish Personal Data Protection Law No. 6698 ("KVKK").

2. Definitions

For the purposes of this DPA, the following definitions apply:

  • Controller — The natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In the context of this DPA, the Controller is the customer.
  • Processor — The natural or legal person which processes Personal Data on behalf of the Controller. In the context of this DPA, the Processor is PrismUp (İlk Adım Elektronik Tic. ve Aksesuar San. Ltd. Şti.).
  • Personal Data — Any information relating to an identified or identifiable natural person ("data subject"), as defined in Article 4(1) GDPR.
  • Processing — Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction.
  • Sub-processor — Any third party engaged by the Processor to process Personal Data on behalf of the Controller.

3. Processing Details

The details of the data processing carried out under this DPA are as follows:

  • Subject matter — The provision of AI-powered product image generation, editing, and management services through the PrismUp platform.
  • Duration — Processing will continue for the duration of the Main Agreement between the parties, unless otherwise specified in this DPA.
  • Nature of processing — Automated processing of data, including AI model inference, image generation, image storage, and transmission via APIs.
  • Purpose of processing — To provide the services described in the Main Agreement, including generating, editing, and delivering product images and related content.
  • Categories of Personal Data — Product images (which may incidentally contain personal data such as visible persons or identifying marks), account data (name, email address, organization details), authentication data, and usage metadata.
  • Categories of data subjects — Controller's employees, authorized users of the platform, and any individuals whose personal data is incidentally present in uploaded content.

4. Processor Obligations

In accordance with Article 28(3) GDPR, the Processor shall:

  • Process only on documented instructions — Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by European Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such disclosure.
  • Confidentiality — Ensure that all persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Security measures — Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7 of this DPA.
  • Sub-processor restrictions — Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, as described in Section 5.
  • Data subject rights — Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Controller's obligation to respond to requests for exercising data subject rights under Chapter III GDPR.
  • Assistance with compliance — Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and the information available to the Processor.
  • Deletion or return — At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless European Union or Member State law requires storage of the Personal Data. Deletion will be completed within 30 days of termination.
  • Audit cooperation — Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, as described in Section 9.

5. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors. The following sub-processors are authorized as of the effective date of this DPA:

  • Google LLC (Gemini AI) — AI model inference for image generation and content analysis. Location: United States.
  • OpenAI, Inc. — AI model inference for text processing and image analysis. Location: United States.
  • Cloudflare, Inc. — Content delivery, image storage (R2), and DDoS protection. Location: Global (edge network).
  • Vercel, Inc. — Application hosting and serverless compute. Location: United States.
  • Upstash, Inc. — Managed Redis for job queue processing. Location: United States.

The Processor shall notify the Controller of any intended changes to the list of sub-processors at least 30 days before the addition or replacement takes effect, providing the Controller with the opportunity to object. Notification will be sent to the email address associated with the Controller's account.

If the Controller objects to a new sub-processor on reasonable data protection grounds within the 30-day notice period, the parties shall discuss the objection in good faith. If no resolution can be reached, the Controller may terminate the affected services without penalty by providing written notice within 30 days of the Processor's notification.

The Processor shall impose data protection obligations on each sub-processor that are no less protective than those set out in this DPA. The Processor remains fully liable for the acts and omissions of its sub-processors.

6. International Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area ("EEA") and Turkey where our sub-processors operate, including the United States.

For transfers of Personal Data from the EEA to countries that have not been deemed to provide an adequate level of data protection by the European Commission, the Processor shall ensure that one or more of the following safeguards are in place:

  • Standard Contractual Clauses (SCCs) — The Processor shall enter into the European Commission's Standard Contractual Clauses (as adopted by Commission Implementing Decision (EU) 2021/914) with each sub-processor that processes Personal Data outside the EEA.
  • Adequacy decisions — Where the European Commission has issued an adequacy decision for the recipient country, transfers may rely on that decision.
  • Supplementary measures — Where required based on a transfer impact assessment, the Processor shall implement additional technical, contractual, or organizational measures to ensure that the level of protection of Personal Data is not undermined.

For transfers subject to KVKK, the Processor shall comply with the cross-border transfer requirements of Article 9 of KVKK, including obtaining any necessary approvals from the Turkish Personal Data Protection Board where applicable.

7. Security Measures

The Processor shall implement and maintain the following technical and organizational security measures, appropriate to the risk:

  • Encryption — All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 or equivalent industry-standard encryption at the storage layer.
  • Access controls — Access to Personal Data is restricted on a need-to-know basis using role-based access controls. Multi-factor authentication is enforced for all administrative access to production systems.
  • Infrastructure security — Production infrastructure is hosted on managed platforms with SOC 2 Type II and/or ISO 27001 certifications. Network isolation, firewalls, and intrusion detection systems are in place.
  • Incident response — A documented incident response procedure is maintained, including defined roles, escalation paths, and communication protocols, as described in Section 8.
  • Regular testing — Security measures are reviewed and tested on a regular basis to ensure their continued effectiveness. This includes vulnerability assessments and dependency audits.
  • Data minimization — Personal Data is retained only for as long as necessary for the purposes of processing. Temporary processing data (such as AI model inputs and outputs) is deleted promptly after processing is complete.

8. Data Breach Notification

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach. Notification shall be sent to the email address associated with the Controller's account and to any additional contact designated for this purpose.

The breach notification shall include, at a minimum:

  • A description of the nature of the breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned.
  • The name and contact details of the Processor's data protection point of contact from whom further information can be obtained.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay. The Processor shall cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

9. Audit Rights

The Controller has the right to conduct audits to verify the Processor's compliance with the obligations set out in this DPA, subject to the following conditions:

  • Audits may be conducted no more than once per calendar year, unless a data breach or regulatory investigation necessitates an additional audit.
  • The Controller shall provide at least 30 days' written notice before conducting an audit, specifying the scope and expected duration.
  • Audits may be conducted remotely (through review of documentation, certifications, and questionnaire responses) or on-site at the Processor's premises during normal business hours.
  • The Controller shall ensure that audits are conducted in a manner that minimizes disruption to the Processor's operations and does not compromise the security or confidentiality of other customers' data.
  • The Controller may engage a qualified, independent third-party auditor to conduct the audit on its behalf, provided that such auditor is bound by appropriate confidentiality obligations.
  • The Processor may satisfy audit requests by providing relevant third-party audit reports, certifications (such as SOC 2 or ISO 27001), or attestations, provided they adequately address the Controller's concerns.

The costs of any audit shall be borne by the Controller, except where the audit reveals a material breach of this DPA by the Processor.

10. Term and Termination

This DPA is co-terminous with the Main Agreement. It shall take effect on the date the Main Agreement is executed and shall remain in force for as long as the Processor processes Personal Data on behalf of the Controller.

Upon termination or expiration of the Main Agreement:

  • The Processor shall, at the Controller's election, either return all Personal Data to the Controller in a commonly used, machine-readable format or securely delete all Personal Data within 30 days.
  • The Processor shall provide written certification of deletion upon the Controller's request.
  • Obligations relating to confidentiality, liability, and any provisions that by their nature are intended to survive, shall survive termination of this DPA.

Notwithstanding the foregoing, the Processor may retain Personal Data to the extent required by applicable law, in which case the Processor shall continue to ensure the confidentiality and security of such data and shall process it only for the purpose required by law.