Legal

Data Processing Agreement (DPA)

Last updated: March 2026

This document is provided in English. The legally binding text below is in English. For translated versions, please contact us.

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the agreement between Vomenta Technologies Inc. (“Processor” or “Vomenta”) and the customer (“Controller” or “Customer”) for the provision of the Vomenta cloud Contact Center as a Service (CCaaS) platform (the “Service”).

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applies to the processing of personal data by Vomenta on behalf of the Customer. This DPA supplements the Terms of Service, Privacy Policy, and KVKK Compliance commitments.

2. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person as defined under GDPR Article 4(1).
  • “Processing” means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
  • “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
  • “Sub-processor” means any third party engaged by Vomenta to process Personal Data on behalf of the Customer.
  • “Supervisory Authority” means an independent public authority established by an EU Member State pursuant to GDPR Article 51.

3. Scope and purpose of processing

3.1 Subject matter

Vomenta processes Personal Data solely to provide the CCaaS platform services described in the agreement between the parties, including:

  • Routing and delivering voice calls, chat messages, SMS, WhatsApp, and email communications
  • Recording, transcribing, and analyzing customer interactions
  • AI-powered agent assistance (copilot, voice agents, chat agents)
  • Real-time and historical analytics and reporting
  • Workforce management and quality management
  • Campaign management and predictive dialing

3.2 Duration

Processing commences on the date the Customer activates the Service and continues for the duration of the agreement. Upon termination, Vomenta shall delete or return all Personal Data within 30 days, unless retention is required by applicable law.

3.3 Categories of data subjects

  • Customer's end users and customers (callers, chat participants, email senders)
  • Customer's agents, supervisors, and administrators
  • Third parties whose data is incidentally processed during communications

3.4 Types of personal data

  • Contact information (names, phone numbers, email addresses)
  • Communication content (call recordings, chat transcripts, email content, voicemail)
  • Interaction metadata (timestamps, duration, channel, queue, disposition codes)
  • Agent performance data (handle time, quality scores, schedule adherence)
  • Customer-defined CRM data and custom fields
  • Technical identifiers (IP addresses, device information, session data)

4. Obligations of the Processor

Vomenta shall:

  • Process Personal Data only on documented instructions from the Customer, unless required by EU or Member State law.
  • Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 7).
  • Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller (see Section 6).
  • Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection).
  • Assist the Controller in ensuring compliance with obligations under GDPR Articles 32–36 (security, breach notification, DPIA, prior consultation).
  • At the choice of the Controller, delete or return all Personal Data upon termination and delete existing copies unless retention is required by law.
  • Make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations and allow for and contribute to audits.
  • Immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other data protection provisions.

5. International data transfers

Vomenta operates data centers in multiple regions. When Personal Data is transferred outside the European Economic Area (EEA), the following safeguards apply:

  • Standard Contractual Clauses (SCCs): The EU Commission-approved Standard Contractual Clauses (Module 2: Controller to Processor; Module 3: Processor to Processor) are incorporated by reference into this DPA and apply to all transfers to countries without an adequacy decision.
  • Adequacy Decisions: Transfers to countries recognized by the European Commission as providing adequate data protection are permitted without additional safeguards.
  • EU-U.S. Data Privacy Framework: Where applicable, Vomenta relies on the EU-U.S. Data Privacy Framework certification.
  • Transfer Impact Assessments: Vomenta conducts Transfer Impact Assessments (TIAs) and implements supplementary measures where the legal framework of the recipient country does not provide equivalent protection.
  • Data Residency Options: Enterprise customers may configure data residency to restrict processing to specific regions (EU, US, or other supported regions).

6. Sub-processors

6.1 Authorization

The Customer provides general written authorization for Vomenta to engage Sub-processors to perform specific processing activities. Vomenta maintains an up-to-date list of Sub-processors, available upon request.

6.2 Notification of changes

Vomenta shall notify the Customer at least 30 days before adding or replacing a Sub-processor, providing the Customer an opportunity to object. If the Customer objects on reasonable grounds related to data protection, the parties shall discuss the concern in good faith. If no resolution is reached, the Customer may terminate the affected Service component.

6.3 Sub-processor obligations

Vomenta imposes contractual obligations on each Sub-processor that are no less protective than those in this DPA. Vomenta remains fully liable for the performance of its Sub-processors.

6.4 Current Sub-processor categories

  • Cloud Infrastructure: Hosting, compute, and storage services (data centers in EU, US, and other regions)
  • Telecommunications: SIP trunking, PSTN connectivity, SMS delivery, and phone number provisioning
  • AI and Machine Learning: Speech-to-text, text-to-speech, natural language processing, sentiment analysis (BYOK option available for customer-managed AI keys)
  • Payment Processing: Subscription billing and payment gateway services
  • Email Delivery: Transactional email notifications and system alerts
  • Monitoring and Observability: Application performance monitoring and error tracking

To request the full Sub-processor list with entity names and locations, contact [email protected].

7. Security measures

Vomenta implements the following technical and organizational measures in accordance with GDPR Article 32:

7.1 Encryption

  • AES-256 encryption for data at rest
  • TLS 1.2+ (TLS 1.3 preferred) for data in transit
  • SRTP encryption for voice communications
  • End-to-end encryption for sensitive data fields

7.2 Access controls

  • Role-based access control (RBAC) with principle of least privilege
  • Multi-factor authentication (MFA) for administrative access
  • SSO integration via SAML 2.0 and OAuth 2.0
  • IP whitelisting for API and administrative access
  • Automatic session timeout and re-authentication

7.3 Infrastructure security

  • SOC 2 Type II certified infrastructure
  • Network segmentation and firewall protection
  • Intrusion detection and prevention systems (IDS/IPS)
  • DDoS protection and mitigation
  • Regular vulnerability scanning and penetration testing
  • Automated patch management

7.4 Operational security

  • Comprehensive audit logging of all data access and modifications
  • 24/7 security monitoring and incident response
  • Background checks for all personnel with data access
  • Mandatory security awareness training
  • Business continuity and disaster recovery plans
  • Geographic redundancy with automatic failover

8. Audit rights

The Customer has the right to audit Vomenta's compliance with this DPA, subject to the following conditions:

  • Self-service audits: Vomenta provides SOC 2 Type II reports, penetration test summaries, and other compliance documentation upon request at no additional charge.
  • On-site audits: The Customer may conduct or commission an on-site audit with 30 days' written notice, at the Customer's expense. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Vomenta's operations.
  • Third-party audits: The Customer may appoint a mutually agreed independent third-party auditor bound by confidentiality obligations.
  • Frequency: No more than one audit per 12-month period unless a data breach or regulatory requirement necessitates an additional audit.
  • Remediation: Vomenta shall address any non-compliance findings within a mutually agreed timeframe and provide evidence of remediation.

9. Data breach notification

In the event of a Personal Data breach, Vomenta shall:

  • Notify the Customer without undue delay and in any case within 48 hours after becoming aware of the breach.
  • Provide the following information (to the extent available):
    • Nature of the breach, including categories and approximate number of Data Subjects and records affected
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach and mitigate its effects
    • Contact details of the Vomenta point of contact for further information
  • Cooperate with the Customer in investigating, mitigating, and remediating the breach.
  • Assist the Customer in meeting its notification obligations to supervisory authorities (within 72 hours per GDPR Article 33) and to affected Data Subjects (per GDPR Article 34).
  • Maintain a complete record of all breaches, including facts, effects, and remedial actions, available for audit.

10. Data subject rights

Vomenta provides technical and organizational measures to assist the Customer in fulfilling Data Subject requests under GDPR Articles 15–22:

  • Access and Portability: Data export tools in the platform allow extraction of all Personal Data in machine-readable formats (JSON, CSV).
  • Rectification: Administrative interfaces for correcting Personal Data across all processing systems.
  • Erasure: Automated data deletion workflows with verification and audit trail.
  • Restriction: Ability to flag and restrict processing of specific data records.
  • Objection: Configuration options to cease specific processing activities (e.g., AI analysis, recording).

Vomenta shall respond to Customer requests for assistance with Data Subject rights within 5 business days.

11. Data protection impact assessment

Where required under GDPR Article 35, Vomenta shall provide the Customer with reasonable assistance in conducting Data Protection Impact Assessments (DPIAs) and, where necessary, prior consultation with supervisory authorities under Article 36. This assistance includes providing information about Vomenta's processing activities, security measures, and Sub-processor arrangements.

12. Return and deletion of data

Upon termination or expiration of the agreement:

  • The Customer may request a complete export of all Personal Data in machine-readable format within 30 days of termination.
  • After the 30-day export period, Vomenta shall securely delete all Personal Data and confirm deletion in writing, unless retention is required by applicable law.
  • Deletion includes all copies across primary storage, backups, and disaster recovery systems, completed within 90 days of the deletion request.
  • Vomenta shall provide a certificate of deletion upon request.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the underlying agreement between the parties. This DPA does not increase or decrease either party's total aggregate liability.

14. Governing law and jurisdiction

This DPA is governed by the laws of the jurisdiction specified in the underlying agreement. For matters related to GDPR, the provisions of the GDPR and applicable EU Member State law shall take precedence where they conflict with the governing law of the agreement.

15. How to execute this DPA

Enterprise customers can request a signed copy of this DPA. To execute the DPA or request modifications:

For additional information about our data protection practices, see our Privacy Policy, KVKK Compliance, and Security pages.