Data Processing Agreement
Last updated: June 2026
This document is a launch-ready draft. The bracketed company details must be completed and the text approved by the operator before publication.
This Data Processing Agreement (the “Agreement”) is concluded between the business customer that uses the Omnilegal service in its capacity as a law firm, lawyer, attorney partnership or company (the “Controller”) and Topluyıldız Danışmanlık A.Ş. (a joint-stock company under Turkish law seated in Beşiktaş, İstanbul, Türkiye; the “Processor” or “Omnilegal”), in order to govern the personal-data processing activities that the Processor carries out on behalf and for the account of the Controller in the course of providing the Omnilegal service. This Agreement sets out the rights and obligations of the parties under article 12 of the Turkish Personal Data Protection Law no. 6698 (“KVKK”) and, where the processing concerns data subjects established in or relating to the European Union, under article 28 of the European General Data Protection Regulation (“GDPR”). For firm customers, this Agreement is concluded together with the Subscription Agreement and forms an integral part of it; acceptance of the Subscription Agreement constitutes acceptance of this Agreement.
1. Parties and Definitions
This Agreement is concluded between, on the one part, the business customer that subscribes to the Omnilegal service and determines the purposes and means of processing personal data (the “Controller”) and, on the other part, Topluyıldız Danışmanlık A.Ş. (the “Processor” or “Omnilegal”). The parties are referred to jointly as the “Parties” and individually as a “Party”.
The terms “personal data”, “special-category personal data”, “data subject”, “controller”, “processor”, “processing” and “explicit consent” carry the meaning given to them in article 3 of the KVKK. Where European Union law applies, the same terms shall be construed together with their counterparts in article 4 of the GDPR. “Sub-processor” means a third party engaged by the Processor to carry out all or part of the processing activities under this Agreement.
“Omnilegal” means the legal artificial-intelligence operating system designed for lawyers and law firms, which unifies the work of a firm in a single system from client intake to delivery; “Subscription Agreement” means the principal agreement concluded between the Parties for the use of the Omnilegal service. In the event of any conflict between this Agreement and the Subscription Agreement on matters concerning the protection of personal data, the provisions of this Agreement shall prevail.
2. Subject Matter, Duration, Nature and Purpose of Processing
The subject matter of this Agreement is the determination of the scope, nature and limits of the personal-data processing activities that the Processor carries out on behalf of the Controller in the course of providing the Omnilegal service. Processing takes place in the context of client intake, file and document management, legal research, drafting, correspondence and attorney-controlled, artificial-intelligence-assisted output generation.
The nature of the processing comprises the collection, recording, storage, regular backup, masking, classification, querying, per-matter segregation and, in accordance with the Controller’s instructions, deletion or return of the data. The purpose of the processing is solely to provide the Omnilegal service to the Controller in conformity with the agreement and to support the Controller’s professional activities.
The duration of the processing continues for as long as the Subscription Agreement remains in force. Upon termination of the Subscription Agreement for any reason, the processing shall cease, save for the provisions of this Agreement concerning the return or destruction of the data.
3. Categories of Personal Data Processed and Groups of Data Subjects
The categories of personal data that may be processed by the Processor on behalf of the Controller include identity data, contact data, content data relating to clients and matters, data concerning the facts of a legal dispute, the content of correspondence and documents, and any other data entered into the Omnilegal system by the Controller. The type and scope of the data processed are determined in substance by the Controller through the content it transfers into the system.
The groups of data subjects include the Controller’s clients, opposing parties and their representatives, witnesses, third parties, and the Controller’s employees and business partners. The Controller acknowledges that the data it transfers into the system may include special-category personal data (such as health data, criminal-conviction data and biometric data) and undertakes that such data have been obtained lawfully.
The Processor states that, by design, personal data are masked before any call is made to an artificial-intelligence model; the model only ever sees the masked text and the masking key or table does not leave the jurisdiction. Where the masking process fails, the relevant flow is stopped in order to prevent any data leakage.
4. Roles and Obligations of the Parties
The Controller is the party that determines the purposes and means of processing in respect of the personal data processed under this Agreement and is responsible for all obligations falling upon a controller under the KVKK and, to the extent applicable, the GDPR. The Controller undertakes that a valid legal basis (articles 5 and 6 of the KVKK and articles 6 and 9 of the GDPR) exists for the processing of the personal data it transfers into the system, that the requisite information notice has been provided and that, where required, explicit consent has been obtained.
The Controller is solely responsible for the lawfulness of the instructions it gives to the Processor. Where the Processor forms the view that an instruction given to it infringes the KVKK, the GDPR or other legislation, it shall inform the Controller without delay.
The Processor processes personal data only for the purposes set out in this Agreement and within the framework of the Controller’s instructions, and fulfils the obligations falling upon a processor under article 12 of the KVKK and article 28 of the GDPR.
5. Obligations of the Processor
The Processor processes personal data only on the documented, written instructions of the Controller, unless required to do otherwise by a legal obligation. In that exceptional case, the Processor shall, unless legally prohibited from doing so, inform the Controller of that obligation before carrying out the processing.
The Processor ensures that persons processing the personal data are under an obligation of confidentiality or are subject to an appropriate statutory obligation of confidentiality. This obligation of confidentiality continues indefinitely after the termination of this Agreement.
Pursuant to article 12 of the KVKK, the Processor takes all necessary technical and organisational measures to ensure an appropriate level of security, in order to prevent the unlawful processing of and unlawful access to personal data and to ensure the safekeeping of the data. These measures include encryption in transit and at rest, per-matter isolation, and the maintenance of an audit trail of approval, citation and masking steps.
The Processor undertakes that client data are masked before any call is made to an artificial-intelligence model, that no model is trained on client data, and that the masking key is not removed from the jurisdiction. The Processor further provides the Controller with appropriate assistance, insofar as technically possible, in responding to requests from data subjects under article 11 of the KVKK and articles 12 to 22 of the GDPR, and in fulfilling the Controller’s obligations under articles 12 to 15 of the KVKK and articles 32 to 36 of the GDPR.
6. Sub-processors and Notification of Changes to Sub-processors
The Controller grants the Processor general authorisation to engage sub-processors for the provision of the service under this Agreement. As at the date of execution of this Agreement, the sub-processors used by the Processor are principally [hosting provider] and [artificial-intelligence model provider].
The Processor concludes with each sub-processor a contract imposing data-protection obligations that are in substance the same as those provided for in this Agreement, and remains liable to the Controller for the sub-processor’s compliance with those obligations.
Where it intends to replace existing sub-processors or to add new sub-processors, the Processor shall inform the Controller a reasonable time in advance and afford the Controller the opportunity to object on reasonable grounds. In the event of an objection, the Parties shall endeavour in good faith to agree upon a solution.
7. Cross-border Transfer
The transfer of personal data abroad shall be carried out in accordance with article 9 of the KVKK and the Regulation on Transfer Abroad, and, where European Union law applies, with the provisions of Chapter V of the GDPR. A transfer may be made to a country in respect of which an adequacy decision exists, by the provision of appropriate safeguards (standard contractual clauses, a written undertaking, binding corporate rules or the standard data-protection clauses under the GDPR), or in the exceptional situations provided for by law.
Where a transfer abroad is made through sub-processors, the Processor ensures that the legal mechanism required for such transfer is in place. By the design of Omnilegal, the masking key or table is not removed from the jurisdiction and the artificial-intelligence model only sees the masked text; embedding operations may be routed to the European Union.
Where a representative must be appointed in respect of data subjects established in the European Union, the Controller shall notify the Processor of the [controller's representative, if any]. The Parties agree to review this article in order to maintain compliance with changes in the applicable legislation and decisions of the Board concerning cross-border transfers.
8. Personal Data Breach Notification
Where the Processor becomes aware that the personal data it processes have been unlawfully obtained by others, it shall notify the Controller without any delay and as soon as reasonably practicable. Such notification shall be made in sufficient detail to enable the Controller to fulfil its own obligations, describing the nature of the breach, the categories of data subjects and records likely to be affected, the likely consequences, and the measures taken or proposed to be taken.
The obligation to notify a personal data breach to the Personal Data Protection Board and to the data subjects rests with the Controller, pursuant to article 12 of the KVKK and the relevant decisions of the Board. The Controller is obliged to notify the breach to the Board and to the data subjects within the procedures and time limits set by the Board (to the Board without delay and, in any event, within seventy-two hours of becoming aware of the breach).
The Processor provides the Controller with appropriate assistance by furnishing the information and documents necessary to enable the Controller to fulfil these notification obligations.
9. Audit and Accountability
The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations arising from this Agreement and from article 12 of the KVKK and article 28 of the GDPR.
The Controller is entitled to carry out, or have carried out, audits and inspections for the purpose of verifying compliance with this Agreement, provided that it gives reasonable prior written notice, interferes as little as possible with the Processor’s activities and complies with its confidentiality obligations. Such audits shall be conducted during working hours and a reasonable number of times per year; the case of a justified suspicion of a breach is reserved.
The Processor states that it maintains an audit trail of the approval, citation and masking steps and that, in accordance with the principle of accountability, it retains those records for use in responding to audit requests.
10. Return or Destruction of Data upon Termination
Upon termination of the Subscription Agreement, the Processor shall, at the Controller’s option, return to the Controller or destroy all personal data it processes. If the Controller does not communicate its choice within a reasonable period from the date of termination, the Processor shall be entitled to destroy the data securely.
In respect of data that it is legally obliged to retain, the Processor may continue to retain the relevant data, limited to the period and purpose required by such retention and provided that it maintains the confidentiality and security obligations set out in this Agreement.
Upon request, the Processor shall confirm in writing that the return or destruction has been completed. Destruction shall be carried out by methods that make recovery of the data impossible.
11. Liability
The liability of the Parties under this Agreement shall be determined within the framework of the mandatory provisions of the Turkish Code of Obligations no. 6098 and the liability arrangements set out in the Subscription Agreement. It is reserved that, under article 115 of the Turkish Code of Obligations, liability arising from gross fault and wilful misconduct may not be excluded in advance.
Each Party is responsible for the damages arising from personal-data protection breaches caused by its own fault. Claims by data subjects for compensation of damages arising under article 11 of the KVKK and other legislation are reserved.
The Controller is responsible for damages arising from the Processor’s compliance with the lawful instructions given to it. Conversely, where the Processor acts manifestly outside the instructions given to it, it shall be liable for the damages arising from such conduct.
12. Governing Law and Jurisdiction
This Agreement is governed by the laws of the Republic of Türkiye and shall be construed within the framework of the KVKK and its related secondary legislation. The mandatory provisions of the GDPR are reserved in respect of processing relating to data subjects in the European Union.
For the resolution of disputes arising from this Agreement, the courts and enforcement offices designated as competent in the Subscription Agreement shall have jurisdiction. In the absence of any provision to the contrary in the Subscription Agreement, the İstanbul (Çağlayan) Courts and Enforcement Offices shall have jurisdiction.
For firm customers, this Agreement is concluded together with the Subscription Agreement and forms an integral and complementary annex to it. The invalidity of any provision of this Agreement shall not affect the validity of the remaining provisions.