This Data Processing Agreement ("DPA") governs the processing of personal data by OzcenkLabs Ltd. ("Processor") on behalf of the Customer ("Controller") using the Service, pursuant to UK GDPR Article 28. Acceptance of the Service subscription constitutes acceptance of this DPA.
1. Definitions
- Controller: The Customer (legal or natural person subscribing to the Service — healthcare practice, real estate, retail, beauty, automotive, etc.).
- Processor: OzcenkLabs Ltd.
- Data Subjects: Customer's End Users (patients, leads, prospects, buyers) and Customer admin personnel.
- Personal Data: As defined in UK GDPR.
2. Scope of Processing (Annex 1)
| Item | Description |
|---|---|
| Subject matter | SaaS Service comprising AI chat, lead/appointment/inquiry management (sector-dependent). |
| Duration | Throughout the subscription + 90 days after termination. |
| Purpose | Enabling the Customer to communicate with and serve its End Users. |
| Data types | Name, phone, email, message content, sector-specific details (appointments, listings, products, etc.), hashed IP. |
| Data subject categories | End Users, Customer admin personnel. |
| Special category data | Only for healthcare-sector Customers (patient health data); not present in other sectors. |
3. Processor Obligations
OzcenkLabs commits to:
- Process personal data only on documented instructions of the Controller.
- Ensure authorised personnel are bound by confidentiality.
- Implement appropriate security measures (Art. 32, see Annex 2).
- Provide 30 days' notice for sub-processor additions/changes; allow Controller to object.
- Provide reasonable assistance for data subject requests.
- Notify the Controller within 24 hours of any personal data breach.
- Delete or return data on request.
4. Controller Obligations
- Provide a valid lawful basis for processing.
- Provide all necessary notices to End Users (Customer's own privacy policy).
- Comply with sector-specific regulations (healthcare, finance, etc.).
- Meet additional conditions for special category data (e.g. professional confidentiality for health data).
- Keep system passwords and admin access secure.
5. Sub-processors (Annex 3)
| Sub-processor | Location | Purpose |
|---|---|---|
| OpenAI Inc. | USA | AI chat (GPT-4o) |
| Meta Platforms Ireland Ltd. | Ireland | WhatsApp Cloud API |
| Twilio Inc. | USA | SMS/WhatsApp legacy |
| Vercel Inc. | USA (EU edge) | Hosting |
| Supabase Inc. | EU | Database + Auth |
| Upstash Inc. | EU | Cache |
| Cloudflare Inc. | Global | DNS, email routing |
| Sentry GmbH | EU | Error monitoring |
All transfers outside the EU/UK are protected by the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum.
6. Security Measures (Annex 2)
- TLS 1.2 or higher for all data in transit
- Postgres Row Level Security for multi-tenant isolation
- Column-level access restriction on sensitive fields
- Passwords hashed with bcrypt
- Regular security audits
- Rate limiting, abuse prevention
- Encrypted backups, retained within EU
- Access logging (admin operations)
- Sentry error monitoring, with PII excluded from error reports
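The multi-tenant isolation measure above names Postgres Row Level Security without showing what it looks like. The following is an added example, not OzcenkLabs's schema or code: it builds a minimal tenant-scoped table and policy and then checks the two failure modes a reviewer would want covered (a session with no tenant bound sees nothing, and a write for a foreign tenant is rejected). The table `leads`, the column `tenant_id`, the role `app_user` and the session variable `app.tenant_id` are assumptions made for the illustration.

```sql
-- Added example (not OzcenkLabs's schema). Table, column, role and
-- session-variable names are assumptions for illustration only.
CREATE TABLE leads (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    name      text,
    phone     text,
    email     text
);

-- Seed two tenants' rows as the table owner, before RLS is switched on.
INSERT INTO leads (tenant_id, name) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Tenant A lead'),
    ('22222222-2222-2222-2222-222222222222', 'Tenant B lead');

-- The application must connect as a role that neither owns the table nor
-- is a superuser; both bypass RLS entirely.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON leads TO app_user;
GRANT USAGE, SELECT ON SEQUENCE leads_id_seq TO app_user;

ALTER TABLE leads ENABLE ROW LEVEL SECURITY;
ALTER TABLE leads FORCE ROW LEVEL SECURITY;  -- also constrain the owner

-- Every visible or written row must carry the tenant bound to the session.
-- current_setting(name, true) returns NULL instead of raising when the
-- variable is unset, so an unconfigured session matches no rows at all
-- rather than all of them (fail closed).
CREATE POLICY tenant_isolation ON leads
    FOR ALL TO app_user
    USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Checks, run as the application role.
SET ROLE app_user;

-- 1. No tenant bound: the policy predicate is NULL for every row.
SELECT count(*) FROM leads;

-- 2. Bound to tenant A: only tenant A's rows are visible.
SELECT set_config('app.tenant_id', '11111111-1111-1111-1111-111111111111', false);
SELECT name FROM leads;

-- 3. Still bound to tenant A: an INSERT carrying tenant B's id violates
--    the WITH CHECK clause and is refused.
INSERT INTO leads (tenant_id, name)
VALUES ('22222222-2222-2222-2222-222222222222', 'smuggled');

RESET ROLE;
```

Run it in a scratch database in the order given; step 1 should report zero rows, step 2 should list only the tenant A row, and step 3 should raise a row-level security policy violation. The `FORCE` line matters because Postgres exempts the table owner from RLS by default, so a migration or admin connection that owns the tables would otherwise read across tenants; binding `app.tenant_id` per request (not per pooled connection) is what ties the policy to the authenticated Customer.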
7. Data Subject Requests
OzcenkLabs assists the Controller with data subject rights requests. Requests received directly by OzcenkLabs are forwarded to the Controller without delay.
8. Data Breach Notification
Upon detection, OzcenkLabs notifies the Controller via email within 24 hours (UK GDPR Art. 33(2)). The Controller is responsible for ICO notification within 72 hours per UK GDPR Art. 33(1).
9. Audit
The Controller may, with reasonable advance notice (30 days), audit OzcenkLabs' compliance with this DPA. Independent third-party audit reports (e.g. SOC 2) may be accepted in place of an on-site audit.
10. Data Return and Deletion
Upon termination, at the Controller's choice, all personal data is deleted or returned within 90 days. Backup copies are deleted within 90 additional days.
11. Governing Law
Laws of England and Wales. UK GDPR applies; mandatory local rules (e.g. Türkiye's KVKK) also apply where relevant.
12. Acceptance
Use of the Service constitutes acceptance of this DPA. A signed copy can be requested at privacy@ozcenklabs.com.