Data Processing Agreement
Effective date: June 24, 2026
1. Scope and Applicability
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between TeleRadar (“Processor”) and the Customer (“Controller”). It applies whenever TeleRadar processes Personal Data on behalf of the Customer in connection with the Service.
This DPA is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), the Turkish Personal Data Protection Law (KVKK), the California Consumer Privacy Act (CCPA), and the UK Data Protection Act 2018.
2. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person that is processed by TeleRadar on behalf of the Customer through the Service.
“Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
“Sub-processor” means any third party engaged by TeleRadar to process Personal Data on behalf of the Customer. The current list is maintained at teleradar.org/subprocessors.
3. Roles of the Parties
The Customer acts as the Controller (or, where applicable, the Business under CCPA) and determines the purposes and means of processing. TeleRadar acts as the Processor (or Service Provider under CCPA) and processes Personal Data only on behalf of and in accordance with the Customer’s documented instructions.
4. Processing Instructions
TeleRadar will process Personal Data only in accordance with the Customer’s documented instructions, including with regard to transfers of data to a third country, unless required to do so by applicable law. In such a case, TeleRadar will inform the Customer of that legal requirement before processing, unless the law prohibits such notification.
The subject matter, duration, nature, and purpose of processing, as well as the categories of data subjects and types of Personal Data, are described in Annex 1 of this DPA (available upon request).
5. Sub-processing
The Customer provides general written authorization for TeleRadar to engage sub-processors. TeleRadar maintains a current list of sub-processors at teleradar.org/subprocessors.
TeleRadar will notify the Customer at least 30 days before adding or replacing a sub-processor. If the Customer objects to a new sub-processor on reasonable data protection grounds, the Customer may terminate the affected Service component without penalty within 30 days of the notification.
TeleRadar imposes the same data protection obligations on each sub-processor as set out in this DPA through a written contract.
6. Data Security
TeleRadar implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
- AES-256-GCM encryption at rest with per-tenant key isolation
- TLS 1.3 encryption for all data in transit
- Multi-factor authentication for all operator and administrative access
- Role-based access control with least-privilege principles
- Continuous monitoring, anomaly detection, and audit logging
- 90-day key rotation cycle with HSM-rooted key management
A detailed overview of security controls is available at teleradar.org/security.
7. Data Subject Requests
TeleRadar will assist the Customer in responding to data subject requests (access, rectification, erasure, restriction, portability, and objection) by providing appropriate technical and organizational measures, insofar as this is possible.
If TeleRadar receives a data subject request directly, TeleRadar will promptly redirect the individual to the Customer, unless legally prohibited from doing so.
8. Data Breach Notification
TeleRadar will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification will include:
- A description of the nature of the breach, including categories and approximate number of data subjects affected
- The name and contact details of the point of contact for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
9. Data Protection Impact Assessments
TeleRadar will provide reasonable assistance to the Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, where required under applicable data protection law, taking into account the nature of processing and the information available to TeleRadar.
10. International Transfers
TeleRadar processes data in Turkey (TR), the United States (US), and the European Union (EU). For transfers outside the EEA or Turkey, TeleRadar relies on:
- EU Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914
- UK International Data Transfer Agreement (IDTA) where applicable
- Adequacy decisions where available
Copies of the executed SCCs are available upon request from privacy@teleradar.org.
11. Audit Rights
TeleRadar will make available to the Customer all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer.
Audit requests must be submitted with at least 30 days’ written notice and shall be conducted during normal business hours, no more than once per year, unless a regulatory authority or data breach requires additional audits.
12. Deletion and Return of Data
Upon termination of the Service, TeleRadar will, at the Customer’s choice, delete or return all Personal Data within 30 days, unless applicable law requires continued storage. TeleRadar will certify the deletion in writing upon request.
13. Term and Termination
This DPA takes effect upon the Customer’s acceptance of the Terms of Service and remains in effect for as long as TeleRadar processes Personal Data on behalf of the Customer. The obligations imposed by this DPA survive termination of the agreement to the extent necessary to protect Personal Data.
DPA Inquiries
For questions about this DPA or to request a signed copy, contact privacy@teleradar.org.