DATA PROCESSING AGREEMENT
Effective Date: Jan 6, 2026
This Data Processing Agreement (“DPA”) supplements the TakeCab Privacy Policy and Terms of Service for GDPR compliance.
1. Definitions
Controller: Your organization (the healthcare provider using TakeCab)
Processor: TakeCab Platform
Personal Data: Patient information you input into the platform
Processing: Any operation performed on personal data
Sub-processor: Third-party services we use (hosting, analytics)
Contact:
Address: Zümrütova, Sinanoğlu Cd. No:53A, Muratpaşa/Antalya, Türkiye
Email: smile@antlaradental.com
Phone: +90 530 202 68 68
2. Scope and Roles
Your Role (Controller):
- You determine purposes and means of processing
- You are responsible for legal basis of data collection
- You must inform patients about data processing
- You control data retention and deletion
Our Role (Processor):
- We process data only per your instructions
- We implement appropriate security measures
- We assist with data subject requests
- We notify you of data breaches
3. Data Processing Instructions
We process personal data only to:
- Provide platform services as described in Terms
- Maintain and improve platform functionality
- Provide customer support
- Comply with legal obligations
- Prevent fraud and ensure security
No Additional Processing: We will not process data for our own purposes or share with third parties without your consent.
4. Security Measures
Technical Safeguards:
- 256-bit SSL/TLS encryption in transit
- AES-256 encryption at rest
- Multi-factor authentication options
- Regular security audits and penetration testing
- Intrusion detection and prevention systems
Organizational Safeguards:
- Employee confidentiality agreements
- Role-based access controls
- Security awareness training
- Incident response procedures
- Business continuity and disaster recovery plans
5. Sub-Processors
Current Sub-Processors:
| Service Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting | EU (Frankfurt) |
| Google Cloud Platform | Analytics, Maps | EU |
| Stripe | Payment processing | EU/US |
| Intercom | Customer support | EU/US |
| Cloudflare | CDN, Security | Global |
Sub-Processor Changes:
- We will notify you 30 days before adding new sub-processors
- You may object within 14 days
- If objection cannot be accommodated, you may terminate subscription
6. Data Subject Rights
We will assist you in responding to data subject requests:
Access Requests: Provide data export within 48 hours
Rectification: Enable real-time data corrections
Erasure: Delete data within 30 days of request
Portability: Provide data in machine-readable format
Objection: Restrict processing as instructed
Your Responsibility: Verify identity of data subjects before requests are fulfilled.
7. Data Breach Notification
Our Commitment:
- Notify you within 24 hours of discovering a breach
- Provide details: nature, affected data, likely consequences
- Describe measures taken and proposed mitigation
- Cooperate with your breach investigation
- Document all breaches for regulatory compliance
Your Responsibility:
- Assess whether to notify supervisory authorities (within 72 hours per GDPR)
- Notify affected data subjects if high risk exists
- Determine additional mitigation measures
8. Data Transfers
International Transfers:
- Data is primarily stored in EU data centers (AWS Frankfurt)
- Transfers outside EU use Standard Contractual Clauses (SCCs)
- Encryption applied to all transfers
- Transfer impact assessments conducted
Data Residency Options:
- Enterprise customers can request specific data regions
- Additional costs may apply for dedicated hosting
9. Audits and Compliance
Your Audit Rights:
- Request information about our security measures
- Conduct audits with 30 days' advance notice
- Review sub-processor compliance documentation
- Costs: Reasonable audit costs borne by you
Our Certifications:
- ISO 27001 (Information Security Management)
- SOC 2 Type II (Security, Availability, Confidentiality)
- GDPR Compliance Certification
10. Data Retention and Deletion
During Subscription:
- Data retained per your instructions
- You control retention periods
- Backups retained for 90 days
Post-Termination:
- Active data: 30 days (for export)
- Archived data: 60 days
- Permanent deletion: Day 60
Legal Hold: Data retained longer if required by law or litigation.
11. Liability and Indemnification
Our Liability:
- Limited to direct damages caused by our breach of this DPA
- Maximum liability: 12 months of fees paid
- No liability for issues outside our reasonable control
Your Indemnification:
- You indemnify us against claims arising from your data processing instructions
- You ensure lawful basis for data collection exists
12. Term and Termination
Duration: This DPA remains in effect while you use TakeCab services.
Termination:
- Automatically terminates when subscription ends
- You may terminate for material DPA breach with 30 days' notice
- Data deletion procedures apply upon termination
13. Amendments
We may update this DPA to reflect:
- Changes in data protection laws
- New security measures
- Sub-processor changes
- Service improvements
Notice: 60 days' advance notice for material changes.
14. Governing Law
This DPA is governed by:
- GDPR (EU General Data Protection Regulation)
- Turkish Data Protection Law (KVKK)
- Local healthcare data regulations
Dispute Resolution: Courts of Antalya, Turkey.
15. Contact for DPA Matters
TakeCab Data Protection Officer
Address: Zümrütova, Sinanoğlu Cd. No:53A, Muratpaşa/Antalya, Türkiye
Email: smile@antlaradental.com
Phone: +90 530 202 68 68
For urgent data breach notifications, call: +90 530 202-6868
