This Data Processing Agreement ("DPA") applies between Madar AI (operated by Zyrix Global Technologies, Istanbul) and Enterprise customers whose use of the service involves Madar processing personal data on the customer's behalf. It supplements the Terms of Service, follows the GDPR Art. 28 / KVKK / PDPL structure, and is the document we sign as part of every Enterprise contract.
1. Scope and roles
Customer is the Data Controller. Madar is the Data Processor. Madar processes Personal Data only on documented Customer instructions, which are set in the Order Form, the product configuration, and this DPA. We do not sell, share, or otherwise disclose Personal Data to third parties except as required to deliver the service or by law.
2. Subject matter, duration, nature
Subject matter: provision of the Madar AI growth platform. Nature and purpose: hosted analysis of the Customer's mobile-app growth data to produce audits, forecasts, briefings, and autonomous-action proposals — all gated by Customer-approved actions before any external system is touched. Duration: the lifetime of the Customer subscription plus the 30-day post-cancellation retention window. Type of data: business-account metrics, ad-platform spend and creative metadata, attribution events, subscription/billing data, and the contact details of the Customer's authorised users. We do not process special-category data and we do not process end-user identifiers from the Customer's app users.
3. Obligations of Madar
We ensure persons authorised to process Personal Data are bound by confidentiality. We implement the technical and organisational measures listed in our /security page (encryption in transit and at rest, least-privilege access controls, audit logging, vulnerability management, incident response). We assist the Customer in responding to data-subject requests and in meeting the Customer's own obligations under GDPR Art. 32–36 / KVKK / PDPL.
4. Sub-processors
We use a small, fixed list of sub-processors to deliver the service (currently: AWS for hosting, Cloudflare for edge and DNS, Resend for transactional email, Supabase for managed Postgres, Anthropic for the underlying LLM where the product invokes it). The current list with addresses and processing purposes is published at /legal/dpa/sub-processors. We will notify Customer by email at least 30 days before adding or replacing any sub-processor, and Customer may object on reasonable grounds in writing; if we cannot accommodate the objection, the Customer may terminate the affected service without penalty.
5. International transfers
Primary processing is in EU-West-2 (London) with a US fail-over for resilience. KSA/UAE in-region processing is available on request for Enterprise customers (additional 4–6 weeks to provision). Where transfers leave the EU/UK, we rely on the EU Standard Contractual Clauses (2021/914) supplemented by the UK Addendum, and Türkiye binding corporate rules under KVKK; for KSA we rely on PDPL-authorised cross-border-transfer mechanisms once the in-region option is provisioned.
6. Security measures
Encryption: TLS 1.2+ in transit; AES-256 at rest for databases and backups. Access: SSO + 2FA mandatory for all Madar staff; least-privilege role-based access; quarterly access reviews. Logging: append-only audit logs of all access to Customer data, retained 13 months. Vulnerability management: continuous dependency scanning, third-party pen test annually (next: Q4 2026). Incident response: 24/7 on-call rotation; documented runbook; tabletop exercise twice per year. Full technical posture and roadmap on /security and /trust.
7. Data-subject rights assistance
For any data-subject request (access, rectification, erasure, portability, restriction, objection) that reaches the Customer about its own end-users' or its own staff's data held in Madar, we will, on Customer instruction, provide the technical means to export or delete that data within 30 days. We do not respond directly to the Customer's data subjects; the Customer remains the Controller.
8. Breach notification
We notify Customer of any Personal Data Breach without undue delay and in any event within 72 hours of becoming aware. Notification includes the nature of the breach, categories and approximate number of data subjects and records concerned, the contact point of the Data Protection Officer, the likely consequences, and the measures taken or proposed to address it. We assist Customer in fulfilling its own notification obligations to supervisory authorities and affected data subjects.
9. Audit rights
Customer may audit Madar's compliance with this DPA on reasonable prior notice (minimum 30 days), no more than once per year except in case of a confirmed Personal Data Breach. In practice, we satisfy most audits with our annual third-party report (SOC 2 Type II once available) plus a written response to the Customer's questionnaire. On-site audits are available for Enterprise customers at Customer's cost.
10. Return and deletion of data
On termination or expiry of the subscription, Customer may export all Personal Data via the dashboard's one-click export (CSV + JSON) at any time during the 30-day retention window. After the window, we permanently delete Personal Data from production systems within 7 days; encrypted backups age out on their normal rotation (90 days maximum). On request we will provide a written deletion certificate.
11. Liability and governing law
Liability under this DPA is governed by the limitation-of-liability clause in the Terms of Service. The DPA is governed by the laws of Türkiye; disputes that cannot be resolved by good-faith negotiation are submitted to the courts of Istanbul. Nothing in this DPA limits any data subject's rights under applicable data-protection law.
12. Signature and execution
This DPA is executed as part of the Enterprise Order Form. The signed Order Form, the Terms of Service, this DPA, and the /security page together form the complete data-protection contract between the parties. To request a signed PDF copy or to start the contract conversation, email enterprise@madarai.co with your company name and jurisdiction.
Need a signed DPA?
Enterprise contracts include the signed DPA. Email the contracts team and we send the PDF within one business day
enterprise@madarai.co →