Data Processing Agreement

Last updated: 22 January 2026

This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions (“Agreement”) between:

Navlo Teknoloji Limited Şirketi (“Processor”)

and

the Customer / User (“Controller”)

(together referred to as the “Parties”).

1. Purpose and Scope

This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Navlo platform (“Service”).

The Parties agree that:

  • The Controller determines the purposes and means of processing Personal Data
  • The Processor processes Personal Data solely on behalf of the Controller

This DPA is designed to comply with:

  • Article 28 of the GDPR
  • Applicable KVKK requirements (where relevant)

2. Definitions

  • “Personal Data”: Any information relating to an identified or identifiable natural person
  • “Processing”: Any operation performed on Personal Data
  • “Data Subject”: The individual to whom the Personal Data relates
  • “Sub-processor”: Any third party engaged by the Processor
  • “Supervisory Authority”: Relevant data protection authority

3. Nature and Purpose of Processing

3.1 Nature of Processing

Processing includes:

  • Collection
  • Storage
  • Structuring
  • Retrieval
  • Analysis
  • Transmission

3.2 Purpose of Processing

Personal Data is processed solely for:

  • Providing shipment tracking services
  • Enabling analytics and reporting
  • Supporting platform functionality

4. Categories of Data and Data Subjects

4.1 Categories of Personal Data

May include:

  • Name
  • Email address
  • Phone number
  • Company-related identifiers
  • Shipment-related information (if containing personal data)

4.2 Categories of Data Subjects

  • Customer employees
  • Logistics stakeholders
  • Third parties included in shipment data

5. Processor Obligations

Navlo, as Processor, shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures (TOMs)
  • Assist the Controller in fulfilling data subject rights
  • Assist with GDPR compliance obligations (e.g., DPIA, breach notification)

6. Security Measures

Navlo shall implement industry-standard security measures, including:

  • Encryption (in transit and at rest where applicable)
  • Role-based access control (RBAC)
  • Logging and monitoring systems
  • Infrastructure security (cloud-based protection)

Navlo shall regularly review and update such measures.

7. Sub-processors

The Controller authorizes Navlo to engage Sub-processors.

Navlo shall:

  • Ensure Sub-processors are bound by equivalent data protection obligations
  • Maintain a list of Sub-processors
  • Notify the Controller of material changes

The Controller may object to new Sub-processors on reasonable grounds.

8. International Data Transfers

Where Personal Data is transferred outside the EEA or Türkiye, Navlo shall ensure appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs)
  • Secure transfer protocols
  • Compliance with applicable regulations

9. Data Subject Rights

Navlo shall assist the Controller in responding to requests related to:

  • Access
  • Rectification
  • Erasure
  • Restriction
  • Data portability

Navlo shall not respond directly unless instructed by the Controller.

10. Data Breach Notification

In the event of a Personal Data Breach, Navlo shall:

  • Notify the Controller without undue delay
  • Provide relevant details regarding the breach
  • Assist in mitigation and compliance

11. Data Retention and Deletion

Upon termination of the Agreement:

  • Personal Data shall be deleted or returned to the Controller, unless retention is required by law

Backup data may be retained temporarily under secure conditions.

12. Audit Rights

The Controller may request information necessary to demonstrate compliance.

Navlo may:

  • Provide documentation, certifications, or audit reports
  • Limit audits to reasonable frequency and scope

13. Liability

Each Party’s liability shall be subject to the limitations set forth in the main Agreement.

14. Governing Law

This DPA shall be governed by:

  • GDPR (where applicable)
  • Laws of the Republic of Türkiye

15. Order of Precedence

In case of conflict:

  1. This DPA
  2. Terms and Conditions
  3. Other agreements

Annex I — Processing Details

Subject Matter:

Provision of shipment tracking and analytics platform

Duration:

For the duration of the Agreement

Nature & Purpose:

Processing required to deliver SaaS logistics services

Categories of Data:

Basic identification and operational shipment data

Data Subjects:

Users, employees, logistics stakeholders

Annex II — Technical and Organizational Measures (TOMs)

  • Data encryption (TLS/HTTPS)
  • Access control (role-based permissions)
  • Secure cloud infrastructure
  • Regular security updates
  • Monitoring and anomaly detection
  • Backup and disaster recovery mechanisms