Data Processing Agreement (DPA) Summary
Last updated: July 2, 2026
This summary explains, for our corporate customers, how we process tenant data on the CarbonTrex platform. The processing of corporate customer data is governed by a Data Processing Agreement (DPA), which forms an integral part of the service agreement. The DPA becomes binding on the parties before processing begins, by way of electronic acceptance, the master agreement or a written addendum.
1. Parties and Roles
The corporate customer is the data controller for the tenant data it uploads. Opsida Teknoloji Yazılım Bilgisayar ve Danışmanlık Ltd. Şti., which operates CarbonTrex, acts as data processor, processing such data solely on the customer's behalf and per its instructions.
2. Subject and Duration
Processing is limited to providing the contracted services (emission calculation, reporting, archiving) for the duration of the service agreement, and ends upon its termination.
The DPA sets out the subject matter and duration of processing, its nature and purpose, the types of personal data, the categories of data subjects, the customer's rights and obligations, a confidentiality undertaking, technical and organisational measures, a general written authorisation for sub-processors together with an objection mechanism, assistance with data-subject requests and with the security obligations under the GDPR/KVKK, audit and information provision, notice of unlawful instructions, and provisions on deletion/return at the end of the agreement.
3. Processing Instructions
The processor processes tenant data only per the customer's documented instructions and as required to deliver the service; it does not use the data for its own purposes or sell it to third parties.
4. Sub-processors
- Supabase — hosting and database (infrastructure: AWS, eu-central-1 / EU)
- Vercel — application hosting
The customer is notified a reasonable time in advance before a new sub-processor is added.
5. Security Measures
- Encryption in transit and at rest (TLS / at-rest)
- Per-tenant access isolation (Row Level Security)
- Role-based authorization and access logging
- Regular backups
6. International Transfers
Data is hosted in the European Union (Frankfurt) region. For KVKK purposes, regular transfers from Türkiye to infrastructure providers in the EU are made under KVKK standard contractual clauses or other appropriate safeguards, absent an adequacy decision. Where the GDPR applies, any transfer from the EEA to Türkiye or to other third countries is subject to the EU Standard Contractual Clauses and any transfer impact assessments required.
7. Breach Notification
Upon detecting a personal data breach, the processor notifies the customer without undue delay and provides reasonable assistance to mitigate its effects.
8. Deletion / Return on Termination
After termination, tenant data is, at the customer's choice, returned or deleted/anonymized, subject to any statutory retention obligations.
9. Contact
For a binding DPA or any questions, please contact info@carbontrex.com.