Data Processing Addendum

1. Definitions

Capitalised terms used but not defined in this DPA have the meaning given to them in the Principal Agreement. For the purposes of this DPA, the following definitions apply. Where a term is defined in the GDPR, the UK GDPR or the KVKK, it shall have the meaning given there unless the context requires otherwise.

• "Controller" means the natural or legal person who, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Under the KVKK the corresponding role is the data controller (veri sorumlusu). The Customer is the Controller in respect of Customer Personal Data.
• "Processor" means the natural or legal person that Processes Personal Data on behalf of the Controller. Under the KVKK the corresponding role is the data processor (veri işleyen). Ercan Technology is the Processor in respect of Customer Personal Data.
• "Personal Data" means any information relating to an identified or identifiable natural person (the "Data Subject"), as defined in the GDPR and the KVKK, that is Processed by Ercan Technology on behalf of the Customer under the Principal Agreement ("Customer Personal Data").
• "Processing" (and "Process") means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, transmission, restriction, erasure or destruction.
• "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates (under the KVKK, the relevant person / ilgili kişi).
• "Sub-processor" means any third party engaged by Ercan Technology (including its affiliates) to Process Customer Personal Data on its behalf in connection with the Services.
• "Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Customer Personal Data under the Principal Agreement, including the GDPR, the UK GDPR and the KVKK, in each case as amended or replaced.
• "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, and/or the UK International Data Transfer Agreement or Addendum, as applicable to a given transfer.

2. Roles, Scope and Order of Precedence

The parties acknowledge and agree that, with regard to the Processing of Customer Personal Data, the Customer acts as the Controller and Ercan Technology acts as the Processor. Where the Customer itself acts as a processor on behalf of a third-party controller, the Customer warrants that it has the necessary authority to instruct Ercan Technology and to enter into this DPA, and Ercan Technology acts as a sub-processor of the Customer.

This DPA applies only to the Processing of Customer Personal Data by Ercan Technology as Processor. It does not apply to data that Ercan Technology Processes as a controller for its own purposes (for example, account administration, billing, security and service improvement), which is governed by our Privacy Policy. The subject-matter, duration, nature and purpose of the Processing, the categories of Personal Data and the categories of Data Subjects are described in Annex I (Section 13).

In the event of any conflict or inconsistency between this DPA and the Principal Agreement, this DPA prevails with respect to the subject-matter of data protection. In the event of any conflict between this DPA and any applicable Standard Contractual Clauses, the Standard Contractual Clauses prevail. Except as expressly modified by this DPA, the Principal Agreement remains in full force and effect.

3. Processor Obligations and Documented Instructions

Ercan Technology shall Process Customer Personal Data only on the documented instructions of the Customer, including with regard to international transfers, unless required to do so by a law to which Ercan Technology is subject. In such a case, Ercan Technology shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

The Principal Agreement, this DPA (including Annex I) and the Customer's use of the configuration options made available within the Services constitute the Customer's complete and final documented instructions for the Processing. Additional or alternative instructions must be agreed in writing. Ercan Technology shall immediately inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law, without obligation to perform a legal review of the lawfulness of the Customer's instructions.

Confidentiality of Personnel

Ercan Technology shall ensure that persons authorised to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access to Customer Personal Data is limited to those personnel who need access to perform the Principal Agreement.

4. Security of Processing (Technical and Organisational Measures)

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risks to the rights and freedoms of Data Subjects, Ercan Technology shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR and Article 12 of the KVKK. A summary of those measures is set out in Annex II (Section 14).

• Encryption of Customer Personal Data in transit using TLS, and at rest where supported by the underlying infrastructure;
• Measures to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
• Role-based access controls, the principle of least privilege, and strong authentication (including multi-factor authentication) for administrative access;
• The ability to restore the availability of and access to Customer Personal Data in a timely manner in the event of a physical or technical incident;
• A process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures;
• Logging and monitoring, vetted Sub-processors, and secure software development and change-management practices.

The Customer acknowledges that the security measures are subject to technical progress and development and that Ercan Technology may update or modify them from time to time, provided that such updates do not materially reduce the overall level of security of the Services.

5. Sub-processors

The Customer provides a general authorisation for Ercan Technology to engage Sub-processors to Process Customer Personal Data, subject to the conditions in this Section. Ercan Technology shall maintain an up-to-date list of Sub-processors and shall make that list available to the Customer on request at privacy@ercantechnology.com.

Where Ercan Technology engages a Sub-processor, it shall impose on that Sub-processor, by way of a written contract, data protection obligations that are no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Ercan Technology remains fully liable to the Customer for the performance of each Sub-processor's obligations.

Ercan Technology shall give the Customer prior notice of any intended addition or replacement of a Sub-processor, thereby giving the Customer the opportunity to object on reasonable data-protection grounds. If the Customer reasonably objects, the parties shall work together in good faith to find a mutually acceptable resolution; if no resolution is reached, the Customer may, as its sole remedy, terminate the affected part of the Services in accordance with the Principal Agreement.

6. Assistance with Data-Subject Requests

Taking into account the nature of the Processing, Ercan Technology shall assist the Customer, by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, data portability and objection (and the corresponding rights under Article 11 of the KVKK).

If Ercan Technology receives a request directly from a Data Subject relating to Customer Personal Data, it shall, unless legally prohibited, promptly notify the Customer and shall not respond to the request itself except on the documented instructions of the Customer or as required by law. To the extent permitted, Ercan Technology may direct the Data Subject to the Customer.

7. Assistance with Security, Breach Notification and DPIAs

Ercan Technology shall assist the Customer in ensuring compliance with the obligations relating to security of Processing, notification of personal data breaches to supervisory authorities and Data Subjects, and data protection impact assessments and prior consultation, under Articles 32 to 36 of the GDPR and the equivalent provisions of the KVKK, taking into account the nature of the Processing and the information available to Ercan Technology.

Personal Data Breach Notification

Ercan Technology shall notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. Such notification shall, to the extent available, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. Ercan Technology shall provide reasonable cooperation to assist the Customer in meeting its own notification obligations to supervisory authorities (including the Turkish Data Protection Authority, the KVKK Kurumu) and to affected Data Subjects, where applicable.

8. International Data Transfers

Customer Personal Data may be Processed in the United States and in other countries where Ercan Technology or its Sub-processors operate. Where such Processing involves a transfer of Customer Personal Data from the European Economic Area, the United Kingdom, Switzerland or Türkiye to a country that has not been recognised as providing an adequate level of protection, the parties shall ensure that the transfer is subject to appropriate safeguards in accordance with Applicable Data Protection Law.

• For transfers subject to the GDPR, the European Commission's Standard Contractual Clauses are hereby incorporated by reference and shall apply, with the Customer acting as data exporter and Ercan Technology as data importer;
• For transfers subject to the UK GDPR, the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs shall apply;
• For transfers of Personal Data subject to the KVKK abroad, the parties shall rely on a lawful transfer mechanism under the KVKK, including the Customer's explicit consent where required, an undertaking (taahhütname) approved by the Turkish Data Protection Authority, or standard contracts as permitted under Article 9 of the KVKK and applicable secondary legislation.

Where required, Ercan Technology shall provide reasonable assistance to the Customer in conducting any transfer impact assessment and shall implement supplementary technical and organisational measures appropriate to the transfer.

9. Audits and Information Rights

Ercan Technology shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and the equivalent provisions of Applicable Data Protection Law, and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

The Customer agrees that, to the extent available, such audit rights may first be satisfied by Ercan Technology providing relevant certifications, third-party audit reports or summaries of its technical and organisational measures. Any on-site audit shall be carried out on reasonable prior written notice, no more than once per twelve-month period (except where required by a supervisory authority or following a personal data breach), during normal business hours, subject to confidentiality obligations, and in a manner that does not unreasonably disrupt Ercan Technology's operations. The Customer shall bear its own costs and any reasonable costs incurred by Ercan Technology in supporting an on-site audit.

10. Return and Deletion of Data

Upon termination or expiry of the Principal Agreement, and at the choice of the Customer, Ercan Technology shall delete or return all Customer Personal Data to the Customer and delete existing copies, unless storage is required by a law to which Ercan Technology is subject. Where the Customer does not make a choice within a reasonable period, Ercan Technology may delete the Customer Personal Data in accordance with its standard data-retention practices.

Ercan Technology may retain Customer Personal Data to the extent and for the period required by Applicable Data Protection Law or other applicable law, provided that it continues to ensure the confidentiality and security of such data and Processes it only as necessary for the purpose specified by that law. Upon request, Ercan Technology shall certify in writing that it has complied with this Section.

11. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Principal Agreement, and any reference in the Principal Agreement to the liability of a party means the aggregate liability of that party under the Principal Agreement and this DPA together.

Nothing in this DPA limits or excludes any liability that cannot be limited or excluded under Applicable Data Protection Law, including any rights or remedies that a Data Subject may have under mandatory law. Where the SCCs apply, nothing in this Section limits a Data Subject's rights under the SCCs.

12. Term, Governing Law and Execution

This DPA takes effect on the date of the Principal Agreement (or, if later, the date this DPA is accepted or executed) and continues for as long as Ercan Technology Processes Customer Personal Data on behalf of the Customer. Provisions that by their nature should survive termination shall survive.

This DPA is governed by the laws of the State of New Mexico, USA, and the parties submit to the venue of the State of New Mexico, USA, except that the foregoing does not override (a) the governing law and jurisdiction provisions required by any applicable Standard Contractual Clauses and (b) mandatory data-protection rights and remedies that a Data Subject or the Customer enjoys under Applicable Data Protection Law (including the GDPR, UK GDPR and KVKK) in their own country, which are preserved.

This DPA is a template intended to be reviewed by your legal advisers and executed alongside the Principal Agreement. To request a counter-signed version or to discuss your specific Processing requirements, contact privacy@ercantechnology.com.

13. Annex I — Description of the Processing

Subject-matter and Duration

Subject-matter: the Processing of Customer Personal Data by Ercan Technology as necessary to provide the Services under the Principal Agreement (for example, the Forgevid AI-assisted video creation platform for content creators). Duration: for the term of the Principal Agreement, plus any period during which Customer Personal Data is retained in accordance with Section 10.

Nature and Purpose of the Processing

Nature and purpose: hosting, storage and processing of Customer Personal Data, account and user management, and provision, maintenance, security and support of the Services in accordance with the Customer's instructions. The specific operations depend on the Customer's configuration and use of the Services.

Categories of Data Subjects and Personal Data

Categories of Data Subjects (as determined by the Customer): the Customer's authorised users, employees, contractors, end users and other individuals whose Personal Data is submitted to the Services by or on behalf of the Customer.

• Identification and contact data (such as names, email addresses, usernames and account identifiers);
• Account, profile and usage data generated through use of the Services;
• Content data submitted to the Services by the Customer or its users (for example, prompts, uploaded media and generated outputs), which may incidentally contain Personal Data;
• Technical data such as IP addresses, device and log information processed in connection with providing and securing the Services.

Special categories of Personal Data: the Services are not intended for the Processing of special categories of Personal Data (sensitive data under the GDPR or KVKK). The Customer is responsible for not submitting such data unless expressly agreed in writing and subject to additional safeguards. Frequency of Processing: continuous, for the duration of the Principal Agreement.

14. Annex II — Technical and Organisational Security Measures

Ercan Technology maintains the following technical and organisational measures, which may be updated from time to time provided the overall level of security is not materially reduced. These measures supplement the security obligations described in Section 4.

• Access control: role-based access, least-privilege principles, unique user accounts, and multi-factor authentication for administrative and privileged access;
• Encryption and pseudonymisation: encryption of data in transit (TLS) and, where supported, at rest; use of pseudonymisation or minimisation where appropriate;
• Network and infrastructure security: reputable cloud infrastructure providers, firewalls, segregation of environments, and vulnerability and patch management;
• Confidentiality and integrity: confidentiality undertakings for personnel, secure software development practices, change management, and integrity controls;
• Availability and resilience: backups, redundancy where applicable, and procedures to restore availability and access to data after an incident;
• Logging and monitoring: security logging, monitoring and alerting to detect and respond to suspicious activity;
• Incident response: documented procedures for identifying, assessing, escalating and notifying personal data breaches in accordance with Section 7;
• Sub-processor management: due diligence and contractual flow-down of data-protection obligations to Sub-processors;
• Governance and testing: assignment of internal responsibility for data protection, staff awareness, and periodic testing and review of the effectiveness of these measures.