This Data Processing Agreement ("DPA") governs the processing of personal data by MarineFlux (as Data Processor) on behalf of its customers (as Data Controllers). When you become a customer, this DPA forms part of your service agreement (the Terms of Use). It reflects the requirements of GDPR Art. 28, UK GDPR, KVKK m.8/m.9, and LGPD Art. 39.
"MarineFlux" means Emre Can Yenikan, trading as "Ballast Yazılım ve Teknoloji" (sole proprietorship, Türkiye); "Customer" means the company that subscribes to the Service. Capitalised terms not defined here have the meaning given in the Terms of Use.
Current DPA version: 1.0.0. This DPA incorporates, by reference, the EU 2021 Standard Contractual Clauses (Module 2, controller-to-processor), the UK IDTA addendum, the Swiss FDPIC addendum, and the KVKK Standart Sözleşme, applied according to the source of the data (Section 8).
1. Roles of the Parties
The Customer is the Data Controller and determines the purposes and means of processing the personal data contained in its Customer Content. MarineFlux is the Data Processor and processes that personal data only on the Customer's documented instructions (including those given through the configuration and ordinary use of the Service), except where required by law. MarineFlux will inform the Customer if, in its opinion, an instruction infringes applicable data-protection law.
2. Subject Matter, Duration, and Purpose
MarineFlux processes personal data for the duration of the Customer's service agreement, plus the retention and deletion periods in Section 9, for the sole purpose of providing and supporting the Service — operating the procurement Agent, sourcing suppliers, exchanging RFQ and order communications, parsing and validating documents, and the related functions described in the Terms of Use and Privacy Policy.
3. Categories of Data and Data Subjects
- Data subjects: the Customer's Authorised Users; and supplier representatives whose business-contact details appear in communications and documents exchanged through the Service.
- Categories of personal data: account and contact data (name, work email, company, role); operational data (RFQ, quotation, order, vessel, and document data, which may contain third-party business-contact details); and technical data (IP, device, log, and event data). The Customer must not submit special categories of personal data through the Service.
4. Sub-Processor List
The Customer authorises MarineFlux to engage the sub-processors below. MarineFlux imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA and remains responsible for their performance.
| Sub-processor | Service | Location |
|---|---|---|
| Google LLC (Firebase) | Database, authentication, storage | United States and/or European Union |
| Vercel Inc. | Hosting (fra1, Frankfurt), analytics | European Union |
| Anthropic PBC | AI processing (the Agent) | United States |
| Twilio Inc. (SendGrid) | Outbound and inbound email | United States |
MarineFlux will give the Customer at least 30 days' prior notice before adding or replacing a sub-processor (by email to the Customer's primary contact and by updating this list). The Customer may object on reasonable, data-protection grounds within that period; if the parties cannot resolve the objection, the Customer may terminate the affected part of the Service per Section 9.
5. Security Measures (Annex II)
MarineFlux applies technical and organisational measures appropriate to the risk, including: encryption of data in transit (TLS) and at rest; role-based access control and authentication; least-privilege access and segregation of environments; logging and monitoring; secure software-development practices; and contractual confidentiality obligations on personnel and sub-processors. These measures may be updated to keep pace with evolving risk, provided the level of protection is not reduced.
6. Breach Notification Timeline
MarineFlux will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting the Customer's data, and will provide the information reasonably available to help the Customer meet its own notification obligations, together with the steps taken to address and mitigate the breach.
7. Audit Rights
On reasonable prior written notice and no more than once per year (except where required by a supervisory authority or following a breach), MarineFlux will make available the information necessary to demonstrate compliance with this DPA and allow for and contribute to a reasonable audit, subject to confidentiality and to minimising disruption. MarineFlux may satisfy an audit request by providing an independent third-party report (for example a SOC 2 report) where available.
8. International Transfers
Where MarineFlux transfers Customer personal data across a border, it relies on the mechanism required by the source jurisdiction: the EU 2021 Standard Contractual Clauses (Module 2) for transfers from the EEA; the UK IDTA addendum for UK transfers; the Swiss FDPIC-recognised SCCs for Swiss transfers; and a KVKK Standart Sözleşme, notified to the KVKK Authority within 5 business days, for transfers of Turkish-source data. These clauses are incorporated into this DPA by reference, with MarineFlux as data importer and the Customer as data exporter where applicable, and supplemented by the technical measures in Section 5.
9. End of Contract — Data Deletion and Return
On termination or expiry of the service agreement, the Customer has a 30-day window to export its Customer Content. After that window, MarineFlux deletes or returns the personal data, except where retention is required by law (for example, tax and accounting records, and pseudonymised consent-evidence retained for legal-claim defence — see the retention periods in our Privacy Policy).
For a fully executed copy of this DPA, contact info@marineflux.com.