Last Updated: December 12, 2024

Data Processing Agreement (DPA)

KVKK/GDPR Compliant

Important Notice

This agreement governs the data processing relationship between businesses using the Captivo platform (Data Controller) and Captivo (Data Processor). It is prepared under KVKK Art. 12 and GDPR Art. 28.

1. Parties and Definitions

Data Controller (Tenant): The business or organization that provides guest WiFi service using the Captivo platform.

Data Processor (Captivo): The platform provider that processes personal data on behalf of the Data Controller.

Data Subject: The guest WiFi users whose personal data is processed.

2. Personal Data Processed

Categories of personal data processed under this agreement:

  • Phone number (mandatory)
  • First and last name (optional, depending on portal settings)
  • Email address (optional, depending on portal settings)
  • MAC address (device identification)
  • IP address (session information)
  • Connection durations and data usage

3. Purposes of Processing

Personal data is processed only for the following purposes:

  • Providing guest WiFi access service
  • User authentication
  • Fulfilling legal obligations under Law No. 5651
  • Service quality and security monitoring

4. Legal Basis

Personal data is processed under KVKK Art. 5/2-c (performance of a contract), Art. 5/2-ç (legal obligation) and Art. 5/1 (explicit consent).

5. Data Security Measures

Captivo applies the following technical and administrative measures:

  • At-rest data protection with AES-256-GCM encryption
  • In-transit data encryption with TLS 1.3
  • Role-based access control (RBAC)
  • Personal data masked by default
  • Comprehensive audit logging
  • Automatic data anonymization and deletion mechanisms

6. Retention Period

Personal data is retained for a minimum of 2 years under Law No. 5651. At the end of this period, data is automatically anonymized or deleted.

7. Obligations of the Data Controller

Important: The following obligations belong to the Data Controller (Tenant):

  • Obtaining explicit consent from guests
  • Fulfilling the KVKK duty to inform
  • Managing panel access permissions
  • VERBİS notification (if required)
  • Responding to data subject requests

8. Panel Access Obligation

Critical Clause

"The Tenant is obliged to ensure that only authorized personnel access the personal data displayed through the Captivo.io panel, and to audit such access. Legal liabilities that may arise from enabling the unmasked data display setting belong to the Tenant."

9. Unmasked Report Export

Critical Clause

"Exporting unmasked reports is a feature deliberately enabled by the Tenant. All legal liability arising from the use, storage and sharing of these reports with third parties belongs to the Tenant."

By default, all reports (CSV, Excel, PDF) contain personal data in masked form. The unmasked report feature can only be enabled by users with the Tenant Owner/Admin role, with explicit consent. Every unmasked report export is recorded in the audit log.

10. Sub-Processors

Captivo may use the following sub-processors to provide the service:

  • Cloud infrastructure providers (server hosting)
  • SMS gateway providers (for SMS verification)
  • Email service providers (for email verification)

All sub-processors are subject to data protection obligations at least at the level of this agreement.

11. Data Subject Rights

Guest WiFi users may apply to the Data Controller (Tenant) to exercise their rights under KVKK Art. 11. Captivo provides technical support to the Data Controller in responding to these requests.

Rights supported through the platform:

  • Data portability (export in JSON format)
  • Right to erasure (right to be forgotten)
  • Right to rectification

12. Data Breach Notification

In the event of a possible data breach, Captivo notifies the Data Controller within 24 hours at the latest. Notifying the Personal Data Protection Authority and the data subjects is the responsibility of the Data Controller.

13. Term and Termination

This agreement is valid for as long as Captivo services are used. When the service is terminated, all personal data is deleted or returned upon the Data Controller's request (without prejudice to statutory retention periods).

14. Governing Law

This agreement is governed by the laws of the Republic of Turkey. The Courts and Enforcement Offices of Istanbul have jurisdiction over disputes.

Acceptance of the Agreement

By registering for the Captivo platform and using the service, you are deemed to have accepted this Data Processing Agreement. The agreement is effective from the date of registration.

For questions about this agreement: legal@captivo.io