Data Processing Agreement

Effective 12 June 2026

1. Roles

This Data Processing Agreement (“DPA”) forms part of the Terms of Service. Where Solustiq processes personal data contained in your Customer Data, you are the controller and Solustiq is the processor (or, under KVKK, the data processor / “veri işleyen”).

2. Subject matter and details of processing

  • Subject matter: provision of the Resilira business continuity management Service.
  • Duration: for the term of the subscription plus the post-termination export window.
  • Nature and purpose: hosting, storing, and processing Customer Data to deliver the Service and support.
  • Data subjects: your personnel and contacts (e.g. emergency contacts, process owners, responders).
  • Categories of data: identification and contact details, job role/department, and continuity-programme content you choose to enter.

3. Processing on instructions

We process personal data only on your documented instructions, including as set out in the Terms and this DPA, unless required to do otherwise by law (in which case we will inform you where legally permitted).

4. Confidentiality and security

We ensure that personnel authorised to process Customer Data are bound by confidentiality, and we implement appropriate technical and organisational measures (as described in our Privacy Policy and Security page), including encryption, tenant isolation, access control and audit logging.

5. Subprocessors

You authorise us to engage the subprocessors listed on our Subprocessors page (for hosting, email, payments and AI). We impose data-protection obligations on subprocessors no less protective than this DPA and remain responsible for their performance. We will give notice of intended changes so you may object on reasonable grounds.

6. International transfers

Where processing involves transfers outside the EEA or Türkiye, we rely on appropriate safeguards such as the Standard Contractual Clauses and equivalent KVKK mechanisms.

7. Assistance, breach notice and audits

  • We assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your security, breach-notification and impact-assessment obligations.
  • We notify you without undue delay after becoming aware of a personal-data breach affecting Customer Data.
  • We make available information necessary to demonstrate compliance and allow for reasonable audits, subject to confidentiality.

8. Return and deletion

On termination, we delete or return Customer Data at your choice after the export window, except where storage is required by law. A counsel-reviewed, signable DPA is available for Business and Enterprise customers on request.

This document is provided for transparency at launch and does not constitute legal advice. Solustiq reviews these terms with qualified counsel; for a signed, negotiated version (e.g. DPA or Enterprise agreement) contact legal@resilira.com.