# Data Processing Agreement (DPA)

**Version 2 · Effective 2026-05-01**
**Between BestPeopleDo (Processor) and the School (Controller)**

> Changes from v1: Annex I now lists "internal product-telemetry events"
> as a category of processing, with explicit hashed-identifier and
> 90-day-retention disclosures. No other clauses changed.

This Data Processing Agreement ("**DPA**") forms part of the BestPeopleDo
B2B Schools Agreement and applies whenever the School ("**Controller**")
makes BestPeopleDo ("**Processor**") process personal data on its behalf
under the EU General Data Protection Regulation 2016/679 ("**GDPR**"),
the UK GDPR, and Türkiye's KVKK (Law 6698) where applicable.

This is a template. Square-bracketed values must be completed before
signature.

---

## 1. Parties

**Controller:** [School Legal Name], registered at [School Address]
("**School**" / "**Controller**").

**Processor:** MEC Eğitim Danışmanlık Hizmetleri Ltd. Şti., trading as
**BestPeopleDo**, Kestel Plaza No:2-4 D:5, Ataşehir, İstanbul 34636,
Türkiye ("**BestPeopleDo**" / "**Processor**").

## 2. Subject matter & duration

The Processor processes the personal data described in **Annex I** on
behalf of the Controller solely to provide the Services agreed in the
B2B Schools Agreement. Processing continues for the term of that
agreement plus the deletion / return period set out in §11.

## 3. Nature & purpose of processing

BestPeopleDo provides school-discovery, family-matching, lead-routing,
and verified profile services. Processing is limited to:

- delivering verified school information to families;
- routing inbound family inquiries from BestPeopleDo to the School's
  designated admissions contact(s);
- generating non-personalised performance reports for the School about
  inquiry volume, geography, and stage progression;
- providing the School-admin dashboard, including any uploaded images,
  programme details, and tuition information.

Processing for any other purpose, including marketing or product
analytics about identifiable families, requires the Controller's prior
written instruction.

## 4. Categories of data subjects & personal data

See **Annex I**.

## 5. Controller obligations

The Controller warrants that it has a lawful basis for any personal data
it provides to the Processor, that it has issued the disclosures required
under Articles 13–14 GDPR, and that it has the authority to instruct the
Processor as set out in this DPA.

## 6. Processor obligations

The Processor shall:

- (a) process personal data only on documented instructions from the
  Controller, including with regard to international transfers (§9),
  unless required to do otherwise by EU, UK, or Türkiye law, in which
  case the Processor will inform the Controller before processing,
  unless prohibited by that law;
- (b) ensure that personnel authorised to process the personal data
  have committed themselves to confidentiality or are under an
  appropriate statutory obligation of confidentiality;
- (c) implement the technical and organisational measures set out in
  **Annex II** ("**TOMs**");
- (d) respect the conditions in §8 for engaging sub-processors;
- (e) assist the Controller, taking into account the nature of the
  processing, with appropriate technical and organisational measures
  insofar as possible, to fulfil the Controller's obligation to respond
  to data-subject requests;
- (f) assist the Controller in ensuring compliance with the obligations
  pursuant to Articles 32–36 GDPR, taking into account the nature of
  processing and the information available to the Processor;
- (g) at the choice of the Controller, delete or return all personal
  data to the Controller after the end of provision of services
  relating to processing, and delete existing copies unless EU, UK, or
  Türkiye law requires storage of the personal data;
- (h) make available to the Controller all information necessary to
  demonstrate compliance with this DPA and allow for and contribute to
  audits, including inspections, conducted by the Controller or another
  auditor mandated by the Controller, subject to §10.

## 7. Personal data breaches

The Processor will notify the Controller without undue delay and in any
event within **48 hours** of becoming aware of a personal data breach
affecting Controller data, so that the Controller can meet its own
72-hour deadline for notifying the supervisory authority under Article
33(1) GDPR. Notice will include the information specified in Article
33(3) GDPR to the extent then known (nature of the breach, categories and
approximate numbers of data subjects and records concerned, a contact
point, likely consequences, and measures taken or proposed), and the
Processor will provide updates as further information becomes available.

## 8. Sub-processors

The Controller authorises the Processor to engage the sub-processors
listed in **Annex III**. The Processor will inform the Controller in
advance of any addition or replacement of sub-processors, giving the
Controller the opportunity to object on reasonable data-protection
grounds within 14 days. Where the Controller objects, the parties will
work in good faith to reach an alternative arrangement; failing that,
either party may terminate the affected services without penalty.

The Processor will impose on each sub-processor the same data-protection
obligations as set out in this DPA, in particular providing sufficient
guarantees to implement appropriate technical and organisational
measures.

## 9. International transfers

Where personal data is transferred outside the EEA, UK, or Türkiye, the
parties rely on:

- (a) the European Commission's Standard Contractual Clauses (SCCs)
  adopted by Implementing Decision (EU) 2021/914, Module 2
  (Controller-to-Processor) or Module 3 (Processor-to-Processor) as
  applicable and as updated, hereby incorporated by reference;
- (b) the UK International Data Transfer Addendum where UK personal
  data is transferred;
- (c) any successor mechanism approved by the relevant authority;
- (d) for Türkiye-to-third-country transfers, a mechanism permitted
  under KVKK Article 9, including, where applicable, KVKK Board
  approval.

The Processor will implement supplementary measures including
encryption in transit and at rest, role-based access controls, and
documented sub-processor due diligence.

## 10. Audits

The Controller may, no more than once per calendar year and on at least
30 days' written notice, conduct an audit at the Processor's expense
limited to documents, policies, and records reasonably necessary to
verify compliance with this DPA. On-site audits at production
infrastructure are not permitted; the Processor may meet audit requests
by providing the Controller with current third-party audit reports
(e.g., SOC 2, ISO 27001) and written responses. Auditors must enter a
confidentiality agreement before reviewing materials.

## 11. Deletion or return

On termination of the B2B Schools Agreement, the Controller will choose
whether the Processor returns the personal data in a commonly used
format or deletes it. Unless instructed otherwise within 30 days of
termination, the Processor will delete the personal data within 60 days
of termination, except where retention is required by law (e.g.,
financial records under Turkish Tax Procedure Law) — those records will
remain subject to the obligations of this DPA until securely erased.

## 12. Term & survival

This DPA is effective on the same date as the B2B Schools Agreement and
remains in force for as long as the Processor processes personal data
on behalf of the Controller. Sections 7, 10, 11, 12, and 13 survive
termination.

## 13. Governing law & venue

This DPA is governed by the law governing the B2B Schools Agreement.
Where it concerns processing of EU-resident data, the GDPR applies and
the supervisory authority of the Controller's main establishment has
jurisdiction. Where it concerns Türkiye-resident data, KVKK applies and
the Personal Data Protection Authority of Türkiye has jurisdiction.

---

## Annex I — Description of Processing

| Item | Detail |
|---|---|
| **Categories of data subjects** | Parents and guardians submitting inquiries; their children (where the parent provides the child's name, age, grade); School-admin users uploading or maintaining the School's profile. |
| **Categories of personal data** | Name, email address, country of residence, language preference, child's age and curriculum interest, message content, IP address, browser fingerprint (for security only), engagement events (page views, form submissions), and internal product-telemetry events (e.g. AI Match completion, school view, advisor booking) recorded server-side with **hashed-only** identifiers (salted SHA-256; the raw identifier is not stored with the event) and **90-day retention**. Hashed identifiers are pseudonymised data and remain personal data under Article 4(5) GDPR, which is why they are listed here. |
| **Special-category data** | None processed by default. The Controller is instructed not to upload special-category data (health, religion, ethnicity) to BestPeopleDo systems. |
| **Frequency of processing** | Continuous for the term. |
| **Duration of processing** | For the term of the B2B Schools Agreement plus the deletion period in §11. |
| **Nature of operations** | Collection, storage, retrieval, transmission to authorised admissions contacts, generation of aggregate reports, secure deletion. |
| **Purpose** | As stated in §3. |
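The telemetry disclosure above (salted SHA-256 identifiers, 90-day retention) is concrete enough to show in code. The block below is an added illustration for practitioners reviewing this annex; it is not BestPeopleDo's code and does not describe their implementation. It assumes a Python service, a salt held server-side as a secret and never stored next to events (`SALT` here is a fixed constructed value only so the example is reproducible), a constructed event shape with the keys `event`, `subject` and `ts`, and hypothetical helper names (`pseudonymise`, `record_event`, `purge_expired`, `reidentify`). The `reidentify` helper exists to make one point the annex wording leaves implicit: a salted hash of a guessable identifier such as an email address is only a pseudonym for as long as the salt stays secret.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

RETENTION = timedelta(days=90)  # matches the 90-day telemetry retention in Annex I


def new_salt() -> bytes:
    """Generate a server-held secret salt (32 random bytes). Assumption:
    rotated and stored in a secrets manager, never alongside the events."""
    return secrets.token_bytes(32)


def pseudonymise(identifier: str, salt: bytes) -> str:
    """Hex SHA-256 over salt || normalised identifier.

    Normalising (trim + lowercase) makes 'Parent@Example.com' and
    'parent@example.com' the same subject, so events stay linkable for
    the same person. That linkability is exactly why the result is still
    personal data (pseudonymised, Art. 4(5) GDPR) rather than anonymous.
    """
    norm = identifier.strip().lower().encode("utf-8")
    return hashlib.sha256(salt + norm).hexdigest()


def record_event(identifier: str, event: str, ts: datetime, salt: bytes) -> Dict:
    """Build a server-side telemetry event that carries only the pseudonym.
    The raw identifier is deliberately not part of the returned record."""
    return {"event": event, "subject": pseudonymise(identifier, salt), "ts": ts}


def purge_expired(events: Iterable[Dict], now: datetime) -> List[Dict]:
    """Retention sweep: keep only events younger than RETENTION."""
    cutoff = now - RETENTION
    return [e for e in events if e["ts"] >= cutoff]


def reidentify(pseudonym: str, salt: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary re-identification. Anyone holding the salt can recover a
    guessable identifier from its hash; without the salt this returns None.
    compare_digest avoids a timing side channel on the hex comparison."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise(candidate, salt), pseudonym):
            return candidate
    return None


# Constructed sample data for the example (not real users or real events).
SALT = bytes.fromhex("00" * 32)  # fixed only for reproducibility; use new_salt() in practice
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    record_event("Parent@Example.com", "ai_match_completed", NOW - timedelta(days=1), SALT),
    record_event("parent@example.com", "school_view", NOW - timedelta(days=89), SALT),
    record_event("other@example.com", "advisor_booking", NOW - timedelta(days=120), SALT),
]


def demo() -> Dict:
    """Run the pieces together and return the observations a reviewer would check."""
    kept = purge_expired(SAMPLE_EVENTS, NOW)
    return {
        "kept_after_purge": len(kept),
        "raw_identifier_stored": any("identifier" in e for e in SAMPLE_EVENTS),
        "same_person_linkable": SAMPLE_EVENTS[0]["subject"] == SAMPLE_EVENTS[1]["subject"],
        "recovered_with_salt": reidentify(
            SAMPLE_EVENTS[0]["subject"], SALT, ["x@example.com", "parent@example.com"]
        ),
        "recovered_without_salt": reidentify(
            SAMPLE_EVENTS[0]["subject"], b"\x01" * 32, ["x@example.com", "parent@example.com"]
        ),
    }


if __name__ == "__main__":
    print(demo())
```

The retention sweep is written as a pure function over a list so it can be unit-tested against a fixed clock; in a real service the same predicate would run as a scheduled job or a database TTL. The re-identification helper is the reason a reviewer should ask where the salt lives and who can read it: the hash protects the identifier only against parties who do not hold the salt.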

## Annex II — Technical & Organisational Measures (TOMs)

1. **Encryption in transit** — TLS 1.2+ for all external traffic; HSTS;
   internal service mesh TLS.
2. **Encryption at rest** — AES-256 server-side encryption on database,
   object storage, and backups.
3. **Access control** — Role-based access; least-privilege; production
   access restricted to named engineers; quarterly access review.
4. **Authentication** — SSO + MFA for all admin access; magic-link or
   password authentication for end-user access, with passwords stored
   as bcrypt hashes at cost factor 12 or higher.
5. **Network security** — Production VPC isolation; security groups
   default-deny; secrets stored in AWS Secrets Manager.
6. **Logging & monitoring** — CloudWatch metrics + alerts; access logs
   retained 90 days; anomaly alerting on auth failure spikes.
7. **Backup & recovery** — Daily encrypted backups; 30-day retention;
   documented restore runbook; restore tested quarterly.
8. **Data segregation** — Logical multi-tenancy with row-level filters;
   per-School API keys.
9. **Software development** — Code review on every change; CI tests;
   dependency scanning (npm audit / GitHub Dependabot); secrets-in-code
   scanning on commit.
10. **Vendor management** — Annual review of sub-processors; DPAs in
    place with each.
11. **Incident response** — 24/7 on-call escalation; documented breach
    notification procedure (§7); post-incident review within 14 days.
12. **Personnel** — Confidentiality agreements; security awareness on
    onboarding; offboarding access removal within 24 hours.
13. **Physical security** — Production infrastructure runs on AWS
    (eu-central-1); no on-prem servers; no removable media on production.

## Annex III — Authorised Sub-processors

| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services EMEA SARL | Hosting, storage, compute, networking | eu-central-1 (Frankfurt) |
| AWS Simple Email Service | Transactional email delivery | eu-central-1 |
| Google LLC (reCAPTCHA, only if enabled) | Form bot mitigation | EU/Global |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | EU edge |
| Sentry / equivalent | Error monitoring, no PII transmitted | EU region |

---

**Signed for the Controller (School):**

Name: ______________________________
Title: _____________________________
Date: ______________________________
Signature: _________________________

**Signed for the Processor (BestPeopleDo / MEC Eğitim Danışmanlık):**

Name: ______________________________
Title: _____________________________
Date: ______________________________
Signature: _________________________
