How Harmonity processes personal data on your behalf under GDPR, UK GDPR, and KVKK.
LegalX Yapay Zeka Teknolojileri A.Ş.
APY Tekmer, Ataşehir Bulvarı, Atatürk, Ertuğrul Gazi Sk. D:2 Blok No:13, 34758 Ataşehir/İstanbul, Türkiye
This Data Processing Addendum ("DPA") forms part of the Agreement between the Customer and LegalX Yapay Zeka Teknolojileri A.Ş. ("Harmonity"). It outlines our obligations as a data processor when handling personal data on your behalf in connection with the Harmonity service.
| The Legal Text | In Plain English |
|---|---|
| 1.1 This Data Processing Addendum ("DPA") forms part of the Agreement between the customer identified in an Order Form ("Customer") and LegalX Yapay Zeka Teknolojileri A.Ş. ("Harmonity", "Processor", "we"). Capitalized terms not defined in this DPA have the meanings set out in the Terms of Service or the applicable Order Form. | This DPA is a part of the contract you sign for Harmonity. |
| 1.2 This DPA applies to the Processing of Personal Data by Harmonity on behalf of Customer in connection with the Service, where Customer is a Controller (or acts on behalf of a Controller) and Harmonity is a Processor. | This covers the personal data we process for you when you use Harmonity. |
| 1.3 Order of precedence. If there is a conflict between the Terms and this DPA regarding Personal Data Processing, this DPA will prevail. If there is a conflict between an Order Form and this DPA, the Order Form will prevail only to the extent it explicitly states it overrides this DPA. | For privacy/data-processing issues, this DPA wins over the general Terms—unless your signed Order Form clearly says otherwise. |
| 1.4 This DPA does not apply to data we process as an independent Controller (e.g., website visitors, marketing contacts). Those activities are covered by our Privacy Policy. | Website/marketing data is covered by the Privacy Policy, not this DPA. |
| The Legal Text | In Plain English |
|---|---|
| 2.1 "Applicable Data Protection Laws" means all laws applicable to the Processing of Personal Data under the Agreement, including, where applicable: (a) EU GDPR (Regulation (EU) 2016/679); (b) UK GDPR and UK Data Protection Act 2018; and (c) the Turkish Law on the Protection of Personal Data No. 6698 ("KVKK") and related secondary legislation and guidance. | This references GDPR/UK GDPR if relevant, and KVKK for Türkiye. |
| 2.2 "Personal Data," "Processing," "Controller," "Processor," and "Personal Data Breach" have the meanings given in GDPR and/or KVKK (as applicable). | Standard privacy definitions. |
| 2.3 "Customer Data" means data (including Personal Data) submitted to, stored in, or processed through the Service by or on behalf of Customer, including contract documents, metadata, and derived outputs. | Your contracts + related data in Harmonity. |
| 2.4 "Subprocessor" means any Processor engaged by Harmonity to Process Customer Personal Data on Customer’s behalf. | Vendors we use to run the service. |
| 2.5 "Security Package" means procurement/security documentation Harmonity may provide under NDA or otherwise (as available), including summaries of technical and organizational measures and related materials. | The packet enterprise teams request during security review. |
| The Legal Text | In Plain English |
|---|---|
| 3.1 Customer is the Controller of Customer Personal Data and determines the purposes and means of Processing. Harmonity is the Processor and Processes Customer Personal Data only on Customer’s documented instructions, including as necessary to provide the Service under the Agreement. | You decide "why/how" personal data is processed; we process it only to deliver Harmonity and follow your instructions. |
| 3.2 Customer’s instructions are documented in: (a) the Agreement; (b) Customer’s configuration and use of the Service; and (c) any additional written instructions mutually agreed by the parties, provided they are consistent with the Agreement and Applicable Data Protection Laws. | Your instructions are mostly: the contract + how you use/configure Harmonity. |
| 3.3 Harmonity will inform Customer if, in Harmonity’s opinion, an instruction infringes Applicable Data Protection Laws (where legally permitted). | If you ask us to do something unlawful with personal data, we’ll flag it. |
| 3.4 Details of Processing (subject matter, duration, nature/purpose, categories of data and data subjects) are set out in Annex 1. | Annex 1 is the "Processing Details" appendix. |
| The Legal Text | In Plain English |
|---|---|
| 4.1 Confidentiality. Harmonity will ensure that persons authorized to Process Customer Personal Data are bound by confidentiality obligations (contractual or statutory) and receive appropriate privacy/security instructions relevant to their roles. | Our staff/contractors must keep your data confidential. |
| 4.2 Security Measures. Harmonity will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. A high-level description of measures is in Annex 2. | We run security controls appropriate for sensitive contract data; Annex 2 summarizes them. |
| 4.3 Assistance with Data Subject Requests. Taking into account the nature of Processing, Harmonity will provide reasonable assistance to Customer to respond to Data Subject requests (e.g., access, deletion, correction), to the extent Customer cannot address the request through the Service’s self-service controls. | If someone exercises GDPR/KVKK rights, we’ll help you respond when you can’t do it directly in the product. |
| 4.4 Assistance with compliance. Harmonity will provide reasonable assistance to Customer with: (a) security and breach notifications; (b) DPIAs and prior consultations where required; and (c) demonstrating compliance, to the extent applicable and reasonable given the Service. | We’ll support your compliance work (DPIA, breach handling, etc.) in a practical way. |
| 4.5 Personal Data Breach Notification. Harmonity will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information reasonably necessary for Customer’s compliance with Applicable Data Protection Laws. Where feasible, Harmonity will include available details such as the nature of the incident, categories/approximate number of affected Data Subjects/records, likely consequences, and mitigation steps taken. | If there’s a breach involving your data, we’ll tell you quickly and share what you need to handle obligations. |
| 4.6 Timing note (GDPR). Where GDPR applies, Harmonity will aim (where feasible) to provide initial notification to Customer in a timeframe that supports Customer’s obligation to notify supervisory authorities within 72 hours of awareness, recognizing incident facts may evolve. | We’ll help you meet GDPR’s 72-hour expectations—without promising perfect info instantly. |
| 4.7 No "legal advice." Harmonity does not provide legal advice. Customer is responsible for determining whether the Service’s features, workflows, and outputs are appropriate for Customer’s compliance obligations. | We’re a software provider, not your lawyers. |
| The Legal Text | In Plain English |
|---|---|
| 5.1 Authorization. Customer grants Harmonity a general authorization to engage Subprocessors to Process Customer Personal Data for the provision of the Service. | You generally allow us to use vendors to run Harmonity. |
| 5.2 Subprocessor list. Harmonity will maintain an up-to-date list of Subprocessors at /trust/subprocessors (the "Subprocessor List"). The Subprocessor List will include, at minimum, the Subprocessor name, purpose, and (where applicable) processing region/location at a high level. | The canonical vendor list will live on the Trust Center page. |
| 5.3 Changes and notice. Harmonity will provide notice of material changes to the Subprocessor List by updating the Trust Center page and, where commercially reasonable, by providing advance notice through reasonable channels (e.g., email or in-product notice). | When vendors change, we’ll update the list and try to give notice. |
| 5.4 Objection process. If Customer reasonably objects to a new Subprocessor on data protection grounds, Customer must notify Harmonity in writing within a reasonable period after notice. The parties will work in good faith to address the objection (e.g., by providing information, offering a reasonable workaround, or, if feasible, using an alternative). If the parties cannot resolve the objection, Customer may terminate the affected Service component pursuant to the Agreement (subject to applicable contractual commitments). | You can object to a new vendor for valid privacy reasons; we’ll try to resolve it, and if not possible, termination remedies apply. |
| 5.5 Flow-down terms. Harmonity will impose written obligations on Subprocessors that are no less protective than this DPA with respect to Customer Personal Data, including confidentiality and security obligations. Harmonity remains responsible for Subprocessors’ performance of their obligations under such flow-down terms. | We contractually bind vendors to protect your data, and we remain responsible. |
| The Legal Text | In Plain English |
|---|---|
| 6.1 Customer acknowledges that the Service may involve Processing of Customer Personal Data in Türkiye, the EEA/UK, and other jurisdictions depending on Customer configuration and the Subprocessor List. | Data may be processed in different regions depending on the setup and vendors. |
| 6.2 Where GDPR/UK GDPR applies and Customer Personal Data is transferred outside the EEA/UK to a jurisdiction not recognized as providing adequate protection, the parties will rely on an appropriate transfer mechanism (such as the European Commission’s Standard Contractual Clauses, or the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses), as applicable. | If GDPR applies and data goes outside the EEA/UK to a country without an adequacy decision, we’ll use recognized legal transfer tools (EU SCCs, UK IDTA/Addendum) where needed. |
| 6.3 KVKK transfers. Where KVKK applies and cross-border transfers require specific safeguards, approvals, or undertakings, the parties will cooperate in good faith to implement the legally required mechanism, taking into account the roles of Controller and Processor and the relevant guidance and decisions of the Turkish Personal Data Protection Authority. | If KVKK requires extra steps for international transfers, we’ll cooperate to implement them. |
| 6.4 This section is subject to the limitations and allocation of responsibilities set out in the Agreement and Applicable Data Protection Laws. | Transfer compliance is shared and depends on the law and roles. |
| The Legal Text | In Plain English |
|---|---|
| 7.1 During the term of the Agreement, Customer may export or retrieve Customer Data using the Service’s available functionality. | You can export your data during the subscription. |
| 7.2 Upon termination or expiration of the Agreement, Harmonity will make Customer Personal Data available for export for a limited period as described in the Agreement (unless legally prohibited). After that period, Harmonity will delete or anonymize Customer Personal Data within a reasonable timeframe, unless retention is required by applicable law or necessary to establish, exercise, or defend legal claims. | After cancellation, you get a limited time to download data; then we delete it, unless we must keep some for legal reasons. |
| 7.3 Customer acknowledges that residual copies may persist in backups for a limited time, provided such backups are protected and not actively processed except for restoration and business continuity purposes, and are deleted/overwritten according to Harmonity’s backup retention cycle. | Backups may keep data briefly, but they’re protected and eventually overwritten. |
| The Legal Text | In Plain English |
|---|---|
| 8.1 Upon request and subject to confidentiality obligations (including NDA where required), Harmonity will provide Customer with reasonable information necessary to demonstrate compliance with this DPA, including summaries of relevant security measures and (where available) third-party audit reports, certifications, or assessments. | We’ll share security documentation for procurement review (under NDA if needed). |
| 8.2 Customer may conduct an audit of Harmonity’s compliance with this DPA only where: (a) Customer cannot reasonably satisfy compliance requirements through documentation provided; and (b) the audit is limited in scope to Customer Personal Data Processing. Any audit must be: (i) on reasonable prior written notice; (ii) during business hours; (iii) no more than once per 12-month period (unless required by law or following a confirmed breach); and (iv) subject to confidentiality and security restrictions designed to protect other customers and Harmonity’s systems. | Audits are possible but controlled: documentation first; audits limited, scheduled, and not disruptive. |
| 8.3 Customer will bear its own audit costs. If the audit reveals material non-compliance, the parties will discuss remediation in good faith. | You pay for your audit; if we’re materially off, we fix it. |
| The Legal Text | In Plain English |
|---|---|
| 9.1 Service provision only. Harmonity will Process Customer Personal Data only to provide, secure, maintain, and improve the Service for Customer, including to provide requested AI-enabled features where Customer initiates such features. | We use your data to run the product for you. |
| 9.2 No training on Customer Data (general models). Harmonity will not use Customer Data (including Customer Personal Data) to train or improve general-purpose machine learning models intended for use by other customers, except where Customer has explicitly opted in, in writing. | Your contracts are not used to train a model for other customers—unless you explicitly opt in, in writing. |
| 9.3 Aggregated/anonymous data. Harmonity may generate and use aggregated and/or anonymized data derived from the Service for analytics, product improvement, and security purposes, provided such data does not identify Customer or any individual. | We may use truly anonymized analytics to improve the platform. |
| The Legal Text | In Plain English |
|---|---|
| 10.1 This DPA remains in effect for the duration of Harmonity’s Processing of Customer Personal Data under the Agreement. Sections intended to survive termination (including confidentiality, audit, and deletion obligations) will survive as applicable. | The DPA applies as long as we process your data. |
| 10.2 Liability under this DPA is subject to the limitations of liability set out in the Agreement, except to the extent such limitations are prohibited by Applicable Data Protection Laws. | Same liability limits as the main Terms, unless the law forbids limiting something. |
| 10.3 Governing law and disputes. Disputes arising under or in connection with this DPA will be resolved in accordance with the dispute resolution clause in the Terms of Service, including arbitration at ISTAC in Istanbul, Türkiye, with proceedings in Turkish, unless mandatory law requires otherwise. | Same dispute clause as the Terms (ISTAC, Istanbul, Turkish). |
| The Legal Text | In Plain English |
|---|---|
| A1.1 Subject matter. Provision of the Service: contract creation, review, collaboration, approval workflows, contract repository features, and related support/operations, including AI-enabled features initiated by Customer. | What the processing is for. |
| A1.2 Duration. For the term of the Agreement and any post-termination retention/export period and backup cycle as described in the Agreement and this DPA. | How long we process data. |
| A1.3 Nature of Processing. Hosting, storage, retrieval, organization, transmission, rendering, transformation (e.g., extracting metadata), access control enforcement, audit logging, and support operations; and where requested by Customer, AI processing of Customer-provided inputs to generate outputs within the Service. | What we do with the data in practice. |
| A1.4 Purpose(s). To provide, maintain, secure, and support the Service for Customer; to prevent abuse and ensure reliability; to comply with legal obligations; and to provide AI features requested by Customer. | Why we process it. |
| A1.5 Categories of Data Subjects. Customer’s authorized users; Customer’s employees; Customer’s counterparties and their representatives; signatories; collaborators; and other individuals whose Personal Data is included in contracts or related records uploaded to the Service. | Whose data could appear in the platform. |
| A1.6 Categories of Personal Data. May include: names, business contact details, titles/roles, signatures, identifiers in contract documents, communication content in collaboration workflows, and contract-related metadata. Customer controls the content submitted to the Service. | Typical personal data in contracts + collaboration. |
| A1.7 Special categories / sensitive data. The Service is not designed for Customer to submit special categories of data (GDPR Art. 9) or highly sensitive identifiers unless Customer has assessed necessity and applied appropriate safeguards. Harmonity does not intentionally require such data. | Don’t put sensitive data in unless necessary and you’ve assessed it. |
| A1.8 Processing operations. Collection (from Customer), storage, organization, access, disclosure (to authorized users), deletion, and transfer as required to deliver the Service. | The operations list. |
| The Legal Text | In Plain English |
|---|---|
| A2.1 Access control. Role-based access controls and permission boundaries at workspace and document level; authentication controls; least-privilege principles for internal access. | Permissions and least privilege. |
| A2.2 Encryption. Encryption in transit and at rest, with secure key handling practices appropriate for the Service. This is a high-level description; specifics are available in the Security Package. | Data is encrypted in transit and at rest; the details (algorithms, key management) are in the Security Package, not this summary. |
| A2.3 Logging and auditability. Security logging and audit trails designed to support investigations and governance; attributable actions where feasible. | Who did what and when (audit trail). |
| A2.4 Secure development and change management. Practices designed to reduce vulnerabilities (e.g., code review, environment separation, controlled deployment). | Secure SDLC basics. |
| A2.5 Vulnerability management. Processes to identify, prioritize, and remediate vulnerabilities; dependency updates and monitoring as appropriate. | We patch and manage vulnerabilities. |
| A2.6 Incident response. Documented incident response process with investigation, containment, remediation, and customer notification pathways. | We have an IR process. |
| A2.7 Backup and recovery. Backups and recovery processes designed to support business continuity; access controls around backup systems. | Backups exist and are protected. |
| A2.8 Subprocessor controls. Contractual safeguards and due diligence for Subprocessors; limitation of access to what is necessary. | Vendors are controlled contractually and operationally. |
| A2.9 Organizational measures. Security awareness expectations, confidentiality obligations, and internal access governance. | People/process controls too. |
| The Legal Text | In Plain English |
|---|---|
| A3.1 The current Subprocessor List is maintained at /trust/subprocessors and is incorporated by reference into this DPA. | The vendor list lives on the Trust Center page. |
Questions about this DPA? Contact us at support@harmonity.ai