DATA PROCESSING ADDENDUM (KVKK/GDPR)
Version: 1.0
Effective Date: 20.08.2025
This Data Processing Addendum (the “DPA”) forms part of the master agreement, order form, or terms of use between the parties that references this DPA (the “Agreement”) and reflects the parties’ agreement with respect to the Processing of Personal Data under Law No. 6698 on the Protection of Personal Data (KVKK), the EU/UK GDPR, and applicable data‑protection laws.
1. Parties & Roles
- Controller: The Customer identified in the Agreement and/or Order Form.
- Processor: NOTRINO RESEARCH BİLGİ TEKNOLOJİLERİ ARAŞTIRMA GELİŞTİRME LİMİTED ŞİRKETİ, ÜNİVERSİTELER MAH. İHSAN DOĞRAMACI BLV. ARGE VE EĞİTİM MERKEZİ NO: 13 ÇANKAYA/ ANKARA (“Notrino”).
Unless specified otherwise in this DPA, capitalized terms have the meanings in the Agreement. Personal Data, Data Subject, Controller, Processor, Processing, Personal Data Breach, and SCCs have the meanings given by the GDPR; equivalent KVKK terms apply mutatis mutandis.
2. Subject Matter; Nature; Duration; Purpose
- Subject Matter: Notrino processes Personal Data to provide the RecapMedica Services (ambient clinical documentation, coding assist, integrations, support).
- Nature of Processing: Collection, recording, structuring, storage, adaptation, retrieval, transmission, deletion, and other operations necessary to provide and support the Services.
- Duration: For the term of the Agreement and until deletion/return as per this DPA.
- Purpose: Provision of the Services per Controller’s instructions; security, support, billing, compliance, and service quality.
3. Categories of Data; Data Subjects
- Data Subjects: Patients; clinicians; Customer personnel; other individuals whose data are included in Customer submissions.
- Personal Data Types: Identification and contact data; audio/video recordings; transcripts; clinical context; device/usage metadata; account/admin data.
- Special Categories: Special Categories of Personal Data (e.g., health data) may be processed where included by Controller. Controller shall ensure a valid lawful basis and the required disclosures to Data Subjects.
4. Controller Instructions
Notrino shall Process Personal Data only on documented instructions from Controller, including with respect to international transfers, unless required by law. Notrino will promptly inform Controller if, in its opinion, an instruction infringes applicable law.
5. Confidentiality & Personnel
Notrino ensures that persons authorized to Process Personal Data are subject to appropriate confidentiality obligations and receive privacy/security training.
6. Security of Processing
Notrino shall implement and maintain appropriate technical and organisational measures (TOMs) as described in Schedule 2 (Security Measures), taking into account the nature, scope, context, and purposes of Processing and the risks to Data Subjects. At a minimum: encryption in transit/at rest; access controls and MFA; least privilege; network security; logging/monitoring; vulnerability management; secure SDLC; incident response; business continuity and disaster recovery.
7. Subprocessing
Controller grants general authorization for Notrino to engage Subprocessors listed in Schedule 3 (Subprocessors) and any updated list published on Notrino’s Trust/Privacy resources. Notrino will: (a) impose on Subprocessors data‑protection obligations no less protective than this DPA; (b) remain liable for Subprocessors’ acts and omissions; and (c) provide advance notice of material changes, allowing Controller to object on reasonable, documented grounds. If the parties cannot resolve an objection, Controller may suspend the affected Processing or terminate the relevant Services without penalty.
8. Assistance to Controller
Taking into account the nature of Processing, Notrino shall assist Controller by appropriate technical and organisational measures, insofar as possible, for the fulfilment of Controller’s obligations to respond to Data Subject Requests (access, rectification, erasure, restriction, portability, objection). Notrino shall also assist Controller with security, breach notifications, data protection impact assessments, and consultations with authorities, as reasonably necessary and proportionate to the Processing, and may charge reasonable fees for material efforts.
9. Personal Data Breach
Notrino shall notify Controller without undue delay after becoming aware of a Personal Data Breach. Such notice will include the information reasonably available to Notrino at the time, including the nature of the breach, its likely consequences, and the measures taken or proposed to address it; where not all information is available at once, Notrino will supplement the notice as further information becomes available. Notrino will cooperate with Controller’s reasonable requests to investigate and remediate. Routine, unsuccessful security events (e.g., blocked scans, failed login attempts) do not constitute a Personal Data Breach and do not require notification.
10. International Data Transfers & Data Residency
10.1 Region Selection
Controller may select a primary data residency region (e.g., Türkiye, EU/EEA, United States). Customer Data at rest will be stored in the selected region. Notrino will not move Customer Data at rest to another region except on Controller’s documented instructions, as required by law, or for narrowly scoped support/continuity needs with safeguards.
10.2 Cross‑Border Access/Transfers
Remote access from outside the selected region or onward transfers constitute a cross‑border transfer. Such access/transfers will occur only: (a) on Controller’s documented instructions; (b) pursuant to a valid legal mechanism (e.g., adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or KVKK standard contracts/undertakings approved or recognized by the Personal Data Protection Board); and (c) with appropriate safeguards and access controls.
10.3 SCCs & KVKK Mechanisms
Where required, the EU SCCs (2021/914) (Controller‑to‑Processor, and where relevant Processor‑to‑Processor) are hereby incorporated by reference with the details in Schedule 1 and Schedule 2. For the UK, the UK Addendum applies. For Türkiye, Notrino will execute Board‑approved undertakings/standard contracts or rely on other lawful mechanisms where available. The parties shall cooperate in good faith to sign any documents reasonably necessary to give full effect to transfer mechanisms.
11. Audits & Information
Notrino shall make available to Controller all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller, up to once per year (and after a material Personal Data Breach), during normal business hours, on reasonable notice, and subject to confidentiality, safety, and operational constraints. Where possible, audits will be satisfied by independent third‑party reports (e.g., ISO/SOC summaries) and responses to security questionnaires.
12. Return & Deletion
Upon termination or expiry of the Services, at Controller’s choice, Notrino shall return all Personal Data (in a commonly used format) and/or securely delete Personal Data after a 30‑day retrieval window, unless retention is required by law. Backup media will be overwritten on Notrino’s standard backup rotation cycles; any Personal Data remaining in backups until then stays subject to this DPA. Notrino may retain minimal records required to demonstrate compliance.
13. Improvement Data; De‑Identification
- Personal Data for improvement: Notrino will not use Personal Data for training or improving its models or services unless expressly instructed/authorized by Controller (e.g., via Order Form or admin setting) and subject to applicable law.
- De‑Identified Data & Usage Data: Notrino may create De‑Identified Data and Usage Data and use them during and after the Agreement for lawful purposes (analytics, quality, benchmarking), and will not attempt re‑identification.
14. Liability & Priority
The parties’ respective liabilities under this DPA shall be governed by the liability provisions of the Agreement. In the event of conflict between this DPA and the Agreement, this DPA shall prevail to the extent of the conflict with respect to Processing of Personal Data. Nothing in this DPA limits Data Subjects’ rights under applicable law.
15. Miscellaneous
- This DPA is governed by the governing law specified in the Agreement.
- If any provision is held invalid, the remainder remains in full force.
- This DPA may be executed electronically and in counterparts.
Schedule 1 — Details of Processing
- Controller: [[Customer legal name, address]]
- Processor: NOTRINO RESEARCH BİLGİ TEKNOLOJİLERİ ARAŞTIRMA GELİŞTİRME LİMİTED ŞİRKETİ
- Subject Matter/Purpose: Provision of RecapMedica Services; support; security; integrations.
- Duration: Term of Agreement + data‑return window.
- Data Subjects: Patients; clinicians; Customer personnel.
- Personal Data: Identity/contact; audio/video; transcripts; clinical context; identifiers; usage data.
- Special Categories: Health data (as provided by Controller).
- Processing Operations: Collection; storage; transcription; structuring; analysis; transmission; deletion.
- Transfers: As per §10; mechanisms per §10.3.
- Region: [[Türkiye / EU/EEA / United States / Other]]
Schedule 2 — Technical & Organisational Measures (TOMs)
- Governance: Information security policy; roles; training; vendor risk management; background checks as appropriate.
- Access Controls: Role‑based access; least privilege; MFA; secure authentication; periodic reviews.
- Encryption: TLS in transit; strong encryption at rest; key management.
- Network Security: Segmentation; firewalls; endpoint protection; vulnerability scanning; patch management.
- Application Security: Secure SDLC; code review; dependency management; secrets management; periodic penetration testing.
- Logging/Monitoring: Centralized logging; anomaly detection; audit trails; immutable logs for key events.
- Data Management: Data minimization; pseudonymization/de‑identification; backup and tested restore.
- Incident Response: 24/7 on‑call; playbooks; breach notification; corrective actions.
- Business Continuity/DR: RPO/RTO objectives; regional redundancy where configured.
- Physical Security: Data center standards of cloud providers; access logging; environment controls.
Schedule 3 — Subprocessors (Summary)
Scope. The following entities act as Subprocessors to the extent they create, receive, maintain, or transmit Personal Data to provide the Services on Notrino’s behalf. Where indicated as internal/self‑hosted, the systems are operated by Notrino and do not constitute third‑party Subprocessors.
Cloud Infrastructure & Managed Databases
- Huawei Cloud — IaaS/GPU + Managed Mongo‑compatible DB (DDS). Regions: Türkiye (İstanbul). Purpose: Run application/API, GPU inference for ASR/LLM workloads, VPC, load balancing; Huawei Cloud DDS (Mongo‑compatible) for data storage. Data Residency: Turkish customers are served exclusively from Türkiye.
- Amazon Web Services (AWS) — IaaS/GPU. Regions: EU (Frankfurt, eu‑central‑1), UK (London, eu‑west‑2), US (N. Virginia, us‑east‑1; Oregon, us‑west‑2). Purpose: Run application/API, GPU inference for ASR/LLM workloads, VPC, load balancing for EU/UK/US customers (region chosen by Customer). Data Residency: EU/UK customers remain in the EU/UK; US customers remain in the US.
- MongoDB Atlas (MongoDB, Inc.) — Managed MongoDB on AWS. Regions: Aligned to the selected AWS region above (EU/UK/US). Purpose: Managed document database for application data. Notes: Authenticated access; encryption in transit and at rest.
AI/ML Processing (Company‑Operated — Internal, region‑bound)
- Self‑hosted AI/ML Services (Notrino‑operated). Location: Deployed in the Customer‑selected cloud region (Huawei Cloud TR or AWS EU/UK/US). Purpose: • Speech‑to‑Text Layer 1: Fine‑tuned Whisper (company‑trained), GPU‑accelerated. • Speech‑to‑Text Layer 2: Fine‑tuned DeepSeek text correction (company‑trained), GPU‑accelerated. • Summarization/Structuring: Fine‑tuned DeepSeek (company‑trained), GPU‑accelerated. Characteristics: Autoscaled on demand; always‑online control plane; ephemeral GPU workers. Retention: Audio is not persisted; it exists only transiently while being processed and is deleted immediately afterwards.
Identity & Internal Platforms (Company‑Operated unless noted)
- Authentication (Self‑managed) — Internal. Location: Same region as Customer deployment (Huawei Cloud TR or AWS EU/UK/US). Purpose: Company‑operated JWT authentication service. Notes: No third‑party auth provider; token signing keys rotated per policy.
- Git Server (Self‑hosted) — Internal. Location: Company‑operated; region‑aligned to internal hosting policy. Purpose: Source code management and CI hooks. Notes: No Customer data; engineering‑only (not a Subprocessor for Personal Data).
Enterprise Productivity / Support (No PHI; access‑restricted)
- Slack Technologies, LLC. Regions: Global network with primary US/EU processing. Purpose: Internal communications (no PHI/PII of patients; operations and engineering coordination). Notes: Access restricted; data minimization applied.
- Zoho CRM (Zoho Corporation). Regions: EU data centers (Netherlands/Ireland). Purpose: Customer relationship management, account and support records (no PHI). Notes: Access‑controlled; least‑privilege.
- Trello (Atlassian). Regions: US/EU. Purpose: Project planning and task tracking (no PHI). Notes: Access‑controlled; data minimization.
- Jitsi Meet (jit.si, operated by 8x8). Regions: Global. Purpose: Internal video/audio communications (no PHI; engineering/ops only). Notes: Meetings are held with Jitsi’s end‑to‑end encryption option enabled (it is opt‑in per meeting; without it, media is encrypted only hop‑by‑hop to the video bridge).
- Vanta Inc. Regions: US. Purpose: Security and compliance monitoring, control evidence, alerting (no PHI). Notes: Metadata and control evidence only; access‑controlled.
EHR Integrations (Customer‑Scoped)
- EHR Systems (Customer‑provided) Deployment: Within Customer’s region/network as configured by Customer. Purpose: On‑prem or region‑bound integrations; no third‑party EHR subprocessor used by Notrino. Notes: Connectivity and data flows are scoped to the Customer environment; EHR vendors engaged directly by Customer are not Notrino Subprocessors.
Data Handling & Retention (Summary)
- Audio: Not persisted; held only transiently during processing and deleted immediately afterwards.
- Text/transcripts/summaries: Stored in region‑bound MongoDB (Huawei Cloud DDS or MongoDB Atlas on AWS).
- Encryption: TLS in transit and encryption at rest.
Change Notification Mechanism
- Notrino maintains a public “Current Subprocessors” page and changelog.
- Notrino will notify Customer admin contacts via email and in‑app banner at least 30 days prior to adding or replacing a Subprocessor, except for urgent security/emergency changes (which are notified promptly).
- Customers may subscribe to Subprocessor updates; historical versions are archived for audit.
Schedule 4 — Transfer Impact & Supplemental Measures (Summary)
- TIA Summary: Nature of data (primarily business records and health‑related content provided by Controller); categories; frequency; storage locations; access locations.
- Legal Assessment: Identify third‑country laws materially affecting access (e.g., government access).
- Supplemental Measures: Strong encryption; split‑key or KMS controls; access transparency; policy for law‑enforcement requests; customer‑controlled exports; regional support staffing where feasible.
- Outcome: With TOMs and SCCs/standard contracts, risks are mitigated to a level consistent with GDPR/KVKK.
Signatures
Controller
Name: _________________________
Title: _________________________
Date: _________________________
Processor — NOTRINO RESEARCH BİLGİ TEKNOLOJİLERİ ARAŞTIRMA GELİŞTİRME LİMİTED ŞİRKETİ
Name: _________________________
Title: _________________________
Date: _________________________