When does this DPA apply? This agreement applies when you submit GPR survey data to SubGeoMap for processing and that data includes or is associated with personal data (for example, site owner identities, employee names, or precise geolocation that could be linked to an individual). If you are a survey firm processing data on behalf of your own clients, you are the data controller and SubGeoMap is your data processor.
This Data Processing Agreement ("DPA") is entered into between:
Where SubGeoMap processes data about the Client's own personnel or users (e.g. contact persons named in an inquiry), SubGeoMap acts as an independent data controller for that limited purpose, as described in our Privacy Policy.
SubGeoMap processes personal data on behalf of the Client solely for the following purpose:
SubGeoMap will not process the data for any purpose beyond what is documented in this DPA and the applicable project instructions, unless required by law.
GPR B-scan waveform data itself does not typically constitute personal data. However, when combined with precise RTK positioning linked to an identifiable property or individual, the combined dataset may fall within the definition of personal data under applicable law.
SubGeoMap will use reasonable endeavours to:
The Client is responsible for:
SubGeoMap may engage third-party sub-processors (e.g. cloud infrastructure, file storage, or AI compute providers) at its discretion to assist in delivering the service. When doing so, SubGeoMap will:
A current list of sub-processors is available on request at info@subgeomap.com. SubGeoMap is not liable for the acts or omissions of sub-processors beyond what is recoverable from the sub-processor itself. If the Client has a specific objection to a sub-processor, the parties will discuss the matter in good faith, but SubGeoMap retains the right to select the infrastructure and tooling necessary to deliver the service.
SubGeoMap implements the following measures to protect personal data:
Client data is primarily processed and stored in Turkey. Where data is transferred outside Turkey (for example, to a cloud sub-processor with infrastructure in the EU or US), SubGeoMap ensures an appropriate transfer mechanism is in place:
Details of the transfer mechanism in place for each sub-processor are available on request.
If SubGeoMap receives a request directly from a data subject (e.g. a site owner whose property was surveyed) in relation to data processed on behalf of the Client, SubGeoMap will:
The Client remains responsible for responding to data subject rights requests within applicable legal timeframes.
In the event of a confirmed personal data breach directly affecting Client data, SubGeoMap will:
The Client is solely responsible for determining whether and how to notify supervisory authorities or data subjects under applicable law. SubGeoMap's notification to the Client does not constitute an admission of fault or liability. SubGeoMap is not liable for any regulatory fines, penalties, or third-party claims arising from a breach that results from circumstances outside SubGeoMap's reasonable control, including vulnerabilities in third-party infrastructure or client-side credential mishandling.
After a project is completed, SubGeoMap will handle Client data in accordance with its standard data lifecycle and retention practices, as described in the Privacy Policy. SubGeoMap will delete Client personal data within a reasonable period after the project retention window closes, taking into account operational, legal, and backup infrastructure timelines.
Clients may submit a written deletion request to info@subgeomap.com. SubGeoMap will use reasonable efforts to process such requests within a reasonable timeframe, subject to any legal or operational retention obligations. SubGeoMap is not obligated to provide written deletion certification unless separately agreed in a signed project contract.
SubGeoMap will provide reasonable documentary information to assist the Client in assessing compliance with this DPA, where such information is readily available and its disclosure does not compromise the security, confidentiality, or proprietary interests of SubGeoMap or other clients.
SubGeoMap does not grant a general right to audit. Any on-site inspection or technical audit requires SubGeoMap's prior written consent, must be agreed in writing including scope, timing, and cost allocation, may not occur more than once per year, and must be conducted by a mutually agreed independent third party at the Client's sole expense. SubGeoMap may satisfy any audit request by providing existing third-party security assessments, certifications, or summary compliance reports in lieu of direct inspection.
To the maximum extent permitted by applicable law:
Nothing in this DPA limits liability for death or personal injury caused by negligence, or fraud, to the extent such limitation is prohibited by Turkish law.
This DPA is governed exclusively by Turkish law, including the Law on the Protection of Personal Data (KVKK, Law No. 6698). Disputes arising under or in connection with this DPA shall be submitted to the exclusive jurisdiction of the Istanbul courts.
Clients established outside Turkey submit to this jurisdiction by accepting this DPA. While SubGeoMap has designed this DPA with reference to GDPR Article 28 principles, SubGeoMap does not warrant that this DPA satisfies any particular foreign regulatory requirement. Clients subject to GDPR or other non-Turkish data protection regimes are responsible for assessing their own compliance obligations.
This DPA is incorporated into and forms part of SubGeoMap's terms of service. By submitting a project to SubGeoMap, the Client acknowledges having read and agreed to this DPA.
Clients who require a separately signed DPA (e.g. for enterprise procurement or regulatory purposes) may request one by contacting:
SubGeoMap — SubGeoMap
Email: info@subgeomap.com
We will respond to DPA execution requests as promptly as reasonably practicable.