1. Parties
This Data Processing Agreement ("DPA") is entered into between the following parties:
- Data Processor: Hareki LLC, New Mexico, USA ("Hareki", "we")
- Data Controller: The natural or legal person using the Hareki Studio platform ("User", "you")
This DPA is an integral part of the Hareki Studio Terms of Use and governs the rights and obligations of the parties regarding the processing of personal data on behalf of the User.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person (GDPR Article 4/1, KVKK Article 3/d).
- Special Category Personal Data: Sensitive categories such as race, ethnic origin, political opinion, religion, health data, etc. (GDPR Article 9, KVKK Article 6).
- Data Processing: Any operation performed on personal data including collection, recording, organization, storage, alteration, transfer, deletion.
- Sub-processor: A third-party service provider engaged to process personal data on behalf of the Data Processor.
- Data Breach: A security incident leading to unauthorized access, loss, destruction, alteration, or disclosure of personal data.
- Data Controller: The natural or legal person that determines the purposes and means of processing personal data.
- Data Processor: The natural or legal person that processes personal data on behalf of and under the authority of the Data Controller.
3. Scope and Purpose of Processing
The following categories of personal data are processed on the Hareki Studio platform:
| Data Category | Processing Purpose | Legal Basis |
|---|---|---|
| Brand data (logo, colors, tone of voice) | AI content generation | Contract performance |
| Account information (name, email) | Service delivery, authentication | Contract performance |
| Payment data | Billing via Stripe | Contract performance |
| Usage data (logs, preferences) | Service improvement, error tracking | Legitimate interest |
| Generated content | Content management and export | Contract performance |
No special category personal data is processed. The Platform does not collect health, biometric, or genetic data.
4. Data Processor Obligations
Hareki LLC, as Data Processor, assumes the following obligations:
- Instruction adherence: Processes personal data only in accordance with the Data Controller's documented written instructions. Informs the Data Controller before processing if a legal obligation requires otherwise.
- Confidentiality commitment: Ensures that all personnel with access to personal data are under a confidentiality obligation. This obligation continues after the end of the employment relationship.
- Security measures: Implements technical and organizational security measures appropriate to the nature of processing in accordance with GDPR Article 32 (details in Annex).
- Sub-processor usage: Obtains the Data Controller's prior general written consent before engaging sub-processors. Provides 30 days' advance notice when adding new sub-processors.
- Assistance obligation: Provides the Data Controller with necessary technical support in exercising data subjects' rights (access, rectification, deletion, portability).
- Data deletion/return: Upon termination of the processing relationship, deletes or returns all personal data according to the Data Controller's preference. Subject to legal retention obligations.
- Audit right: Accepts that the Data Controller or their appointed independent auditor may conduct reasonable audits to verify compliance with obligations under this DPA.
5. Sub-processors
Hareki Studio uses the following sub-processors for service delivery:
| Sub-processor | Service | Location |
|---|---|---|
| Vercel Inc. | Hosting, CDN, Edge Network | San Francisco, CA, USA |
| Supabase Inc. | Database, Authentication | San Francisco, CA, USA |
| OpenRouter / OpenAI | AI Content Processing | San Francisco, CA, USA |
| Stripe Inc. | Payment Processing | San Francisco, CA, USA |
| Sentry | Error Tracking and Performance | San Francisco, CA, USA |
| Resend | Email Delivery | USA |
Change notification: Written notice is provided to the Data Controller at least 30 days in advance when adding a new sub-processor or changing an existing one.
The Data Controller may object with reasonable grounds within 14 days of the notification date. If the objection cannot be resolved, the Data Controller may terminate the agreement.
6. International Data Transfers
Hareki LLC is US-based, and personal data is processed on servers in the USA. The following protection mechanisms apply for data transfers from the EU/EEA or Turkey:
- Standard Contractual Clauses (SCC): The current Standard Contractual Clauses under the European Commission's Implementing Decision of June 4, 2021 (2021/914) apply.
- EU-U.S. Data Privacy Framework: Considered as an additional protection mechanism to the extent that sub-processors' relevant certifications are valid.
- Additional protection measures: End-to-end encryption (TLS 1.3), pseudonymization, and access controls are applied to transferred data.
- KVKK compliance: For transfers from Turkey, necessary commitments and compliance with Board decisions are ensured under KVKK Article 9 of Law No. 6698.
7. Data Breach Notification
In case a personal data breach is detected, Hareki LLC:
- Notifies the Data Controller in writing within 72 hours at the latest from the moment the breach is discovered.
- The notification includes the following information:
  - Nature and scope of the breach
  - Affected data categories and estimated number of records
  - Possible consequences of the breach
  - Measures taken and recommended measures
  - Contact person's information
- Takes immediate necessary measures to mitigate the effects of the breach and prevent recurrence.
- Provides full cooperation to the Data Controller during the investigation and reporting process.
- Documents all facts, effects, and corrective measures related to the breach.
8. Technical and Organizational Measures (Annex)
Security measures applied in accordance with GDPR Article 32:
8.1 Encryption
- Data in transit: TLS 1.3 protocol
- Data at rest: AES-256 encryption
- Database connections: SSL/TLS mandatory
- Backups: encrypted storage
8.2 Access Control
- Role-Based Access Control (RBAC)
- Supabase Row Level Security (RLS) — database-level isolation
- Tenant-based data separation — multi-tenant architecture
- Principle of least privilege
8.3 Authentication
- Password hash: bcrypt algorithm
- OAuth 2.0 integrations (Google, Apple, Microsoft, LinkedIn)
- Session management: JWT token, secure cookie
- Rate limiting: brute-force protection
8.4 Monitoring and Logging
- Application error tracking: Sentry
- Access logs and audit trail
- Abnormal activity detection
8.5 Backup and Disaster Recovery
- Daily automatic database backup
- Geographically distributed backup
- Point-in-time recovery capability
- Disaster recovery plan and regular testing
8.6 Personnel and Organization
- Data protection awareness training
- Confidentiality agreements (NDA)
- Regular access authorization review
- Security incident response procedures
9. Term and Termination
- This DPA becomes effective upon the Terms of Use coming into force and remains in effect for the duration of the service relationship.
- Upon termination of the service relationship, the Data Processor deletes or returns all personal data to the Data Controller within 30 days.
- Data retained under legal retention obligations is automatically deleted at the end of the relevant period.
- Written confirmation is sent to the Data Controller when the data deletion process is completed.
10. Applicable Law
- GDPR: European Union General Data Protection Regulation (Regulation 2016/679) — applicable for EU/EEA citizens' data.
- KVKK: Law No. 6698 on the Protection of Personal Data — applicable for Republic of Turkey citizens' data.
- Dispute resolution: Disputes between the parties shall first be attempted to be resolved amicably. If resolution cannot be achieved, the courts of New Mexico, USA shall have jurisdiction.
Last updated: March 12, 2026 · Contact: legal@hareki.com