Applicable jurisdiction
These documents are presented for the United States. KeyBrox is operated by a Turkish company (ASTRAL GAYRİMENKUL DANIŞMANLIK TİC. LTD. ŞTİ.); Turkish law governs the agreement, while your mandatory local data-protection and consumer rights remain reserved and unaffected.
Data-protection framework: CCPA / CPRA · Supervisory authority: the California Privacy Protection Agency or your State Attorney General
Data Processing Agreement
This Data Processing Agreement (the “Agreement”) governs the personal-data processing relationship between the Broker who opens a virtual office on the KeyBrox platform (the “Data Controller”) and ASTRAL GAYRİMENKUL DANIŞMANLIK TİCARET LİMİTED ŞİRKETİ, which operates the platform’s technical infrastructure (the “Data Processor”).
The governing law is Turkish law; however, your mandatory data-protection rights under the laws of your country of residence (GDPR, UK-GDPR, CCPA, LGPD, etc.) are reserved and cannot be limited by this Agreement.
1. The Parties
| Role | Party | Description |
|---|---|---|
| Data Controller | Broker Office | The party that decides on the processing of its agents’ and clients’ personal data and determines the purposes and means of processing. |
| Data Processor | ASTRAL GAYRİMENKUL DANIŞMANLIK TİCARET LİMİTED ŞİRKETİ | The party that processes personal data through the platform’s technical infrastructure on the Data Controller’s instructions. |
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, such as obtaining, recording, storing, retaining, altering, reorganising, disclosing, transferring, classifying, or restricting use.
- Data Controller: The party that determines the purposes and means of processing (the Broker).
- Data Processor: The party that processes personal data on behalf of and on the instructions of the Data Controller (ASTRAL / KeyBrox).
- Sub-processor: A third party authorised by the Data Processor to carry out part of the processing activities.
- Data Subject: The natural person whose personal data is processed.
- Personal Data Breach: The unlawful acquisition, loss, alteration, or unauthorised access of processed personal data.
- Platform: The KeyBrox SaaS application and related API services accessible via keybrox.com.
3. Subject Matter and Scope of Processing
3.1. Categories of Personal Data Processed
| Category | Examples |
|---|---|
| Identity data | First name, surname, national ID / tax number (for accounting) |
| Contact data | Phone, e-mail, business address |
| Financial data | Commission, invoice, payment information |
| Professional data | Performance metrics, transaction history, portfolio |
| Location data | GPS (panic button, showings, AR pricing) |
| Digital trace | IP, device information, session logs |
| Visual/audio | Profile photo, signature, mediation files |
For Broker offices operating in Turkey, identity data may include the Turkish national identity number (T.C. kimlik no); this data is processed solely for accounting and invoicing obligations.
3.2. Categories of Data Subjects
- Broker-office agents (employees)
- Broker-office clients (prospective buyers/sellers)
- Property owners (listing providers)
- Visitors (showing participants)
3.3. Purpose of Processing
The Data Processor processes personal data solely for the purpose of providing the Platform service and in accordance with the Data Controller’s written instructions. These purposes are:
- Providing CRM functions (portfolio, matching, messaging)
- Transaction and commission management
- Gamification modules (XP, leaderboard calculation)
- Sending push notifications
- Reporting and analytics (in anonymised/aggregated form)
- Security (panic button, access logs)
- Backup and disaster recovery
4. Processing Instructions
- The Data Processor processes personal data only in accordance with the Data Controller’s written instructions (including the Platform terms of use).
- If the Data Processor considers an instruction to be unlawful, it shall immediately notify the Data Controller.
- The Data Processor may not process personal data for its own purposes beyond the instructions.
- Platform features (gamification, mediation, assist chain) fall within the general processing instruction; the Broker may enable/disable these modules from account settings.
5. Security Measures
The Data Processor implements the following technical and organisational security measures under GDPR Article 32 (and KVKK Article 12 in Turkey):
5.1. Technical Measures
| Measure | Detail |
|---|---|
| Transport encryption | TLS 1.3 (all HTTP traffic over HTTPS) |
| Storage encryption | AES-256-GCM (session cookies), bcrypt (passwords, never plaintext) |
| Access control | RBAC (Broker/Agent/Admin), JWT authentication (15-min access / 30-day refresh) |
| Tenant isolation | Multi-tenant data separation (user_id + office_id filter) |
| Firewall | Cloudflare WAF + DDoS protection |
| Backup | Daily automatic (7-day retention), 4-hourly incremental |
| Log management | Access logs kept immutable (for retention period see 11.2) |
| Security testing | Periodic vulnerability scanning, dependency auditing |
| Pseudonymisation | Phone numbers via SHA-256 hash (mediation, assist) |
5.2. Organisational Measures
- All personnel sign a confidentiality agreement.
- Annual data-protection awareness training.
- Access-authorisation matrix: least-data principle (need-to-know).
- Data-processing inventory and records system.
- Internal audit every 6 months.
- Off-boarding procedure for departing personnel (immediate access revocation).
6. Sub-processors
6.1. Current Sub-processors
The Data Processor works with the following sub-processors. By accepting this Agreement, the Data Controller grants general authorisation for the use of these sub-processors:
| Sub-processor | Location | Purpose of Processing | Safeguard |
|---|---|---|---|
| Vercel Inc. | USA | Frontend hosting, edge rendering, CDN | SCC + SOC 2 Type II |
| Hostinger International | Lithuania (EU) | Backend hosting, database | GDPR-adequate (EU location) |
| OneSignal Inc. | USA | Push notification infrastructure | SCC + DPA |
| Google LLC (Gemini) | USA/EU | AI Assistant — chat, listing-text generation | SCC + DPA + not used for model training |
| Google LLC (Firebase) | USA/EU | FCM mobile push infrastructure | SCC + ISO 27001 |
| Cloudflare Inc. | Global | CDN, DNS, WAF security | SCC + ISO 27001 + SOC 2 |
6.2. Adding a New Sub-processor
- Before adding a new sub-processor, the Data Processor notifies the Data Controller at least 30 days in advance via in-platform notice and e-mail.
- The Data Controller may object in writing within 15 days.
- In the event of an objection, the parties seek a reasonable solution; if none is found, the Data Controller may terminate the Agreement.
- The Data Processor signs a written agreement with sub-processors containing security commitments at least at the level of this Agreement.
7. Personal Data Breach Notification
7.1. Notification Timeline
The Data Processor notifies the Data Controller within 24 hours at the latest after becoming aware of a personal data breach. This deadline is triggered before the 72-hour supervisory-authority notification window under GDPR Article 33, so that the Data Controller can fulfil its legal obligation in time.
7.2. Notification Content
The breach notification includes the following information:
- The nature of the breach (access, deletion, alteration, disclosure)
- The categories of data affected and the estimated number of records
- The categories of data subjects affected
- The likely consequences of the breach
- The measures taken and recommended
- Contact-person details
7.3. Response Plan
- 0-2 hours: Detect the breach, determine the scope of impact, cut off access.
- 2-24 hours: Notify the Data Controller, initiate forensic investigation.
- 24-72 hours: The Data Controller notifies the relevant supervisory authority; decision on notifying data subjects.
- After 72 hours: Root-cause analysis, implementation of preventive measures, closure report to the Data Controller.
8. International Data Transfers
8.1. Transfer Mechanisms
For transfers of data to countries outside the EU/EEA via sub-processors, the following mechanisms are used:
- EU Standard Contractual Clauses (SCC): The standard clauses approved by the European Commission’s Implementing Decision 2021/914.
- Supplementary Technical Measures: TLS 1.3 encryption in transit, AES-256 in storage, pseudonymisation.
- Transfer Impact Assessment (TIA): The access powers in each sub-processor’s host country (e.g. FISA 702) have been assessed.
For UK transfers the UK IDTA/Addendum applies, and for other jurisdictions equivalent lawful transfer mechanisms are used.
9. Right to Audit
- The Data Controller has the right to audit the Data Processor’s compliance with this Agreement once a year (or following a data breach).
- An audit is requested in writing at least 30 days in advance.
- The audit is conducted during business hours in a manner that does not disrupt the Data Processor’s business continuity.
- The Data Processor may share independent third-party audit reports (SOC 2, ISO 27001) with the Data Controller; by mutual agreement, these reports may replace an on-site audit.
- Audit costs are borne by the Data Controller (except for audits arising from a data breach).
10. Term and Termination
10.1. Term
This Agreement begins on the same date as the Platform membership agreement and remains in effect for as long as the membership continues. Upon termination of the membership agreement, this Agreement automatically terminates.
10.2. Grounds for Termination
- Termination of the Platform membership agreement for any reason.
- A material breach by the Data Processor of its obligations under this Agreement that is not remedied within a 30-day cure period.
- An unresolved objection to a sub-processor change.
- Processing becoming impossible due to a change in legislation.
11. Return and Destruction of Data
11.1. Upon Termination
- Within 30 days of termination, the Data Controller may request the return of its data (in JSON/CSV format) or its destruction.
- If no request is made, the Data Processor irreversibly destroys all personal data 90 days after termination.
11.2. Destruction Methods
- Database records: Permanent deletion (DELETE + VACUUM) or cryptographic erasure (destruction of the encryption key).
- Files (images, documents): Overwrite and deletion at the file-system level.
- Backups: Naturally expire within the backup-cycle period (7 days); additionally, a manual purge is performed.
Log records (Turkey): Access/traffic logs are retained for 2 years pursuant to Law No. 5651; they are automatically deleted once the statutory retention period expires.
11.3. Destruction Certificate
Once destruction is complete, the Data Processor sends the Data Controller a written “Data Destruction Certificate” stating the date, method, and scope of destruction.
12. Duty to Cooperate
The Data Processor cooperates with the Data Controller in the following situations:
- Data-subject rights requests (access, erasure, rectification, portability): provides the necessary information within 5 business days at the latest.
- Data Protection Impact Assessment (DPIA): shares the necessary technical information and risk assessment.
- Investigation by the competent data-protection authority or relevant body: provides the requested information and documents in good time.
13. Liability and Indemnity
- The Data Processor indemnifies the Data Controller for damages suffered as a result of conduct contrary to the obligations set out in this Agreement.
- The Data Processor’s maximum liability shall not exceed the total platform fees received in the 12 months preceding the year in which the damage occurred (except in cases of gross negligence and wilful misconduct).
- The Data Controller is responsible for damages arising from incorrect or incomplete instructions.
14. Governing Law and Jurisdiction
This Agreement is governed by the laws of the Republic of Türkiye. Notwithstanding the foregoing, the mandatory data-protection and consumer-protection rights of the data subject’s/user’s country of residence are reserved, and this clause does not affect those rights.
15. Contact
Data Processor (ASTRAL GAYRİMENKUL DANIŞMANLIK TİCARET LİMİTED ŞİRKETİ):
Data Protection Officer: kvkk@keybrox.com
KEP: astralgayrimenkuldanismanlik@hs01.kep.tr
Address: Aksoy Mahallesi Girne Caddesi 36/3 Zemin Kat, Karşıyaka/İzmir, Türkiye
Phone / WhatsApp: +90 505 869 00 81
16. Annexes
- Annex 1: Details of categories of personal data processed and categories of data subjects (Section 3 of this Agreement).
- Annex 2: Details of technical and organisational security measures (Section 5 of this Agreement).
- Annex 3: List of sub-processors (Section 6.1 of this Agreement — the current list is published via the Platform).
- Annex 4: EU Standard Contractual Clauses (SCC) — copies signed with the relevant sub-processors are provided on request.
