ARTICLE 1 - THE PARTIES

On one side, located at İçerenköy Mah. Üsküdar İçerenköy Yolu Cad. No:8/34 Ataşehir, Istanbul GÜLER CUSTOMS CONSULTANCY INC., (DATA CONTROLLER / DATA PROCESSOR) on the other hand, located at …………………………….. …………………………………..(DATA CONTROLLER / DATA PROCESSOR) have agreed to the following terms.

In the following articles GÜLER CUSTOMS CONSULTANCY INC. "GÜLER"‘, ………………………………………….. "Company" will be referred to as such. GÜLER and the Company together "Parties", individually "Party" .

ARTICLE 2 - PURPOSE - DEFINITIONS

Purpose: The purpose of this agreement is to regulate the mutual rights, principles, and responsibilities of the Parties in the event that they come into contact with any confidential information/personal data provided by the Parties to each other for the preparation of work plans covering the services to be provided/received between the Parties and any discussions and negotiations conducted in connection with or related to the establishment of a business relationship, as well as all work to be carried out within the scope of the project, and in the context of the business relationship, in relation to the service, during the performance of the contract; employees, shareholders, interns, contractor employees, and business partners, the Parties shall regulate their mutual rights, principles, and responsibilities.

Confidential Information: If either party or a third party acting on its behalf discloses a business plan to the other party for purposes related to the Agreement, either before or after the date of signing this Agreement, (whether in writing, verbally, on paper, CD, external memory, or any other medium or device) business plans, reports or data prepared by the disclosing party or any other organization on its behalf, financial models, financial simulations and examples, and any other information, including but not limited to the disclosing party's marketing and service activities, processes, plans, objectives, product information, know-how, design rights, trade secrets, software, computer programs, source code, specifications, market opportunities, customers, project names, activities, and business matters, as well as any and all information and data related thereto, including personal and special categories of personal data, but excluding the following information or data:

• Information that is or has become public knowledge without any breach of this Agreement by the receiving party, or information that the receiving party possessed or knew about prior to receiving it from the disclosing party, through its use or storage in its files, computers, or other recording media, and which was not previously received by the receiving party under any confidentiality obligation; or information or data that the receiving party demonstrates was developed independently at any time by or on behalf of the receiving party, without reference to the information disclosed by the disclosing party; or information or data that the receiving party obtained or acquired from another source without any breach of confidentiality or non-use obligations to the disclosing party, or to which the receiving party did not object when disclosed to it.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing of Personal Data: This refers to any operation performed on personal data, such as obtaining, recording, storing, preserving, modifying, reorganizing, disclosing, transferring, acquiring, making available, classifying, or preventing the use of such data, whether fully or partially automated or non-automated, provided that it is part of a data recording system.

Transfer of Personal Data : Personal data will be recorded, stored, classified, updated, and, where necessary, transferred to third parties within or outside the country for the purposes specified in this agreement.

KVKK: Law No. 6698 on the Protection of Personal Data dated March 24, 2016

Data Processor: A natural or legal person who processes personal data on behalf of the data controller based on the authority granted by the data controller.

Data Controller: A natural or legal person who determines the purposes and means of processing personal data and is responsible for establishing and managing the data recording system.

ARTICLE 3- PROTECTION AND USE OF CONFIDENTIAL INFORMATION/PERSONAL DATA

In exchange for the disclosure and disclosure of Confidential Information/Personal Data In exchange for the disclosure and disclosure of confidential information/personal data, each party shall not disclose the other party's Confidential Information/Personal Data as follows:

1. Confidential Information/Personal Data Keep confidential and use only for the intended purpose, not for any other purpose.
2. Except for any copying, reproduction, or transcription reasonably necessary for the purpose, and provided that the disclosing party retains ownership, Confidential Information/Personal Data .
3. The parties shall not disclose or share the confidential information/personal data provided to them with anyone other than employees and professional advisors who need to know such information; that they will oblige their employees and professional advisors to refrain from disclosing such confidential information/personal data within the context of the agreements they have made with them; and that they accept, declare, and undertake to compensate for any damages determined by a court decision in proportion to the fault in the event that these obligations are breached by themselves, their employees, or their professional advisors.
4. Belonging to the other party Confidential Information/Personal Data, and information of an intellectual property nature, by taking the security measures recommended by the KVK Authority and exercising the utmost care.
5. Any law or government authority or competent authority, the party receiving the information disclose any Confidential Information/Personal Data , the receiving party shall immediately notify the disclosing party of such request or order. The scope of the requested information shall be communicated between the parties in a manner proportionate to the purpose.
6. Confidential Information / Personal Data Upon learning that Confidential Information / Personal Data has been disclosed or used outside of the circumstances specified in this agreement, the receiving party shall immediately notify the disclosing party of this matter and shall take the necessary measures regarding the issues to which the disclosing party has been or may be exposed as a result of the aforementioned disclosure or use.
7. The parties agree, declare, and undertake that they will use the confidential information/personal data provided to them only in accordance with the relevant party's instructions, that they will keep the information they obtain confidential and will not use it in any other way.
8. The parties agree, declare, and undertake not to reproduce or transcribe any part of the confidential information/personal data disclosed to each other without the written consent of the other party.
9. Documents exchanged between the parties may not be used by any third party for any purpose without the written consent of the disclosing party.
10. If the parties are to send information or documents containing confidential and/or special category personal data as email attachments, they shall be sent in encrypted form. If encryption is not possible, they shall be delivered by courier on CD.
11. If the parties are to send information or documents containing personal data that is physically confidential and/or of a special nature, they shall send it in a sealed envelope addressed to the relevant party and with a special note attached.

ARTICLE 4 - OBLIGATION TO COMPLY WITH THE PERSONAL DATA PROCESSING LAW

1. During the preparatory period for the establishment of the contract, the parties shall act in accordance with the provisions of Law No. 6698 on the Protection of Personal Data and related legislation, including during the termination process, while fulfilling their obligations under the main contract.
2. The parties shall process the personal data to which they have access in a manner consistent with the subject matter and purpose of the main contract.
3. The parties shall process the personal data provided by the other party in accordance with the other party's instructions and guidance and shall not perform any actions contrary to these.
4. The parties shall guarantee the confidentiality and security of the data processed under the main contract and shall safeguard them. The parties' obligation to maintain confidentiality shall continue even after the termination of the contract.
5. If the parties need to employ personnel while performing services under the main contract, they shall inform the other party of this, provide training to their personnel on the KVK, and sign confidentiality agreements with their personnel.
6. The parties shall ensure privacy by default in the use of tools, software, and all services, including during installation. (privacy by default), and data minimization (data minimization), and data anonymization. Accordingly, the Company will use software and hardware that comply with the standards published in the Authority's Guidelines on the KVK.
7. The parties shall take all necessary technical and organizational (administrative) measures to protect personal data. In this context, they shall use up-to-date and licensed anti-virus software, take all necessary measures regarding network security, and ensure the security of environments such as computers and servers that process personal data in accordance with the methods specified in the Board's guidelines (e.g., encryption).
8. The parties shall not alter, delete, or destroy personal data without the consent and knowledge of the other party during the term of the main contract. Upon termination of the main contract and completion of the legal retention periods, either party shall notify the other party within three (3) business days following the completion of the deletion, destruction, or anonymization process. This notification shall terminate any obligations regarding the data. If the main contract is not signed, any confidential and/or personal data exchanged prior to the contract shall be destroyed within 3 (three) business days following the decision not to sign the contract, and the other party shall be notified.
9. The parties may request information from each other, when necessary, regarding compliance with the provisions of the KVK Law.
10. The Parties shall take all necessary measures to protect "sensitive personal data" within the meaning of Law No. 6698 and shall act in accordance with the Board's decisions and notifications on this matter.
11. If either party becomes aware of a situation involving a violation of personal data processing rules, it shall immediately inform the other party. Within the scope of this notification, the other party shall provide all necessary documents, information, and evidence for the relevant party's application to the competent authority.
12. If data subjects exercise their rights under Law No. 6698 and related legislation (such as the deletion, correction, or access of personal data), the Parties shall provide each other with all necessary support and facilitate the process. If either party requests information in this regard, the other party shall provide the requested information within a maximum of 3 (three) business days.
13. If the information technology infrastructure used by the parties and the corporate email service are provided from abroad, until the List of Safe Countries is published or until permission for the transfer of personal data abroad is obtained, the parties shall be responsible for informing the relevant persons and obtaining their explicit consent during the execution of the contract processes. They may request information from each other regarding the fulfillment of this obligation.
14. The parties shall ensure that any personal data contained in the information or documents they send, which goes beyond what is necessary for the performance of the service agreed upon in the main contract, is deleted, anonymized, redacted, or masked from the relevant information or document before sharing it. The parties shall be obligated to notify each other regarding any personal data shared by one party with the other that is not required by the nature of the work and to ensure that their systems are organized accordingly.
15. The Parties agree and undertake to protect Personal Data in the broadest sense. The Parties undertake not to use any Personal Data obtained at any time from the Data Subjects for any purpose unrelated to the performance of the main contract.
16. The parties acknowledge, declare, and undertake that they will delete and/or destroy and/or anonymize the Personal Data obtained during the contract process immediately at the end of the contract termination period and, in any case, at the end of the period required for the purpose of processing Personal Data or the period specified in the relevant legislation for the storage of documents, except for obligations arising from legislation regarding the storage of documents. (at the latest during the periodic destruction period).

ARTICLE 5 - METHOD OF COLLECTING PERSONAL DATA AND LEGAL BASIS

To fulfill legal obligations, to perform the employment contract, for reasons stipulated by law and at the express request of the parties in their legitimate interest, requested in advance during the establishment of the employment contract, and collected by recording, storing, and processing legal documents and notifications exchanged between the parties to fulfill legal obligations, or data that the parties choose to share with each other during the establishment of the employment relationship.

Personal data shall be processed in accordance with the purposes specified in the contracts concluded between the parties;

The processing of personal data belonging to the parties to the contracts is necessary for the establishment of the contracts, provided that it is directly related to their performance; it is mandatory for the parties to fulfill their legal obligations; it is mandatory for the establishment, exercise, or protection of a right; or it is necessary for the legitimate interests of the parties. processed, and transferred to third parties both within and outside the country.

ARTICLE 6 – RETURN AND DESTRUCTION OF CONFIDENTIAL INFORMATION/PERSONAL DATA

Each of the parties:

1. After completing other purpose-oriented organizations and activities, or upon written request from one of the parties, it agrees, declares, and undertakes to immediately return to the requesting party any tangible materials containing the information provided to it and all copies thereof.
2. After fulfilling their obligations, the parties agree, declare, and undertake to remain bound by the obligations set forth in Article 3 (third) of this agreement.

• Upon termination of the contract, the parties shall delete or destroy the personal data belonging to the other party's personal data categories in a manner that cannot be recovered, taking into account the Board's regulations and Guidelines and in accordance with the instructions given by the parties and the Personal Data Retention and Destruction Policy.

ARTICLE 7 - NON-FORMATION OF PARTNERSHIPS / TRANSFER OF PERSONAL DATA

7.1.Each party reserves all rights and no rights or obligations are granted to the other party except those expressly stated in this Agreement, nor can any such meaning be inferred. No provision of this Agreement or the implementation of this Agreement shall create an obligation for either party to enter into a proposed business relationship or prevent or restrict either party from continuing its business in a manner that does not violate the provisions of this Agreement.

7.2.Neither party shall transfer personal data without the written consent of the other party. In the event of a transfer of personal data, the parties shall ensure that the transferees also comply with the measures specified in this agreement.

7.3. Personal data belonging to the parties will not be sent to any country outside the borders of Turkey in any way and will not be processed or stored there (except in the case of corporate email being provided from abroad, such as Office 365, etc.). If the transfer of personal data abroad is involved, the parties shall obtain the other party's written consent and are obligated to implement the necessary KVKK applications, including obtaining explicit consent.

ARTICLE 8 - TERM AND TERMINATION

8.1. This Agreement shall enter into force on the date of its signing. While the main agreement and the confidentiality agreement constitute a single whole, this Confidentiality and KVKK Agreement shall also be valid independently.

8.2. Upon termination of the main contract and/or this contract by written agreement between the parties, personal/sensitive personal and confidential information/personal data remaining within the scope of personal data processing activities arising from the performance of the main contract shall be irrevocably destroyed after being stored for the period specified by law or in the storage and destruction policies. This agreement shall remain in force after the termination of the main contract relationship between the parties and following the return, destruction, or anonymization of confidential information/personal data, unless otherwise agreed.

8.3.The termination of the main contract and this Privacy and KVKK Agreement does not imply that confidential and personal data may be disclosed.

8.4.Damages arising from violations of privacy and the KVKK legislation shall give rise to a compensation obligation on the part of the party at fault.

ARTICLE 9 - NON-ASSIGNMENT

This Agreement is of a private nature and may not be assigned or otherwise transferred in whole or in part by either party without the prior written consent of the other party.

ARTICLE 10 - ENTIRE AGREEMENT, SEPARABILITY OF PROVISIONS

If the application of one or more provisions of this Agreement is found to be unlawful under applicable laws and regulations, the parties shall, in good faith, make every effort to establish alternative arrangements that are legally acceptable and as close as possible to the provisions of the Agreement in question. If any part of this Agreement is declared legally invalid by the competent authorities, the remaining part of the Agreement shall not be affected if it does not defeat the purpose of the Agreement, and the invalidated part shall be interpreted as if it had never been included.

ARTICLE 11– APPLICABLE LAW AND COMPETENT COURT

The interpretation, application, and consequences of this Agreement shall be governed in all respects by the laws of the Republic of Turkey, and the parties hereby agree to the exclusive jurisdiction of the Istanbul (Central) Courts and Enforcement Offices.

ARTICLE 12 - NOTIFICATIONS

Unless the change is notified to the other party in writing, any notification sent to the addresses specified in Article 1 (first) of this agreement shall be deemed to have been made to the parties.

If either Party fails to notify the other Party in writing of its new address within 7 (seven) business days of any change of address, any notifications sent to these addresses shall have all the legal consequences of a valid notification.

All notifications under this Agreement shall be made in writing and shall be sent to the party to whom the notification is addressed, addressed to the authorized person who signed this Agreement, by email or registered mail with return receipt requested. The date of notification shall be deemed to be the day following the date on which the notification was sent.

Data Controllers and Processors, in accordance with Article 11 of Law No. 6698; have the right to learn about the processing status of personal data, its purpose, and whether it is being used for its intended purpose; to know the third parties to whom personal data has been transferred; to request the correction of deficiencies; to request the deletion or destruction of personal data when the reasons for its processing no longer exist; to object; and to request compensation for damages. If the parties communicate their requests regarding these matters to each other using the methods set out below, they will respond to the request as soon as possible and within thirty days at the latest, depending on the nature of the request, in accordance with the second paragraph of Article 13 of the Law. To exercise the above-mentioned rights, please send your request to GÜLER, clearly stating that it relates to the KVKK, along with the necessary information to identify yourself and an explanation of the rights you wish to exercise as specified in Article 11 of the KVKK No. 6698. [email protected] to the email address ………………………………….. with a secure electronic signature.

ARTICLE 13 - ENTRY INTO FORCE

This agreement consists of 7 (seven) pages and 13 (thirteen) articles and has been mutually accepted by the parties and signed in 2 (two) copies on …./…./……, thereby entering into force.