Data Processing Agreement

Last updated: Version 1.0 · Legal basis: KVKK Articles 8, 12

This agreement is formed electronically and becomes binding on both parties upon registration on the VerifyBlind partner portal (Electronic Signature Law No. 5070).

On Legal Structure:VerifyBlind and the Partner are each independent Data Controllers with respect to their own users (KVKK Art. 3/1-ı). VerifyBlind processes the end-user's identity data under its own privacy policy and infrastructure; the Partner processes the minimum verification result (true/false + nonce) transmitted by VerifyBlind for its own purposes and under its own responsibility. This agreement governs the data transfer framework and mutual obligations between two independent data controllers.

1. Parties

Service Provider / Data Controller (vis-à-vis End Users)

Ercüment Eşkar

VerifyBlind

[email protected]

Partner / Independent Data Controller (vis-à-vis Its Own Users)

Company name and contact details from the registration form

2. Data Transmitted by VerifyBlind to the Partner

VerifyBlind transmits only the following data to the Partner:

Field	Format	Description
verified	boolean	Whether verification was successful
scope_results	{scope: boolean}	Per-scope results (e.g. age: true)
nonce	UUID	Unique transaction identifier
timestamp	ISO 8601	Transaction timestamp

Data never transmitted: National ID number (TCKN), full name, date of birth, actual age value, biometric data, facial image, NFC contents.

3. Partner Obligations

Independent KVKK Compliance

As an independent data controller, the Partner is responsible for fulfilling all KVKK obligations towards its own users (Art. 10 disclosure, Art. 11 rights, Art. 12 security, VERBİS registration). These obligations cannot be delegated to VerifyBlind.

Data Minimisation

The Partner shall use verification results only in proportion to the stated purpose. The Partner may not attempt to re-identify users from verification results.

Disclosure Obligation

The Partner is obliged to provide its own users with a disclosure notice under KVKK Art. 10. The notice must explicitly state that "biometric verification is performed via VerifyBlind." This obligation rests with the Partner.

Revoke (Consent Withdrawal) Notifications

Upon receiving a revoke notification from VerifyBlind, the Partner is obliged to immediately invalidate or flag the relevant transaction record in its own system. Maintaining a working callback_url is the Partner's responsibility.

Security Measures

The Partner shall protect verification results against unauthorised access using appropriate technical safeguards (minimum TLS 1.2, access control). Verification results shall not be retained longer than necessary.

Breach Notification

If a security breach related to VerifyBlind data is detected in its own systems, the Partner shall notify VerifyBlind within 48 hours ([email protected]).

4. VerifyBlind Obligations

✓Processes user identity data in encrypted memory inside AWS Nitro Enclave
✓Transmits to the Partner only the minimum data defined in Section 2
✓Encrypts API traffic with TLS
✓Sends revoke notifications to the Partner's callback_url within 72 hours and records them
✓Provides 30 days' notice of changes that affect the scope of this Agreement

5. Termination

This agreement terminates upon closure of the Partner account, termination by VerifyBlind, or written mutual agreement. After termination, the Partner shall destroy or anonymise all data containing VerifyBlind verification results.

6. Electronic Acceptance

Ticking the checkbox during registration constitutes acceptance of this Agreement under Electronic Signature Law No. 5070. The acceptance record (date, IP, email) is stored in the system.

Governing law: Turkish Law · Competent court: [CITY — e.g. Istanbul / data controller's registered address]

Disclosure Notice →Privacy Policy →Terms of Use →Cookie Policy →Data Processing Agreement →