> hakkinda > sartlar ve politikalar > KVKK & Standard Contractual Clauses (SCC) Position Paper)

KVKK & Standard Contractual Clauses (SCC) Position Paper)

KVKK & Standard Contractual Clauses (SCC) Position Paper)
PDF (İngilizce)

KVKK & Standard Contractual Clauses (SCC) Position

Effective starting: September 24, 2025

Purpose: Compliance positioning for customers subject to KVKK (Law No. 6698) and cross-border data transfer requirements

1. Purpose and Scope

This document outlines how ProcessMind positions itself with respect to:

  • The Turkish Personal Data Protection Law (KVKK – Law No. 6698)
  • EU Standard Contractual Clauses (SCCs) for cross-border data transfers

It is intended to support customer compliance assessments, procurement processes, and regulatory discussions, particularly in regulated industries such as banking and financial services.

2. Roles and Responsibilities under KVKK

In a typical deployment:

  • Customer acts as the Data Controller under KVKK
  • ProcessMind acts as the Data Processor

ProcessMind processes personal data solely on documented customer instructions and does not determine the purposes or means of processing. Details on our processing activities are set out in our Data Processing Addendum.

This role allocation aligns with KVKK Articles 3, 10, and 12, and mirrors the processor obligations under GDPR Article 28.

3. Alignment with KVKK Principles

KVKK is largely aligned with GDPR in terms of its core data protection principles. ProcessMind is designed in accordance with these principles, including:

  • Lawfulness and purpose limitation
  • Data minimization and proportionality
  • Accuracy and retention limitation
  • Confidentiality and security of processing

ProcessMind does not require directly identifiable personal data to deliver process mining insights. Customers retain full control over which data attributes are ingested, masked, pseudonymized, or excluded.

4. Technical and Organizational Measures (TOMs)

ProcessMind implements appropriate technical and organizational measures to protect personal data, including but not limited to:

  • Encryption of data in transit and at rest
  • Role-based access control and least-privilege principles
  • Audit logging and traceability of access
  • Secure tenant isolation
  • Configurable data retention and deletion mechanisms

These measures are designed to support compliance with KVKK Article 12 and SCC security requirements. For more details, see our Privacy Policy and security measures documentation.

5. Sensitive Data and Regulated Environments

ProcessMind is suitable for use in regulated environments, including banking, where event logs may contain employee or customer-related identifiers.

The platform supports:

  • Pseudonymized identifiers in event logs
  • Attribute-level data exclusion or masking
  • Customer-controlled ingestion pipelines

Customers remain responsible for ensuring a lawful processing basis and for determining whether explicit consent or other legal grounds apply under KVKK.

6. Cross-Border Data Transfers & SCCs

Where personal data is transferred outside Turkey or the EU, ProcessMind supports the execution of EU Standard Contractual Clauses (SCCs) as part of its Data Processing Addendum.

Key points:

  • SCCs are executed between the Data Controller and ProcessMind as Data Processor
  • SCCs apply only where cross-border transfers occur
  • SCCs are supplemented by ProcessMind’s technical and organizational safeguards

Upon request, ProcessMind can provide information required to support SCC transfer impact assessments.

7. Shared Responsibility Model

KVKK compliance is a shared responsibility:

  • Customers are responsible for lawful basis, transparency obligations, and data subject rights
  • ProcessMind is responsible for secure processing, confidentiality, and adherence to customer instructions

This shared model ensures regulatory clarity and operational accountability.

8. Conclusion

ProcessMind positions itself as a GDPR-first, KVKK-compatible process intelligence platform that supports regulated customers through:

  • Clear processor role definition
  • Strong technical and organizational safeguards
  • Support for SCC-based cross-border data transfers
  • Customer-controlled data governance

ProcessMind does not claim KVKK certification but enables customers to deploy the platform in a KVKK-compliant manner.

For additional information, please review our Privacy Policy and Data Processing Addendum.

ProcessMind
Integrated Process Intelligence, designed for clarity, security, and trust.