DATA PROCESSING AGREEMENT
1. Parties
Data Controller: User
Data Processor: UR Work Yazilim ve Ticaret Ltd. Sti. (The unit operating the Platform)
Processing by Instruction
The Data Processor processes personal data only in accordance with the written or electronic instructions of the Data Controller and within the scope of this Agreement and the Main Agreement. The Data Processor may not use personal data on its own behalf or on behalf of third parties without the explicit instruction of the Data Controller.
2. Definitions
Personal Data: Any data relating to an identified or identifiable natural person as defined by KVKK and relevant legislation.
Processing: All operations on personal data such as recording, storage, modification, access, deletion, transfer.
3. Subject and Duration of Processing
Subject of Processing: User operations on the platform, fleet vehicle movements, management of shift, leave and personnel data.
Processing Duration: During the contract period and for legal retention periods after termination.
4. Categories of Personal Data Processed
- Name, surname, email, phone
- National ID number
- Employee information
- Department and leave information
- Payment information
5. Purpose and Method of Processing
Purpose: Execution of platform services, billing, support, maintenance and reporting.
Method: Storage in databases in an electronic environment, backup, access and management.
6. Data Security and Technical Measures
- Data will be stored in an encrypted environment
- Firewall and monitoring systems have been installed against unauthorized access to servers
- Regular backups will be made, access logs will be kept
- Unauthorized personnel data access will be prevented
The Data Processor shall notify the Data Controller in writing without delay and within 72 (seventy-two) hours at the latest upon learning of a breach relating to the personal data it processes. The notification is limited to available information about the nature of the breach, affected data categories, and measures taken or planned to be taken. The Data Processor is not exclusively responsible for notifying the breach to official authorities or data subjects; this obligation belongs to the Data Controller.
7. Sub-Processors and International Transfer
The Data Processor may use sub-processors when necessary for the performance of the service. Sub-processors are subject to at least the data security and confidentiality obligations stipulated in this Agreement. Liability arising from the acts of sub-processors is limited to the Data Processor's own fault within the scope of relevant legislation. Obtaining explicit consent for the transfer of personal data abroad, establishing legal grounds and ensuring compliance with relevant legislation is the responsibility of the Data Controller. The Data Processor carries out international transfers only in accordance with the instructions of the Data Controller and to the extent required by the service.
Sub-processors: AWS or other cloud providers
International transfer: Will be made with the explicit consent of the data subject and in accordance with KVKK.
8. Rights of Data Subject and Request Processes
The Data Controller may request an audit to supervise the compliance of data processing activities with legislation, provided that written notice is given within a reasonable time. Audits are carried out in a manner and to a reasonable extent that will not violate the Data Processor's trade secrets, system security and data belonging to other customers. The Processor shall fulfill the data subject's requests within 30 days. All data will be processed accurately, up-to-date and in compliance with legislation.
Liability
The Data Processor is responsible only for data security breaches arising from its own fault. All administrative, legal and criminal liability arising from data processing activities contrary to the instructions of the Data Controller, unlawful data entries or lack of explicit consent belongs to the Data Controller.
9. Termination of Agreement
Following the termination of this Agreement, personal data shall be deleted, destroyed or anonymized within 90 (ninety) days at the latest, except for periods required to be kept pursuant to relevant legislation. Upon written request of the Data Controller, technically feasible data may be returned to them.
Last Updated: December 31, 2024