GDPR Article 28 Compliant

Data Processing Agreement

Last updated: October 2025

Effective Date: Upon Customer Acceptance

This Data Processing Agreement (DPA) forms an integral part of the Terms of Service between EsimPanel.io (Processor) and Customer (Controller). This DPA is designed to comply with the requirements of GDPR Article 28, UK GDPR, and Turkish KVKK regulations.

Legal Framework:

  • EU General Data Protection Regulation (GDPR)
  • UK GDPR
  • Turkish Personal Data Protection Law (KVKK)
  • Data Protection Act 2018 (UK)

1. Definitions and Interpretation

Data Controller

The Customer operating the white-label eSIM marketplace, responsible for determining the purposes and means of processing personal data.

Data Processor

EsimPanel.io, providing secure data storage and platform services without independent use of the data.

Personal Data

Any information relating to an identified or identifiable natural person processed through the EsimPanel platform.

Processing

Any operation performed on personal data, limited strictly to storage, backup, and security operations.

Sub-processor

Third-party service providers engaged by EsimPanel to support platform operations.

Data Subject

End-users purchasing eSIMs through the Customer's white-label platform.

Sensitive Data

Special categories of personal data as defined under GDPR Article 9, explicitly excluded from processing.

2. Scope and Purpose of Processing

Authorized Processing Purposes

• Secure storage of end-user personal data
• Platform operation and eSIM delivery services
• Backup and disaster recovery operations
• Security monitoring and audit logging

Explicitly Excluded

• Data selling, renting, or trading
• Marketing or advertising use
• Data profiling or commercial analytics
• Cross-customer data sharing
• Independent data processing without Controller's instructions

Processing Limitations

EsimPanel.io acts solely as a data storage provider, with no independent right to use, analyze, or repurpose the data.

3. Data Controller and Processor Obligations

Data Controller Obligations

• Ensure legal basis for data collection
• Manage data subject consent
• Provide comprehensive privacy notices
• Maintain GDPR/KVKK compliance
• Complete VERBİS registration if applicable
• Provide clear processing instructions to Processor

Data Processor Obligations

• Implement and maintain AES-256 encryption for data storage
• Enforce strict access controls and authentication mechanisms
• Maintain comprehensive audit logging of data access
• Conduct annual independent security assessments
• Provide immediate breach notification
• Comply strictly with Controller's documented instructions

4. Nature and Categories of Personal Data

Collected Data Categories

• Identity Data: Name, email, phone number
• Transaction Data: eSIM purchases, payment records
• Device Data: IMEI, device type for eSIM activation
• Geographic Data: Country, city for eSIM coverage
• Authentication Data: Hashed passwords, API tokens

Excluded Data Categories

• Payment card details (processed via PCI-DSS compliant Stripe)
• Sensitive personal data (health, religion, political views)
• Children's personal data

Data Minimization

Only data necessary for eSIM marketplace operation will be collected and stored.

5. Sub-processors

Current Sub-processors

• Amazon Web Services (AWS) - Hosting and secure data storage (EU data centers)
• Stripe - Payment processing (United States; EU Standard Contractual Clauses applied)
• AirAlo - eSIM provisioning (Global)
• Maya Mobile - eSIM provisioning (Global)

Sub-processor Requirements

• GDPR compliance certification mandatory
• Individual data processing agreements required
• Annual security audit documentation
• Breach notification obligations
• Customer approval required for new sub-processors

Addition Process

Customer will receive 30 days' notice before any new sub-processor is added.

6. Security Measures

Technical Measures

• AES-256 encryption at rest
• TLS 1.3 encryption in transit
• bcrypt password hashing
• Multi-factor authentication
• Automatic API token rotation
• Advanced firewall and intrusion detection systems

Organizational Measures

• Role-based access control policies
• Comprehensive audit logging
• Mandatory employee confidentiality agreements
• Regular security awareness training
• Formal incident response plan
• Annual third-party penetration testing

This Data Processing Agreement is a legally binding document. Any modifications must be made in writing and agreed upon by both parties.

By using EsimPanel.io services, the Customer acknowledges and accepts the terms of this Data Processing Agreement.

Questions About This DPA?

For questions about this Data Processing Agreement, contact [email protected]. For data protection inquiries: [email protected]