1. Introduction

This Data Processing Addendum (“DPA”) forms part of the agreement between the customer (“you”, “your”, “the business”) and GoDigital2Achieve Ltd (“GoDitach”, “we”, “our”, “us”).

This DPA applies to all websites, platforms, products, services, and subdomains operated by GoDitach, including all current and future domains and service pages used to deliver GoDitach-branded services.

This document is prepared to align with the UK Data Protection Act, GDPR, CCPA, and applicable requirements under the Turkish KVKK.

GoDitach is a UK-registered company, and the English version of this DPA is the legally binding version.

2. Roles of the Parties

2.1 Customer as Data Controller

The customer is the Data Controller for all personal data submitted, uploaded, imported, collected, or generated through GoDitach’s services.

The customer determines:

• The purpose of processing

• The legal basis of processing

• The content of all communications

• The timing and recipients of all messages

• All consent and permission requirements

The customer is solely responsible for ensuring compliance with GDPR, UK DPA, CCPA, KVKK, CAN-SPAM, and all relevant messaging and advertising regulations.

2.2 GoDitach as Service Provider / Technical Infrastructure Provider

GoDitach does not act as a Data Controller or independent Data Processor for customer data.

GoDitach provides access to a third-party professional software infrastructure enabling automation, communication, CRM functions, review management, and related capabilities.

GoDitach does not determine:

• What data is processed

• Why the data is processed

• How or when messages are sent

• The recipients of communications

GoDitach supplies the technical environment, while the customer controls all data-related decisions.

3. Customer Responsibilities

The customer agrees that:

• All personal data is processed under the customer’s exclusive direction

• The customer obtains all required consents from data subjects

• All messages, automations, reminders, review requests, WhatsApp/SMS/email sequences are sent on behalf of the customer, not GoDitach

• All uploaded/imported data is lawful and compliant

• Sector-specific rules (healthcare, finance, education, etc.) are the customer’s responsibility

• Access credentials must be kept secure

• Any data uploaded by the customer must comply with applicable privacy laws

4. GoDitach Responsibilities

GoDitach agrees to:

• Provide a secure hosted platform environment

• Implement industry-standard security controls

• Restrict unauthorized access

• Maintain platform availability except during planned or emergency maintenance

• Not access customer data unless required for technical support or security

• Not sell, share, or commercially exploit customer data

• Ensure subprocessors follow industry-standard safeguards

GoDitach does not validate or approve message content, contact lists, or permission records.

5. Assistance With Automation Configuration

To support onboarding and implementation, GoDitach may assist with technical setup activities.

However, GoDitach does not assume the role of Data Controller or Data Processor.

“GoDitach may assist the customer by configuring automation workflows, templates, triggers, integrations, review-collection flows, and other technical settings required for the customer’s system setup. However, all activations, message content, recipient selection, timing, consent collection, and communication triggers occur strictly under the customer’s sole direction as the Data Controller. GoDitach does not initiate or authorize messaging on behalf of the customer and does not determine the purpose or legal basis of any processing activities.”

This clause legally protects GoDitach while allowing full automation setup services.

6. Subprocessors / Third-Party Infrastructure Providers

The customer acknowledges that GoDitach uses third-party infrastructure to host and deliver its services, including:

• Global hosting providers

• Messaging gateways (SMS, WhatsApp, Email)

• Automation and workflow engines

• Communication and marketing API tools

• Secure backup and storage providers

These subprocessors operate under industry-standard compliance frameworks (e.g., GDPR-aligned safeguards).

7. International Data Transfers

Because GoDitach relies on global technical infrastructure, personal data may be stored or processed outside the customer’s country.

Such transfers occur solely due to the nature of the hosting infrastructure and do not represent an independent data-transfer decision made by GoDitach or by the customer.

(This avoids KVKK/GDPR “intentional transfer” risk.)

8. Security Measures

GoDitach implements industry-standard safeguards including:

• Encryption in transit

• Role-based access controls

• Logging and system monitoring

• Secure hosting environments

• Regular updates and vulnerability management

9. Data Subject Requests

If GoDitach receives a request from a data subject (access, correction, deletion, etc.), it will forward the request to the customer.

Responding to such requests is the customer’s sole responsibility as the Data Controller.

10. Incident Notification

If unauthorized access or a data breach affecting the customer’s data is detected, GoDitach will notify the customer without undue delay.

11. Termination

Upon termination:

• Customer access to GoDitach services will end

• Data may be deleted according to platform retention policies

• Backups may remain temporarily for security and continuity purposes

12. Contact

GoDigital2Achieve Ltd

London, United Kingdom

[email protected]