Effective Date: March 25, 2026
Carna Test Platform is committed to compliance with the General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law (KVKK). This page outlines our data protection practices and your rights as a data subject.
1. Our Role
- Organizations using Carna Test Platform act as Data Controllers — they determine the purposes and means of processing their participants' personal data
- Carna Test Platform acts as a Data Processor — we process personal data on behalf of organizations according to their instructions
For individual users who register directly (not through an organization), Carna is the Data Controller for that data, since it determines the purposes and means of processing itself.
2. Legal Bases for Processing
We process personal data under the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Account creation and authentication | Contract performance |
| Delivering test results and certificates | Contract performance |
| Platform analytics and improvement | Legitimate interest |
| Email notifications | Consent / Contract performance |
| Legal compliance and security | Legal obligation |
3. Data Processing Agreement (DPA)
Organizations on Professional and Enterprise plans can request a Data Processing Agreement that covers:
- Scope and purpose of data processing
- Data subject categories and data types
- Sub-processor list and notification procedures
- Data breach notification commitments (within 72 hours)
- Data deletion and return procedures
Contact legal@carnatest.com to request a DPA.
4. Data Subject Rights
Under GDPR and KVKK, you have the right to:
Right of Access
Request a copy of all personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete personal data.
Right to Erasure
Request deletion of your personal data (subject to legal retention requirements).
Right to Data Portability
Receive your data in a structured, machine-readable format (JSON/CSV).
Right to Restrict Processing
Request limitation of processing in certain circumstances.
Right to Object
Object to processing based on legitimate interest.
Right to Withdraw Consent
Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, email privacy@carnatest.com with your request. We will respond within 30 days.
5. Data Protection Measures
Technical Measures
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Regular penetration testing and security audits
- Access control with role-based permissions
- Automated backup with encryption
Organizational Measures
- Staff data protection training
- Incident response procedures
- Vendor security assessments
- Privacy by design in product development
6. Sub-Processors
We use the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Cloudflare | CDN, DDoS protection | Global (EU data centers) |
| Neon | Database hosting | EU (Frankfurt) |
| Resend | Transactional email | EU |
| PostHog | Product analytics | EU |
We notify organizations of any sub-processor changes 30 days in advance.
7. International Transfers
All primary data processing occurs within the European Union. Where transfers outside the EU are necessary, we ensure appropriate safeguards through Standard Contractual Clauses (SCCs).
8. Data Breach Procedures
In the event of a data breach:
- We notify affected organizations within 72 hours of becoming aware
- We provide full details of the breach scope and affected data
- We assist organizations in fulfilling their notification obligations to supervisory authorities and data subjects
9. Data Protection Officer
For data protection inquiries:
- Email: dpo@carnatest.com
- Address: Carna Test Platform, Istanbul, Turkey
10. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
- Turkey: Kişisel Verileri Koruma Kurumu (KVKK) — kvkk.gov.tr
- EU: Your local data protection authority
