Data Security and Privacy Plan

This Data Security and Privacy Plan (“Plan”) was executed by Ayasis Yazılım ve Bilişim Teknolojileri Anonim Şirketi (“the Company”), located at Yıldız Teknik Üniversitesi Davutpaşa Kampüsü Teknopark D2 Blok No: 1B06 Esenler/Istanbul, in its capacity as the “Data Controller”, and applies to all individuals (“Member”) who use the MentalUP products/services through the www.mentalup.net and www.mentalup.co web sites and the MentalUP mobile application (“MentalUP”) owned and operated by the Company.

When a Member uses MentalUP or communicates with MentalUP in any way, MentalUP collects information about the Member, according to the nature of the information and transaction and within the limits of existing technical capabilities. The Member acknowledges, declares, and undertakes that his/her personal information and data may be used by the Company and/or through MentalUP in the manner and for the purposes specified in this Plan.

The Company may collect the Member's personal information (user name, name if provided, IP address, the date and time of access, and the pages accessed on MentalUP) and the Member's activities on MentalUP in order to provide better service to the Member, to make suggestions, to improve its services, and to facilitate the Member's use of MentalUP in line with the Member's interests and preferences, within the framework of applicable legislation.

The information provided by the Member so that the Company can communicate with the Member, as well as the information obtained by the Company via cookies and similar technologies during the Member's activities on MentalUP, may be recorded, stored in printed or magnetic archives, updated whenever necessary, shared, transferred, used and processed by the Company in accordance with the personal data processing requirements and purposes set out in the applicable legislation. The information obtained may also be shared with, transferred to or processed by the Company's current and future affiliates, subsidiaries, shareholders, business partners, domestic and/or international program partners, service providers or third parties (including but not limited to legal and tax consultants, banks, and independent auditors) in order to carry out the Company's services and operations, to provide the services offered, and to fulfill related legal or contractual obligations. These purposes include providing certain services to the Member in connection with the use of MentalUP; completing the procedures necessary for payment where the goods and services provided are subject to a fee; informing the Member about the services rendered; responding to questions; ensuring that the necessary permissions are obtained from parents/legal representatives where the Member is between the ages of 13 and 18; performing a contract between the Company and the Member where processing is directly required for it; fulfilling the Company's legal obligations; and asserting rights or establishing a defense in relation to such personal data. In each case processing is limited to the stated purpose and to the period required for it. The information shared may be changed and updated by the Member at any time.

Data collected through MentalUP shall not be used or shared with third parties for purposes unrelated to improving the user experience or the software/hardware performance connected to MentalUP's functionality.

The data shared by the Member shall not be used, directly or indirectly, for the benefit of any third party for any reason whatsoever, and shall not be shared with, or copied in whole or in part and published by, any third party, firm or entity for purposes other than those set forth in this Plan without the express written permission of the Member. Additional authorization from the Member may be required where the relevant legislation makes it compulsory or where the data transmitted by the Member must be used for purposes other than those specified in this text. In that case the Member will be contacted and his/her explicit consent will be requested. If the Member does not consent, no additional data shall be obtained.

If the personal data provided to the Company by the Member is requested by official institutions/organizations as required by law, the data may be transmitted to the relevant authorities, and to the courts where a court so requests.

Opening an account may be required in order to access the services of the Company. By opening an account, the Member declares that he/she is at least 18 years old and that he/she understands and accepts these conditions. A Member who is under 18 but at least 13 years old and has the capacity to exercise discretion may provide his/her data only in the presence of a parent or legal representative. In that case the Member declares that his/her parent or legal representative has reviewed and accepted this Plan and that the data has been shared following that permission. No person under 13 (thirteen) years of age may become a Member of MentalUP directly or submit his/her own personal data directly.

Where the Company's internet sites contain links to other internet sites, the Company makes no commitment that the operators of those sites comply with data protection provisions. The Company shall not be responsible for the content of sites reached through links or similar methods.

Within the scope of the data he/she has provided to the Company, the Member may apply to the Company and is entitled to:

  • find out whether his/her personal data is being processed;
  • request information on his/her personal data, if it has been processed;
  • find out the purpose of processing his/her personal data and whether the data is being used in line with that purpose;
  • know the third parties to whom his/her personal data is transferred, within or outside the country;
  • request that his/her personal data be corrected if it is incomplete or has been processed incorrectly;
  • request that his/her personal data be erased or destroyed once the circumstances requiring its processing cease to exist;
  • require that any correction, erasure or destruction be notified to the third parties to whom the personal data has been transferred;
  • object to an outcome adverse to himself/herself that results from the analysis of the processed data exclusively through automated systems; and
  • claim compensation for damages where his/her personal data has been processed in violation of the relevant legislation.

Where a Member submits a request to exercise these rights in the manner set forth in this Plan, the Company shall conclude the request as soon as possible and in any event within 30 (thirty) days, having regard to the nature of the request.

Even where processing has been carried out in accordance with the relevant legislation, the Member's personal data shall be deleted, destroyed or anonymized in accordance with that legislation once the processing purposes stated in this Plan have ended.

To exercise the rights set out in this Plan, the Member must provide the information the Company needs to identify the Member, together with a description of the right he/she wishes to exercise. The request must be delivered by hand to Yıldız Teknik Üniversitesi Davutpaşa Kampüsü Teknopark D2 Blok No: 1B06 Esenler/Istanbul, sent through a notary or by another method specified in the related legislation, or sent signed with a secure electronic signature to info@ayasis.com, the e-mail address of the Company. The Company either accepts the request or rejects it with reasons, and communicates its answer to the Member in writing or electronically. If the request is accepted, the Company fulfills it. If the request arises from a fault of the Company and a fee has been collected from the Member, the fee shall be refunded to the Member.

The Company undertakes to keep the Member's data and any confidential information strictly private and confidential, without prejudice to the contents of this Plan; to treat confidentiality as an obligation; to take all measures and exercise due diligence to prevent all or any part of the Member's information from entering the public domain or being subject to unauthorized use; and to take measures to prevent the disclosure of confidential information to any third party. If, despite all necessary data security measures taken by the Company, confidential information is damaged as a result of attacks on the system or is captured by third parties, the Company shall bear no responsibility in that respect.

The Company's data security measures are as follows:

  • Access logs are regularly maintained.
  • Corporate policies regarding access, information security, usage, storage, and disposal have been prepared and implemented.
  • Confidentiality agreements are in place.
  • Access rights related to data security are revoked for employees who change roles or leave the company.
  • Policies and procedures for the protection of personal data have been established.
  • The security of personal data is actively monitored.
  • Necessary security measures are in place for entry and exit to physical environments containing personal data.
  • Physical environments containing personal data are secured against external risks (e.g., fire, flood, etc.).
  • Security of environments containing personal data is ensured.
  • Personal data is minimized as much as possible.
  • Personal data is backed up, and the security of these backups is ensured.
  • Internal periodic and/or random audits are conducted or commissioned.
  • Existing risks and threats have been identified.
  • Disciplinary regulations including data security provisions are in place for employees.
  • Regular training and awareness activities on data security are provided to employees.
  • Protocols and procedures for the protection of sensitive personal data have been established and are in practice.
  • Signed contracts include data security provisions.
  • Data encryption is applied.

The Company ensures the implementation of data security and privacy requirements throughout the contract in accordance with internal policies aligned with applicable data protection legislation. Access controls, secure data storage, and encryption protocols are consistently applied during the collection, processing, and transmission of data. Access to sensitive information is restricted to authorized personnel only.

The Company implements administrative safeguards, including staff training, written security policies, and access control procedures. The Company applies operational safeguards such as role-based access, session logging, and regular reviews of user activity. The Company also enforces technical safeguards, including encryption (both in transit and at rest), firewalls, and secure authentication mechanisms such as two-factor authentication.

The Company’s employees and subcontractors with access to personally identifiable information receive training on the processing and protection of personal data, data privacy, secure communication practices, and incident response procedures.

All employees and subcontractors undergo annual training on data privacy and FERPA/Ed Law 2-d compliance. New team members complete onboarding training within their first week. Training covers the handling of personally identifiable information, secure communication practices, and incident response procedures.

The Company requires all employees and subcontractors to sign confidentiality and data privacy agreements. These agreements include specific clauses about compliance with the contract and applicable state and federal data privacy laws.

The Company maintains a documented Incident Response Plan. The Company reports any suspected or confirmed data breach involving personally identifiable information to the Educational Agency (“EA”) within 24 hours. Root causes are investigated and corrective actions are implemented accordingly. Breach logs and reports are archived and provided upon request.

The Company returns all relevant data to the EA using encrypted transmission methods upon completion of contractual obligations or when the data is no longer required. The transfer is executed over secure, access-controlled channels and is accompanied by a detailed data transfer report. The EA is required to confirm receipt and integrity of the transferred data prior to data deletion from the Company's systems.

The Company securely destroys data using methods compliant with NIST SP 800-88 (Guidelines for Media Sanitization). A certificate of destruction is generated and submitted to the EA upon completion. For cloud-based records, secure deletion is carried out through the cloud provider's data deletion procedures.

The Company’s data security and privacy program is reviewed and updated regularly to ensure alignment with EA policies. All custom configurations, data retention timelines, and user roles are adjusted to meet the specific privacy requirements provided by the EA.

Identifying Data Security Risks

The following sections are organized according to the five core functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover) and their categories.

  • Asset Management: The Company documents and tracks all data, devices, and systems involved in delivering its services. Access to data is role-based and limited to authorized personnel. The Company maintains an inventory of critical assets and regularly reviews access logs to ensure proper usage and compliance with internal policies.
  • Business Environment: The Company’s platform is designed to support personalized educational experiences for students. The Company prioritizes user privacy, regulatory compliance, and secure data practices in alignment with its mission. The Company reviews stakeholder needs (e.g., schools, students, parents) during feature planning and security assessments.
  • Governance: The Company maintains internal policies for data security, access control, and incident response. The Company requires all team members to review and adhere to these policies. Governance practices are implemented in accordance with the personal data legislation applicable to the Company.
  • Risk Assessment: The Company conducts internal risk assessments regularly to identify potential threats to user data, including unauthorized access and service misuse. The Company uses technical audits and automated monitoring tools to detect and prioritize security risks that may impact organizational operations or users.
  • Risk Management Strategy: The Company’s risk strategy defines thresholds and response plans for security incidents. The Company categorizes risks by severity and documents action plans for high-risk items. The Company takes startup constraints into account when assigning risk tolerances and controls.
  • Supply Chain Risk Management: The Company’s platform relies on third-party cloud providers (e.g., AWS, Azure) that hold published compliance attestations (e.g., SOC 2, ISO 27001). The Company reviews vendor documentation annually and avoids using third-party tools that lack sufficient security transparency.

Data Security Protection Methods

  • Identity Management, Authentication and Access Control: The Company restricts access to systems and databases to authorized personnel via role-based access controls. The Company enforces authentication using strong credentials and limits administrative access to backend developers. The Company uses the identity and access management services of Azure and AWS (AWS IAM) where applicable.
  • Awareness and Training: The Company briefs team members on cybersecurity best practices during onboarding, including the handling of sensitive educational data. Although formal training is not conducted regularly, the Company clearly defines and communicates responsibilities related to student data protection and Ed Law § 2-d internally.
  • Data Security: The Company encrypts user data in transit and at rest using industry standards (e.g., TLS, AES-256). The Company restricts data access to essential personnel and maintains audit trails through platform-level monitoring. The Company follows a minimal data collection approach to reduce exposure.
  • Information Protection Processes and Procedures: The Company maintains a publicly available Plan that outlines its data handling practices, including access controls, breach response, and secure data destruction. The Company follows internal procedures in accordance with this Plan, which are reviewed regularly.
  • Maintenance: The Company applies system updates and patches regularly using platform-level management tools (e.g., the automatic update features of Azure and AWS). The Company operates exclusively cloud-based systems with no unmanaged physical components, thereby minimizing hardware-level maintenance risks.
  • Protective Technology: The Company’s cloud infrastructure includes protective technologies such as network-level firewalls, access controls, and encrypted storage. The Company uses both Microsoft Azure and Amazon Web Services (AWS). On Azure, the Company uses Azure Security Center (now Microsoft Defender for Cloud) to monitor configurations and receive recommendations for improving system security and resilience. On AWS, the Company employs services such as AWS Shield, AWS WAF, CloudTrail, and Security Hub to protect its infrastructure against unauthorized access, DDoS attacks, and misconfigurations. The Company encrypts data at rest with keys managed in AWS KMS and encrypts data in transit using TLS.

Detecting Data Breach Risks

  • Anomalies and Events: The Company leverages logging and monitoring capabilities across both Azure and AWS to detect unusual activity, including repeated failed login attempts, abnormal data access patterns, and suspicious request behavior. The Company uses tools such as Azure Monitor, CloudWatch, CloudTrail, and Amazon GuardDuty to track system events, monitor user and API behavior, and identify potential threats in real time.
  • Security Continuous Monitoring: The Company continuously monitors system activity using diagnostics, performance insights, and cloud-native alerting tools available in both Azure and AWS. The Company uses services such as Azure Monitor, Application Insights, Log Analytics, CloudWatch, AWS Config, and Security Hub to track system health, detect anomalies, and ensure security compliance. The Company periodically reviews logs and configures automated alerts for critical events, including unauthorized access attempts and configuration changes.
  • Detection Processes: The Company implements detection processes using the built-in monitoring and alerting tools provided by its cloud infrastructure. The Company enables logging at key points across the system and configures alerts for events such as failed logins and unexpected usage patterns. These processes are reviewed and tested during development and system updates to ensure timely awareness of potential security incidents.

Responding to Data Breaches

  • Response Planning: The Company maintains an internal incident response plan that outlines the steps to be taken in the event of a security breach or system compromise. The Company assigns clear roles to team members and documents escalation paths to ensure a coordinated and timely response.
  • Communications: The Company coordinates communication of response activities through designated internal team members, ensuring that responsibilities and actions are clearly distributed across relevant roles. When incidents affect educational data or require escalation, the Company informs the EA according to pre-established procedures. The Company maintains the ability to collaborate with external partners, such as legal advisors or cybersecurity consultants, as needed.
  • Analysis: The Company reviews logs and system activity during and after an incident to understand the root cause and potential impact. The Company uses Azure and AWS monitoring tools to assist in forensic analysis and to ensure proper containment and follow-up actions.
  • Mitigation: If a threat is detected, the Company immediately restricts access to affected systems and applies patches or configuration changes to prevent further spread. The Company isolates any compromised data or systems for analysis and remediation.
  • Improvements: The Company reviews and documents lessons learned internally after each incident. Where applicable, the Company updates detection rules, access controls, and team procedures to reduce the likelihood of similar incidents in the future.

Data Recovery

  • Recovery Planning: The Company maintains cloud-based backup and recovery processes to ensure minimal disruption in the event of a cybersecurity incident. The Company restores key assets and configurations using platform-native tools such as Azure Backup or AWS Backup, depending on the deployment.
  • Improvements: The Company reviews recovery procedures after incidents to identify process gaps or delays. The Company adjusts recovery scripts, automation tools, and team roles as needed based on post-incident evaluations.
  • Communications: In the recovery phase, the Company keeps relevant stakeholders, including the EA, informed of system restoration timelines and actions taken. The Company handles internal communications via assigned leads and notifies external parties when required.

The Company shall not disclose the personal data and confidential information of the Member unless (a) disclosure is required by applicable laws or regulations, a court decision or an administrative order; and/or (b) the Member requests it; and/or (c) disclosure is provided for in this Plan or in other agreements executed between the Member and the Company.

The Company shall not be responsible for damages caused by the use, by third parties, of information that the Member discloses in comments or messages posted in public areas. If the Member shares with third parties the user name, password or other credentials created at registration, the Company shall not be responsible for any damages that may arise from that sharing.

The Company may at any time update, amend, or revoke the provisions of this Plan. In that case, the Member shall be notified via the services/products or by other means such as e-mail. Any provision that is updated, modified or removed shall take effect for the Member upon publication. The Member shall be deemed to have accepted such an amendment if the Member continues to use the services or products of the Company after the modification has been made.

Ayasis Yazılım ve Bilişim Teknolojileri Anonim Şirketi