Our Data Processing Addendum (DPA)

A Data Processing Addendum (DPA) is the contract term that governs how Turtini handles personal data on your behalf when you use the Platform. If you are a business or government customer whose own compliance obligations (GDPR, UK GDPR, CCPA / CPRA, and similar laws) require your vendors to commit to specific data-protection terms, the DPA is the document that makes those commitments.

**Where to find it:** the DPA is published at /dpa and linked from both the Privacy Policy and the Security page. It is a code-owned page, so the version you read is always the current one — there is no separately-negotiated PDF to go stale.

What it covers:

• **Roles** — you are the controller of the personal data you bring to the Platform; Turtini is the processor, acting on your instructions.
• **Scope and purpose** — Turtini processes that data only to provide the Platform, never for its own purposes.
• **Security** — the technical and organizational measures that protect the data (the Security page has the specifics: encryption in transit and at rest, tenant isolation, audit logging, image moderation).
• **Sub-processors** — the third parties Turtini relies on, each receiving only what its function needs. The list is the same one published in the Privacy Policy (see "Who our sub-processors are"), so the two can never drift.
• **Data-subject rights, breach notification, and deletion or return** of data on termination.

**Countersigned copies:** the DPA applies automatically when you accept the Terms and use the Platform — there is nothing to sign to be covered. If you need a countersigned copy for an enterprise or government agreement, contact us and we will provide one.

Turtini provides the Platform and these terms; it does not give legal advice. Your own counsel should confirm the DPA meets your specific regulatory obligations.