Data Processing Agreement

Effective date: May 3, 2026

This Data Processing Agreement (this "DPA") supplements and forms part of the Terms of Use, the Marketplace Service Agreement ("MSA"), the Seller Service Agreement ("SSA"), and any Order Form, statement of work, or other agreement (collectively, the "Agreement") between Turtles.com Inc. and its Affiliates (collectively, "Turtles," "we," "us," or "our") and the customer that has executed or otherwise accepted the Agreement (the "Customer," "you," or "your"). It governs the processing of Personal Data by Turtles on behalf of Customer in connection with Turtles' provision of the Service.

This DPA applies whenever Turtles processes Personal Data subject to (i) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA"); (ii) other U.S. state comprehensive privacy laws (including those of Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Iowa, Delaware, New Jersey, New Hampshire, Maryland, Kentucky, Minnesota, Rhode Island, Indiana, and Tennessee); and (iii) any other Applicable Data Protection Law in the United States (each, an "Applicable Data Protection Law"), or where the Customer otherwise instructs.

The Service is intended for use by, and the Processing of Personal Data is conducted in respect of individuals in, the United States. This DPA does not extend to the processing of Personal Data subject to the EU/UK General Data Protection Regulation, the Swiss FADP, or other non-U.S. data protection laws unless Turtles and Customer agree in a separate written addendum.

By executing the Agreement, Customer is deemed to have accepted this DPA. Customer represents and warrants that the individual accepting this DPA has authority to bind Customer.

1. Definitions

In addition to terms defined elsewhere in this DPA or in the Agreement:

  • "Affiliate" has the meaning given in the Terms of Use.
  • "Business," "Service Provider," "Contractor," "Consumer," "Personal Information," "Sell," "Sale," "Share," "Sharing," "Process," and "Processing" have the meanings given in the CCPA. Equivalent terms under other Applicable Data Protection Laws (including "Controller," "Processor," "Data Subject," and "Personal Data") are deemed equivalent for purposes of this DPA, and "Personal Data" and "Personal Information" are used interchangeably.
  • "Customer Personal Data" means Personal Information that Customer provides to, or that Turtles otherwise Processes on behalf of Customer in connection with, the Service.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
  • "Sub-processor" means any third party engaged by Turtles or its Affiliates to Process Customer Personal Data in the provision of the Service.

2. Roles of the parties

2.1 Customer as Business

Customer is the Business (or, where applicable under another U.S. state privacy law, the equivalent role of "controller") of Customer Personal Data. Customer determines the purposes and means of Processing and is responsible for the lawfulness of its instructions and the processing it directs. Where Customer is itself a Service Provider of Customer Personal Data on behalf of a third party, Customer represents and warrants that it has obtained the necessary authorization to engage Turtles as a Sub-processor and to enter into this DPA on that third party's behalf. Customer remains accountable to that third party for any acts or omissions of Turtles.

2.2 Turtles as Service Provider / Contractor

Turtles is a Service Provider (or, where applicable, a Contractor or "processor") of Customer Personal Data. Turtles will Process Customer Personal Data only on Customer's documented instructions, except as required by Applicable Law. Where Turtles is required by Applicable Law to Process Customer Personal Data otherwise than as instructed, Turtles will inform Customer of that legal requirement before Processing, unless that law prohibits such notice on important grounds of public interest.

2.3 Independent Business activities

Notwithstanding Section 2.2, Turtles acts as an independent Business of Personal Information that it Processes for its own purposes, including (a) operating, securing, and improving the Service; (b) billing and account administration; (c) compliance with Applicable Law and lawful requests by public authorities; (d) detection and prevention of fraud, abuse, and security threats; and (e) generation of de-identified or aggregated data. Turtles' Processing as a Business is governed by the Privacy Policy.

2.4 No sale or share

Turtles will not (i) "sell" or "share" Customer Personal Data within the meaning of the CCPA or other Applicable Data Protection Law, (ii) retain, use, or disclose Customer Personal Data outside the direct business relationship between Customer and Turtles, (iii) retain, use, or disclose Customer Personal Data for any purpose (including any "commercial purpose") other than the business purposes specified in this DPA and the Agreement, or (iv) combine Customer Personal Data with Personal Information received from or on behalf of any other person, except as expressly permitted by 11 C.C.R. § 7050(b) or analogous law. Turtles certifies its understanding of the foregoing restrictions and its agreement to comply with them.

3. Customer instructions; compliance

3.1 Documented instructions

Customer's instructions to Turtles for the Processing of Customer Personal Data are set out in (a) this DPA, (b) the Agreement (including Order Forms and applicable supplementary terms), (c) the configuration of the Service made available to Customer (e.g., admin settings, integrations, retention controls), and (d) any further written instructions reasonably necessary for Turtles to provide the Service.

3.2 Lawfulness of instructions

Customer represents and warrants that (a) it has provided all required notices and obtained all required consents and authorizations to enable Turtles to Process Customer Personal Data as contemplated by the Agreement; (b) Customer's instructions comply with Applicable Data Protection Law; and (c) Customer Personal Data is accurate and lawfully collected.

3.3 Notice of unlawful instructions

Turtles will inform Customer if, in its reasonable opinion, an instruction infringes Applicable Data Protection Law. Turtles is not required to perform a legal review of Customer's instructions or activities.

4. Subject matter, nature, and details of Processing

The subject matter, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are described in Annex I to this DPA.

5. Confidentiality

Turtles will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate written confidentiality obligations or are under an appropriate statutory duty of confidentiality, and that access is limited to those personnel with a "need to know."

6. Security

6.1 TOMs

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risks of varying likelihood and severity for the rights and freedoms of Data Subjects, Turtles will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as further described in Annex II and the Security Policy.

6.2 Updates

Turtles may update its technical and organizational measures from time to time, provided that the security of Customer Personal Data is not materially diminished.

7. Sub-processors

7.1 General authorization

Customer grants Turtles a general authorization to engage Sub-processors to Process Customer Personal Data, subject to this Section 7.

7.2 Existing Sub-processors

A current list of Sub-processors is summarized in Annex III. Customer may obtain a complete, up-to-date list of Sub-processors (including specific entity names, countries of establishment, and processing activities) by emailing privacy@turtles.com.

7.3 New Sub-processors

Turtles will provide notice of new Sub-processors at least thirty (30) days before they begin Processing Customer Personal Data, by email or in-product notice to Customer's designated administrator (or to the address Customer maintains in our subscription system for sub-processor notices).

7.4 Right to object

Customer may object on reasonable grounds related to Applicable Data Protection Law to a new Sub-processor by providing written notice within thirty (30) days. The parties will work in good faith to resolve the objection. If the parties cannot reach a resolution within thirty (30) days, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Service for convenience by providing written notice and pay only fees accrued through termination; refunds of pre-paid fees will be issued only on a prorated basis. Continued use of the Service after the new Sub-processor begins Processing constitutes acceptance.

7.5 Liability for Sub-processors

Turtles will impose data-protection terms on each Sub-processor that are no less protective than those set out in this DPA, and will remain liable to Customer for the acts and omissions of its Sub-processors to the same extent as if Turtles itself had performed the Processing, subject to the limitations of liability set forth in the Agreement.

8. Data location

The Service is operated from the United States. Customer Personal Data is hosted on U.S.-based cloud infrastructure and Processed by Turtles personnel and Sub-processors as described in Annex III. Some Sub-processors may operate in or transfer data to other countries; in those cases, Turtles relies on contractual data-protection commitments with the Sub-processor.

9. Consumer rights

Turtles will, taking into account the nature of the Processing, provide reasonable assistance by appropriate technical and organizational measures, insofar as possible, to enable Customer to fulfill its obligation to respond to requests by Consumers under Applicable Data Protection Law (including rights to know, access, correct, delete, port, opt out of "sale" or "sharing," and limit use of sensitive Personal Information). If Turtles receives a request directly from a Consumer, Turtles will, where it can identify the relevant Customer, refer the Consumer to Customer or forward the request to Customer, and will not respond directly except to confirm the request has been forwarded or as otherwise required by Applicable Law.

10. Personal Data Breach

10.1 Notification

Turtles will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, consistent with Applicable Law. The notification will include, to the extent then known, (a) a description of the nature of the breach; (b) likely consequences; (c) measures taken or proposed to address the breach and mitigate adverse effects; and (d) the name and contact details of a Turtles point of contact.

10.2 Updates

Turtles will provide updated information as it becomes available and will reasonably cooperate with Customer's investigation.

10.3 Customer obligations

Customer is solely responsible for fulfilling its own breach-notification obligations to Data Subjects, Supervisory Authorities, and other parties under Applicable Data Protection Law. Notification by Turtles is not, and will not be construed as, an admission of fault, liability, or wrongdoing.

11. Risk assessments

Turtles will provide Customer with reasonable assistance, taking into account the nature of Processing and the information available to Turtles, with any data protection assessments or risk assessments required of Customer by Applicable Data Protection Law (such as the data protection assessments required under U.S. state privacy laws for processing presenting heightened risk).

12. Audits

12.1 Audit reports

Turtles will make available to Customer, on Customer's written request and not more than once per twelve-month period, summary information sufficient to demonstrate Turtles' compliance with this DPA. This will typically take the form of (a) the Security Policy; (b) Turtles' responses to a reasonable industry-standard security questionnaire; and (c) any third-party audit reports or certifications Turtles has obtained.

12.2 On-site audits

Where Customer reasonably demonstrates that the materials in Section 12.1 are insufficient and Customer is required by a regulator or by Applicable Data Protection Law to conduct an audit, Turtles will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, subject to: (a) execution by the auditor of an appropriate non-disclosure agreement; (b) the audit being conducted during regular business hours, with reasonable advance notice (no less than thirty (30) days), no more than once every twelve (12) months (except in connection with a Personal Data Breach), and in a manner that does not unreasonably interfere with Turtles' operations; (c) the auditor not being a competitor of Turtles; (d) Customer bearing the costs of the audit; and (e) the audit report being deemed Turtles' Confidential Information.

13. Return and deletion

On termination or expiration of the Agreement, or at Customer's earlier written request, Turtles will, at Customer's option, return or delete Customer Personal Data, except to the extent that retention is required by Applicable Law. Turtles will provide Customer with a reasonable period (typically thirty (30) days) following termination to export Customer Personal Data through the Service, after which Customer Personal Data will be deleted. Backup copies will be deleted in the ordinary course of Turtles' backup retention schedule.

14. Liability

Each party's liability under this DPA, whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA limits liability that cannot be limited under Applicable Law.

15. Term and termination

This DPA takes effect on the effective date of the Agreement and remains in force until the Agreement is terminated and Turtles has fulfilled its obligations under Section 13. Sections that by their nature should survive termination will survive.

16. Conflicts; order of precedence

In the event of a conflict between this DPA and the rest of the Agreement, this DPA controls with respect to the Processing of Customer Personal Data.

17. Governing law and jurisdiction

This DPA is governed by, and construed in accordance with, the law and the courts specified in the Agreement.

18. Notices

Notices under this DPA must be given in accordance with the Agreement, with a copy to privacy@turtles.com (for general DPA matters) and security@turtles.com (for Personal Data Breach notifications).


Annex I — Details of Processing

A. Parties

  • Customer: the entity identified in the Agreement. Role: Business.
  • Turtles: Turtles.com Inc. and applicable Affiliates that Process Customer Personal Data. Role: Service Provider.

B. Description of Processing

  • Categories of Consumers: Customer's employees, contractors, and authorized users; Operator personnel; Seller personnel; Shoppers and other end users of Customer's Marketplace(s); other individuals whose Personal Information is provided to or generated through the Service by or on behalf of Customer.
  • Categories of Personal Information:
    • Identifiers (e.g., name, username, email, phone, postal address);
    • Account credentials (hashed);
    • Profile and preference data;
    • Order and transaction data;
    • Payment metadata (full payment instrument data is collected and tokenized by partner payment processors and not stored in plaintext by Turtles);
    • Communications and support content;
    • Device, log, and usage data (e.g., IP address, device identifiers, browser type, timestamps);
    • Approximate geolocation;
    • Inferences and analytics outputs;
    • Other Personal Information uploaded or instructed by Customer.
  • Sensitive Personal Information: Customer should not upload or instruct Turtles to Process sensitive Personal Information except as expressly enabled by the Service. Where Customer does so, additional safeguards may apply.
  • Frequency of Processing: Continuous, for the duration of the Agreement.
  • Nature of Processing: Hosting, storage, transmission, structuring, organizing, adapting, retrieving, consulting, using, disclosing by transmission (including to authorized Sub-processors and parties to a transaction), erasing, and other operations necessary to provide and support the Service.
  • Purpose: Provision of the Service as described in the Agreement.
  • Duration: Term of the Agreement plus any retention period required by Applicable Law or expressly authorized by Customer.

Annex II — Technical and Organizational Measures

Turtles' technical and organizational measures include:

  • Encryption of Customer Personal Data in transit using TLS;
  • Multi-factor authentication and VPN requirements for personnel access to systems containing sensitive Customer Personal Data;
  • DDoS protection at the network edge;
  • Security and phishing awareness training for personnel; and
  • Reliance on cloud-infrastructure and payment-processing partners that maintain their own industry-standard security controls (including, for payment-card data, PCI DSS compliance).

The specific safeguards in place may evolve as the Service evolves, and additional measures are described in the Security Policy.


Annex III — Sub-processors

Turtles engages third-party Sub-processors to Process Customer Personal Data in connection with the Service. Sub-processors are engaged in categories such as cloud infrastructure, content delivery, email delivery, customer support, identity verification, payment processing, fraud prevention, product analytics, and error monitoring.

A current list of specific Sub-processors is available by emailing privacy@turtles.com.