Security Policy

Effective date: May 3, 2026

This Security Policy summarizes how Turtles.com Inc. and its Affiliates (collectively, "Turtles," "we," "us," or "our") approach the security of the products, websites, applications, and services we operate (the "Service"). The binding security commitments that apply to a particular customer are set out in the Terms of Use, the Marketplace Service Agreement ("MSA"), the Seller Service Agreement ("SSA"), the Data Processing Agreement, and any executed Order Form (collectively, the "Agreement").

This Policy is informational. Specific safeguards vary by environment, feature, and risk profile, and may evolve as the Service evolves.

1. Our approach

We treat security as part of building good software: we work to keep customer data confidential, available, and accurate, and we limit access to it to those who need it.

2. Compliance posture

Payment-card data is processed by our PCI-DSS-compliant payment partners; we do not store full payment card numbers (PANs) on Turtles infrastructure.

We do not currently hold a SOC 2 Type II report or ISO/IEC 27001 certification. Any third-party attestations or certifications we obtain in the future will be communicated through our customer-facing trust resources.

3. Hosting

The Service runs in cloud infrastructure operated by major commercial providers. Those providers operate physically secure, environmentally controlled, and redundantly powered data-center facilities, and Turtles relies on the providers' physical and environmental controls.

4. Network protections

We use DDoS protection at the network edge, provided through commercial CDN and edge partners.

Data is encrypted in transit using TLS.

5. Access controls

Access to systems containing sensitive customer data requires multi-factor authentication (MFA) and is gated through our VPN. Access is granted based on need, and is revoked when no longer needed.

6. Personnel

All Turtles personnel receive security awareness training and phishing awareness training, and are bound by written confidentiality obligations.

7. Incident response

If we become aware of a security incident affecting Customer Personal Data, we will respond consistent with the Data Processing Agreement and Applicable Law, including by notifying affected customers as required.

8. AI and automated systems

We may use machine learning and automated decisioning in certain features (for example, fraud detection, abuse detection, search ranking, recommendations, and customer-support automation). We do not use Customer Personal Data to train general-purpose foundation models that are made available to third parties for unrelated uses.

9. Customer responsibilities

The security of your Account and the data you process through the Service depends, in part, on you:

  • Choose a strong, unique password; never reuse passwords across services.
  • Enable multi-factor authentication (MFA) on your Account where available; require it for your team where the Service supports administrative controls.
  • Limit administrative access to those who need it; review your team's permissions regularly.
  • Promptly remove access for departed personnel or contractors.
  • Keep your devices, browsers, and operating systems up to date.
  • Avoid sharing credentials and never share API keys, signing secrets, or other tokens.
  • Report suspicious activity to security@turtles.com and to your administrator.

10. Reporting security issues

If you believe you have found a security issue or vulnerability in the Service, please email security@turtles.com with enough detail to reproduce the issue (proof-of-concept, affected URL, request/response, and impact). We ask that you:

  • give us a reasonable opportunity to address the issue before public disclosure;
  • avoid privacy violations, destruction of data, and degradation of the Service;
  • avoid social-engineering, phishing, denial-of-service, and physical attacks against Turtles, our employees, or our infrastructure; and
  • only test against accounts you control or are authorized to test against.

We will not pursue legal action against researchers who comply with this Section in good faith.

11. No warranty; relationship to other terms

This Policy is informational and does not create representations, warranties, or service-level commitments beyond those expressly set out in the Agreement. The disclaimers and limitations of liability in the Terms of Use, the MSA, the SSA, the Data Processing Agreement, and any executed Order Form apply to this Policy. No system can be made perfectly secure; we cannot and do not guarantee that the Service is or will remain free of vulnerabilities, intrusions, or compromises.

12. Updates

We may update this Policy from time to time. The effective date above reflects the most recent version.

13. Contact

Turtles.com Inc.
security@turtles.com