Data Processing Addendum
Terms governing the processing of personal data under GDPR.
1. Parties and Definitions
1.1 Definitions
In this DPA, the following terms have the meanings set out below:
- "Agreement" means the master services agreement, terms of service, or other commercial agreement between the parties governing the services.
- "Customer" means the entity that is the data controller and has agreed to the Agreement.
- "turmo.dev", "we", "us" means turmo.dev (Turmo.dev), the data processor.
- "Personal Data" means any information relating to an identified or identifiable natural person ("data subject") as defined in GDPR.
- "Processing" means any operation performed on Personal Data, whether by automated or non-automated means, as defined in GDPR Art. 4(2).
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data.
- "Sub-processor" means any processor engaged by turmo.dev to process Personal Data on the Customer's behalf.
- "Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
1.2 Roles
The parties acknowledge and agree that:
- The Customer is the data controller (or, where applicable, the data processor acting under the Customer's instructions) and determines the purposes and means of processing Personal Data.
- turmo.dev is the data processor, processing Personal Data only on documented instructions from the Customer, unless required otherwise by EU or Member State law.
- turmo.dev does not sell, transfer, or use Personal Data for any purpose other than providing the services under the Agreement.
2. Scope and Applicability
This DPA applies to the processing of Personal Data in connection with the services described in the Agreement. It applies to all processing activities where turmo.dev acts as data processor for the Customer.
This DPA does not apply where the Customer processes Personal Data as a data processor (acting on behalf of its own customers) — in such cases, the Customer remains responsible for ensuring it has the necessary agreements in place with its own customers.
3. Processing Obligations
3.1 Instructions
turmo.dev shall process Personal Data only on the documented instructions of the Customer. Processing outside the scope of the Agreement (including any amendments agreed in writing) requires prior written consent from the Customer.
3.2 Purpose Limitation
turmo.dev shall process Personal Data only for the specific purposes of providing the services under the Agreement: account management, service delivery, technical support, billing, and security. Processing for any other purpose requires the Customer's written consent.
3.3 Data Minimization
turmo.dev shall process only the minimum Personal Data necessary for the purposes of the Agreement. Where technically feasible, Personal Data shall be anonymized or pseudonymized to reduce risk.
3.4 Accuracy
turmo.dev is not responsible for ensuring the accuracy of Personal Data. The Customer is responsible for ensuring that Personal Data is accurate and up to date before submitting it for processing.
3.5 Storage Limitation
Personal Data shall not be retained beyond the periods specified in the Agreement and Privacy Policy, subject to legal retention obligations. Upon termination or Customer request, turmo.dev shall delete or return Personal Data as specified in Section 10.
3.6 Documentation
turmo.dev shall maintain records of processing activities in accordance with GDPR Art. 30, including: the name and contact details of the controller and processor, the categories of processing, the categories of data subjects, the categories of Personal Data, the purposes of processing, and the security measures applied.
4. Sub-Processors
4.1 Authorized Sub-Processors
The Customer authorizes turmo.dev to engage the following categories of Sub-processors: cloud infrastructure providers (e.g., Cloudflare), payment processors (e.g., Stripe), email delivery providers (e.g., Resend), and AI model providers (e.g., OpenAI, Anthropic, Google).
A complete list of Sub-processors is available at /sub-processors and is updated at least annually. Notification of material changes to the Sub-processor list will be provided at least 30 days in advance.
4.2 Sub-processor Obligations
turmo.dev shall impose data protection obligations on Sub-processors that are at least as stringent as those in this DPA, including requiring them to provide appropriate technical and organizational security measures (GDPR Art. 32).
4.3 Objection Right
The Customer may object to a new Sub-processor by notifying turmo.dev in writing within 14 days of receiving notice of the new Sub-processor. turmo.dev will work with the Customer in good faith to find an alternative solution or waive the objection.
5. Security Measures
5.1 Technical Measures
turmo.dev implements appropriate technical security measures, including:
- TLS 1.3 encryption for all data in transit; AES-256 encryption for data at rest.
- Access controls restricted to authorized personnel on a least-privilege basis, with MFA required for all production system access.
- Regular vulnerability scanning and patch management.
- Network segmentation and firewall policies.
- Automated backup with encryption, stored in EU data centers.
5.2 Organizational Measures
- Employee training on GDPR compliance and data security.
- Data Protection Officer (DPO) designated where required by GDPR Art. 37.
- Written data processing agreements with all employees and contractors with access to Personal Data.
- Incident response procedures including notification obligations under GDPR Art. 33.
- Vendor security assessment process for all Sub-processors.
5.3 Security Certifications
turmo.dev maintains the following security certifications and assessments: [List applicable certifications, e.g., SOC 2 Type II, ISO 27001, annual penetration test results — insert if available].
6. Data Subject Rights
6.1 Assistance
turmo.dev shall, taking into account the nature of the processing, assist the Customer in fulfilling its obligations under GDPR Arts. 12–22 to respond to data subject requests, including:
- Right to access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to portability (Art. 20)
- Right to restriction (Art. 18)
- Right to object (Art. 21)
The Customer may request assistance by contacting ola@turmo.dev. turmo.dev shall respond to assistance requests within 7 business days.
6.2 Automated Decision-Making
If turmo.dev performs processing that constitutes automated decision-making (including profiling) with legal or similarly significant effects, turmo.dev shall implement mechanisms to allow data subjects to request human intervention, express their point of view, and contest the decision, in accordance with GDPR Art. 22.
7. Data Breach Notification
7.1 Notification
turmo.dev shall notify the Customer without undue delay and at the latest within 48 hours of becoming aware of a Personal Data Breach, providing:
- A description of the nature of the breach, including categories and approximate number of data subjects and Personal Data records affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
- The name and contact details of the DPO or other point of contact for further information.
7.2 Documentation
turmo.dev shall document all Personal Data Breaches, including their nature, effects, and remedial actions taken, and make this documentation available to the supervisory authority upon request.
8. International Transfers
8.1 Transfer Mechanisms
Personal Data shall not be transferred to a country outside the EEA unless one of the following legal mechanisms is in place:
- Standard Contractual Clauses (SCCs): 2021/914/EU, Module 2 (Controller-to-Processor) and Module 3 (Processor-to-Processor), as published by the European Commission.
- EU-US Data Privacy Framework (DPF): where the US recipient is certified under the DPF (adequacy decision of 10 July 2023).
- UK adequacy: UK adequacy regulations for transfers to the UK.
- Other mechanism: any other mechanism permitted under GDPR Chapter V.
A copy of the applicable SCCs is available upon request at ola@turmo.dev.
8.2 Transfer Documentation
turmo.dev shall maintain records of transfers of Personal Data outside the EEA, including the transfer mechanism used, the destination country, and the safeguards applied.
9. Audits and Inspections
9.1 Audit Rights
The Customer is entitled to verify turmo.dev's compliance with this DPA through:
- Review of turmo.dev's security certifications and audit reports (e.g., SOC 2 Type II, ISO 27001 reports) provided upon request.
- Questionnaires and compliance documentation provided at least annually.
- On-site audits only where a specific compliance concern cannot be resolved through documentation review, with 30 days' written notice and at the Customer's expense.
9.2 Audit Response
turmo.dev shall provide the Customer with all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer.
10. Termination and Deletion
10.1 Termination
This DPA remains in effect for the duration of the Agreement. Upon termination, turmo.dev shall, at the Customer's election:
- Delete: permanently delete all Personal Data within 30 days of termination, including backups, unless retention is required by EU or national law.
- Return: return all Personal Data to the Customer in a structured, machine-readable format (CSV or JSON) within 14 days of termination, at the Customer's expense.
10.2 Retention Exception
turmo.dev may retain Personal Data beyond termination solely where required by EU or national law, and only for the minimum period necessary. turmo.dev shall notify the Customer of any such required retention.
11. Liability
turmo.dev's liability under this DPA and the GDPR shall be limited in accordance with the liability provisions in the Agreement, subject to the following:
turmo.dev shall be liable for damages arising from its processing in violation of the GDPR, where turmo.dev acted without instructions from the Customer or acted outside those instructions.
turmo.dev shall be exempt from liability if it proves it is not at fault, in particular where the Customer failed to provide accurate instructions or the damage was caused by the Customer or a third party.
12. Governing Law
This DPA is governed by the same law and jurisdiction as the Agreement. Disputes arising from this DPA shall be resolved in the courts specified in the Agreement.
The parties agree to cooperate in good faith to resolve any disputes relating to this DPA, including engaging in the dispute resolution procedures specified in the Agreement before commencing litigation.
13. Signatures
Accepted and agreed by:
turmo.dev (Turmo.dev)
Name: ___________________________
Title: ___________________________
Date: ___________________________
Signature: ___________________________
Customer:
Company: ___________________________
Name: ___________________________
Title: ___________________________
Date: ___________________________
Signature: ___________________________