Background

This Data Processing Addendum (“DPA”) sets out the additional terms, requirements and conditions on which Turtl and the Customer will process personal data when providing Services under the Agreement. In the event of any conflict between the terms of this DPA and the Agreement, the Agreement shall prevail.

Agreed Terms

1. Definitions

1.1. In this Data Processing Addendum defined terms shall have the same meaning, and the same rules of interpretation shall apply, as in the Agreement. In addition, in this DPA the following definitions have the meanings given below:

Agreement: the licence agreement between Turtl and Customer under which Turtl has agreed to provide Services to the Customer.

Applicable Data Protection Laws: means:
(a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom which relates to the protection of personal data.
(b) To the extent the EU GDPR applies, the law of the European Union or any member state of the European Union to which Turtl is subject, which relates to the protection of personal data.

Applicable Laws: means:
(a) To the extent the UK GDPR applies, the law of the United Kingdom or of a part of the United Kingdom.
(b) To the extent EU GDPR applies, the law of the European Union or any member state of the European Union to which Turtl is subject.

Customer Personal Data: any personal data included in Customer Data.

EU GDPR: the General Data Protection Regulation ((EU) 2016/679).

Privacy Policy: Turtl’s Privacy Policy as set out in the document or documents made available by Turtl online via the link provided and as varied from time to time.

Purpose: the purposes for which the Customer Personal Data is processed, as set out in Annex B.

Services: Turtl’s Services as set out in the document made available by Turtl online via the link provided and as varied from time to time.

Sub-Processor List: Turtl’s current Sub-Processors as set out in the document or documents made available by Turtl online via the link provided and as varied from time to time.

UK GDPR: has the meaning given to it in the Data Protection Act 2018.

1.2. The terms controller, processor, data subject, personal data, personal data breach and processing shall have the meaning given to them in the UK GDPR.

2. Data Protection

2.1. Both parties will comply with all applicable requirements of Applicable Data Protection Laws. This clause 2 is in addition to, and does not relieve, remove or replace, a party’s obligations or rights under Applicable Data Protection Laws.

2.2. The parties have determined that, for the purposes of Applicable Data Protection Laws:

2.2.1. Turtl shall act as controller in respect of the Customer Personal Data and processing activities set out in Part 1 of Annex A; and

2.2.2. Turtl shall process the Customer Personal Data set out in Part 2 of Annex A, as a processor on behalf of the Customer in respect of the processing activities set out in Annex B.

2.3. Should the determination in clause 2.2 change, then each party shall work together in good faith to make any changes which are necessary to this clause 2 or the related schedules.

2.4. By entering into this Agreement, the Customer consents to (and shall procure all required consents, from its personnel, representatives and agents, in respect of) all actions taken by Turtl in connection with the processing of Customer Personal Data by Turtl as controller, provided these are in compliance with the then-current version of the Privacy Policy.

2.5. Without prejudice to the generality of clause 2.2, the Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of Customer Personal Data to Turtl and lawful collection of the same by Turtl for the duration and purposes of this Agreement.

2.6. In relation to the Customer Personal Data processed by Turtl as processor on behalf of Customer, Annex B sets out the scope, nature and purpose of processing by Turtl, the duration of the processing and the types of personal data and categories of data subject.

2.7. Without prejudice to the generality of clause 2.2 Turtl shall, in relation to Customer Personal Data which it processes as processor on behalf of Customer:

2.7.1. process that Customer Personal Data only on the documented instructions of the Customer, unless Turtl is required by Applicable Laws to otherwise process that Customer Personal Data. Where Turtl is relying on Applicable Laws as the basis for processing Customer Personal Data, Turtl shall notify the Customer of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Turtl from so notifying the Customer on important grounds of public interest. Turtl shall inform the Customer if, in the opinion of Turtl, the instructions of the Customer infringe Applicable Data Protection Laws;

2.7.2. implement the technical and organisational measures set out in Annex C to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, which the Customer has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;

2.7.3. ensure that any personnel engaged and authorised by Turtl to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;

2.7.4. assist the Customer insofar as this is possible (taking into account the nature of the processing and the information available to Turtl), and at the Customer’s cost and written request, in responding to any request from a data subject and in ensuring the Customer’s compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

2.7.5. notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data;

2.7.6. at the written direction of the Customer, delete or return Customer Personal Data and copies thereof to the Customer on termination of the agreement unless Turtl is required by Applicable Law to continue to process that Customer Personal Data. For the purposes of this clause 2.7.6 Customer Personal Data shall be considered deleted where it is put beyond further use by Turtl; and

2.7.7. maintain records to demonstrate its compliance with this clause 2 and allow for reasonable audits by the Customer or the Customer’s designated auditor, for this purpose, on reasonable written notice, no more than once per year.

2.8. The Customer hereby provides its prior, general authorisation for Turtl to:

2.8.1. appoint processors to process the Customer Personal Data, provided that Turtl:

(a) shall ensure that the terms on which it appoints such processors comply with Applicable Data Protection Laws, and are consistent with the obligations imposed on Turtl in this clause 2;

(b) shall remain responsible for the failure of any such processor to meet its data protection obligations; and

(c) shall update the Sub-Processor List to reflect any intended changes concerning the addition or replacement of Sub-Processors, thereby giving the Customer the opportunity, acting reasonably, to object to such changes within 30 days of the update. If the Customer does not object in this period the new sub-processor(s) will be deemed accepted. The Customer can subscribe to automatic notification of changes to the Sub-Processor List via the link provided. If Turtl receives a reasonable objection to the appointment of a sub-processor within the specified time limit, Turtl may in its sole discretion and without any liability to the Customer:

(i) cease using the new sub-processor to process Customer Personal Data, which may limit the functionality of the services available to the Customer; or

(ii) take any other action reasonably required to address the objection which will permit Turtl to continue to use the sub-processor.

2.8.2. transfer Customer Personal Data outside of the UK as required for the Purpose, provided that Turtl shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws, including if applicable under standard data protection clauses adopted by the EU Commission from time to time (where the EU GDPR applies to the transfer) or adopted by the UK Information Commissioner from time to time (where the UK GDPR applies to the transfer).

Annex A - Role of the Parties

Part 1 – Where Turtl acts as a controller
  • when processing Customer Personal Data for account management (user log-in details), billing, business administration and other customer relationship management purposes.
Part 2 – Where Turtl acts as a processor
  • when processing any personal data contained in or collected from Turtl Docs (which may include names and email addresses) and/or non-anonymised Content Analytics Data, which Turtl shall process during the Subscription Term in the course of providing the Services.

Annex B - Particulars of the Processing

Subject Matter of Processing: The personal data of Readers of Turtl Docs.

Duration of Processing: The Subscription Term.

Nature and Purpose of Processing: The provision of a hosted software solution to enable the Customer to create intelligent marketing and sales documentation and analyse its effectiveness.

Type of Personal Data: Any personal data contained in or collected from Turtl Docs (which may include names and email addresses) and/or non-anonymised Content Analytics Data.

Categories of Data Subject: Readers.

Annex C – Technical and Organisational Measures

Definitions:

Business Continuity Plans. The documentation of a predetermined set of instructions or procedures that describe how an organisation’s mission/business processes will be sustained during and after a significant disruption.

Business Impact Assessment. The analysis of an information system’s requirements, functions, and interdependencies used to characterize system contingency requirements and priorities in the event of a significant disruption.

Disaster Recovery Plans. A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities.

Security Incident. The unauthorised access, use, alteration, destruction, or other processing of, or other compromise or breach of security (electronic or physical) involving or related to any personal data. Security Incidents include, but are not limited to, information system failures and loss of service, denial of service, errors resulting from incomplete or inaccurate business data, and breaches of confidentiality. Security Incidents will be considered confidential and will be treated in accordance with the requirements of this DPA.

Software. Computer programs consisting of a series of instructions, algorithms, lines of code, application program interfaces and statements in object code or source code form, along with any related materials and technical data, and all textual material relating to and necessary for use of such programs, including without limitation, flow charts, operating instructions, user manuals and related technical information and modifications of such documentation.

Organisational Standards:

Turtl will maintain an information security program based on an industry standard security framework, such as the National Institute of Standards and Technology (“NIST”) Cyber Security Framework (CSF), ISO 27001 certification, and/or other third party audits or certifications.

Turtl has implemented reasonable and appropriate administrative, procedural, technological, and physical security measures to protect and ensure the confidentiality, integrity, and availability of systems and information processed within Turtl’s ecosystem. Security measures shall protect against any anticipated threats or hazards to the confidentiality, availability or integrity of information. Security measures shall include, but are not limited to, the following:

Security Measures:
  • Data Protection Policy. Turtl maintains a reasonable and appropriate written information security policy that mirrors the organisational standards. The policy encompasses data classification, access, retention, transport, and destruction, and provides for disciplinary action in the event of its violation. The policy is reviewed, updated (if necessary), and approved annually.
  • Employee Training. Turtl maintains a program which includes regular and periodic training and awareness of its staff concerning: (1) security measures and risks; (2) implementation of third party processor’s information security program; and (3) the importance of the protection of personal data.
  • Privacy, Security and Data Transfer Impact Assessment. Turtl assesses security risks, (sub-)processor risk, data privacy impacts and data transfer risks and impacts, and will assure appropriate safeguards are in place to protect confidential and personal data processed by Turtl or its (sub-)processors.
  • Access Controls. Turtl maintains reasonable access controls which limit access to the minimal personal data needed, and provide privileged access only to those individuals who have a business need to know. Turtl monitors such controls, reauthorises access regularly and makes updates whenever individuals change roles or leave Turtl.
  • Multi-Tenancy. Turtl uses a multi-tenant system with each Customer’s information stored in separate databases. Controls are in place within the application to prevent any cross-contamination or leakage of data.
  • Password Policy.  Turtl has a password policy in place which reasonably ensures that its employee passwords meet or exceed industry standard password strength requirements.
  • Anti-virus Tools and Malware Protection. Turtl maintains software that detects, prevents, removes, and remedies malicious code or similar threats. Turtl updates such software at reasonable intervals and in response to changes in potential threats or Security Incidents.
  • Zero-Trust Architecture. Turtl provides for a zero-trust security architecture. All components are designed with zero-trust principles and are managed through Terraform as code. This means that Turtl retains complete control of all aspects of its infrastructure at all times and no unauthorised changes can be made, or deviations from our security principles can occur.
  • Intrusion Detection System. Turtl maintains policies, procedures, software, and/or hardware systems that automate the process for detecting, monitoring, and responding to actual or reasonably suspected intrusions and Security Incidents.
  • Vulnerability Management. Turtl maintains a vulnerability management program for its internal and external infrastructure that includes an annual external pen test conducted by a 3rd party, monthly third party external vulnerability scans, and weekly internal vulnerability scans, after which vulnerabilities are prioritized and mitigated to manage security risks. Software updates that address vulnerabilities or weaknesses in the security of a software program or operating system are monitored and reported to Turtl’s governance team.
  • Data Anonymisation or Pseudonymisation. Turtl ensures that policies, procedures, and tools are used as appropriate to de-identify personal data following industry best practices, if personal data is required for purposes other than the intended purpose for which the data was collected, e.g., for business analytics supporting the Services provided.
  • Encryption. Turtl ensures that personal data is processed using strong encryption at rest or in transit through AES-256, taking into account the resources and technical capabilities; encryption keys are reliably managed.
  • Retention and Destruction of Personal Data. Turtl does not store or retain any personal data except as necessary to perform the Services agreed upon or as required by applicable laws. Turtl securely destroys all copies of personal data following industry standards for secure data destruction.
  • Audit. Turtl re-evaluates security measures on an ongoing basis to assure adequate levels of security, consistent with industry and legal standards, are always maintained over all information. Security measures and audit requirements are contractually imposed upon sub-processors and are subject to audit/review by Turtl.
  • Business Continuity and Disaster Recovery. Turtl ensures that Disaster Recovery Plans are maintained to ensure availability of critical systems and data, as well as any Customer Data that may be processed in Turtl’s systems. Disaster Recovery Plans are tested to ensure data is promptly restored for the continuation of operations. Business Continuity Plans, incl. Business Impact Assessments, are reviewed at least annually and updated as necessary. More information can be found here: https://turtl.co/about/legal/incident-management
  • Data Subject Rights. Turtl maintains procedures for guaranteeing data subject rights pertaining to personal data and promptly responding to any requests by the data subjects as required by applicable law.
  • Maintenance of Sufficient Security Levels. Turtl shall re-evaluate its security controls on an ongoing basis to ensure that adequate levels of security, consistent with the highest industry and legal standards, are always maintained over all personal data.
  • Security Incident Management.  Turtl ensures Security Incident response planning and notification procedures are implemented to monitor, react to, notify, and investigate any incident.
  • Security Incident Notification. In case of any Security Incident and in accordance with all legal and/or contractual obligations, Turtl shall notify Customer without undue delay on becoming aware of the occurrence of the Security Incident.