Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements and is incorporated by reference into the Shipturtle [Terms of Service / Master Services Agreement / Order Form] (the “Terms”). It applies automatically to all Customers who use the Services where Shipturtle processes Personal Data on the Customer’s behalf. In the event of any conflict between this DPA and the Terms, this DPA controls with respect to the Processing of Personal Data.

I. Purpose

This DPA sets out the Parties’ obligations relating to Shipturtle’s Processing of Personal Data on behalf of Customer in connection with Customer’s use of the Services. Unless expressly stated otherwise, Customer acts as Controller and Shipturtle acts as Processor for Personal Data processed under this DPA.

II. Definitions

Applicable Data Protection Laws: All data protection and privacy laws applicable to the Processing of Personal Data under the Terms (including GDPR, UK GDPR, Swiss FADP, and applicable U.S. state privacy laws).

Customer: Any individual or entity that uses or benefits from the Services and is a party to the Terms.

Personal Data: Any information relating to an identified or identifiable natural person, or as otherwise defined under Applicable Data Protection Laws.

Process(ing): Any operation performed on Personal Data (e.g., collection, storage, use, disclosure, deletion).

Sub-Processor: Any third party engaged by Shipturtle to Process Personal Data for the Services.

Services: The products and/or services provided by Shipturtle under the Terms.

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

III. Nature of the Processing and Roles

Subject Matter & Duration. Shipturtle Processes Personal Data solely to provide, secure, and support the Services, for the duration of the Terms.

Instructions. Shipturtle will Process Personal Data only on Customer’s documented instructions as set out in the Terms and this DPA, unless Processing is required by law.

Customer Responsibilities. Customer is responsible for the accuracy, quality, and lawfulness of Personal Data and for providing required notices and obtaining necessary permissions.

Processor Use. Shipturtle may process Personal Data to provide, maintain, and improve the Services; ensure security; prevent abuse; and comply with law.

IV. Security

Shipturtle will implement and maintain appropriate technical and organizational measures (“TOMs”) to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Measures include least-privilege access, encryption in transit and at rest, monitoring, vulnerability management, and incident response.

V. Sub-Processors

Customer authorizes Shipturtle to engage Sub-Processors. Shipturtle will maintain a list of Sub-Processors and provide notice of changes. If Customer objects, Customer’s sole remedy is to terminate the Services. Shipturtle remains liable for its Sub-Processors.

VI. Assistance

Shipturtle will reasonably assist Customer with Data Subject Requests and regulatory obligations, to the extent Customer cannot fulfill requests directly via the Services. Shipturtle may charge Customer for material costs arising from such assistance.

VII. Personal Data Breach

Shipturtle will notify Customer without undue delay after becoming aware of a Personal Data Breach, and in any case within a timeframe allowing Customer to meet its legal obligations. Shipturtle will take steps to contain, investigate, and remediate.

VIII. International Transfers

To the extent Personal Data is transferred outside the EEA/UK/Switzerland to a country without adequacy, the EU Standard Contractual Clauses (2021/914) apply. Customer accepts the SCCs “as is.” Appendix B (TOMs) populates the Annexes. Where conflict exists, the SCCs prevail.

IX. Return and Deletion

Upon termination or Customer request, Shipturtle will delete or anonymize Personal Data within a commercially reasonable period, not exceeding 90 days, unless retention is required by law. Backup media will be purged on their normal cycle.

X. Liability and Indemnity

Liability under this DPA is governed by the Terms, except as expressly modified herein. Each Party remains responsible for its own compliance with Applicable Data Protection Laws. Notwithstanding anything to the contrary, Shipturtle’s total aggregate liability under this DPA (including Sub-Processors) shall not exceed the total fees actually paid (excluding refunds/credits) by Client to Shipturtle in the twelve (12) months preceding the event. Shipturtle shall not be liable for indirect, incidental, special, or consequential damages. This limitation prevails over any inconsistent provision in the Terms.

XI. Miscellaneous

Order of Precedence. This DPA controls data-processing matters; SCCs control if conflict arises.

Amendments. Shipturtle may update this DPA to reflect changes in law or industry standards by posting an updated version. Material changes will be notified as required. Customer’s sole remedy for objection is to terminate Services.

Severability. If any provision is invalid, the remainder stays in effect.

Appendix A — Details of Processing

Data Subjects: End customers, account users, recipients, vendor/partner contacts.

Categories: Contact data, order/transaction data, account/usage data, support communications.

Special Categories: Not intended. If submitted, Customer is responsible for lawful basis.

Purpose: Provision and support of Services, synchronization, fraud prevention, security, analytics, legal compliance.

Retention: As per Section IX.

Appendix B — Technical and Organizational Measures

Shipturtle maintains appropriate TOMs including: role-based access, multi-factor authentication, encryption, network security, vulnerability management, secure development practices, penetration testing, logging/monitoring, incident response, backups with integrity checks, personnel training, vendor risk management, and data minimization.

Appendix C — U.S. Addendum

Where U.S. state privacy laws apply, Shipturtle acts as Service Provider/Processor and will not sell or share Personal Data, and will assist with consumer requests as required.

Appendix D — Shipturtle as Independent Controller

For limited activities necessary to operate Shipturtle’s business (e.g., telemetry, security logs, fraud prevention, compliance, analytics), Shipturtle acts as an Independent Controller. For such Processing, Shipturtle’s Privacy Policy applies.