October 21, 2021

Data Processing Addendum

This DPA forms part of the Terms of Service. We are engaged by you to Process Your Data in accordance with the Terms of Service.

You are the Responsible Party/ Controller and determine the proposes and means of Processing Your Data.

Turn.io as a Processor. The parties acknowledge and agree that with regard to the processing of Your Data, you may act either as a controller or processor and Turn.io is a processor. Turn.io will process Your Data in accordance with Your instructions.

Turn.io as a Controller of Your Account Data. The parties acknowledge that, with regard to the processing of Your Account Data, You are a controller and Turn.io is an independent controller, not a joint controller with You. Turn.io will process Your Account Data as a controller (a) in order to manage the relationship with You; (b) carry out our core business operations, such as accounting and filing taxes; (c) in order to detect, prevent, or investigate security incidents, fraud, and other abuse or misuse of the Services; (d) identity verification; (e) to comply with Turn.io’s legal or regulatory obligation to retain Your Data; and (f) as otherwise permitted under Applicable Data Protection Law and in accordance with this Addendum, the Terms of Service, and the Privacy Policy


  • Each of the parties will ensure that it complies with the Data Protection Laws when Processing Your Data under the Terms of Service and each of the parties will not (and will ensure that none of its Personnel may) do anything that would cause itself or the other or any or any other person to be in breach of the Data Protection Laws.
  • You are responsible for ensuring that (a) you have complied, and will continue to comply, with Applicable Data Protection Law in its use of the Services and Your own processing of personal data and (b) you have, and will continue to have, the right to transfer, or provide access to, personal data to Turn.io for processing in accordance with the terms of Terms of Service and this Addendum.


  1. Applicable Data Protection Laws (in this instance and with reference to Processing of You Data) refers to all laws and regulations applicable to Turn.io’s processing of personal data under the  Terms of Service and includes the  EU Directive 95/46/EC, including the GDPR the General Data Protection Regulation (EU) 2016/679 and laws implementing or supplementing the GDPR.
  2. Responsible Person, Controller or Processor, Data Subject, Personal Data and Processing each have the meanings given to them in the relevant Data Protection Laws and Process and Processed will be construed accordingly.
  3. Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  4. Data Security Measures and Practices mean the technical and organisational security measures described in Security Measures and Practices for Turn.io (as may be improved upon from time to time by us) as being those required to be used by Turn.io and which have been approved by you as complying with the relevant Data Protection Laws when Processing Your Data.
  5. Data Transfer means a transfer of Your Data from You to Turn.io and the onward transfer of Your Data to a contracted Sub-processor.
  6. Personnel means any employee, officer, agent, consultant, auditor, subcontractor, Subprocessor or other third party acting on behalf of Turn.io in connection with the provision of the Services.
  7. Processing Requirements means your requirements for the Processing of Your Data by or on behalf of Turn.io in compliance with the Terms of Service or in accordance with your lawful instructions.
  8. Services means the services, software, licences and any other Services provided under the Terms of Service.
  9. Subprocessor means any third party engaged on a written agreement by Turn.io including any of its affiliates, subsidiaries and/or subcontractors or agents that may Process Your Data. Turn.io agrees to impose contractual data protection obligations, including appropriate technical and organizational measures to protect personal data, on any sub-processor it appoints that require such sub-processor to protect Your Data and Account Data to the standard required by the Applicable Data Protection Law.
  10. Your Data means all personal data relating to data subjects that are Processed in the course of using or providing the Services and includes any copies included in back-ups made by or on behalf of Turn.io.
  11. Your Account Data means personal data that relates to Your relationship with Turn.io, including the names or contact information of individuals authorized by You to access Your account and the billing information of individuals that You have associated with its account. Your Account Data also includes any data Turn.io may need to collect for the purpose of identity verification or as part of its legal obligation to retain records.
  12. Your Instructions means your instructions for the Processing of Your Data as described in this DPA and the Terms of Service, or as otherwise agreed by you with Turn.io.

Processing of Your Data

Turn.io will:

  • comply with all Applicable Data Protection Laws in the Processing of Your Data; and
  • not Process Your Data other than on Your Instructions.
  • You hereby instruct Turn.io to process Your Data in the provision of the Services. If Turn.io is unable, for any reason, to comply with Your Instructions, we will notify you promptly. If we believe any of Your Instructions infringes the Data Protection Law, we will notify you as soon reasonably practicable.
  • Processing limitations. Turn.io will not Process Your Data for any purpose beyond providing the Services and the scope of Your Instructions or, to the extent otherwise necessary, to comply with the Data Protection Laws.
  • You confirm that the Processing will continue for the term of the Terms of Service (as the same may be terminated and/or extended in accordance with those terms).
  • You further confirm that Your instructions comply with Applicable Data Protection Law. You acknowledge that Turn.io is neither responsible for determining which laws or regulations are applicable to Your business nor whether Our provision of the Services meets or will meet the requirements of such laws or regulations. You will ensure that Turn.io’s processing of Your Data, when done in accordance with Your instructions, will not cause Turn.io to violate any applicable law or regulation, including Applicable Data Protection Law.
  • Additional Instructions. Additional instructions outside the scope of the Terms of Service or this Addendum will be agreed to between the parties in writing, including any additional fees that may be payable by You to Turn.io for carrying out such additional instructions


Turn.io will only appoint Subprocessors in connection with the Processing of Your Data where:

  • the Subprocessor has provided sufficient guarantees to ensure the Data Security Measures are met or exceeded; and
  • the Subprocessor is appointed under a written agreement that complies with the Data Protection Laws.

Turn.io will remain liable for the defaults of its Subprocessors as if it carried out the actions of the Subprocessors itself.

You can find our current Sub-processors listed here. You may object to Turn.io’s appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is in writing and based on reasonable grounds relating to data protection. In such an event, the parties agree to discuss commercial reasonable alternative solutions in good faith. If the parties cannot reach a resolution within ninety (90) days from the date of Turn.io’s receipt of Your written objection, You may discontinue the use of the affected Services by providing written notice to us. Such discontinuation will be without prejudice to any fees incurred by You prior to the discontinuation of the affected Services. If no objection has been raised prior to Turn.io replacing or appointing a new sub-processor, you will be deemed to have authorized the new sub-processor.

Data Subjects Rights

We shall, to the extent legally permissible, promptly notify You if we receive any requests from a Data subject to exercise Data subjects rights afforded under the Data Protection Laws in relation to Personal Data, including the right to access, rectification, restriction of Processing, the right to be forgotten, object to the Processing.

You and your users have full access to Your Data through the Services and, as such, it is your responsibility to comply with the rights of data subjects under the Data Protection Laws. If, for any reason you need the help of Turn.io to comply, we will assist you but reserve the right to charge for the assistance at our then prevailing rate.

General Terms

  1. Intellectual property rights. All intellectual property rights in and to Your Data will be and will remain vested in you.
  2. Specific requirements and permitted Processing. Turn.io will ensure that, when it Processes Your Data, it will use the Security Measures and Practices for Turn.io. The Security Measures and Practices for Turn.io are specifically incorporated in this DPA and can be accessed at www.turn.io/legal. These include Data Breach protocols, Data protection impact assessments and audit rights. You have determined that compliance with these Security Measures when Processing Your Data by or on behalf of Turn.io is satisfactory to comply with the Data Protection Laws. If you require a change to our standard Data Security Measures, we reserve the right to charge for implementing, maintaining and operating as you require.
  3. Data transfers. Should Your Data be processed within the EU Economic Area, Turn.io will not transfer or allow any other person to transfer Your Data internationally or outside the EU without your prior written approval.
  • If personal data processed within the EU Economic Area under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
  • Acknowledgement. You acknowledge and accept that access and use of the Services by your authorised users may occur outside the European Economic Area and, in such circumstances, Your Data may be viewed outside the European Economic Area by the relevant user. Turn.io will not be in breach of these General Terms in such circumstances. This is further confirmed in the Terms of Service.
  • Personnel. Turn.io will:
  • take reasonable steps to ensure the reliability of Personnel that may have access to Your Data;
  • carry out appropriate checks of its Personnel before allowing them to Process Your Data; and
  • ensure the Personnel are appropriately trained in the handling and secure Processing of Your Data.
  • Deletion or return of Your Data: Turn.io will promptly and in any event within 10 business days of the date of cessation of the Services, delete and procure the deletion of all copies of Your Data. Turn.io will provide written certification to You that it has fully complied with this requirement within 10 business days of the Cessation Date.
  • Confidentiality. Turn.io will ensure that: (i) any Personnel authorised by or on behalf of Turn.io to Process Your Data are bound by obligations to maintain the confidentiality of Your Data; and (ii) its disclosure of Your Data will be limited to the extent necessary to provide the Services or as otherwise permitted under the Contract, by you or by applicable Data Protection Law.
  • Regulator and other third-party correspondence. If we receive a communication from a regulator, other competent authority or any other competent and authorised person in respect of Your Data we will, unless we are prohibited by applicable laws, forward it to you for you to address and reserve the right to notify the competent that we have done so. If Turn.io is required to respond to the communication directly, we will do so.
  • Demonstration of compliance. Turn.io may appoint an independent third party to carry out an annual assessment to verify Turn.io’s compliance with the terms of this DPA. Turn.io will provide you with a copy of the latest report produced on request.
  • Audit. If a court or regulatory body requires us to give you access to our premises or systems, we will do so but will require you comply with our prevailing security and health and safety requirements.
  • Limitation of Liability. Turn.io’s limitation under this DPA is subject to the “Limitation of Liability” section of the Contract and any reference to liability is limited to the aggregate liability of Turn.io under the Terms of Service.

19 October 2021