Data Processing Agreement

You are the data controller. Turetic is your data processor.

The current sub-processor list is published in the Privacy Policy and updated when changes occur. We give you 30 days’ notice before a new sub-processor begins processing.

TLS 1.2+ in transit. AES-256-GCM encryption of PII columns at rest. Filesystem encryption on the database volume. Per-tenant Postgres database isolation enforced and tested. SOC 2-equivalent self-assessment annually.

72 hours to controllers per GDPR.

Annual self-assessment report on request. Independent audit available to Enterprise customers under NDA.

On termination, data is exported on request and deleted within 90 days unless legal retention applies (financial records, audit logs).