Data Processing Agreement
Last updated: January 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Turalogin ("Processor") and you ("Controller") and governs the processing of personal data in connection with the Turalogin authentication services.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
- "Data Subject" means the individual to whom the Personal Data relates.
- "Sub-processor" means any third party engaged by Turalogin to process Personal Data.
- "Data Protection Laws" means GDPR, CCPA, and other applicable data protection legislation.
2. Scope and Roles
2.1 Controller Responsibilities
As the Controller, you are responsible for:
- Determining the purposes and means of processing Personal Data
- Ensuring a lawful basis for processing under applicable Data Protection Laws
- Providing required notices to Data Subjects
- Responding to Data Subject requests
2.2 Processor Responsibilities
As the Processor, Turalogin will:
- Process Personal Data only on documented instructions from the Controller
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject requests
- Delete or return Personal Data upon termination of services
3. Data Processing Details
3.1 Categories of Data Subjects
- Your employees and administrators
- End users of your applications
3.2 Types of Personal Data
- Email addresses
- IP addresses
- User agent information
- Authentication timestamps
- Geolocation data (country/city level)
3.3 Processing Activities
- Sending verification emails
- Generating and validating authentication tokens
- Logging authentication requests for security and debugging
- Providing usage analytics
3.4 Duration of Processing
Personal Data will be processed for the duration of the service agreement and retained according to our data retention policies unless otherwise instructed.
4. Security Measures
Turalogin implements the following security measures:
- Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
- Access Control: Role-based access, multi-factor authentication for internal systems
- Monitoring: Continuous security monitoring and logging
- Incident Response: Documented incident response procedures
- Employee Training: Regular security awareness training
- Vulnerability Management: Regular security assessments and patching
5. Sub-processors
5.1 Authorized Sub-processors
The Controller authorizes the use of the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon | Database hosting | United States |
| Resend | Email delivery | United States |
| Vercel | Application hosting | United States |
5.2 Sub-processor Changes
We will notify you of any intended changes to sub-processors at least 30 days in advance. You may object to the change by notifying us within 14 days.
6. Data Subject Rights
Turalogin will assist the Controller in responding to Data Subject requests including:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Data portability
- Restriction of processing
- Objection to processing
7. Data Breach Notification
In the event of a Personal Data breach, Turalogin will:
- Notify the Controller without undue delay (within 72 hours of becoming aware)
- Provide details of the breach including categories and volume of data affected
- Describe likely consequences and mitigation measures
- Cooperate with the Controller's investigation and notification obligations
8. International Transfers
When Personal Data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Transfer to countries with adequate data protection (adequacy decisions)
- Binding Corporate Rules where applicable
9. Audits and Inspections
Upon reasonable notice, Turalogin will:
- Make available information necessary to demonstrate compliance
- Allow for and contribute to audits conducted by the Controller or an auditor
- Provide copies of relevant third-party audit reports upon request
10. Term and Termination
This DPA remains in effect for the duration of the service agreement. Upon termination:
- Turalogin will delete or return all Personal Data within 30 days
- Provide certification of deletion upon request
- Retained data for legal compliance will be securely isolated
11. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Neither party excludes liability for gross negligence or willful misconduct.
12. Contact
For questions about this DPA or to exercise rights under it, contact:
- Email: dpa@turalogin.com
- Data Protection Officer: dpo@turalogin.com