Back to home

Data Processing Agreement

Last updated: January 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between TuraText ("Processor") and you ("Controller") and governs the processing of personal data in connection with the TuraText communication services.

TuraText is part of the Tura Cloud platform. This Data Processing Agreement applies specifically to TuraText's communication services. For the Tura Cloud platform policy, visit turacloud.com/legal/dpa.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
  • "Data Subject" means the individual to whom the Personal Data relates.
  • "Sub-processor" means any third party engaged by TuraText to process Personal Data.
  • "Data Protection Laws" means GDPR, CCPA, and other applicable data protection legislation.

2. Scope and Roles

2.1 Controller Responsibilities

As the Controller, you are responsible for:

  • Determining the purposes and means of processing Personal Data
  • Ensuring a lawful basis for processing under applicable Data Protection Laws
  • Providing required notices to Data Subjects
  • Responding to Data Subject requests

2.2 Processor Responsibilities

As the Processor, TuraText will:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to Data Subject requests
  • Delete or return Personal Data upon termination of services

3. Data Processing Details

3.1 Categories of Data Subjects

  • Your employees and administrators
  • End users of your applications

3.2 Types of Personal Data

  • Email addresses
  • IP addresses
  • User agent information
  • Authentication timestamps
  • Geolocation data (country/city level)

3.3 Processing Activities

  • Delivering messages, emails, or notifications
  • Tracking delivery status and engagement metrics
  • Logging message events for debugging and analytics
  • Managing subscriber and recipient lists

3.4 Duration of Processing

Personal Data will be processed for the duration of the service agreement and retained according to our data retention policies unless otherwise instructed.

4. Security Measures

TuraText implements the following security measures:

  • Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest
  • Access Control: Role-based access, multi-factor authentication for internal systems
  • Monitoring: Continuous security monitoring and logging
  • Incident Response: Documented incident response procedures
  • Employee Training: Regular security awareness training
  • Vulnerability Management: Regular security assessments and patching

5. Sub-processors

5.1 Authorized Sub-processors

The Controller authorizes the use of the following sub-processors:

Sub-processorPurposeLocation
NeonDatabase hostingUnited States
ResendEmail deliveryUnited States
VercelApplication hostingUnited States

5.2 Sub-processor Changes

We will notify you of any intended changes to sub-processors at least 30 days in advance. You may object to the change by notifying us within 14 days.

6. Data Subject Rights

TuraText will assist the Controller in responding to Data Subject requests including:

  • Access to Personal Data
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten")
  • Data portability
  • Restriction of processing
  • Objection to processing

7. Data Breach Notification

In the event of a Personal Data breach, TuraText will:

  • Notify the Controller without undue delay (within 72 hours of becoming aware)
  • Provide details of the breach including categories and volume of data affected
  • Describe likely consequences and mitigation measures
  • Cooperate with the Controller's investigation and notification obligations

8. International Transfers

When Personal Data is transferred outside the European Economic Area, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Transfer to countries with adequate data protection (adequacy decisions)
  • Binding Corporate Rules where applicable

9. Audits and Inspections

Upon reasonable notice, TuraText will:

  • Make available information necessary to demonstrate compliance
  • Allow for and contribute to audits conducted by the Controller or an auditor
  • Provide copies of relevant third-party audit reports upon request

10. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination:

  • TuraText will delete or return all Personal Data within 30 days
  • Provide certification of deletion upon request
  • Retained data for legal compliance will be securely isolated

11. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Neither party excludes liability for gross negligence or willful misconduct.

12. Contact

For questions about this DPA or to exercise rights under it, contact:

  • Email: dpa@turatext.com
  • Data Protection Officer: dpo@turatext.com