Effective date: March 19, 2026
Last updated: March 19, 2026
This Data Processing Agreement (“DPA”) forms part of the service agreement between the Client identified in the signature block below (“Controller”) and TurtleTech ehf., Kennitala 6002251460, registered at Fornhaga 24, 107 Reykjavik, Iceland (“Processor”, “TurtleTech”).
This DPA is entered into pursuant to Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Icelandic Data Protection Act (personuverndarlog nr. 90/2018). It supplements the TurtleTech Terms of Service and Privacy Policy.
Where there is a conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.
1. Definitions#
- Controller: The Client, being the natural or legal person that determines the purposes and means of Processing of Personal Data and engages the Processor to process Personal Data on its behalf.
- Processor: TurtleTech ehf., which processes Personal Data on behalf of the Controller.
- Data Subject: An identified or identifiable natural person whose Personal Data is processed under this DPA.
- Personal Data: Any information relating to a Data Subject, as defined in Article 4(1) of the GDPR.
- Processing: Any operation or set of operations performed on Personal Data, as defined in Article 4(2) of the GDPR, including collection, recording, storage, retrieval, use, disclosure, erasure, and destruction.
- Sub-processor: A third party engaged by the Processor to carry out specific Processing activities on behalf of the Controller.
- Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
- Supervisory Authority: The Icelandic Data Protection Authority (Personuvernd), or any other competent data protection authority with jurisdiction over the Controller.
2. Scope and purpose of processing#
This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the services described in the Terms of Service, including:
- Shared hosting services (hosted application instances on TurtleTech-managed infrastructure)
- Dedicated hosting services (application instances on infrastructure provisioned exclusively for the Controller)
- TurtleTech Comments (hosted commenting widget)
- Zotero WebDAV Storage (managed file synchronization storage)
The Processor shall process Personal Data only to the extent necessary to provide the agreed services.
3. Duration#
This DPA takes effect on the date of the last signature below and remains in force for the duration of the service agreement between the parties. It terminates automatically when the Processor no longer processes Personal Data on behalf of the Controller, subject to Section 10 (Term and Termination).
4. Nature and purpose of processing#
The Processor processes Personal Data for the following purposes:
- Hosting and operating application instances for the Controller
- Storing and serving files uploaded by or on behalf of the Controller
- Performing automated backups and disaster recovery
- Performing system maintenance, updates, and security patching
- Debugging and incident response (with the Controller’s explicit consent)
- Delivering email notifications related to the services
- Providing technical support as requested by the Controller
The Processor does not access, analyze, sell, or share the Controller’s data except as necessary for service operation or as required by law.
5. Type of personal data and categories of data subjects#
The categories of Personal Data and Data Subjects depend on the services used by the Controller. Appendix A contains a detailed description of processing activities.
Types of Personal Data that may be processed:
- Names and email addresses
- Display names and user identifiers
- IP address hashes (SHA-256; raw IP addresses are not stored)
- User-generated content (comments, files, references)
- Authentication credentials (hashed passwords)
- Billing and correspondence data (invoices, support emails)
Categories of Data Subjects:
- The Controller’s employees, contractors, and agents
- The Controller’s end users and customers
- Visitors to the Controller’s websites (where TurtleTech Comments is deployed)
6. Obligations of the Processor#
6.1 Processing on documented instructions#
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by EU or Icelandic law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification.
6.2 Confidentiality#
The Processor shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted to personnel who require it for service delivery.
6.3 Security measures (Article 32)#
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Appendix B. These measures include, at a minimum:
- Encrypted connections (TLS) for all services and data in transit
- Podman container isolation on shared infrastructure
- Automated security updates for operating systems and applications
- Access controls and secret management (SSH key authentication, no password-based server access)
- Regular automated backup procedures with integrity verification
- Separation of client data in multi-tenant environments
The Processor shall regularly review and update these measures to address evolving risks.
6.4 Sub-processor management#
The Processor shall not engage another processor (Sub-processor) without prior written consent of the Controller. The Controller hereby provides general authorization for the Sub-processors listed in Appendix C.
The Processor shall:
- Maintain an up-to-date list of Sub-processors (Appendix C)
- Notify the Controller at least 30 days before adding or replacing a Sub-processor, providing the Controller an opportunity to object
- Impose data protection obligations on each Sub-processor by way of a contract that provides at least the same level of protection as this DPA
- Remain fully liable to the Controller for the performance of each Sub-processor’s obligations
If the Controller objects to a new Sub-processor, the parties shall discuss the objection in good faith. If no resolution is reached within 30 days, the Controller may terminate the affected service without penalty by providing written notice.
6.5 Data subject rights#
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under the GDPR, including the rights of:
- Access (Article 15)
- Rectification (Article 16)
- Erasure (Article 17)
- Restriction of processing (Article 18)
- Data portability (Article 20)
- Objection (Article 21)
The Processor shall promptly forward to the Controller any Data Subject request received directly by the Processor. The Processor shall not respond to a Data Subject request independently unless authorized by the Controller.
The Processor shall provide reasonable technical assistance to enable the Controller to respond to Data Subject requests within the GDPR timeframe of 30 days.
6.6 Data breach notification#
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach affecting the Controller’s Personal Data.
The notification shall include:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of the Processor’s data protection contact
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to address the Data Breach
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.
6.7 Data protection impact assessments#
The Processor shall provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities, to the extent that the Processor’s processing activities are relevant to such assessments.
6.8 Deletion or return of data on termination#
Upon termination of the service agreement, the Processor shall, at the Controller’s choice:
- Return all Personal Data to the Controller in a structured, machine-readable format; or
- Delete all Personal Data and confirm deletion in writing
For shared services, the Controller’s data remains available for export for 30 days after termination, after which it is permanently deleted.
For dedicated services, TurtleTech removes its administrative access. The Controller retains the server and all data.
The Processor may retain Personal Data to the extent required by applicable law (for example, invoicing records retained for 7 years under Icelandic accounting law). Any retained data remains subject to this DPA.
6.9 Audit rights#
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA.
The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Controller shall:
- Provide at least 30 days written notice of an audit
- Conduct the audit during normal business hours
- Ensure that the audit does not unreasonably disrupt the Processor’s operations
- Bear the costs of the audit
The Processor may satisfy audit obligations by providing relevant third-party certifications, audit reports, or attestations where available.
7. Sub-processors#
The current list of approved Sub-processors is provided in Appendix C. The Processor uses the following Sub-processors as of the effective date:
| Sub-processor | Purpose | Location |
|---|---|---|
| NetCup GmbH | Server hosting | Nuremberg, Germany |
| Cloudflare Inc | CDN, DDoS protection, DNS | Global (EU processing) |
| Backblaze Inc | Zotero WebDAV file storage | Amsterdam, Netherlands |
| Revolut Business | Payment processing | Vilnius, Lithuania |
| Amazon Web Services | Email delivery (SES) | Dublin, Ireland |
All Sub-processors are bound by data processing agreements that impose obligations equivalent to those set out in this DPA.
8. International transfers#
All Personal Data processed under this DPA is stored within the EU/EEA. The Processor does not transfer Personal Data to countries outside the EEA unless:
- The Controller explicitly requests such a transfer for dedicated hosting (in which case the Controller determines the data center location and is responsible for ensuring an adequate legal basis for the transfer); or
- A Sub-processor processes data in a country that the European Commission has determined provides an adequate level of data protection; or
- Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission
Cloudflare Inc processes certain traffic data (CDN caching, DDoS protection) at global edge locations. Cloudflare is certified under the EU-US Data Privacy Framework and processes EU personal data in accordance with its GDPR-compliant data processing addendum.
The Processor shall inform the Controller before making any changes to international transfer mechanisms.
9. Liability#
Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service.
The Processor shall be liable for damage caused by Processing that does not comply with the obligations of this DPA or the GDPR specifically directed to the Processor, or where the Processor has acted outside of or contrary to the Controller’s lawful instructions, in accordance with Article 82 of the GDPR.
Nothing in this DPA limits either party’s liability for: (a) fraud or fraudulent misrepresentation; (b) liability that cannot be excluded or limited under applicable law, including GDPR obligations; or (c) obligations to Data Subjects under the GDPR.
10. Term and termination#
This DPA takes effect on the date of the last signature below and remains in force until:
- The Processor ceases to process Personal Data on behalf of the Controller; or
- The underlying service agreement between the parties is terminated
Sections that by their nature should survive termination shall survive, including Section 6.2 (Confidentiality), Section 6.8 (Deletion or return of data), and Section 6.9 (Audit rights).
Termination of this DPA does not relieve either party of obligations that accrued prior to termination.
11. Governing law and jurisdiction#
This DPA is governed by the laws of Iceland. Any disputes arising from or in connection with this DPA shall be resolved by the Reykjavik District Court (Herad) as the court of first instance.
12. Signatures#
This DPA may be executed electronically via Documenso (sign.turtletech.us). Electronic signatures have the same legal effect as handwritten signatures.
Processor: TurtleTech ehf.
| Name | Rohit Goswami |
| Title | Director |
| Date | |
| Signature |
Controller:
| Company name | |
| Name | |
| Title | |
| Date | |
| Signature |
Appendix A: Description of Processing#
| Item | Description |
|---|---|
| Subject matter | Hosting, storage, and maintenance of application instances and data on behalf of the Controller |
| Duration | Duration of the service agreement between Controller and Processor |
| Nature of processing | Storage, retrieval, backup, transmission, and deletion of Personal Data as part of hosted application operation |
| Purpose of processing | Providing shared hosting, dedicated hosting, Zotero WebDAV storage, and/or TurtleTech Comments services as described in the Terms of Service |
| Categories of Data Subjects | Controller’s employees, contractors, agents, end users, customers, and website visitors |
| Types of Personal Data | Names, email addresses, display names, user identifiers, hashed IP addresses, user-generated content (comments, files, references), authentication credentials (hashed), billing data, support correspondence |
| Special categories of data | None. The Processor does not knowingly process special categories of Personal Data (Article 9 GDPR) unless the Controller stores such data in hosted applications, in which case the Controller is responsible for ensuring a lawful basis. |
Appendix B: Technical and Organizational Measures#
The Processor implements the following measures pursuant to Article 32 of the GDPR:
Encryption
- TLS encryption for all data in transit (HTTPS, encrypted SMTP)
- Encrypted backups at rest (where supported by the storage provider)
Access control
- SSH key-based authentication for all server access (no password-based server login)
- Principle of least privilege for administrative access
- Unique credentials for each authorized person
- Multi-factor authentication for hosting provider accounts
Isolation
- Podman container isolation for all applications on shared infrastructure
- Separate containers, networks, and storage volumes per client application
- Dedicated infrastructure for dedicated hosting clients (no shared tenancy)
Availability and resilience
- Automated daily backups with integrity verification
- Geographically separate backup storage (Backblaze B2, Amsterdam)
- Automated monitoring and alerting for service availability
- Documented incident response procedures
Patch management
- Automated security updates for operating systems
- Regular application updates and security patching
- Quarterly infrastructure review for dedicated hosting clients
Organizational measures
- Confidentiality obligations for all personnel with access to Personal Data
- Documented procedures for data subject request handling
- Documented procedures for data breach detection and notification
- Regular review and testing of technical and organizational measures
Appendix C: Approved Sub-processors#
The Controller hereby authorizes the Processor to engage the following Sub-processors:
| Sub-processor | Registered address | Processing activity | Data location | Legal basis for transfer |
|---|---|---|---|---|
| NetCup GmbH | Daimlerstr. 25, 76185 Karlsruhe, Germany | Server hosting and infrastructure | Nuremberg, Germany | EU/EEA – no transfer |
| Cloudflare Inc | 101 Townsend St, San Francisco, CA 94107, USA | CDN, DDoS protection, DNS resolution | Global edge network | EU-US Data Privacy Framework |
| Backblaze Inc | 500 Ben Franklin Ct, San Mateo, CA 94401, USA | Object storage for Zotero WebDAV files | Amsterdam, Netherlands | EU-US Data Privacy Framework; data stored in EU |
| Revolut Business (Revolut Payments UAB) | Konstitucijos ave. 21B, Vilnius, Lithuania | Payment processing | Vilnius, Lithuania | EU/EEA – no transfer |
| Amazon Web Services EMEA SARL | 38 Avenue John F. Kennedy, L-1855 Luxembourg | Email delivery (Amazon SES) | Dublin, Ireland | EU/EEA – no transfer |
The Processor shall notify the Controller at least 30 days before adding or replacing any Sub-processor on this list.
Contact for data protection matters:
Rohit Goswami
TurtleTech ehf.
Fornhaga 24, 107 Reykjavik, Iceland
Email: info@turtletech.us
Phone: +354 788 8264