Data Processing Agreement

This Data Processing Agreement ("DPA") supplements TurnkeyERP's Terms of Service and applies wherever TurnkeyERP processes personal data on behalf of a Customer in the course of providing the Services. This is a published reference DPA. The signed, executable version is exchanged with Customer's legal team during procurement.

1. Roles and definitions

Customer is the data controller. TurnkeyERP is the data processor (and, for sub-processed services like AI generation and managed hosting, the relevant providers act as sub-processors as listed below).

Personal Data means any data relating to an identified or identifiable natural person processed by TurnkeyERP on behalf of the Customer in connection with the Services.

2. Subject matter and duration

Subject matter: TurnkeyERP processes Personal Data to provide the AI Delivery Chain, the FORGE methodology workspace, the skills marketplace, managed services, and related operational features. Duration: for the term of the underlying agreement plus the retention windows specified in Section 7.

3. Categories of data subjects and data

• Customer's employees, contractors, and stakeholders engaged in the engagement.
• End-user contact data submitted via website forms (name, email, phone, company, message, IP address hash, user-agent, page provenance).
• Engagement artifacts produced by the AI Delivery Chain (BRD, Solution Design, Proposal, scripts) where they reference Customer personnel or systems.

4. Security measures

• Encryption in transit (TLS 1.2+) and at rest (AES-256).
• Row-level security (RLS) on all multi-tenant tables. Public-anon writes (e.g., contact submissions) are write-only; reads require service role.
• Server-side input validation, rate limiting, and captcha on public form endpoints.
• Hashed IP address storage on contact submissions for moderation context. raw IP not stored.
• Audit log of every approval, every chain run, every artifact version.
• Access controls scoped to engagement, role, and explicit AM-vs-buyer-vs-consultant boundaries.

5. Sub-processors

TurnkeyERP engages sub-processors across the following categories to deliver the service. Customer will be notified of material changes in advance, and the current named list is provided to Customer under NDA on request.

• Cloud infrastructure (database, authentication, storage, hosting, content delivery, region-specific compute).
• AI generation providers used by the AI Delivery Chain. Customer data sent to these providers is governed by their respective DPAs and is not used to train third-party models.
• Captcha and abuse-prevention services on public form endpoints.
• Payment and payout processors for Account Manager wallet funding and consultant royalty disbursement.
• Transactional email and notification services for engagement and confirmation emails.

For the current named list of sub-processors and their roles, contact security@turnkeyerp.com. We do not publish vendor names on public pages.

6. International transfers

Personal Data may be transferred to and processed in the United States and other jurisdictions where our sub-processors operate. Transfers are governed by Standard Contractual Clauses or equivalent safeguards where required.

7. Data retention and deletion

• Public contact submissions are retained for the duration of the active follow-up plus a reasonable archive period for sales records.
• Engagement artifacts are retained for the term of the engagement plus the contractual retention specified in the SOW.
• On Customer's written request, TurnkeyERP will delete or return Personal Data within 30 days, subject to legal retention obligations.

8. Data subject rights

TurnkeyERP will assist Customer in responding to requests from data subjects to exercise their rights under applicable data protection laws (access, rectification, erasure, restriction, portability, objection).

9. Breach notification

TurnkeyERP will notify Customer without undue delay (and within 72 hours where required by law) after becoming aware of a personal data breach, providing the information required for Customer to comply with its own notification obligations.

10. Audit

Customer may, no more than once per year and on reasonable advance notice, audit TurnkeyERP's compliance with this DPA, including by reviewing security documentation and certifications. Where TurnkeyERP holds an industry-standard certification (e.g., SOC 2), provision of the audit report shall satisfy this obligation.

11. Security disclosure contact

If you believe you have discovered a security vulnerability, please email security@turnkeyerp.com with details. We acknowledge reports within one business day. Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and remediate.

12. Contact for DPA execution

To execute this DPA in signed form, contact legal@turnkeyerp.com. We accept Customer-supplied DPAs that meet the minimum standard above.