Data Processing Addendum
Effective Date: 2026-05-13
Last Updated: 2026-05-13
This Data Processing Addendum ("DPA") supplements and forms part of the Terms of Service & Seller Agreement (the "Agreement") between YK Global LLC, a Wyoming limited liability company doing business as PurpleTurret ("PurpleTurret," "we," "us," or "our"), and the Seller identified in the Agreement ("Seller," "you," or "your"). This DPA governs PurpleTurret's processing of Buyer personal data on Seller's behalf in connection with the Services.
This DPA is automatically incorporated into the Agreement for any Seller subject to Data Protection Laws (including the GDPR, UK GDPR, and CCPA/CPRA). If there is a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Buyer personal data.
By using the Services to process Buyer personal data subject to Data Protection Laws, Seller is deemed to have entered into this DPA. No signature is required, but Seller may countersign by request to support@purpleturret.com.
1. Definitions
Capitalized terms not defined in this DPA have the meaning given in the Agreement. The following terms apply:
- "Buyer Personal Data" means personal data relating to a Buyer that PurpleTurret processes on Seller's behalf in connection with the Services.
- "Data Protection Laws" means all laws and regulations applicable to the processing of personal data, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK General Data Protection Regulation and the UK Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable U.S. state privacy laws.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Buyer Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission Decision 2021/914 of 4 June 2021.
- "UK IDTA" means the UK International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner's Office.
- "Subprocessor" means any third party engaged by PurpleTurret to process Buyer Personal Data.
- "Controller," "Processor," "Data Subject," "Process/Processing," "Service Provider," "Business," and "Contractor" have the meanings given in Data Protection Laws.
2. Roles and Scope
2.1 Roles
For Buyer Personal Data:
- Seller is the Controller (or Business, under CCPA/CPRA). Seller determines the purposes and means of processing Buyer Personal Data.
- PurpleTurret is the Processor (or Service Provider, under CCPA/CPRA). PurpleTurret processes Buyer Personal Data on Seller's documented instructions.
- Stripe is an independent third-party payment processor with its own role under Data Protection Laws, governed by Stripe's own terms.
For data PurpleTurret processes for its own purposes (account administration, billing, security, fraud and risk monitoring, service improvement, and legal compliance), PurpleTurret acts as an independent Controller, as described in our Privacy Policy. This DPA does not apply to that processing.
2.2 Scope
This DPA applies only to PurpleTurret's processing of Buyer Personal Data as Processor on Seller's behalf. The categories of Buyer Personal Data processed, the categories of Data Subjects, the nature and purpose of processing, and the duration are set out in Annex I.
2.3 Compliance with Laws
Each party will comply with its obligations under applicable Data Protection Laws. Seller is responsible for ensuring that its instructions to PurpleTurret and its collection of Buyer Personal Data comply with Data Protection Laws, including establishing a lawful basis for processing and providing required notices to Buyers.
3. PurpleTurret's Obligations as Processor
3.1 Processing on Documented Instructions
PurpleTurret will process Buyer Personal Data only:
- on Seller's documented instructions, including as set out in the Agreement, this DPA, and Seller's configuration of the Services; or
- as required by applicable law, in which case PurpleTurret will inform Seller of the legal requirement before processing, unless prohibited by law.
If PurpleTurret believes that an instruction violates Data Protection Laws, it will inform Seller without undue delay.
3.2 Confidentiality
PurpleTurret will ensure that personnel authorized to process Buyer Personal Data are bound by confidentiality obligations (whether contractual or statutory) and have received appropriate training.
3.3 Security
PurpleTurret will implement and maintain appropriate technical and organizational measures designed to protect Buyer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as set out in Annex II.
3.4 Assistance with Data Subject Requests
PurpleTurret will, taking into account the nature of the processing, provide reasonable assistance to Seller (through appropriate technical and organizational measures, insofar as possible) to respond to requests from Data Subjects to exercise their rights under Data Protection Laws. If PurpleTurret receives a request directly from a Buyer relating to processing performed on Seller's behalf, PurpleTurret will, unless legally prohibited, promptly forward the request to Seller and will not respond to the Buyer except to direct them to Seller or to confirm receipt.
3.5 Assistance with Compliance Obligations
PurpleTurret will provide Seller with reasonable assistance, at Seller's request and at Seller's cost (except where the request arises from PurpleTurret's breach of this DPA), in:
- conducting data protection impact assessments under Article 35 of the GDPR;
- consulting with supervisory authorities under Article 36 of the GDPR;
- demonstrating compliance with Article 28 of the GDPR; and
- responding to inquiries from supervisory authorities, where the inquiry relates to PurpleTurret's processing under this DPA.
3.6 Return or Deletion
On termination or expiration of the Agreement, PurpleTurret will, at Seller's choice, delete or return Buyer Personal Data within ninety (90) days, except where applicable law requires PurpleTurret to retain it (in which case PurpleTurret will continue to protect the retained data in accordance with this DPA). Routine deletion from backups occurs through normal backup-rotation cycles.
4. Seller's Obligations as Controller
Seller will:
- comply with Data Protection Laws applicable to its activities as Controller;
- establish and maintain a lawful basis for the processing of Buyer Personal Data through the Services;
- provide Buyers with all required privacy notices (including notice of PurpleTurret's role as Processor and Stripe's role as payment processor);
- respond to Data Subject requests as the Controller, with PurpleTurret's reasonable assistance as set out above;
- ensure its instructions to PurpleTurret comply with Data Protection Laws;
- not provide PurpleTurret with special categories of personal data (Article 9 GDPR), criminal-conviction data (Article 10 GDPR), or sensitive personal information (CCPA/CPRA) unless PurpleTurret has expressly agreed in writing to process such data; and
- promptly notify PurpleTurret of any change in applicable Data Protection Laws or Seller's processing activities that materially affects PurpleTurret's obligations under this DPA.
5. Subprocessors
5.1 General Authorization
Seller provides general written authorization for PurpleTurret to engage Subprocessors to process Buyer Personal Data, subject to this Section 5.
5.2 Current Subprocessors
The Subprocessors PurpleTurret currently engages are listed in Annex III, which is incorporated into this DPA. An up-to-date list is also available at https://purpleturret.com/subprocessors.
5.3 New Subprocessors
PurpleTurret will notify Seller of any intended addition or replacement of Subprocessors at least thirty (30) days in advance, by updating the Subprocessor list at the URL above or by email to the address Seller has on file (Seller may subscribe to update notifications at the URL).
5.4 Objection
Seller may object to a new Subprocessor on reasonable data-protection grounds by giving written notice to support@purpleturret.com within thirty (30) days of PurpleTurret's notification. The parties will work in good faith to resolve the objection. If the objection cannot be resolved, Seller may, as Seller's sole remedy, terminate the affected portion of the Services on thirty (30) days' written notice, without refund of prepaid Platform Fees beyond the date of termination.
5.5 Subprocessor Obligations
PurpleTurret will impose on each Subprocessor, by written contract, data-protection obligations no less protective than those in this DPA. PurpleTurret remains liable to Seller for any Subprocessor's failure to comply with those obligations, subject to the limitations of liability in Section 10.
6. International Data Transfers
6.1 Transfers Out of the EEA
Where Seller's transfer of Buyer Personal Data to PurpleTurret (or PurpleTurret's onward transfer to a Subprocessor) constitutes a restricted transfer under the GDPR, the parties agree that:
- the EU Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated into this DPA by reference and govern that transfer;
- Seller acts as data exporter; PurpleTurret acts as data importer;
- the optional docking clause does not apply;
- Clause 7 (docking clause) is omitted;
- Clause 9(a) Option 2 (general written authorization) applies, with the notice period set out in Section 5.3;
- Clause 11(a) optional language is omitted;
- Clause 17 (governing law): the SCCs are governed by the law of Ireland;
- Clause 18 (jurisdiction): disputes arising under the SCCs are resolved in the courts of Ireland;
- Annexes I, II, and III to the SCCs are populated by Annexes I, II, and III to this DPA respectively.
6.2 Transfers Out of the UK
Where Seller's transfer of Buyer Personal Data to PurpleTurret (or its Subprocessors) is a restricted transfer under the UK GDPR, the UK International Data Transfer Addendum to the EU SCCs (UK IDTA) is incorporated by reference and supplements the SCCs with respect to the United Kingdom. Tables 1, 2, 3, and 4 of the UK IDTA are populated by reference to this DPA and its Annexes.
6.3 Transfers Out of Switzerland
For transfers subject to the Swiss Federal Act on Data Protection, the SCCs apply with the modifications set out in the Swiss Federal Data Protection and Information Commissioner's guidance, including treating references to GDPR as references to the Swiss FADP where applicable.
6.4 Onward Transfers
PurpleTurret will not engage in onward transfers of Buyer Personal Data except in accordance with this DPA and Data Protection Laws, including by using appropriate transfer mechanisms with Subprocessors.
7. Personal Data Breach
7.1 Notification to Seller
PurpleTurret will notify Seller of any Personal Data Breach affecting Buyer Personal Data without undue delay, and in any event within forty-eight (48) hours after PurpleTurret becomes aware of it.
7.2 Information Provided
The notification will include, to the extent known and as the information becomes available:
- a description of the nature of the Personal Data Breach;
- the categories and approximate number of Data Subjects and Buyer Personal Data records affected;
- the likely consequences;
- the measures taken or proposed to address the Personal Data Breach and mitigate harm; and
- a contact point for further information.
7.3 Cooperation
PurpleTurret will reasonably cooperate with Seller in Seller's investigation, mitigation, and notifications related to the Personal Data Breach. Seller, as Controller, is responsible for any notifications to supervisory authorities and Data Subjects required by Data Protection Laws.
7.4 Not an Admission
PurpleTurret's notification of, or response to, a Personal Data Breach is not an acknowledgment of fault or liability.
8. CCPA / CPRA Service Provider Terms
To the extent PurpleTurret processes personal information of California residents on Seller's behalf, the following applies, and PurpleTurret acts as a Service Provider or Contractor to Seller as those terms are defined under CCPA/CPRA:
- PurpleTurret will process the personal information only for the limited and specified purpose of providing the Services to Seller, as described in the Agreement and Annex I.
- PurpleTurret will not sell or share the personal information as those terms are defined under CCPA/CPRA.
- PurpleTurret will not retain, use, or disclose the personal information outside the direct business relationship with Seller, or for any purpose other than the specific purpose of performing the Services, except as permitted by CCPA/CPRA.
- PurpleTurret will not combine the personal information it receives from Seller with personal information from other sources, except as permitted by 11 CCR § 7050(b).
- PurpleTurret will comply with applicable obligations under CCPA/CPRA and provide the same level of privacy protection as required of Seller as a Business.
- PurpleTurret will notify Seller if it determines it can no longer meet its obligations under CCPA/CPRA.
- Seller may, on notice, take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
PurpleTurret certifies that it understands these restrictions and will comply with them.
9. Audits and Information Rights
9.1 Self-Service Documentation
PurpleTurret will make available to Seller, on reasonable request and no more than once every twelve (12) months, a written summary of the technical and organizational measures it implements to protect Buyer Personal Data, including the information in Annex II and, when available, third-party security certifications or attestations (such as SOC 2 reports). One request per Seller per twelve-month period is included without charge; additional requests may be subject to reasonable fees.
9.2 Additional Audits
Where Data Protection Laws require an audit beyond what Section 9.1 provides, the parties will cooperate in good faith. Any such audit:
- requires at least sixty (60) days' prior written notice except where the law requires shorter notice;
- must be conducted during business hours, in a manner that does not unreasonably interfere with PurpleTurret's business, no more than once every twelve months (except in response to a documented Personal Data Breach or as required by a supervisory authority);
- must be conducted by an independent, reputable auditor bound by appropriate confidentiality obligations and not a competitor of PurpleTurret;
- excludes access to PurpleTurret's other customers' data, internal pricing, source code, or non-public proprietary information;
- is at Seller's sole cost, except where the audit reveals material non-compliance attributable to PurpleTurret; and
- will not include on-site inspection of PurpleTurret's premises unless specifically required by a competent supervisory authority.
9.3 Supervisory Authority Requests
If a supervisory authority directly requires PurpleTurret to demonstrate compliance, PurpleTurret will cooperate as required by law and may share information relevant to that request with the supervisory authority.
10. Liability
10.1 Liability Cap
Each party's aggregate liability arising out of or related to this DPA — whether in contract, tort, statute, or otherwise — is subject to the limitation of liability in the Agreement, except as modified in Sections 10.2 and 10.3 below.
10.2 Modified Cap for Data Protection Breaches
For claims arising specifically from breach by a party of this DPA or its obligations under Data Protection Laws with respect to Buyer Personal Data, each party's aggregate liability is capped at the greater of:
- two (2) times the Platform Fees paid or payable by Seller to PurpleTurret in the twelve (12) months immediately preceding the event giving rise to the claim; or
- one thousand U.S. dollars (US$1,000),
provided that in no event will any party's aggregate liability under this Section 10.2 exceed fifty thousand U.S. dollars (US$50,000), regardless of the number or nature of claims.
10.3 Indirect Damages Excluded
In no event will either party be liable to the other for any indirect, incidental, special, consequential, exemplary, or punitive damages, or for any loss of profits, revenue, goodwill, data, or business opportunity, arising out of or related to this DPA, even if advised of the possibility.
10.4 Apportionment Among Joint Controllers / Article 82
Where Article 82 GDPR (or an analogous provision of Data Protection Laws) applies, each party will be liable only for damage caused by processing that infringes Data Protection Laws and that is attributable to that party's acts or omissions. If a party has paid full compensation for damage suffered by a Data Subject, that party is entitled to claim back from the other party the part of the compensation corresponding to the other party's responsibility, subject to the caps in Sections 10.1 and 10.2.
10.5 No Limitation Where Prohibited
Nothing in this Section 10 limits liability that cannot be limited under applicable law, including liability for fraud or willful misconduct.
10.6 Sole Liability Provision
Section 10 sets out the full liability of the parties with respect to this DPA, and any conflicting provisions in the Agreement (including any liability cap) are superseded by this Section 10 solely with respect to claims under this DPA.
11. Term and Termination
This DPA takes effect when Seller begins using the Services to process Buyer Personal Data subject to Data Protection Laws and remains in effect for the duration of the Agreement. Sections 3.6 (Return or Deletion), 6 (International Data Transfers, with respect to any retained data), 7 (Personal Data Breach, with respect to events that occurred during the term), 8 (CCPA Service Provider Terms, with respect to retained data), 10 (Liability), and 12 (General) survive termination.
12. General
12.1 Order of Precedence
In case of conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Buyer Personal Data. The SCCs and UK IDTA, where incorporated, control over conflicting terms in this DPA.
12.2 Governing Law
This DPA is governed by the laws of the State of Wyoming, United States, except where the SCCs, UK IDTA, or Data Protection Laws require otherwise.
12.3 Amendments
PurpleTurret may update this DPA from time to time to reflect changes in Data Protection Laws, Subprocessors, or security practices. Material changes will be communicated by reasonable means in advance of taking effect.
12.4 Severability
If any provision of this DPA is held unenforceable, the remaining provisions remain in full force.
12.5 Notices
Notices under this DPA may be given to support@purpleturret.com for PurpleTurret, or to the email address Seller has on file for Seller.
12.6 Signatures
This DPA is incorporated into the Agreement by reference and does not require separate signature. Seller may request a countersigned copy at support@purpleturret.com.
Annex I — Description of Processing
A. List of Parties
Data Exporter (Controller): The Seller identified in the Agreement, using the Services to operate Checkout Experiences and sell Seller Products.
- Name: As provided in the Seller's PurpleTurret account.
- Address: As provided in the Seller's PurpleTurret account.
- Contact: As provided in the Seller's PurpleTurret account.
- Activities relevant to data transferred: Selling goods and services to Buyers through Checkout Experiences powered by PurpleTurret.
- Role: Controller / Business.
Data Importer (Processor): YK Global LLC d/b/a PurpleTurret.
- Name: YK Global LLC, doing business as PurpleTurret.
- Address: 1021 E Lincolnway, Suite 6574, Cheyenne, Wyoming 82001, United States
- Contact: support@purpleturret.com
- Activities relevant to data transferred: Providing the Services, including checkout-page creation, hosting, order processing, payment-session creation through Stripe, dashboards, and security and risk monitoring on the Seller's behalf.
- Role: Processor / Service Provider / Contractor.
B. Description of Transfer
Categories of Data Subjects:
- Buyers who interact with Checkout Experiences operated by Seller.
Categories of Personal Data:
- Identification and contact data: name, email address, billing/shipping address (if collected by Seller), phone number (if collected by Seller).
- Transaction data: product/offer purchased, Seller identity, price, currency, quantity, checkout/session identifier, timestamps, order status.
- Subscription data (if Seller uses recurring billing): subscription status, trial-conversion date, cancellation status, consent and disclosure evidence.
- Payment metadata received from Stripe: payment status, payment method type, last four digits of card and card brand (where available), transaction identifiers, refund and dispute status. Full card numbers and CVVs are not collected, processed, or stored by PurpleTurret; these are handled by Stripe.
- Device, browser, and technical data: IP address, device identifiers, browser type, operating system, session data, security and fraud logs.
- Communications: receipts, support correspondence, cancellation and dispute communications.
Special Categories of Data: None processed on Seller's behalf. Seller is prohibited from providing special-category data without PurpleTurret's prior written approval.
Frequency of Transfer: Continuous, for the duration of the Agreement.
Nature of Processing: Collection, recording, organization, structuring, storage, retrieval, consultation, use, disclosure by transmission to Stripe and other authorized recipients, restriction, erasure, and destruction, as needed to provide the Services.
Purpose of Processing: Provision of the Services, including operating Checkout Experiences, creating payment sessions through Stripe, recording orders and transactions, providing dashboards and reports to Seller, supporting Buyers on Seller's behalf where applicable, and security and risk monitoring on Seller's behalf.
Duration of Processing / Retention:
- Order and transaction records: retained while the Agreement is in effect and for the period required by applicable law, payment-network rules, and Stripe requirements.
- Subscription consent and disclosure logs: at least three (3) years from the end of the subscription, or longer where required by law.
- Security and access logs: retained for a defined period as reasonably necessary for security, fraud prevention, and investigation.
- On termination of the Agreement, Buyer Personal Data is deleted or returned in accordance with Section 3.6, except where law requires retention.
Transfers to Subprocessors: Buyer Personal Data may be transferred to the Subprocessors listed in Annex III for the purposes and durations described above.
C. Competent Supervisory Authority
For SCCs purposes, the competent supervisory authority is determined under Clause 13 of the SCCs based on Seller's establishment or, if Seller is not established in the EEA, the supervisory authority of the EU Member State where the Data Subjects are predominantly located.
Annex II — Technical and Organizational Measures
PurpleTurret implements and maintains the following technical and organizational measures designed to protect Buyer Personal Data. PurpleTurret may update these measures from time to time provided that the overall level of protection is not decreased.
A. Encryption
- All data in transit between Buyers, Sellers, Stripe, and PurpleTurret systems is encrypted using TLS 1.2 or higher.
- Buyer Personal Data at rest in PurpleTurret's primary data stores is encrypted using industry-standard encryption.
- Payment-card data is not transmitted to or stored on PurpleTurret servers; it is collected, transmitted, and stored by Stripe under Stripe's PCI-DSS-compliant infrastructure.
B. Access Control
- Access to systems and data containing Buyer Personal Data is restricted to personnel whose role requires it.
- Administrative access to production systems requires multi-factor authentication.
- Access is granted on the principle of least privilege and is revoked promptly upon role change or termination.
- Access events are logged and reviewable.
C. Authentication
- User account access to the Seller dashboard requires authentication using credentials or supported authentication methods.
- PurpleTurret supports and encourages multi-factor authentication for Seller accounts.
D. Logging and Monitoring
- PurpleTurret maintains audit logs of administrative access, security-relevant events, and system events.
- Error monitoring is provided by Sentry; product analytics by PostHog and Vercel Analytics; website analytics by Google Analytics.
- PurpleTurret monitors for unauthorized access, anomalous behavior, and indicators of compromise.
E. Backup and Recovery
- Buyer Personal Data is backed up on a routine basis.
- Backups are protected by access controls equivalent to those applied to production data.
- Recovery procedures are tested periodically.
F. Incident Response
- PurpleTurret maintains an incident response procedure covering identification, containment, eradication, recovery, and post-incident review.
- Identified Personal Data Breaches affecting Buyer Personal Data are reported to Seller in accordance with Section 7 of this DPA.
G. Personnel
- Personnel with access to Buyer Personal Data are bound by written confidentiality obligations.
- Personnel receive guidance on data-protection responsibilities appropriate to their role.
H. Subprocessor Management
- Subprocessors with access to Buyer Personal Data are bound by written contracts containing data-protection obligations no less protective than those in this DPA.
- Subprocessor compliance is reviewed periodically.
I. Physical and Environmental Security
- Production systems are hosted in third-party data centers (operated by Subprocessors) that maintain industry-standard physical and environmental controls, including 24/7 facility security, access controls, fire suppression, and redundant power.
J. Vulnerability Management
- PurpleTurret applies security patches to its systems and dependencies on a regular basis.
- Production code is reviewed before deployment.
- Security issues identified are tracked and remediated based on severity.
K. Secure Development
- Development uses version control with code review.
- Sensitive credentials are stored using secrets-management practices, not in source code.
- Production access by non-administrators is restricted.
L. Business Continuity
- PurpleTurret's hosting providers maintain redundancy and failover capabilities consistent with their published service-level commitments.
- Backups support restoration in the event of data loss.
Annex III — Subprocessors
PurpleTurret engages the following Subprocessors to process Buyer Personal Data on Seller's behalf. An up-to-date list is available at https://purpleturret.com/subprocessors.
| Subprocessor | Purpose | Location of Processing |
|---|---|---|
| Vercel Inc. | Application hosting and edge delivery; website analytics | United States |
| Convex, Inc. | Database and backend services | United States |
| Resend, Inc. | Transactional email delivery | United States |
| Google LLC | Customer support email (Google Workspace); website analytics (Google Analytics) | United States |
| PostHog, Inc. | Product analytics | United States |
| Functional Software, Inc. (Sentry) | Error monitoring and application performance | United States |
| Stripe, Inc. | Payment processing (operates as independent third-party payment processor under Stripe's own terms; included here for transparency) | United States (with global payment infrastructure) |
PurpleTurret may engage additional Subprocessors in accordance with Section 5. Updates will be reflected at the URL above and communicated to Sellers who have subscribed to update notifications.
PurpleTurret is checkout software for independent sellers. Sellers — not PurpleTurret — sell their products and are the merchant of record. Payments are processed by Stripe. This Data Processing Addendum governs PurpleTurret's processing of Buyer personal data on the Seller's behalf.