Data Processing Agreement
Last updated: May 16, 2026
This DPA is incorporated by reference into the Inboxer Terms of Service and applies when our processing of Customer Personal Data is subject to the GDPR or UK GDPR. By using Inboxer in connection with personal data, you accept these terms. If your organisation requires a counter-signed copy or bespoke wording, contact legal@inboxer.so.
1. Definitions
Terms in CAPITAL letters not defined here have the meaning given in the GDPR. “Customer” means the entity that subscribes to Inboxer and acts as the controller of Customer Personal Data. “Inboxer” or “we” acts as processor. “Customer Personal Data” means personal data processed by Inboxer on behalf of Customer under the Terms of Service.
2. Subject matter, duration, nature, and purpose
- Subject matter: processing of Customer Personal Data to provide the Inboxer service.
- Duration: the term of the Terms of Service plus any additional period required for deletion or return of Customer Personal Data.
- Nature and purpose: email and calendar synchronisation, AI classification, draft generation, task extraction, meeting brief generation, retrieval over indexed Customer content, billing, support, and security operations.
- Categories of data subjects: Customer’s personnel and their correspondents.
- Categories of personal data: account identifiers, mailbox content, calendar entries, meeting transcripts, AI-generated drafts, audit logs, authentication metadata.
3. Processor obligations (Art. 28(3) GDPR)
Inboxer will:
- process Customer Personal Data only on documented instructions from Customer, including with regard to transfers to a third country, unless required to do so by Union or Member State law;
- ensure that persons authorised to process Customer Personal Data are under an obligation of confidentiality;
- implement appropriate technical and organisational measures described in Annex I to ensure a level of security appropriate to the risk;
- engage sub-processors only on the conditions in Section 5 below;
- taking into account the nature of the processing, assist Customer in fulfilling its obligation to respond to requests for exercising data subject rights (Arts. 15-22);
- assist Customer in ensuring compliance with the obligations under Arts. 32 to 36, taking into account the nature of processing and the information available;
- at Customer’s choice, delete or return all Customer Personal Data after the end of the provision of services, and delete existing copies unless retention is required by law;
- make available to Customer all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits (see Section 7).
4. Controller obligations
Customer warrants that it has a valid legal basis for the processing it instructs Inboxer to perform, has provided all required notices to data subjects, and has the right to share Customer Personal Data with Inboxer. Customer is responsible for the accuracy, quality, and legality of Customer Personal Data.
5. Sub-processors
Customer grants general written authorisation to Inboxer’s engagement of the sub-processors listed in Annex II and at /api/v1/sub-processors. Inboxer will provide at least 30 days’ prior notice of any intended addition or replacement of a sub-processor by updating this page and the JSON feed. Customer may object on reasonable grounds, in which case the parties will work in good faith to find a workable solution; if none is reached, Customer may terminate the Terms of Service for the affected service.
Inboxer remains liable for the acts and omissions of its sub-processors as if they were its own.
6. International transfers
Where Customer Personal Data is transferred outside the EEA, UK, or Switzerland to a country not benefiting from a UK / EU adequacy decision, the parties incorporate the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) by reference. The relevant Module (typically Module 2: controller-to-processor or Module 3: processor-to-processor) applies based on the parties’ respective roles. UK transfers rely on the UK International Data Transfer Addendum to the SCCs. Swiss transfers rely on the SCCs as adapted by the FDPIC.
7. Audit rights
Inboxer will, on reasonable written request and at most once per twelve-month period (unless required more frequently by a supervisory authority or following a Personal Data Breach), make available to Customer (a) its then-current third-party security audit reports (e.g. SOC 2, ISO 27001) under NDA, and (b) responses to a reasonable security questionnaire. Where these do not reasonably satisfy Customer’s audit obligations, the parties will discuss in good faith an on-site audit on mutually agreed terms, conducted at Customer’s cost during normal business hours and without disrupting Inboxer’s operations or the privacy of other customers.
8. Personal Data Breach notification
Inboxer will notify Customer without undue delay, and where feasible within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include the information required by Art. 33(3) GDPR to the extent available, and will be updated as further information becomes known.
9. Deletion and return of data
On termination of the Terms of Service, or earlier on Customer’s written request, Inboxer will delete Customer Personal Data within 30 days, save for copies retained where required by law (in which case Inboxer will continue to protect the data under this DPA and limit further processing to the purpose of that legal obligation). Customer can self-serve export and deletion from Settings → Your data.
10. Liability and order of precedence
Each party’s liability under this DPA is subject to the limitations of liability in the Terms of Service. In the event of a conflict between this DPA and the Terms of Service in respect of the processing of Customer Personal Data, this DPA prevails.
Annex I — Technical and organisational measures
Inboxer implements the measures described on our Security page, including: OAuth-based access to provider mailboxes, TLS in transit, encryption at rest, encrypted storage of connection tokens, role-based access controls with MFA on production systems, structured audit logging of security-relevant events, approval-first outbound actions, and a documented incident response procedure.
Annex II — Sub-processors
List last updated: 2026-05-16. The machine-readable feed is at /api/v1/sub-processors.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Clerk | Authentication, session management, organisation membership. | United States | SCCs (EU Commission 2021/914) + DPA |
| Stripe | Billing, subscription management, payment processing. | United States, Ireland | SCCs + DPA |
| OpenAI | AI classification, drafting, summarisation, embeddings. | United States | SCCs + DPA |
| Anthropic | AI classification, drafting, summarisation. | United States | SCCs + DPA |
| Recall.ai | Meeting bot ingest of transcripts. | United States | SCCs + DPA |
| Inngest | Background job orchestration. Event payloads carry only IDs. | United States | SCCs + DPA |
| PostHog | Product analytics, in-app event tracking. | United States or European Union (region-pinned per visitor) | SCCs + DPA (US region only) |
| Google (Gmail, Calendar) | Mailbox and calendar access via OAuth, at user direction. | United States | SCCs + DPA |
| Microsoft (Graph, Outlook, Microsoft 365) | Mailbox and calendar access via OAuth, at user direction. | United States, European Union | SCCs + DPA |
11. Contact
For legal questions and DPA negotiation: legal@inboxer.so. For privacy and data subject requests: privacy@inboxer.so.