Skip to content
Inbox OSS

Legal

Data Processing Agreement

This DPA forms part of the Terms of Service between Inbox OSS (Processor) and the Customer (Controller).

Last updated: May 1, 2026

Scope

This DPA applies to all processing of personal data that we perform on behalf of the Controller in connection with the services.

Roles

The Controller determines the purposes and means of processing. The Processor processes data only on the Controller’s documented instructions, which are deemed to be the Terms and the use of the services.

Subprocessors

The Controller authorizes the use of subprocessors listed in our public registry. The Processor will notify the Controller 30 days before adding a new subprocessor; the Controller may object on reasonable grounds.

International transfers

Transfers outside the EEA rely on the EU Standard Contractual Clauses (Module 2 for Controller-to-Processor, Module 3 for Processor-to-Processor). The SCCs are incorporated by reference.

Security

The Processor will implement and maintain appropriate technical and organizational measures, as described in our Security Overview at /legal/security.

Personal data breach

The Processor will notify the Controller without undue delay and in any event within 24 hours of becoming aware of a personal data breach affecting the Controller’s personal data.

Data subject rights

The Processor will provide reasonable assistance with data subject rights requests, including access, rectification, erasure, and portability.

Audit rights

The Controller may audit the Processor’s compliance once per year on 30 days notice, or more frequently following a personal data breach. Audits may rely on our SOC 2 report and other certifications.

Return and deletion

On termination, the Processor will delete or return all personal data within 90 days, except where retention is required by law.

Order of precedence

In case of conflict between this DPA and the Terms, this DPA prevails for matters of data protection.