Last updated: May 1, 2026
Our role
Inbox OSS acts as a Data Processor for the personal data you upload and the email events generated. You act as the Data Controller responsible for lawful basis, consent, and data subject rights.
Data Processing Agreement
A pre-signed DPA is available at /legal/dpa. It incorporates the EU Standard Contractual Clauses (SCCs) for transfers outside the EEA. Enterprise customers may execute a custom DPA on request.
Subprocessors
We publish a full subprocessor registry and notify customers 30 days before any addition. See /legal/subprocessors.
EU region
Customers requiring EU data residency can pin processing to our Frankfurt region. EU-region accounts have all data, logs, and backups stored exclusively in the EU.
Data subject rights
We provide self-serve tooling for access, rectification, and deletion of subscriber records. Bulk deletion via API is supported. We respond to controller-led DSARs within 30 days.
Security measures
See /legal/security for a full overview. Highlights: AES-256 at rest, TLS 1.3 in transit, SOC 2 Type II, annual penetration testing.
Breach notification
We notify customers of any confirmed personal data breach within 24 hours of detection, well within the 72-hour GDPR requirement.
DPO contact
Our Data Protection Officer can be reached at dpo@inbox.onesourcesoft.com.
