Inbox OSS

GDPR Compliance

Inbox OSS is committed to GDPR compliance for our EU and UK customers and the data subjects you send email to.

Last updated: May 1, 2026

Our role

Inbox OSS acts as a Data Processor for the personal data you upload and the email events generated. You act as the Data Controller responsible for lawful basis, consent, and data subject rights.

Data Processing Agreement

A pre-signed DPA is available at /legal/dpa. It incorporates the EU Standard Contractual Clauses (SCCs) for transfers outside the EEA. Enterprise customers may execute a custom DPA on request.

Subprocessors

We publish a full subprocessor registry and notify customers 30 days before any addition. See /legal/subprocessors.

EU region

Customers requiring EU data residency can pin processing to our Frankfurt region. EU-region accounts have all data, logs, and backups stored exclusively in the EU.

Data subject rights

We provide self-serve tooling for access, rectification, and deletion of subscriber records. Bulk deletion via API is supported. We respond to controller-led DSARs within 30 days.

Security measures

See /legal/security for a full overview. Highlights: AES-256 at rest, TLS 1.3 in transit, SOC 2 Type II, annual penetration testing.

Breach notification

We notify customers of any confirmed personal data breach within 24 hours of detection, well within the 72-hour GDPR requirement.

DPO contact

Our Data Protection Officer can be reached at dpo@inbox.onesourcesoft.com.