Data Processing Agreement
Automatic acceptance
This DPA is automatically incorporated into the InboxPilot Terms of Service. By using our Service, you acknowledge and agree to be bound by its terms. No separate signature is required for the DPA to be effective.
If your organization requires a signed DPA for compliance purposes, follow these steps:
1. Download the DPA
Download the PDF version of the DPA document using the button above.
2. Complete required information
Fill in your organization's details including company name, address, and authorized signatory information.
3. Sign the document
Have an authorized signatory sign the completed DPA on behalf of your organization.
4. Send to InboxPilot
Email the signed DPA to support@inboxpilot.co. Upon receipt, it will supersede the automatically incorporated DPA and become the legally binding version for your organization.
This Data Processing Agreement ("Agreement") forms part of the InboxPilot Terms of Service ("Principal Agreement") between the Customer (the "Controller") and InboxPilot, Inc. (the "Processor"). In the event of a conflict between this Agreement and the Principal Agreement, the terms of this Agreement shall prevail with respect to the processing of personal data.
- Controller Personal Data — any personal data processed by Processor on behalf of Controller under the Services.
- Applicable Data Protection Laws — GDPR, CCPA/CPRA, and other applicable privacy laws.
This DPA applies to all Controller Personal Data processed under the Main Agreement. It terminates automatically upon termination of the Main Agreement.
Processor shall process Controller Personal Data only on Customer's documented instructions (including the Main Agreement and this DPA), unless required by law.
purpose
data subjects
personal data
retention
Generate AI email responses
Email recipients, support contacts
Names, email addresses, message content, IDs
Subscription term + 30 days
Train custom AI models
Users uploading data
FAQs, documents, sample emails
Until deletion or termination
Website chatbot
Site visitors
Chat logs, IP, browser
90 days (logs)
Aggregated analytics
All users
Anonymized usage data
Indefinite
Processor shall assist Customer by appropriate technical and organizational measures in responding to data subject requests. Processor shall forward any data subject request received directly to Customer without undue delay and shall not respond except on Customer's instruction.
Processor implements and maintains the security measures described in Annex II below. All personnel processing Controller Personal Data are subject to confidentiality obligations.
Customer grants general authorization to engage the sub-processors listed in Annex I. Processor shall inform Customer of any new sub-processor 30 days in advance via email. Customer may object on reasonable data protection grounds within 14 days. The Processor remains fully liable for sub-processor performance.
Processor shall notify Customer within 24 hours of becoming aware of a personal data breach, including all details required under GDPR Art. 33(3).
Processor shall make available all information necessary to demonstrate GDPR Art. 28 compliance. Customer may audit once per year with 30 days' notice, at Customer's cost unless material non-compliance is found. Processor may satisfy audits via SOC 2 Type II or equivalent certification.
Data is processed in the United States. The Standard Contractual Clauses (Module 2: Controller to Processor) in Annex III apply and are incorporated by reference.
SCC choices:
- Clause 7 (Docking): Applies
- Clause 9(a): Option 2 — 30 days
- Clause 17: Delaware law
- Clause 18(b): New Castle County, Delaware courts
TO BE CONTINUED
If you have questions, concerns, or complaints regarding Terms of Service or our data practices, please contact us:
Thank you for choosing InboxPilot. We are committed to ensuring your privacy and providing a secure platform.
