Data Processing Agreement
October 19th, 2024
Last updated: December 5th, 2025
DATA PROCESSING AGREEMENT
Effective Date: Date of Customer's acceptance of the InboxPilot Terms of Service
PARTIES
Processor
InboxPilot, Inc.
2810 N Church St PMB 16104
Wilmington, Delaware 19802-4447
United States
Email: support@inboxpilot.co
Controller
The legal entity or individual that accepts the InboxPilot Terms of Service (the "Customer")
RECITALS
(A) Customer uses the InboxPilot AI-powered email automation platform (the "Service") under the InboxPilot Terms of Service dated October 19, 2025 (the "Main Agreement").
(B) This Data Processing Agreement ("DPA") is incorporated into and forms part of the Main Agreement.
(C) The Parties enter into this DPA to ensure compliance with Regulation (EU) 2016/679 (GDPR), the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018 (DPA 2018), the California Consumer Privacy Act (CCPA) as amended by the CPRA, and other applicable data protection laws ("Applicable Data Protection Law").
(D) In case of conflict between this DPA and the Main Agreement, this DPA prevails with respect to processing of personal data.
1. DEFINITIONS
1.1 Terms defined in the GDPR or Main Agreement have the same meaning here.
1.2 "Controller Personal Data" means any personal data processed by Processor on behalf of Customer under the Service.
2. SCOPE AND DURATION
2.1 This DPA applies to all Controller Personal Data processed under the Main Agreement.
2.2 This DPA terminates automatically upon termination of the Main Agreement.
3. PROCESSING INSTRUCTIONS
3.1 Processor shall process Controller Personal Data only on Customer's documented instructions (including the Main Agreement and this DPA), unless required by law.
3.2 If Processor believes that any instruction from Customer violates Applicable Data Protection Law, Processor shall inform Customer without undue delay and shall not be required to comply with such instruction until it has been confirmed or modified by Customer.
3.3 Permitted Processing Activities
The following table outlines the permitted processing activities:

| Processing activity | Data subjects and categories of data | Retention |
|---|---|---|
| Generate AI email responses | Email recipients and support contacts (names, email addresses, message content, IDs) | Subscription term + 30 days |
| Train custom AI models | Users uploading data (FAQs, documents, sample emails) | Until deletion or termination |
| Email Actions | Email automation workflows | 90 days (logs) |
| Aggregated analytics | All users (anonymized usage data) | Indefinite |
4. DATA SUBJECT RIGHTS & COOPERATION
4.1 Processor shall assist Customer (by appropriate technical/organizational measures) in responding to data subject requests.
4.2 Processor shall forward any data subject request received directly to Customer without undue delay and shall not respond except on Customer's instruction.
5. SECURITY OF PROCESSING
5.1 Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to the measures specified in Annex II. Processor shall apply appropriate technical and organizational security measures to protect Controller Personal Data against unauthorized access, alteration, disclosure, or destruction. Processor shall apply industry-standard security practices and maintain security measures that meet or exceed the requirements of Applicable Data Protection Law.
5.2 Processor shall ensure that all personnel processing Controller Personal Data are subject to confidentiality obligations and have received appropriate training on data protection and security.
5.3 Processor shall regularly test, assess, and evaluate the effectiveness of technical and organizational measures for ensuring the security of processing.
6. SUB-PROCESSORS
6.1 Customer grants general authorization to engage Sub-processors listed in Annex I.
6.2 Processor shall inform Customer of any new Sub-processor 30 days in advance via email. Customer may object on reasonable data protection grounds within 14 days.
6.3 Processor shall ensure that all Sub-processors are bound by the same data protection obligations as set out in this DPA, including but not limited to the same level of data protection and security measures. Processor shall enter into written agreements with all Sub-processors that impose equivalent obligations to those contained in this DPA.
6.4 Processor remains fully liable for Sub-processor performance and compliance with this DPA.
7. DATA BREACH
7.1 Processor shall notify Customer without undue delay and in any event within 24 hours of becoming aware of a personal data breach, including all details required under GDPR Art. 33(3) and UK GDPR equivalent provisions.
7.2 Processor shall provide reasonable assistance to Customer in connection with any personal data breach, including:
- (a) Assisting Customer in notifying relevant supervisory authorities and data subjects where required;
- (b) Providing all information reasonably necessary to enable Customer to comply with its obligations under Applicable Data Protection Law;
- (c) Taking reasonable steps to contain and mitigate the breach and prevent further unauthorized access or disclosure.
8. AUDITS & DPIA
8.1 Processor shall make available all information necessary to demonstrate compliance with GDPR Art. 28, UK GDPR equivalent provisions, and other Applicable Data Protection Law.
8.2 Customer may audit once per year with 30 days' notice, at Customer's cost (unless material non-compliance is found).
8.3 Processor may satisfy audits via SOC 2 Type II or equivalent certification.
8.4 Processor shall provide reasonable assistance to Customer in connection with:
- (a) Data Protection Impact Assessments (DPIAs) required under GDPR Art. 35, UK GDPR equivalent provisions, or other Applicable Data Protection Law;
- (b) Prior consultations with supervisory authorities (including the UK Information Commissioner's Office (ICO)) where required;
- (c) Any other obligations relating to data security, privacy by design, and privacy by default under Applicable Data Protection Law.
9. INTERNATIONAL TRANSFERS
9.1 Data is processed in the United States.
9.2 For transfers of Personal Data from the European Economic Area (EEA) to the United States, the Standard Contractual Clauses (Module 2: Controller to Processor) in Annex III apply and are incorporated by reference.
9.3 For transfers of Personal Data from the United Kingdom to the United States, the UK International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the EU Standard Contractual Clauses (as applicable) in Annex IV apply and are incorporated by reference.
SCC Choices (for EU transfers):
- Clause 7 (Docking): Applies
- Clause 9(a): Option 2 – 30 days
- Clause 17: Delaware law
- Clause 18(b): New Castle County, Delaware courts
9.4 Processor shall notify Customer without undue delay if Processor receives a request from a government authority, law enforcement agency, or court order requiring disclosure of Controller Personal Data, unless such notification is prohibited by law. Where notification is prohibited, Processor shall use reasonable efforts to obtain a waiver of the prohibition to enable it to communicate as much information as possible and as soon as possible.
10. DELETION OR RETURN
10.1 Upon termination, Processor shall delete all Controller Personal Data within 30 days, unless Customer requests return in a standard format.
10.2 Legal retention requirements override deletion.
11. CCPA
11.1 Processor is a Service Provider.
11.2 Processor shall not sell, share, retain, use, or disclose Controller Personal Data except to provide the Service.
12. LIABILITY
12.1 Liability is subject to Section 7 of the Main Agreement.
12.2 Each Party is liable for direct damages and GDPR fines attributable to its breach.
13. GOVERNING LAW
13.1 Governed by the laws of the State of Delaware, USA.
13.2 Exclusive jurisdiction: courts in New Castle County, Delaware.
14. EXECUTION & ADOPTION
14.1 This DPA is incorporated by reference into the Main Agreement and becomes effective upon Customer's acceptance of the InboxPilot Terms of Service.
14.2 By using the Service, Customer acknowledges and agrees to be bound by the terms of this DPA. No separate signature is required for this DPA to be effective.
14.3 If Customer requires a signed DPA for compliance purposes, Customer may download the PDF version, complete the required information, sign it, and return it to support@inboxpilot.co. Upon receipt of a signed DPA, the signed version will supersede this automatically incorporated DPA.
ANNEX I – SUB-PROCESSORS
The following sub-processors are authorized to process Controller Personal Data:
- Amazon Web Services, Inc. - Cloud hosting (USA)
- Google LLC - Gmail/Outlook OAuth (USA)
- OpenAI, LLC - AI services (USA)
- Stripe, Inc. - Payments (USA)
- Zendesk, Inc. - Support tickets, optional (USA)
Updated: October 1, 2025
ANNEX II – SECURITY MEASURES
Encryption: AES-256 at rest; TLS 1.3 in transit
Access Control: MFA, RBAC, least privilege
Logging & Monitoring: Real-time alerts, 90-day audit logs
Backups: Daily encrypted backups, 30-day retention
Incident Response: Less than 1 hour initial response, tested quarterly
Training: Annual security training for all staff
ANNEX III – STANDARD CONTRACTUAL CLAUSES (EU)
The Standard Contractual Clauses (Module 2: Controller to Processor) per Commission Decision (EU) 2021/914 are incorporated by reference.
The full text of the EU Standard Contractual Clauses is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
ANNEX IV – UK INTERNATIONAL DATA TRANSFER AGREEMENT / ADDENDUM
For transfers of Personal Data from the United Kingdom to the United States, the UK International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the EU Standard Contractual Clauses (as applicable) are incorporated by reference.