Data Processing Agreement
October 19th, 2024
Last updated: November 11th, 2025
DATA PROCESSING AGREEMENT
Effective Date: Date of Customer's acceptance of the InboxPilot Terms of Service
PARTIES
Processor
InboxPilot, Inc.
2810 N Church St PMB 16104
Wilmington, Delaware 19802-4447
United States
Email: support@inboxpilot.co
Controller
The legal entity or individual that accepts the InboxPilot Terms of Service (the "Customer")
RECITALS
(A) Customer uses the InboxPilot AI-powered email automation platform (the "Service") under the InboxPilot Terms of Service dated October 19, 2025 (the "Main Agreement").
(B) This Data Processing Agreement ("DPA") is incorporated into and forms part of the Main Agreement.
(C) The Parties enter into this DPA to ensure compliance with Regulation (EU) 2016/679 (GDPR), the California Consumer Privacy Act (CCPA) as amended by the CPRA, and other applicable data protection laws ("Applicable Data Protection Law").
(D) In case of conflict between this DPA and the Main Agreement, this DPA prevails with respect to processing of personal data.
1. DEFINITIONS
1.1 Terms defined in the GDPR or Main Agreement have the same meaning here.
1.2 "Controller Personal Data" means any personal data processed by Processor on behalf of Customer under the Service.
2. SCOPE AND DURATION
2.1 This DPA applies to all Controller Personal Data processed under the Main Agreement.
2.2 This DPA terminates automatically upon termination of the Main Agreement.
3. PROCESSING INSTRUCTIONS
3.1 Processor shall process Controller Personal Data only on Customer's documented instructions (including the Main Agreement and this DPA), unless required by law.
3.2 Permitted Processing Activities
The following list outlines the permitted processing activities:
- Generate AI email responses: Processes email recipients and support contacts (names, email addresses, message content, IDs). Retention: Subscription term + 30 days
- Train custom AI models: Processes users uploading data (FAQs, documents, sample emails). Retention: Until deletion or termination
- Website chatbot: Processes site visitors (chat logs, IP, browser). Retention: 90 days (logs)
- Aggregated analytics: Processes all users (anonymized usage data). Retention: Indefinite
4. DATA SUBJECT RIGHTS & COOPERATION
4.1 Processor shall assist Customer (by appropriate technical/organizational measures) in responding to data subject requests.
4.2 Processor shall forward any data subject request received directly to Customer without undue delay and shall not respond except on Customer's instruction.
5. SECURITY OF PROCESSING
5.1 Processor implements and maintains the measures in Annex II.
5.2 All personnel processing Controller Personal Data are subject to confidentiality obligations.
6. SUB-PROCESSORS
6.1 Customer grants general authorization to engage Sub-processors listed in Annex I.
6.2 Processor shall inform Customer of any new Sub-processor 30 days in advance via email. Customer may object on reasonable data protection grounds within 14 days.
6.3 Processor remains fully liable for Sub-processor performance.
7. DATA BREACH
7.1 Processor shall notify Customer within 24 hours of becoming aware of a personal data breach, including all details required under GDPR Art. 33(3).
8. AUDITS & DPIA
8.1 Processor shall make available all information necessary to demonstrate GDPR Art. 28 compliance.
8.2 Customer may audit once per year with 30 days' notice, at Customer's cost (unless material non-compliance is found).
8.3 Processor may satisfy audits via SOC 2 Type II or equivalent certification.
9. INTERNATIONAL TRANSFERS
9.1 Data is processed in the United States.
9.2 The Standard Contractual Clauses (Module 2: Controller to Processor) in Annex III apply and are incorporated by reference.
SCC Choices:
- Clause 7 (Docking): Applies
- Clause 9(a): Option 2 – 30 days
- Clause 17: Delaware law
- Clause 18(b): New Castle County, Delaware courts
10. DELETION OR RETURN
10.1 Upon termination, Processor shall delete all Controller Personal Data within 30 days, unless Customer requests return in a standard format.
10.2 Legal retention requirements override deletion.
11. CCPA
11.1 Processor is a Service Provider.
11.2 Processor shall not sell, share, retain, use, or disclose Controller Personal Data except to provide the Service.
12. LIABILITY
12.1 Liability is subject to Section 7 of the Main Agreement.
12.2 Each Party is liable for direct damages and GDPR fines attributable to its breach.
13. GOVERNING LAW
13.1 Governed by the laws of the State of Delaware, USA.
13.2 Exclusive jurisdiction: courts in New Castle County, Delaware.
14. EXECUTION & ADOPTION
14.1 This DPA is automatically entered into when Customer accepts the InboxPilot Terms of Service.
14.2 No signature required. Continued use of the Service constitutes acceptance.
14.3 Effective Date: Date of Customer's acceptance of the Terms of Service.
ANNEX I – SUB-PROCESSORS
The following sub-processors are authorized to process Controller Personal Data:
- Amazon Web Services, Inc. - Cloud hosting (USA)
- Google LLC - Gmail/Outlook OAuth (USA)
- Stripe, Inc. - Payments (USA)
- Zendesk, Inc. - Support tickets, optional (USA)
Updated: October 1, 2025
ANNEX II – SECURITY MEASURES
Encryption: AES-256 at rest; TLS 1.3 in transit
Access Control: MFA, RBAC, least privilege
Logging & Monitoring: Real-time alerts, 90-day audit logs
Backups: Daily encrypted backups, 30-day retention
Incident Response: Less than 1 hour initial response, tested quarterly
Training: Annual security training for all staff
ANNEX III – STANDARD CONTRACTUAL CLAUSES
The Standard Contractual Clauses (Module 2: Controller to Processor) per Commission Decision (EU) 2021/914 are incorporated by reference.
The full text of the EU Standard Contractual Clauses is available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
Last Updated: October 1, 2025