Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer and InboxDesk for the provision of the InboxDesk service (the "Agreement"). It governs the processing of Personal Data carried out by InboxDesk on the Customer's behalf and reflects the requirements of Article 28 of the UK GDPR and, where applicable, the EU GDPR.
1. Parties and roles
- Customer ("Controller") — the person or organisation identified in the InboxDesk account.
- InboxDesk ("Processor") — operated by Rohan Ellis, a sole trader based in the United Kingdom, trading as InboxDesk. InboxDesk may transition to a UK limited company in the future, in which case the limited company will succeed to this DPA without further action.
The Customer is the Controller of the Personal Data contained within the customer-support emails it forwards to the service and within any tenant configuration it uploads. InboxDesk is the Processor of that Personal Data, acting on the Controller's documented instructions.
This DPA does not govern Personal Data for which InboxDesk is itself the Controller — for example, the Customer's account-holder details and product telemetry. The Privacy Policy (/privacy) covers that data.
2. Definitions
Capitalised terms not defined here have the meaning given in the UK GDPR / EU GDPR. In particular, "Personal Data", "Process / Processing", "Data Subject", "Controller", "Processor", "Sub-processor" and "Personal Data Breach" have their UK GDPR meanings.
"Customer Personal Data" means Personal Data that the Customer or the Customer's customers submit to the service in connection with the Customer's use of it — including the body of forwarded emails, knowledge-base content, and rule configuration.
"Service" means the InboxDesk software-as-a-service product as described in the Agreement.
3. Subject matter, duration, nature and purpose
| Item | Detail |
|---|---|
| Subject matter | Processing of Customer Personal Data in connection with InboxDesk's provision of the Service to the Customer |
| Duration | The term of the Agreement, plus any post-termination period in Section 11 |
| Nature of processing | Storage, classification, draft generation, semantic retrieval, transmission to and reception from third-party AI / email providers acting as Sub-processors |
| Purpose | To draft suggested replies to inbound customer-support emails on the Customer's behalf and to operate the supporting features of the Service (rules, knowledge base, voice profile, audit log) |
| Categories of Data Subjects | The Customer's end-customers and any other individual whose data appears in messages forwarded to the Service or in tenant configuration uploaded by the Customer |
| Categories of Personal Data | Email content (body, subject, headers); names and contact details contained in messages; identifiers such as order references; IP addresses if present in headers; any other personal data the Customer chooses to upload |
| Special-category data | Not intended. The Service is not designed to process special-category data under Article 9 of the UK GDPR. The Customer should not forward emails that primarily concern an individual's health, sexual orientation, religious or philosophical beliefs, political opinions, biometric data, criminal-offence data, or other special categories without first agreeing additional safeguards with InboxDesk in writing. |
4. Customer instructions
InboxDesk will Process Customer Personal Data only on documented instructions from the Customer. The Agreement, this DPA, the Privacy Policy and the Customer's use of the Service in line with the documentation collectively constitute the Customer's documented instructions.
If InboxDesk reasonably believes a Customer instruction breaches the UK GDPR, the EU GDPR or other applicable data-protection law, it will inform the Customer without undue delay and may pause performance of that instruction.
5. Confidentiality
InboxDesk will ensure that personnel authorised to access Customer Personal Data are bound by appropriate confidentiality obligations (whether by contract or by statute) and have received guidance on their data-protection obligations.
The number of personnel with access to live Customer Personal Data is kept to the minimum necessary.
6. Security
InboxDesk will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, taking into account the state of the art, the nature of the processing and the risks. The current measures are described in Schedule 2.
InboxDesk will keep these measures under review and may update them. Any changes will not materially weaken the overall level of protection.
7. Sub-processors
The Customer authorises InboxDesk to engage Sub-processors to deliver the Service. The current list of Sub-processors, the Personal Data each Processes and the location of Processing is set out in Schedule 1.
InboxDesk:
- Imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA;
- Remains liable to the Customer for the Sub-processor's performance;
- Will give the Customer at least 14 days' notice (by email and/or in-app announcement) before adding or replacing a Sub-processor that Processes Customer Personal Data. If the Customer reasonably objects on data-protection grounds within that notice period, the Customer may terminate the affected portion of the Service for convenience; refunds (if any) follow the Agreement.
8. International transfers
Where InboxDesk transfers Customer Personal Data outside the United Kingdom or the European Economic Area, it will rely on:
- The UK International Data Transfer Addendum (IDTA) where transfers leave the UK;
- The EU Standard Contractual Clauses (SCCs) (Module 2 or 3 as appropriate) where transfers leave the EEA; and/or
- Another lawful transfer mechanism in force at the time.
Schedule 1 identifies which Sub-processors involve non-UK / non-EEA transfers and lists the safeguards in place.
By signing the Agreement (which incorporates this DPA), the parties agree that the relevant transfer mechanism is incorporated by reference for the relevant transfer, with the parties' particulars taken from the Agreement and Schedule 1.
9. Data Subject rights
The Service provides self-service tools that help the Customer respond to Data Subject rights requests — most relevantly, the Settings → Export feature, which produces a JSON archive of all Customer Personal Data held by the Service for the Customer's tenant.
To the extent the self-service tools don't cover a particular request, InboxDesk will provide reasonable assistance to the Customer in responding, taking into account the nature of the Processing and the information available to InboxDesk.
If a Data Subject contacts InboxDesk directly with a request relating to Customer Personal Data, InboxDesk will (without undue delay) refer the Data Subject to the Customer.
10. Personal Data Breach
If InboxDesk becomes aware of a Personal Data Breach affecting Customer Personal Data, it will notify the Customer without undue delay and in any event within 72 hours of becoming aware. The notification will include, to the extent then known:
- The nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
- The likely consequences;
- The measures taken or proposed to address the breach and mitigate harm;
- A contact at InboxDesk for follow-up.
InboxDesk will provide reasonable assistance to enable the Customer to make any required notifications to its supervisory authority and affected Data Subjects.
11. Return or deletion at end of service
On termination of the Agreement, the Customer may request — within 30 days of termination — that InboxDesk return Customer Personal Data in a structured, commonly-used and machine-readable format (the JSON export covers this). After 30 days, or at the Customer's earlier request, InboxDesk will delete Customer Personal Data from live systems within 30 days of the request.
Backups will age out within a further 7 days. Until they do, the data on backup systems is not used for any purpose other than disaster recovery and remains subject to the security measures in Schedule 2.
InboxDesk may retain Customer Personal Data to the extent it is required to do so by law (for example, billing records), and only for the period and the purposes required by that law.
12. Audit
InboxDesk will make available to the Customer the information necessary to demonstrate compliance with this DPA. Specifically, InboxDesk will respond in good faith to reasonable written audit questions from the Customer, no more than once per 12-month period (or more frequently if a Personal Data Breach has occurred or a supervisory authority requires it).
For Customers who reasonably require an on-site audit (because their own regulators or contractual obligations require it), InboxDesk and the Customer will agree the scope, timing and conduct of the audit in advance. The Customer will bear its own costs and InboxDesk's reasonable costs unless the audit reveals a material breach of this DPA, in which case InboxDesk will bear its own costs.
13. Liability
The liability of each party under this DPA is governed by, and is subject to, the limitations and exclusions set out in the Agreement (in particular, Section 14 of the Terms of Service). Nothing in this DPA increases either party's liability beyond what is set out in the Agreement.
14. Term, termination and order of precedence
This DPA takes effect on the effective date of the Agreement and remains in force for as long as InboxDesk Processes Customer Personal Data on behalf of the Customer.
If there is a conflict between this DPA, the Terms of Service, and the Privacy Policy in relation to the Processing of Customer Personal Data on the Customer's behalf, this DPA prevails.
15. Updates to this DPA
InboxDesk may update this DPA where reasonably necessary to reflect changes in law, in Sub-processors, in security measures, or to clarify wording. Updates that materially change either party's substantive obligations or rights take effect 30 days after publication on this page; other updates take effect when published.
16. Contact
- Legal: legal@inboxdesk.ai
- Security: security@inboxdesk.ai
- Privacy: privacy@inboxdesk.ai
Schedule 1 — Sub-processors
The Customer authorises the following Sub-processors. Where Processing involves a transfer outside the UK / EEA, the listed safeguard applies.
| Sub-processor | Service provided | Personal Data processed | Location | Transfer safeguard |
|---|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | All Customer Personal Data at rest | EU (eu-west-2) | N/A — within EEA |
| Vercel, Inc. | Application hosting and edge network | Customer Personal Data in transit; minimal cached data | EU + US | UK IDTA / EU SCCs for US edge |
| Anthropic, PBC | AI model provider for classification, drafting, rule-suggestion and voice-distillation | Email content, rules, knowledge-base context relevant to a request | US | UK IDTA / EU SCCs |
| Voyage AI Innovations, Inc. | Embeddings for knowledge-base retrieval | Knowledge-base text submitted for embedding | US | UK IDTA / EU SCCs |
| Resend Technologies, Inc. | Inbound and outbound transactional email | Email metadata and body | EU + US | UK IDTA / EU SCCs |
| Stripe Payments Europe Ltd | Subscription billing | Customer billing identifier; not Customer Personal Data as defined here | UK / EU | N/A for the data covered by this DPA |
| Functional Software, Inc. (Sentry) | Error monitoring | Error stack traces; minimal request metadata; explicitly scrubbed of message bodies | US (EU residency where configured) | UK IDTA / EU SCCs |
| PostHog, Inc. | Product analytics (server-side and client-side) | Pseudonymous user identifiers and event metadata; not customer email content | EU (eu.i.posthog.com) | N/A — within EEA |
InboxDesk maintains the up-to-date version of this list at /dpa. Material additions trigger the notice obligation in Section 7.
Schedule 2 — Security measures
InboxDesk implements the following technical and organisational measures, kept under review and updated as the Service evolves.
Encryption
- TLS 1.2+ for all connections to and from the Service.
- Encryption at rest for the database, file storage and OAuth refresh tokens (provider-managed AES-256 or equivalent).
Access control
- Multi-factor authentication on all administrator accounts that can reach production systems.
- Role-Based Access Control: tenant data is segregated using Row-Level Security policies in the primary database, scoped to the tenant of the requesting user.
- The number of human accounts with production database access is kept to a minimum and reviewed periodically.
- Privileged access is logged and audited.
Network and perimeter
- The application is fronted by a managed edge network with TLS termination, DDoS protection and basic abuse detection.
- The database is not exposed to the public internet for direct connections; only the application service-role accesses it.
Application security
- Inbound webhook endpoints validate cryptographic signatures from the upstream service before accepting payloads.
- Application authentication uses Supabase Auth with secure HTTP-only cookies.
- Standard protections against CSRF, XSS and SQL injection are implemented.
- Dependencies are continuously monitored for known vulnerabilities; security-relevant updates are prioritised.
Operational
- Source code is held in a private version-control system. Changes are deployed through automated pipelines that run tests and basic security checks.
- Production secrets (API keys, database credentials, encryption keys) are stored in a secret manager and never checked into source control.
- Application audit-log events are retained in the database for the life of the customer's account, subject to the deletion provisions in Section 11.
- Backups are taken daily and retained for a rolling 7-day window.
People
- InboxDesk currently operates as a sole trader; only the owner has access to Customer Personal Data. If additional personnel are engaged in future, they will be bound by appropriate confidentiality obligations and will receive guidance on data-protection responsibilities.
- Access is removed promptly when no longer required.
Incident response
- A documented procedure exists for triaging and responding to Personal Data Breaches. The 72-hour notification commitment in Section 10 reflects this.
- Sentry-monitored exceptions and PostHog-tracked product events feed an incident-detection and retrospective-triage workflow.
Sub-processor management
- New Sub-processors that handle Customer Personal Data are reviewed for suitable contractual terms (including UK IDTA / EU SCCs where required), security posture and necessity before being added.
InboxDesk will update Schedule 2 from time to time to reflect changes in the underlying measures. Any update must not materially weaken the overall level of protection.