This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer”, “Controller”) and Inboxr Pty Ltd (“Inboxr”, “Processor”). It governs Inboxr's processing of Customer Personal Data on Customer's behalf.
1. Definitions
“Personal Data”, “Processing”, “Controller”, “Processor”, and “Data Subject” have the meanings given to them in the GDPR (Regulation (EU) 2016/679).
2. Subject matter & duration
Inboxr processes Personal Data to provide the Service for the duration of the subscription, plus a wind-down period not exceeding 30 days after termination.
3. Nature & purpose
Inboxr receives, stores, and renders email messages addressed to Customer's disposable addresses, and exposes them via API and webhooks. Personal Data may include sender addresses, names, and message content.
4. Categories of Data Subjects
- Customer's users and team members.
- Senders who write to Customer's disposable addresses.
- End users whose data is contained within received mail.
5. Sub-processors
Inboxr engages the following sub-processors:
- Amazon Web Services (AU & US) — hosting and SES email relay.
- Stripe Payments Australia Pty Ltd — payment processing.
- Google Ireland Ltd / GitHub Inc. — OAuth identity (only if Customer enables it).
- Anthropic PBC — AI assistant (only when invoked by Customer's users).
Inboxr will give Customer at least 30 days' notice of any new or replacement sub-processor. Customer may object on reasonable grounds and, if the parties cannot resolve the objection, terminate the subscription.
6. Inboxr's obligations
- Process Personal Data only on documented Customer instructions.
- Ensure persons with access are bound by confidentiality.
- Implement appropriate technical and organisational security measures (Annex II).
- Assist Customer with Data Subject requests, DPIAs, and notifications, taking into account the nature of processing.
- Notify Customer without undue delay (and in any case within 72 hours) of becoming aware of a Personal Data Breach.
- On termination, delete or return all Personal Data, save to the extent retention is required by law.
7. International transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties enter into the EU Standard Contractual Clauses (Module Two: Controller to Processor) and the UK International Data Transfer Addendum, which are incorporated by reference.
Annex I — Subject matter
As described in §3 above. Retention: per Customer's plan setting (default 7 days, max 90 days).
Annex II — Security measures
- TLS 1.2+ for all network communication.
- AES-256 at rest for database and object storage.
- Bcrypt password hashing; SHA-256 hashing for API keys.
- Role-based access; production access audit-logged.
- Multi-tenant isolation enforced at the application AND database (Postgres RLS) layer.
- Backups encrypted, retained 30 days, restore tested quarterly.
- Logging & monitoring with alerting on anomalies.
Signing
For signed copies, email legal@getinboxr.app. Acceptance of this DPA is automatic on creation of a paid account.