Last Updated: 2026-03-11

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between Onbox Labs, Inc., a Delaware corporation ("Onbox", "Processor"), and the entity agreeing to the Agreement ("Customer", "Controller"). By using Onbox's services, Customer agrees to this DPA.

If there is a conflict between this DPA and the Agreement, this DPA governs for data protection matters.

1. Definitions

  • "Customer Data" means any personal data that Customer submits to, or that is collected through, the Onbox platform on Customer's behalf.
  • "Data Protection Laws" means the GDPR (Regulation 2016/679), the UK GDPR, the Swiss FDPA, and any other applicable data protection legislation.
  • "GDPR" means the EU General Data Protection Regulation 2016/679.
  • "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Personal Data Breach" have the meanings given in the GDPR.
  • "SCCs" means the Standard Contractual Clauses approved by European Commission Decision 2021/914.
  • "Sub-processor" means any third party engaged by Onbox to process Customer Data.

2. Roles and Scope

Customer is the Controller. Onbox is the Processor. Onbox processes Customer Data solely to provide the services described in the Agreement.

Customer is responsible for ensuring that Customer Data is collected and transferred to Onbox in compliance with Data Protection Laws. Customer will indemnify Onbox from any claims arising from Customer's failure to do so.

The categories of data, data subjects, and processing purposes are described in Annex A.

3. Processing Instructions

Onbox will process Customer Data only on Customer's documented instructions, including as described in the Agreement and this DPA. If Onbox is required by law to process Customer Data for another purpose, Onbox will inform Customer before doing so, unless the law prohibits this.

If Onbox believes an instruction from Customer violates Data Protection Laws, Onbox will notify Customer.

4. Confidentiality

All persons authorized to process Customer Data are bound by confidentiality obligations, whether by contract or by statute.

5. Security

Onbox implements appropriate technical and organizational measures to protect Customer Data, as described in Annex C. These measures include encryption, access controls, and monitoring, and are designed to ensure the ongoing confidentiality, integrity, and availability of Customer Data.

Onbox regularly tests and evaluates the effectiveness of these measures.

6. Sub-processors

6.1 General Authorization

Customer grants Onbox general written authorization to engage Sub-processors to process Customer Data. The current list of Sub-processors is in Annex B.

6.2 Notification of Changes

Before engaging a new Sub-processor not listed in Annex B, Onbox will notify Customer at least 15 days in advance by email or through the platform.

6.3 Objection Rights

Customer may object to a new Sub-processor by notifying Onbox in writing within 10 days of receipt of the notification, provided the objection is based on reasonable data protection grounds.

If Onbox cannot provide a commercially reasonable alternative, Customer may terminate the affected services without penalty.

6.4 Sub-processor Obligations

Onbox imposes the same data protection obligations on each Sub-processor as set out in this DPA. Onbox remains liable for the acts and omissions of its Sub-processors.

7. Data Subject Rights

Onbox will assist Customer in responding to requests from Data Subjects exercising their rights under Data Protection Laws (access, rectification, erasure, restriction, portability, objection). Onbox will promptly notify Customer if it receives a request directly from a Data Subject.

8. Breach Notification

Onbox will notify Customer of a Personal Data Breach without undue delay, and in any event within 72 hours of becoming aware of it. The notification will include the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address it.

9. Assistance with Compliance

Onbox will assist Customer with:

  • Data protection impact assessments, where the processing is likely to result in a high risk to Data Subjects
  • Prior consultation with supervisory authorities, where required
  • Compliance with security obligations under Article 32 of the GDPR

10. Data Deletion

Upon termination of the Agreement, Onbox will delete all Customer Data within 30 days, unless applicable law requires retention. Upon Customer's request, Onbox will certify in writing that deletion has been completed.

During the deletion period, Onbox will not process Customer Data for any purpose other than storage and deletion, unless required by law.

11. Audits

11.1 Reports

Onbox will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. This includes security certifications, audit reports, and the trust center documentation at onbox.ing/security.

11.2 On-Site Audits

If the information in Section 11.1 is insufficient, Customer may conduct an audit of Onbox's data processing activities, subject to the following conditions:

  • Maximum once per calendar year
  • 30 days prior written notice
  • During business hours only
  • Conducted in a manner that does not unreasonably disrupt Onbox's operations
  • At Customer's expense, including reasonable reimbursement for Onbox's time

12. International Transfers

Where Customer Data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, Onbox relies on the EU-US Data Privacy Framework (DPF) and the SCCs (Module Two: Controller to Processor) as transfer mechanisms.

The details required by the SCCs are set out in Annex A (processing details) and Annex C (security measures).

If these transfer mechanisms are invalidated or supplemented by a new mechanism, Onbox will implement the replacement and notify Customer.

13. Governing Law

This DPA is governed by the laws of the State of Delaware, USA. The SCCs are governed by the law of the EU Member State in which Customer is established.

14. Term

This DPA takes effect when Customer accepts the Agreement and remains in effect for as long as Onbox processes Customer Data on Customer's behalf.

Sections that by their nature should survive termination (including Sections 4, 8, 10, and 11) will survive.

Annex A: Processing Details

  • Data Subjects: Customer's employees, contractors, and their email correspondents
  • Categories of Personal Data: Email addresses, names, email content (subject, body, attachments), skill definitions, agent execution traces, IP addresses, browser metadata
  • Special Categories: None intentionally processed. Email content may incidentally contain sensitive data, which Onbox does not target or extract.
  • Processing Purposes: Providing the Onbox email platform: email synchronization, search indexing, AI-powered analysis and automation (including autonomous agent execution of organization-defined skills), and customer support
  • Processing Duration: For the term of the Agreement, plus up to 30 days for deletion
  • Retention: Customer Data is retained for the duration of the Agreement. Job queue logs are retained for 1–30 days depending on priority. Upon termination, all Customer Data is deleted within 30 days.

Annex B: Sub-processors

The current list of Sub-processors is maintained at onbox.ing/subprocessors.

For Sub-processors located outside the EEA, transfers are covered by the EU-US Data Privacy Framework (DPF) and/or the SCCs referenced in Section 12.

Customer-Initiated Integrations. When Customer connects third-party services through the Onbox platform (e.g., CRM, database, or productivity tools), those integrations are authorized by Customer and processed under Customer's documented instructions. Customer is responsible for ensuring those third-party services meet their own data protection requirements. These customer-connected services are not listed as Sub-processors.

Annex C: Technical and Organizational Security Measures

The current description of technical and organizational security measures is maintained at onbox.ing/security. This includes encryption, access control, infrastructure isolation, monitoring, incident response, and data deletion practices.

For questions about this DPA, contact privacy@onbox.ing.