Onbox processes your business email. We take that responsibility seriously. This page describes how we protect your data and what we can prove.
GDPR
Onbox is GDPR compliant. Our primary infrastructure runs in the EU, we publish a DPA covering all GDPR Art. 28 requirements, and we maintain a public sub-processor list. International transfers to US-based providers are covered by the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs). See our Privacy Policy for full details.
Infrastructure
Primary infrastructure is hosted in the EU (AWS eu-west-1, Ireland). Some data is processed by US-based sub-processors under DPF and SCCs (see Sub-processors).
| Control | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ on all connections |
| Encryption at rest | AWS-managed encryption for database, storage, and search index |
| Credential encryption | OAuth tokens and API keys stored in an encrypted vault (AES-256-GCM) |
| Access control | Production access limited to two cofounders. MFA required on all systems. No shared accounts. |
| Infrastructure isolation | Private VPC subnets in eu-west-1. OpenSearch with node-to-node encryption. |
| Code execution sandboxing | Automation code runs in isolated E2B sandboxes with 5-minute time limits |
AI Processing
We use third-party AI model providers through their API services. No provider uses your data for model training. Providers may temporarily retain data (7–30 days) for abuse monitoring, after which it is deleted.
Current providers: Google (Gemini / Vertex AI), OpenAI, Anthropic, Groq, Mistral AI.
For international data transfers, we rely on the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs).
Full details: Sub-processors
Incident Response
We have a documented incident response plan with defined severity levels and response times. Critical incidents are acknowledged within 30 minutes. Customers are notified within 24 hours.
Full details: Incident Response
Documents
| Document | Description |
|---|---|
| Privacy Policy | How we collect, use, and protect personal data |
| Terms of Service | Service agreement |
| Data Processing Agreement | GDPR Art. 28 DPA for customers |
| Sub-processors | Full list of third-party processors |
| Incident Response | How we handle security incidents |
Contact
Security questions or vulnerability reports: security@onbox.ing
Privacy and data protection requests: privacy@onbox.ing