Onbox Labs, Inc. ("Onbox") uses the following sub-processors to provide its services. All sub-processors act under Data Processing Agreements or equivalent contractual terms requiring them to process data solely on our behalf and in accordance with our instructions.
We notify customers at least 15 days before engaging a new sub-processor (see DPA Section 6).
Infrastructure & Storage
All customer data (emails, contacts, search indexes, and credentials) is stored on Amazon Web Services (AWS) in the EU (Ireland). This includes compute, database, object storage, and search.
Email Synchronization
Onbox connects to your email provider via OAuth to synchronize messages. Email content and metadata flow through Google (Gmail API) (US).
AI Processing & Automation
Onbox uses AI models to analyze incoming email, draft replies, and execute automations on behalf of users. Organizations define what the AI agent should do through a skill library (e.g. write a draft, update a deal in a CRM, search for information, or link an email to an external resource). The agent performs these tasks autonomously based on those instructions.
Email content and relevant context are sent to the model providers below via their API services. None of these providers use API inputs or outputs to train their models.
| Sub-processor | Location |
|---|---|
| Google (Gemini / Vertex AI) | US |
| OpenAI | US |
| Anthropic | US |
| Groq | US |
| Mistral AI | EU (France) |
Automation code generated by the agent runs in isolated sandboxes provided by E2B (EU).
Observability & Operations
We use third-party services to monitor errors, trace AI agent execution, persist agent workflow state, and track product usage. Agent tracing services (LangSmith) receive the full context the agent sees, which includes email content. Traces are retained for 14 days. Agent orchestration (LangGraph Cloud) persists graph state — including email content, conversation history, and user context — as checkpoints for workflow resumption. Error tracking and analytics services receive error context and usage events.
| Sub-processor | Location |
|---|---|
| LangSmith (LangChain) | EU |
| LangGraph Cloud (LangChain) | EU |
| Sentry | US |
| PostHog | EU (Frankfurt) |
| Linear | US |
Other Services
| Sub-processor | Purpose | Location |
|---|---|---|
| Resend | Transactional emails (invitations, notifications) | US |
| Infisical | Encrypted credential storage | EU |
| Vercel | Landing page hosting (no customer data) | US |
| Supabase | Waitlist database | US |
Customer-Initiated Integrations
When you connect third-party services through the Onbox platform (e.g., CRM, database, or productivity tools), those integrations are authorized by you and processed under your documented instructions. You are responsible for ensuring those third-party services meet your own data protection requirements. Customer-connected services are not listed as sub-processors above.
International Transfers
For transfers of personal data from the EEA to sub-processors located outside the EU, we rely on the EU-US Data Privacy Framework (DPF) and/or Standard Contractual Clauses (SCCs) approved by the European Commission. See our DPA for details.
For questions, contact privacy@onbox.ing.