Data Processing Addendum

1. Scope

This Data Processing Addendum (“DPA”) supplements the Terms of Service and applies to the processing of personal data by Inbox Admin on your behalf. For the purposes of this DPA, you are the “Data Controller” and Inbox Admin is the “Data Processor.”

2. Types of Data Processed

The Service processes: email metadata (sender, recipient, subject, date) from connected Gmail accounts; email attachments including invoices, receipts, and other business documents; document content used for classification; and user account information (name, email address, organization details).

3. Processing Purposes

Personal data is processed solely for the purpose of providing the Service as described in the Terms of Service: receiving, classifying, and routing email attachments; syncing document data to connected accounting software; enforcing rules configured by the Data Controller; and maintaining audit logs for compliance.

4. Sub-Processors

Inbox Admin uses the following sub-processors to deliver the Service:

• Google Cloud Platform (United States) — application hosting (Cloud Run), object storage (Cloud Storage), managed Postgres database (Cloud SQL), key management (Cloud KMS), asynchronous messaging (Pub/Sub), document text extraction (Document AI), and generative document classification and rule assistance (Vertex AI, Gemini models). Covered by the Google Cloud Data Processing Addendum. Inputs submitted to Vertex AI are not used to train Google’s foundation models.
• Stripe (United States) — payment processing and subscription billing.
• Intuit QuickBooks (United States) — accounting data integration, only when the Data Controller connects a QuickBooks account.

We will notify you of any changes to sub-processors at least 30 days in advance. To subscribe to sub-processor change notifications, email subprocessors@inbox-admin.com.

5. Security Measures

We implement appropriate technical and organizational measures including: encryption of data at rest and in transit, access controls and authentication, audit logging of all data access, regular security reviews, and incident response procedures.

6. Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, categories and approximate number of records affected, and measures taken to address the breach.

7. Data Deletion

Upon termination of the Service or at your request, we will delete or return all personal data processed on your behalf within 30 days, except where retention is required by law. You may also configure automatic data retention periods in your account settings.

9. AI and Model Providers

Document classification, rule suggestions, and the voice-based rule assistant are powered by Google’s Gemini family of models running on Vertex AI in the us-central1 region. Inbox Admin authenticates to Vertex AI with a Google Cloud service account; customer content is never sent to the consumer generativelanguage.googleapis.com endpoint. Per Google Cloud’s terms, prompts and responses submitted through Vertex AI are not used to train Google’s foundation models. For Google’s authoritative documentation on how Vertex AI handles customer data, see the Google Cloud Data Processing Addendum.

Document text extraction for low-confidence attachments additionally uses Google Document AI, which is governed by the same Google Cloud DPA. No other third-party AI or machine learning providers (including OpenAI, Anthropic, or the consumer Gemini API) receive customer content.

10. Contact

For DPA-related inquiries, contact us at dpa@inbox-admin.com.