Data Processing Agreement
Last updated: February 23, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Inbox Insignia, Inc. ("Processor", "we", "us") and the customer ("Controller", "you") who has agreed to the Terms of Service. This DPA applies where and to the extent that we process Personal Data on your behalf in connection with the Inbox Insignia platform.
This DPA is intended to ensure compliance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and equivalent provisions under other applicable data protection laws. In the event of any conflict between this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to the processing of Personal Data.
2. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. Any capitalized terms not defined in this DPA shall have the meanings assigned to them in the Terms of Service or in applicable Data Protection Laws.
- "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Controller is you, the customer.
- "Processor" means the natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. For the purposes of this DPA, the Processor is Inbox Insignia, Inc.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to a name, email address, IP address, or any other identifier that can directly or indirectly identify a natural person.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- "Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the services provided under the Terms of Service.
- "Supervisory Authority" means an independent public authority established by an EU Member State, UK, or other relevant jurisdiction, tasked with monitoring the application of data protection laws (for example, a Data Protection Authority).
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to: the General Data Protection Regulation (EU) 2016/679 ("GDPR"); the United Kingdom General Data Protection Regulation as retained by the European Union (Withdrawal) Act 2018 ("UK GDPR") and the UK Data Protection Act 2018; the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA"); the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA"); the Australian Privacy Act 1988; and any other applicable national, state, or regional data protection or privacy legislation.
3. Scope and Purpose of Processing
We process Personal Data solely for the purpose of providing the Inbox Insignia email authentication compliance monitoring service as described in the Terms of Service and as further instructed by the Controller. The specific processing activities include:
- DNS record scanning and analysis for SPF, DKIM, DMARC, MTA-STS, and TLS-RPT configurations
- Ingestion, parsing, and analysis of DMARC aggregate reports received via webhook or email
- Compliance scoring and trend analysis for monitored domains
- Generation and delivery of alerting notifications when configuration drift or compliance issues are detected
- Production and delivery of scheduled compliance reports
- User authentication, workspace management, and access control
- Billing and subscription management through our payment processor
- Related platform functionality necessary to deliver the service
We shall not process Personal Data for any purpose other than those described above, or as otherwise documented in writing by the Controller, unless required to do so by applicable law. In such a case, we shall inform the Controller of that legal requirement before processing, unless the law prohibits such disclosure on important grounds of public interest.
4. Duration of Processing
Processing of Personal Data under this DPA shall commence when the Controller first adds data to the Inbox Insignia platform (for example, by creating a workspace, adding a domain, or inviting a team member) and shall continue for the duration of the Controller's active subscription.
Upon termination or expiration of the Controller's subscription, we shall retain the Controller's Personal Data for a period of thirty (30) days to allow the Controller to export their data. After this 30-day period, all Personal Data shall be permanently deleted from active systems in accordance with Section 13 of this DPA, unless retention is required by applicable law.
5. Types of Personal Data Processed
The categories of Personal Data processed under this DPA include, but are not limited to:
- Email addresses of workspace members, administrators, and invitees, used for authentication, notifications, and workspace collaboration
- Source IP addresses contained in DMARC aggregate reports, which identify mail servers that have sent email on behalf of monitored domains
- Domain names and DNS record configurations, including SPF, DKIM, DMARC, MTA-STS, and TLS-RPT records associated with monitored domains
- Login metadata, including IP addresses, user agent strings, and timestamps, collected for security auditing and session management purposes
- Billing contact information, including name, email address, and billing address, processed by our payment processor for subscription management
- API key usage metadata, including request timestamps, endpoints accessed, and associated workspace identifiers
6. Categories of Data Subjects
The Data Subjects whose Personal Data may be processed under this DPA include:
- Workspace members and administrators: individuals who have been granted access to the Controller's workspace on the Inbox Insignia platform, including owners, admins, members, and viewers
- Email senders identified via DMARC reports: source IP addresses appearing in DMARC aggregate reports typically represent mail servers and sending infrastructure rather than individual natural persons; however, in some cases, IP addresses may be attributable to individuals
- Billing contacts: individuals whose name, email address, and billing address are associated with the Controller's subscription for payment and invoicing purposes
7. Obligations of the Processor
With respect to the processing of Personal Data on behalf of the Controller, the Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by applicable law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in our Security Policy, including but not limited to: encryption of Personal Data in transit and at rest, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore the availability and access to Personal Data in a timely manner in the event of an incident, and a process for regularly testing, assessing, and evaluating the effectiveness of security measures.
- Respect the conditions referred to in Section 9 for engaging another processor (Subprocessor), including obtaining the Controller's authorization and ensuring that equivalent data protection obligations are imposed on each Subprocessor.
- Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights under applicable Data Protection Laws, including but not limited to: access, rectification, erasure, restriction, portability, and objection.
- Assist the Controller in ensuring compliance with the obligations pursuant to breach notification requirements under applicable Data Protection Laws, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, as further described in Section 12.
The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes applicable Data Protection Laws. The Processor shall then be entitled to suspend the performance of the relevant instruction until the Controller confirms or modifies it.
8. Obligations of the Controller
The Controller shall:
- Ensure that there is a lawful basis for the processing of Personal Data under applicable Data Protection Laws before instructing the Processor to process such data, including obtaining any necessary consents from Data Subjects where required
- Provide the Processor with documented instructions regarding the processing of Personal Data, including with respect to any transfers of Personal Data to third countries, and promptly notify the Processor of any changes to such instructions
- Ensure that Data Subjects are informed about the processing of their Personal Data in accordance with applicable Data Protection Laws, including by providing appropriate privacy notices
- Respond to Data Subject requests for the exercise of their rights under applicable Data Protection Laws, with the Processor's assistance as needed and as described in Section 7
- Comply with all applicable Data Protection Laws with respect to the Personal Data processed under this DPA, including maintaining appropriate records of processing activities
- Ensure that only authorized individuals within the Controller's organization have access to the Inbox Insignia platform, and promptly revoke access for individuals who no longer require it
9. Subprocessors
The Controller acknowledges and agrees that the Processor may engage Subprocessors to assist in providing the services under the Terms of Service. The current list of Subprocessors is available at /subprocessors.
General Authorization
The Controller grants the Processor a general written authorization to engage the Subprocessors listed on the Subprocessors page at the time the Controller agrees to this DPA. The Controller may subscribe to notifications of changes to the Subprocessor list.
Notification of New Subprocessors
The Processor shall provide the Controller with at least thirty (30) days' advance written notice before engaging any new Subprocessor, including the name of the Subprocessor, the nature of the processing to be performed, and the location of processing. Notification shall be provided by updating the Subprocessors page and by email to the Controller's primary account contact.
Right to Object
The Controller may object in writing to the appointment of a new Subprocessor within thirty (30) days of receiving notice. The objection must be based on reasonable grounds relating to data protection. The Processor shall make reasonable efforts to address the Controller's objection, which may include proposing an alternative Subprocessor or modifying the processing arrangement. If the Processor is unable to resolve the objection to the Controller's reasonable satisfaction, the Controller may terminate the affected services by providing written notice, without penalty.
Subprocessor Obligations
The Processor shall ensure that each Subprocessor is bound by a written agreement that imposes data protection obligations no less protective than those set forth in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Subprocessor's obligations.
10. International Data Transfers
Personal Data processed under this DPA is primarily stored and processed in the United States. The Controller acknowledges that the use of the Inbox Insignia platform may involve the transfer of Personal Data to the United States and to other jurisdictions where our Subprocessors operate.
Transfers from the EEA and United Kingdom
For transfers of Personal Data from the European Economic Area (EEA) or the United Kingdom to the United States, we rely on the EU-U.S. Data Privacy Framework ("DPF") and the UK Extension to the EU-U.S. Data Privacy Framework, as applicable. Where the DPF does not apply or is invalidated, we shall rely on the Standard Contractual Clauses ("SCCs") as adopted by the European Commission (Module 2: Controller to Processor), supplemented by additional safeguards where required by a transfer impact assessment.
Transfers from Other Jurisdictions
For transfers of Personal Data from jurisdictions outside the EEA and UK, we shall comply with applicable local transfer mechanisms as required by the relevant Data Protection Laws, including adequacy decisions, binding corporate rules, or other approved transfer instruments.
11. Data Breach Notification
In the event of a Personal Data breach (any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data), the Processor shall:
- Notify the Controller without undue delay and in any event within forty-eight (48) hours of becoming aware of the breach, via the email address associated with the Controller's account and, where feasible, through in-platform notification.
- Provide the Controller with the following information, to the extent available at the time of notification (with further details provided as they become available):
- A description of the nature of the Personal Data breach, including the categories and approximate number of Data Subjects and Personal Data records concerned
- The name and contact details of the Processor's data protection contact point
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects
- Cooperate with the Controller and take all reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach, including preserving relevant evidence and logs.
- Not inform any third party of the breach without first obtaining the Controller's prior written consent, unless notification is required by applicable law, in which case the Processor shall, to the extent permitted by law, inform the Controller of the legal requirement before making such notification.
12. Audit Rights
The Processor shall make available to the Controller, upon written request, an annual summary audit report demonstrating compliance with the obligations set forth in this DPA. Such report may include relevant third-party certifications, audit results, or compliance attestations.
In addition to the annual summary report, the Controller (or an independent third-party auditor appointed by the Controller) may conduct an audit of the Processor's processing activities and facilities, subject to the following conditions:
- The Controller shall provide at least thirty (30) days' written notice before conducting any audit
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's business operations or the services provided to other customers
- The Controller and any third-party auditor shall be bound by reasonable confidentiality obligations with respect to any information accessed during the audit
- The scope of the audit shall be limited to the Processor's processing of Personal Data on behalf of the Controller under this DPA
- Where multiple Controllers request audits covering the same processing activities, the Processor may, at its discretion, provide a consolidated audit report or arrange for a joint audit to minimize disruption
- The Controller shall bear the costs of any audit it initiates, except where the audit reveals a material breach of this DPA by the Processor, in which case the Processor shall bear the reasonable costs of the audit
13. Return and Deletion of Data
Upon termination or expiration of the Controller's subscription:
- The Controller may export their data using the platform's built-in export functionality during the thirty (30) day post-termination period. The Processor shall maintain the Controller's data in an accessible state during this period.
- After the expiration of the 30-day post-termination period, the Processor shall permanently delete all Personal Data from active production systems. The Processor shall provide written confirmation of deletion upon the Controller's request.
- Copies of Personal Data that exist in automated backup systems shall be deleted within ninety (90) days of termination, in accordance with the Processor's standard backup rotation schedule.
- The Processor may retain Personal Data beyond the periods specified above only to the extent required by applicable law (for example, tax or accounting obligations). Any such retained data shall be isolated, protected by appropriate technical and organizational safeguards, and processed only for the purpose required by the applicable law.
14. Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set forth in the Terms of Service. This DPA does not limit either party's liability with respect to any claims by Data Subjects or penalties imposed by a Supervisory Authority to the extent that such limitation is not permitted by applicable Data Protection Laws.
15. Governing Law
This DPA shall be governed by and construed in accordance with the same governing law provisions as the Terms of Service, except to the extent that a different governing law is mandated by applicable Data Protection Laws. For the avoidance of doubt, where the GDPR applies, the provisions of this DPA relating to the protection of Personal Data shall be interpreted in accordance with EU data protection law. Where the UK GDPR applies, the relevant provisions shall be interpreted in accordance with UK data protection law.
16. Contact
For questions, requests, or inquiries related to this Data Processing Agreement, please contact us at:
- Data Protection Inquiries: privacy@inboxinsignia.com
- Signed DPA Requests: To request or execute a countersigned copy of this DPA, contact legal@inboxinsignia.com
This DPA is provided for transparency and is effective upon acceptance of the Terms of Service. If you require a countersigned copy for your records, please contact legal@inboxinsignia.com.