Data Processing Agreement
DPA — Article 28 GDPR.
Last updated May 10, 2026
This Data Processing Agreement ("DPA") forms part of the Inbox Assistant Terms of Service and applies whenever Cardim IT AB (org. nr. 559278-1453, VAT SE559278145301, Göteborg, Sweden) ("Processor") processes Personal Data on behalf of the customer ("Controller"). By using the business plan, the Controller is deemed to have accepted this DPA. A countersigned PDF version is available on request from cardimattos@gmail.com.
1. Subject matter and duration
Processor processes Personal Data — primarily email content forwarded by the Controller's authorized users — for the duration of the underlying subscription, plus a 30-day return/deletion window upon termination.
2. Nature and purpose
Ingestion, classification, summarization, prioritization, automation, and delivery of email-related notifications, as configured by the Controller's authorized users.
3. Categories of data subjects
- The Controller's employees and contractors using the service
- Senders and recipients of email forwarded into the service
- Persons mentioned in the body of forwarded emails
4. Categories of Personal Data
- Identification: name, email address, phone number
- Communication content: email subject, body, and attachment metadata
- Derived data: AI-generated summaries, tags, embeddings, action items
- Usage data: timestamps, IP address, user agent
The Controller must not route special-category data (Art. 9 GDPR) through the service unless this has been explicitly configured and contracted for.
5. Processor's obligations
- Process Personal Data only on the Controller's documented instructions (the Terms, the Controller's service settings, and support tickets).
- Ensure persons authorized to process are bound by confidentiality.
- Implement appropriate technical and organizational measures (Annex II).
- Engage sub-processors only under the Controller's general authorization (the current list is in Annex III); the Controller is notified of additions or replacements and has a 30-day objection window.
- Assist the Controller with data-subject requests, DPIAs, and prior consultations.
- Notify the Controller of a Personal Data breach without undue delay, and in any event within 72 hours.
- Return or delete all Personal Data within 30 days of termination.
- Make available all information necessary to demonstrate compliance and allow audits (once per year, with 30 days' notice).
6. Sub-processors (Annex III)
- AWS EMEA SARL — hosting (Frankfurt, Stockholm)
- OpenAI Ireland Ltd — LLM inference, zero-retention
- Anthropic PBC — LLM inference, zero-retention
- Stripe Payments Europe Ltd — billing
- Twilio Ireland Ltd — SMS
- Wildbit (Postmark) — transactional email
7. International transfers
Where transfers outside the EEA are necessary (for example to a sub-processor listed in Annex III that processes data outside the EEA), they are governed by the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 3 (processor-to-processor), with supplementary measures including encryption, zero-retention configurations, and pseudonymization.
8. Liability
Liability under this DPA is subject to the limitations in the Terms of Service, except where mandatory law (incl. Art. 82 GDPR) provides otherwise.
Annex II — Technical & organizational measures
- AES-256 encryption at rest, TLS 1.3 in transit
- Per-tenant key isolation; customer-managed keys on the Enterprise plan
- Hardware MFA on all production access
- Least-privilege RBAC; production access logged and reviewed
- Annual penetration testing by an independent firm
- Incident response runbook, including notification of the Controller within 72 hours of a breach (Section 5)
- Background checks on all engineering staff
- Yearly security training