Data processing addendum
This addendum sets out the data processing obligations of Inboxd (TouchBasePro (Pty) Ltd) when acting as a processor or service provider for clients subject to UK GDPR, EU GDPR, or California privacy law (CCPA/CPRA).
Effective: 26 May 2026
This Data Processing Addendum (DPA) applies automatically to any Master Services Agreement (MSA) where Inboxd processes personal data on behalf of a client. It supplements the Privacy Policy at inboxd.agency/privacy. Capitalised terms not defined here have the meanings given in the MSA.
Roles
Inboxd acts as a Processor (UK/EU GDPR) or Service Provider (CCPA/CPRA) when processing personal data on the Client's behalf. The Client is the Controller (UK/EU) or Business (CCPA/CPRA) and remains responsible for the lawfulness of the underlying processing instruction. Where Inboxd collects data directly via its own website, it acts as a Controller in its own right - that processing is covered by the Privacy Policy, not this DPA.
Scope of processing
Inboxd processes personal data only as instructed by the Client in writing (including via a Scope of Work or campaign brief). Processing activities covered by this DPA include:
- Importing and segmenting subscriber or contact lists
- Sending email, SMS, WhatsApp, RCS and social channel communications
- Reporting on engagement metrics (opens, clicks, conversions)
- Managing suppression lists and unsubscribes
- Configuring and operating marketing automation workflows
Inboxd will not process personal data for any purpose beyond the documented instruction without the Client's prior written consent.
UK GDPR and EU GDPR obligations
Where the Client is subject to UK GDPR or EU GDPR, Inboxd agrees to:
- Process personal data only on documented instructions from the Client
- Ensure that persons authorised to process the data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (Article 32 UK/EU GDPR), including encryption in transit, access controls, and regular security reviews
- Notify the Client without undue delay (and in any event within 48 hours) upon becoming aware of a personal data breach likely to result in risk to data subjects
- Assist the Client in responding to data subject requests under Articles 15-22 (access, rectification, erasure, restriction, portability, objection) within a timeframe that allows the Client to meet its statutory deadlines
- Assist the Client in carrying out data protection impact assessments (DPIAs) where required
- Delete or return all personal data on termination of the engagement, as directed by the Client, and certify deletion in writing within 30 days
- Make available all information reasonably necessary to demonstrate compliance with Article 28
Sub-processors
Inboxd uses the following categories of sub-processors to deliver its services. The Client grants general authorisation for their use. Inboxd will notify the Client at least 14 days before adding a new sub-processor that processes Client personal data.
- Cloud hosting and infrastructure (Microsoft Azure, EU West region)
- Email service providers (as specified in the Scope of Work)
- Analytics and reporting tools (as specified in the Scope of Work)
- Communication platforms for WhatsApp, SMS, and RCS delivery
Sub-processors are bound by data processing agreements that impose obligations no less protective than those set out in this DPA.
International transfers
Inboxd's primary infrastructure is hosted in Microsoft Azure West Europe. Where personal data of UK or EEA data subjects is transferred to South Africa, such transfers are made under the EU Standard Contractual Clauses (Module 2 - Controller to Processor) as incorporated into UK law by the International Data Transfer Agreement (IDTA) and EU law by Commission Implementing Decision (EU) 2021/914. Copies of the applicable transfer mechanism are available on request.
CCPA / CPRA obligations (California)
Where the Client is a Business subject to the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA), Inboxd agrees to:
- Process personal information only for the Business Purpose(s) specified in the MSA and this DPA, and not for any other commercial purpose
- Not sell or share (as defined by CPRA § 1798.140) any personal information provided by the Client
- Not retain, use, or disclose personal information outside the direct business relationship with the Client
- Assist the Client in responding to consumer requests (to know, delete, correct, opt out, limit sensitive PI use) within timeframes that allow the Client to meet its statutory obligations
- Delete or return all personal information on termination of the engagement, as directed by the Client, and certify deletion in writing within 30 days
- Notify the Client promptly upon receiving a consumer request directed to Inboxd that relates to Client personal information
- Grant the Client the right to audit Inboxd's processing activities on reasonable notice to verify compliance
Security measures
Inboxd maintains the following baseline security controls:
- Encryption of personal data in transit (TLS 1.2 or higher)
- Role-based access control - data is accessible only to personnel who require it
- Multi-factor authentication on all systems that store or access personal data
- Annual security review of internal systems and sub-processors
- Incident response procedure with documented breach notification workflow
Retention and deletion
Inboxd retains personal data for as long as required to deliver the services specified in the Scope of Work, plus any statutory retention period applicable to financial records (generally 5 years under SA law). Analytics data is retained for a maximum of 13 months. On termination of the engagement, Inboxd will delete or return all Client personal data within 30 days and provide written certification of deletion on request.
Contact
Questions about this DPA or requests to exercise data subject rights should be directed to legal@inboxd.agency. Inboxd will acknowledge all requests within 5 Business Days.
