Data Processing Addendum (DPA)
This DPA forms part of the Inbox Ledger Terms of Service for customers acting as data controllers under GDPR Article 28.
1. Roles
The customer is the data controller. Inbox Ledger is the data processor.
2. Subject Matter
Processing of personal data submitted to the Service for invoice extraction, reconciliation, and accounting integration.
3. Sub-processors
A current list of sub-processors engaged by Inbox Ledger is maintained in our internal sub-processor register and is available to customers upon written request to privacy@inboxledger.app. We will give the customer at least 30 days' advance notice via email before adding or replacing a sub-processor; the customer may object in writing during that period.
4. Security Measures
- TLS 1.2+ encryption for all data in transit.
- Encryption of credentials and OAuth tokens at rest in our secrets management system.
- Postgres Row-Level Security for tenant isolation.
- Working toward CASA Tier 2 verification.
- Audit logging of administrative events.
5. Data Subject Rights
We will assist the customer in responding to data-subject requests (access, rectification, erasure, portability) within 30 days of receipt.
6. Breach Notification
We will notify the customer without undue delay (and within 72 hours where feasible) after becoming aware of a personal-data breach affecting their data.
7. International Transfers
For transfers outside the EEA/UK, we rely on EU Standard Contractual Clauses (Module 2 — controller to processor).
8. Termination
Upon termination, the customer may request deletion or return of all personal data. We will purge backups within 30 days.
9. Liability
Liability under this DPA is subject to the limitations set in the main Terms of Service.
10. Contact
For DPA questions: privacy@inboxledger.app.