Data Processing Agreement

Last updated: April 2026

1. Scope and Purpose

This Data Processing Agreement (“DPA”) supplements the Terms of Service and governs the processing of personal data by InboxWeave (“Processor”) on behalf of the organization using the Service (“Controller”).

2. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person, including customer phone numbers, names, message content, and email addresses processed through the Service
  • Processing: any operation performed on personal data, including collection, storage, retrieval, AI analysis, and deletion
  • Sub-processor: any third party engaged by the Processor to process personal data

3. Processing Details

Subject matter: Customer messaging and AI-assisted support
Duration: For the term of the Service agreement
Categories of data: Names, phone numbers, email addresses, message content, platform IDs
Data subjects: End users who message the Controller's connected channels

4. Obligations of the Processor

InboxWeave shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures (encryption at rest, RLS, TLS, webhook signature verification)
  • Assist the Controller in responding to data subject requests (via the GDPR tools)
  • Delete or return all personal data upon termination of the Service
  • Make available all information necessary to demonstrate compliance

5. Sub-processors

The following sub-processors are authorized:

Sub-processor     Purpose                                      Location
Supabase Inc.     Database, auth, storage, realtime            US / EU
OpenAI            AI inference (via Controller's BYOK key)     US
Meta Platforms    WhatsApp, Instagram, Messenger delivery      US / EU
Twilio Inc.       SMS delivery (if configured)                 US
Vercel Inc.       Application hosting                          US / EU

The Controller will be notified of any changes to the sub-processor list. The Controller may object to a new sub-processor within 14 days of notification.

6. International Transfers

Where personal data is transferred outside the EU/EEA, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) with each sub-processor. The Controller's choice of Supabase region determines the primary data storage location.

7. Security Measures

  • AES-256-GCM encryption for API keys and access tokens at rest
  • Optional per-conversation AES-256-GCM encryption for message content
  • Row Level Security isolating each organization's data
  • HMAC-SHA256 webhook signature verification
  • TLS 1.2+ for all data in transit
  • Access logging via the audit_logs table
  • Principle of least privilege: service-role access only in server-side code

8. Data Breach Notification

In the event of a personal data breach, InboxWeave will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, providing details of the nature, scope, and recommended mitigation measures.

9. Audits

The Controller may audit the Processor's compliance with this DPA upon reasonable notice. The Processor will cooperate and provide necessary access to information and systems.

10. Term and Termination

This DPA remains in effect for the duration of the Service agreement. Upon termination, all personal data will be deleted within 30 days unless retention is required by law. The Controller may request a data export before termination.