Data Processing Agreement (Auftragsverarbeitungsvertrag)
Pursuant to Art. 28 GDPR
Last updated: March 19, 2026
1. Parties
Data Processor: psquared GmbH, Dametzstraße 2-4, 4020 Linz, Austria (FN 647249m, Landesgericht Linz) — hereinafter "Processor"
Data Controller: The customer who has accepted the InboxMate Terms of Service — hereinafter "Controller"
This Data Processing Agreement ("DPA") forms an integral part of the InboxMate Terms of Service and is automatically binding upon use of the Service.
2. Subject Matter and Duration
The Processor processes personal data on behalf of the Controller in connection with providing the InboxMate service (AI chatbot, email management, ticket system). Processing begins when the Controller starts using the Service and continues for the duration of the service agreement.
3. Nature and Purpose of Processing
The Processor processes personal data for the following purposes:
- Operating the AI chatbot on the Controller's website (receiving and responding to visitor messages)
- Storing and managing chat conversation history
- Processing visitor-provided contact information (if email collection is enabled)
- AI-powered response generation using the Controller's knowledge base
- Email channel management (receiving, drafting, and sending emails on the Controller's behalf)
- Ticket management and conversation routing
- Analytics and reporting on chatbot usage
4. Categories of Data Subjects
- Website visitors who interact with the Controller's InboxMate chatbot
- Individuals who send emails to the Controller's connected email inboxes
- The Controller's team members who use the InboxMate dashboard
5. Types of Personal Data
- Chat message content and timestamps
- Visitor metadata: browser language, referrer URL, session identifier
- IP addresses (in server logs, retained for 90 days)
- Email addresses (if voluntarily provided by visitors or via email channel)
- Names and contact details (if voluntarily provided)
- Team member names, email addresses, and access logs
6. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller (Art. 28(3)(a) GDPR), unless required by EU or Member State law
- Ensure that persons authorized to process the data have committed to confidentiality (Art. 28(3)(b) GDPR)
- Implement appropriate technical and organizational security measures (Art. 32 GDPR), including encryption in transit (TLS 1.2+) and at rest (AES-256), row-level database security, and role-based access control
- Not engage another processor without prior written authorization from the Controller (Art. 28(2) GDPR). The current list of sub-processors is available in the Privacy Policy. The Controller has 30 days to object to new sub-processors
- Assist the Controller in fulfilling data subject rights requests (Art. 28(3)(e) GDPR)
- Assist the Controller with DPIA obligations and prior consultation with supervisory authorities (Art. 28(3)(f) GDPR)
- Delete or return all personal data after the end of the service, at the Controller's choice (Art. 28(3)(g) GDPR). Upon request, provide written confirmation of deletion
- Make available to the Controller all information necessary to demonstrate compliance and allow for audits (Art. 28(3)(h) GDPR)
7. Sub-Processors
The Controller grants general authorization for the Processor to engage sub-processors, subject to the notification and objection mechanism described above. Current sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, auth, storage | EU (Frankfurt) |
| Stripe Inc. | Payment processing | EU (Ireland) |
| OpenAI Inc. | AI language model | EU (Sweden) |
| Amazon Web Services EMEA SARL | Email delivery (SES) | EU (Frankfurt) |
| Salesforce Inc. (Heroku) | Application hosting | EU (Ireland/Frankfurt) |
| Hetzner Online GmbH | Infrastructure & ancillary services | EU (Germany) |
| Tavily (AlphaAI Technologies Inc.) | Web search for AI tool calls | US (SCCs) |
All sub-processors are bound by data processing agreements ensuring equivalent data protection standards.
8. International Transfers
All primary data processing takes place within the EU. For sub-processors incorporated outside the EU (Supabase Inc., Stripe Inc., OpenAI Inc., Salesforce Inc./Heroku, AlphaAI Technologies Inc./Tavily), data processing is contractually restricted to EU infrastructure. Transfers are governed by:
- The EU-US Data Privacy Framework adequacy decision (where the sub-processor is DPF-certified), or
- Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR
9. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any case within 48 hours) after becoming aware of a personal data breach affecting the Controller's data. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
10. Audit Rights
The Controller may request an audit of the Processor's compliance with this DPA. Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and shall not unreasonably interfere with the Processor's business operations. The Controller bears the costs of audits unless non-compliance is found.
11. Liability
Liability under this DPA is governed by the limitation of liability provisions in the InboxMate Terms of Service.
12. Governing Law
This DPA is governed by Austrian law. The competent courts in Linz, Austria have exclusive jurisdiction for B2B disputes. For consumers, the statutory jurisdiction rules apply.
13. Contact
For questions about this DPA or data processing:
psquared GmbH
Dametzstraße 2-4, 4020 Linz, Austria
Email: office@psquared.dev