Book a demo
Book a demo

DATA PROCESSING ADDENDUM

Effective Date: March 31, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between:

Processor:
MasterInbox LLC
6515 Old Dominion Dr
McLean, VA 22101
United States
Contact: [email protected]

and

Customer:
The entity identified in the applicable Order Form or subscription agreement (“Customer”).

This DPA applies to the extent that MasterInbox LLC processes Personal Data on behalf of Customer in connection with the Services.

1. Definitions

Terms such as “personal data,” “processing,” “controller,” “processor,” “data subject,” and “supervisory authority” have the meanings given in the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

Customer Data” means personal data processed by Processor on behalf of Customer in connection with the Services.

Services” means the Master Inbox platform and related support services.

2. Roles of the Parties

Customer is the Controller of Customer Data.
MasterInbox LLC is the Processor of Customer Data.

3. Processor Obligations (Article 28 GDPR)

Processor shall:

a) Process Customer Data only on documented instructions from Customer, including as necessary to provide the Services.
b) Ensure that persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c) Implement appropriate technical and organizational measures as described in Schedule 3 (Technical and Organizational Measures).
d) Not engage sub-processors except in accordance with Section 5.
e) Assist Customer in fulfilling obligations relating to data subject rights, security, DPIAs, and supervisory authority consultations, taking into account the nature of processing.
f) At Customer’s choice, delete or return Customer Data upon termination of the Services in accordance with Section 9.
g) Make available information reasonably necessary to demonstrate compliance with this DPA.

4. Nature and Purpose of Processing

Processor provides a centralized reply management and orchestration platform for outbound sales and marketing activities.

Processing activities include:

  • Collecting inbound replies
  • Storing message threads
  • AI-based classification and labeling (opt-in only)
  • Synchronizing data with CRMs and sequencers
  • Notifications via email or Slack
  • Analytics and reporting

Further details are provided in Schedule 1.

5. Sub-processors

Customer provides general authorization for Processor to engage sub-processors in connection with the Services.

Processor may add or replace sub-processors from time to time. Notification of material changes may be provided by updating the Processor’s sub-processor documentation or website. A current list of subprocessors is maintained at: https://masterinbox.com/subprocessors

Customer may object to a new sub-processor only on reasonable data protection grounds. Processor shall not be required to obtain Customer’s prior approval or delay operational changes.

6. International Data Transfers

Where Customer Data is transferred outside the EEA, such transfers shall be governed by the Standard Contractual Clauses attached as Schedule 4, unless an alternative lawful transfer mechanism applies.

AI processing is performed only when explicitly enabled and consented to by Customer at the workspace level.

7. Security Incidents

Processor shall notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data and will provide relevant information to assist Customer in meeting its legal obligations.

Notifications will be sent to the Customer’s designated contact email.

8. Data Subject Requests

Processor shall assist Customer in responding to data subject requests, taking into account the nature of processing and available information.

9. Deletion and Return of Data

Upon termination of the Services or upon Customer’s written request:

  • Customer Data will be deleted from active production databases and object storage within 7 business days
  • Logs are excluded from deletion unless explicitly requested, as such logs are maintained for security, abuse prevention, and system integrity purposes
  • Backups are retained for up to 6 months and will be deleted earlier upon Customer request where technically feasible

10. Audits

Customer may conduct an audit no more than once annually, subject to reasonable advance notice, scope limitations, and confidentiality obligations.

Audits shall be limited to document-based reviews of information made available by Processor and shall not include penetration testing reports, vulnerability scan results, source code review, on-site inspections, or access to production systems, except where required by applicable law.

11. EU Representative

Processor has not appointed an EU representative under Article 27 GDPR. Where required by applicable law, Processor shall appoint an EU representative upon reasonable request by Customer.

12. Governing Terms

This DPA supplements the main agreement. In case of conflict, this DPA governs with respect to data protection obligations.

13. Force Majeure

Processor shall not be liable for failure to comply with this DPA where such failure results from events beyond Processor’s reasonable control, provided Processor takes reasonable steps to mitigate the effects.

Schedule 1 Details of Processing

Subject Matter of Processing
Processing of personal data in connection with Master Inbox services.

Duration
For the duration of the Services and until deletion per Section 9.

Nature of Processing

  • Collection of communications
  • Storage and organization of messages
  • AI classification (if enabled)
  • Data syncing with third-party tools
  • Notifications and analytics

Purpose

  • Centralized inbox management
  • Communication handling and tracking
  • Workflow automation and efficiency
  • Performance analytics

Types of Personal Data

  • Name, email, LinkedIn data
  • Message content and attachments
  • Metadata (timestamps, labels)
  • Technical data (IP, device info where applicable)

Data Subjects

  • Prospects
  • Customers
  • Employees
  • Other individuals in communications

Schedule 3 Technical and Organisational Measures

Access Control

  • Role-based access
  • Least privilege enforcement

Security

  • TLS encryption in transit
  • Encryption at rest

Infrastructure

  • Secure hosting (Hetzner)
  • Cloudflare protection

Operations

  • Logging and monitoring
  • Incident response procedures

Data Isolation

  • Logical separation per workspace

Subprocessors

  • Due diligence + contracts

Retention

  • 7-day deletion from production
  • Backups up to 6 months

Personnel

  • Confidentiality obligations
  • Restricted production access

Schedule 4 Standard Contractual Clauses (SCCs)

Where Customer Data is transferred outside the EEA, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) apply.

  • Module: Controller to Processor
  • Exporter: Customer
  • Importer: MasterInbox LLC
  • Governing Law: Ireland

Annex I & II: Defined in Schedule 1 and 3
Annex III: Subprocessors at https://masterinbox.com/subprocessors

Unify replies. Scale your revenue. Close more deals.

Master Inbox helps agencies and sales teams handle high volumes of replies without dropping the ball.
 The inbox built for outbound at scale.
Book a demo
Book a demo

Product

How it works Pricing Book a demo

Contact

Contact the founder? Linkedin

Legal

Privacy policy Terms of service DPA

Alternatives

Masterinbox Alternative Front Alternative Missive Alternative