Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Controller") and Ikigai Infotech LLP, operating as TrulyInbox (the "Processor"). This DPA governs how we process personal data on your behalf when you use our email warmup and deliverability services.

1. Definitions

For the purposes of this DPA:

• Controller means you, the customer using TrulyInbox services to improve email deliverability.
• Processor means Ikigai Infotech LLP (TrulyInbox).
• Personal Data means any information relating to an identified or identifiable natural person processed through TrulyInbox.
• Processing means any operation performed on Personal Data, including collection, storage, use, transmission, or deletion.
• Sub-processor means any third party engaged by TrulyInbox to process Personal Data.
• Data Subject means the individual to whom Personal Data relates.
• Data Protection Laws means all applicable laws relating to data protection and privacy, including GDPR, CCPA, and other regional regulations.

2. Scope and Purpose of Processing

TrulyInbox processes Personal Data solely to provide email warmup and deliverability services as described in our Terms of Service. The processing includes:

• Connecting to your email accounts via OAuth authentication
• Sending and receiving warmup emails to build sender reputation
• Monitoring email deliverability metrics and inbox placement
• Analyzing email performance data to optimize deliverability
• Providing technical support and service improvements

We process Personal Data only on your documented instructions and do not use it for our own purposes beyond providing the service.

3. Types of Personal Data Processed

TrulyInbox may process the following categories of Personal Data:

• Email addresses: Sender and recipient email addresses involved in warmup activities
• OAuth tokens: Authentication credentials to access email accounts (Gmail, Outlook, etc.)
• Email metadata: Subject lines, timestamps, delivery status, inbox placement data
• Email content: Warmup email messages generated and sent through our service
• Account information: User names, company names, billing information
• Usage data: Service usage patterns, IP addresses, browser information
• Support data: Communications with our support team

We do not access, read, or process the content of your regular business emails beyond the warmup emails generated by our service.

4. Processor Obligations

TrulyInbox commits to the following obligations:

• Security measures: We implement industry-standard technical and organizational security measures to protect Personal Data, including encryption at rest and in transit, access controls, regular security audits, and staff training.
• Confidentiality: All personnel who access Personal Data are bound by confidentiality obligations.
• Processing instructions: We process Personal Data only according to your documented instructions unless required by law.
• Data protection by design: We build privacy and security into our product development lifecycle.
• Incident response: We maintain procedures to detect, respond to, and notify you of any data breaches.
• Compliance assistance: We will reasonably assist you in meeting your obligations under Data Protection Laws.

5. Sub-processors

TrulyInbox engages the following categories of sub-processors to deliver our services:

• Cloud infrastructure providers: For hosting services and data storage
• Email service providers: For sending and receiving warmup emails
• Analytics providers: For service monitoring and improvement
• Payment processors: For billing and subscription management

We maintain a list of current sub-processors on our website. We will notify you of any changes to sub-processors with at least 30 days' notice, giving you the opportunity to object. All sub-processors are bound by data protection obligations substantially similar to those in this DPA.

6. Data Subject Rights

As a Processor, we will assist you in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including:

• Right of access to Personal Data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing

If we receive a request directly from a Data Subject, we will promptly forward it to you. We will provide reasonable assistance in responding to such requests within the timeframes required by applicable law.

7. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA) where our sub-processors operate. When we transfer Personal Data internationally, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions recognizing equivalent data protection standards
• Other legally recognized transfer mechanisms under GDPR Article 46

We will provide you with information about transfer mechanisms upon request.

8. Data Breach Notification

In the event of a Personal Data breach, TrulyInbox will:

• Notify you without undue delay after becoming aware of the breach
• Provide details of the nature of the breach, categories and approximate number of affected Data Subjects, and likely consequences
• Describe measures taken or proposed to address the breach and mitigate potential harm
• Provide regular updates as the investigation progresses
• Cooperate with you in meeting notification obligations to supervisory authorities and Data Subjects

We maintain documented incident response procedures and conduct regular security training for our team.

9. Audit Rights

Upon reasonable written notice and subject to confidentiality obligations, we will:

• Make available information necessary to demonstrate compliance with this DPA
• Allow for and contribute to audits or inspections by you or an independent auditor
• Provide evidence of certifications, security reports, or third-party audit results

Audits must be conducted during regular business hours with minimal disruption to our operations. You are responsible for costs associated with audits, including reasonable fees for our time.

10. Term and Termination

This DPA remains in effect for as long as we process Personal Data on your behalf. Upon termination of the Terms of Service:

• We will cease processing Personal Data for the purposes described in this DPA
• You may request return or deletion of Personal Data within 30 days of termination
• We will securely delete or return all Personal Data as instructed, except where retention is required by law
• Certification of deletion will be provided upon request

11. Return or Deletion of Personal Data

Upon your written request or termination of services, we will:

• Provide you with a copy of Personal Data in a commonly used, machine-readable format
• Securely delete all Personal Data from our systems and those of our sub-processors
• Provide written certification that Personal Data has been returned or deleted

We may retain Personal Data to the extent required by applicable law, with such data remaining subject to confidentiality obligations and used only for legal compliance purposes.

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. We will indemnify you against claims arising from our breach of this DPA, except where such breach results from your instructions or your failure to comply with Data Protection Laws.

13. Amendments

We may update this DPA from time to time to reflect changes in Data Protection Laws, business practices, or regulatory requirements. Material changes will be notified to you at least 30 days in advance via email or through the TrulyInbox dashboard.