Version: 11/12/2025

This DPA is incorporated into the Inbaqs Platform Access Agreement (“Agreement”). Capitalized terms not defined here have the meanings in the Agreement.

1) Scope

This DPA applies when a Customer uses Inbaqs to process Customer Personal Information (“CPI”). Parties agree this DPA reflects US service provider/contractor terms under applicable state privacy laws (e.g., CPRA, CO/CT/VA/UT/TX, etc.). It is not a GDPR addendum; an EU/UK annex may be added if Customer processes EU/UK data.

2) Roles & Instructions

Customer is the business/controller and gives documented instructions via the Agreement, this DPA, the Services UI, and written requests.

Inbaqs is Customer’s service provider/processor and will process CPI only per Customer’s instructions and this DPA.

3) Nature, Purpose, Duration, Types of Data

Nature/Purpose: Provide, secure, maintain, and improve the Services (email ingestion, thread stitching, search, tasking, file storage/sharing, analytics for service operations).

Data Types: Email addresses, names, headers/metadata, message content/attachments (as enabled by Customer), user account/profile data, audit logs, derived data (e.g., classifications).

Data Subjects: Customer end users, Customer personnel, and individuals referenced in email/content.

Duration: Term of the Agreement plus deletion period in §10.

4) Service-Provider/Contractor Certification (CPRA-style)

Inbaqs:

a) Does not sell or share CPI for cross-context behavioral advertising;

b) Uses CPI only for permitted business purposes and to provide the Services;

c) Will not combine CPI with personal info from other sources except as permitted for service operations or as instructed by Customer;

d) Ensures any sub-processors provide the same level of protection and use limits;

e) Notifies Customer if Inbaqs determines it can no longer meet these obligations.

5) Confidentiality

Inbaqs ensures personnel accessing CPI are under confidentiality obligations and trained in security/privacy; access is least-privilege and logged.

6) Security (TOMs)

Inbaqs maintains appropriate technical and organizational measures described in Annex A (encryption in transit/at rest, IAM, logging/monitoring, vulnerability mgmt, BCP/DR, secure SDLC, etc.). Upon request, Inbaqs will provide a security whitepaper and, if available, a SOC 2 Type II report under NDA. **(Customers may request a copy of the current SOC 2 audit by emailing ▢security@inbaqs.com.)**

7) Sub-processors

Customer authorizes Inbaqs to use sub-processors listed on [inbaqs.com/legal/subprocessors] (the “Subprocessor Page”). Inbaqs will:

a) Flow-down materially equivalent obligations;

b) Post updates to the Subprocessor Page and provide advance notice (target 10 business days) before materially new sub-processors begin processing CPI;

c) Allow Customer to object for reasonable data-protection grounds; if unresolved, parties will work in good faith to modify processing; if not feasible, Customer may suspend the affected feature or terminate the impacted order with a pro-rated refund.

8) Assistance (DSRs, Security, Assessments)

Inbaqs will reasonably assist Customer with:

Data Subject Requests (access, deletion, correction, portability) as directed by Customer, via product features or Support. Target response: within 15 business days of Customer request.

Security obligations (e.g., incident information, TOMs, responses to reasonable security questionnaires).

Data Protection Assessments required by state laws (where applicable to Customer).

9) Security Incidents

Inbaqs will notify Customer without undue delay and no later than 48 hours after confirmation of a Security Incident involving CPI. Notice will include known facts, scope, likely impact, and mitigation. Inbaqs will cooperate with Customer’s investigation and notifications. (See also your Incident Response Plan and state breach laws.)

10) Return & Deletion

Upon termination/expiration or on Customer request, Inbaqs will return or delete CPI. Unless legally required to retain, Inbaqs will delete remaining copies (including backups) within 90 days. Deletion certificates are available upon request.

11) Audits & Information Rights

Inbaqs will make available information reasonably necessary to demonstrate compliance (e.g., whitepaper, SOC 2 report under NDA, pen-test summary). If additional verification is required, Customer may conduct a scoped audit no more than once in 12 months (or following a material incident), on 30 days’ notice, during business hours, subject to confidentiality and a mutually agreed scope; Customer bears its audit costs.

12) Government & Law-Enforcement Requests

Inbaqs will disclose CPI only pursuant to valid legal process and will notify Customer (where lawful) before disclosure, and challenge overbroad or unlawful requests. **(See the Law-Enforcement Request Policy for the specific legal instrument requirements and detailed notification procedures.)**

13) Data Location & Transfers

Inbaqs hosts and processes CPI in the United States. If Customer later requires cross-border transfers, parties will implement appropriate safeguards (e.g., SCCs/UK addendum) in an addendum.

14) Precedence & Changes

If there’s a conflict between this DPA and the Agreement, this DPA controls for CPI processing. Inbaqs may update this DPA to reflect legal or operational changes; material changes will be posted with advance notice.

Contact for privacy/security: ▢privacy@inbaqs.com (or) ▢security@inbaqs.com