Data Processing Addendum
Last updated: April 2026
What this is
This Data Processing Addendum ("DPA") applies when your organization uses Tiny Inbox to process personal data of individuals — typically your employees or teammates — under laws like the EU GDPR, UK GDPR, or similar. It describes how we process that data on your behalf, the commitments we make as your processor, and how we handle data-subject rights and security.
The DPA is incorporated into our Terms of Service when those laws apply to your use. You don't need to sign it separately; your agreement to the Terms incorporates it.
In this document, "you" and "your" mean your organization (the data controller). "We" and "our" mean Tiny Inbox (the data processor).
Subject matter, nature, and purpose
We process personal data to provide the Tiny Inbox service to you. That means:
- Storing and retrieving items your users capture
- Delivering transactional email (account verification, password reset)
- Generating AI suggestions for captured items (see our Privacy Policy for details; you can opt out for your account)
- Forwarding items to third-party destinations you've connected (Todoist, Google Tasks)
- Receiving and storing items sent to Tiny Inbox through the integrations you've connected (Slack, Discord, browser extension, email forwarding)
Duration
This DPA applies for as long as we process personal data on your behalf — typically the duration of your Tiny Inbox subscription, plus any retention windows described in our Privacy Policy.
Types of personal data and data subjects
Data subjects: your employees, teammates, or other individuals whose accounts or captured items are stored in Tiny Inbox on your behalf.
Personal data: account identifiers (email, display name), OAuth identifiers from connected providers, content of captured items (which may contain personal data depending on what users capture), AI-generated suggestions for those items, integration credentials (access and refresh tokens for connected services), and audit records of account activity. Full detail in our Privacy Policy.
Our commitments as processor
- We process personal data only on your documented instructions. Using the service in accordance with the Terms counts as your documented instructions; any further instruction should be emailed to hello@tinyinbox.app.
- Personnel with access to personal data on our side are bound by confidentiality obligations.
- We maintain technical and organizational security measures appropriate to the risks of processing (see "Security" below).
- We provide reasonable assistance in helping you respond to data-subject requests (access, deletion, correction, portability). Most of these are covered by the self-service export and deletion tools in the Tiny Inbox Settings page; for anything more complex, email us.
- We provide reasonable assistance with your own obligations around security, breach notification, data protection impact assessments, and regulator consultations, to the extent applicable law requires.
- At the end of our relationship, we delete or return personal data in line with the retention windows in our Privacy Policy, unless we're required by law to retain specific records longer.
- We make available, on reasonable request, the information reasonably necessary to demonstrate compliance with this DPA.
Sub-processors
We engage the following sub-processors to deliver the service, and we have Data Processing Agreements in place with each of them — automatically incorporated through their Terms of Service (Cloudflare, Neon, Resend, OpenAI) or via a separately executed agreement (Fly.io). Onward transfers of personal data to these sub-processors are governed by their respective DPAs:
- Fly.io — application hosting (United States). DPA executed via Fly.io's counter-signed process; see Fly.io compliance documents for their current DPA.
- Neon — managed Postgres database (United States). Neon DPA
- Cloudflare — static site hosting, inbound email routing, and privacy-first traffic analytics (global edge network). Cloudflare DPA
- Resend — transactional email delivery (United States). Resend DPA
- OpenAI — AI suggestions for captured items (United States). OpenAI DPA
We are responsible for our sub-processors' compliance with this DPA, as required by Article 28(4) of the GDPR and equivalent provisions in UK and Swiss law. If we add or change a sub-processor in a way that materially affects how your data is processed, we'll update this page at least 30 days before the change takes effect. Email us to subscribe to change notifications or to raise an objection to a new sub-processor.
International data transfers
Tiny Inbox is operated from the United States, and most of our sub-processors are US-based. Where personal data originates outside the United States, the following transfer mechanisms apply:
- EEA: the European Commission's 2021 Standard Contractual Clauses (Module 2: controller-to-processor) serve as our transfer mechanism.
- United Kingdom: the UK Information Commissioner's Office International Data Transfer Addendum to the EU SCCs — or, where more appropriate, the UK International Data Transfer Agreement (IDTA) — applies.
- Switzerland: the EU SCCs with Swiss-required adaptations apply (references to EU law read as references to Swiss law; the Swiss Federal Data Protection and Information Commissioner is the relevant supervisory authority).
Onward transfers from us to our sub-processors are governed by those sub-processors' own transfer terms, referenced in the "Sub-processors" section above.
Security
We maintain technical and organizational measures appropriate to the risks of processing personal data, including:
- TLS encryption for data in transit
- Passwords stored as salted hashes; authentication tokens stored as HMAC-SHA256 hashes
- Database access scoped through application-layer authorization; multi-tenant isolation enforced at the query layer
- Audit logging of account-level actions and administrative access to user records, retained for up to one year
- Short-lived access tokens (15 minutes), session refresh tokens bound to a single browser
- Principle of least privilege for internal access to production systems
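The token-handling measures listed above (authentication tokens stored as keyed HMAC-SHA256 digests rather than in the clear, a 15-minute access-token lifetime, and tenant isolation enforced at the query layer) are illustrated by the following added example. It is not Tiny Inbox's code; the HMAC key, the in-memory token store and the sample item rows are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical server-side secret for the demonstration. In a real deployment it lives
# in a secrets manager, never in source or in the database next to the digests.
TOKEN_HMAC_KEY = b"example-key-not-for-production"
ACCESS_TOKEN_TTL_SECONDS = 15 * 60  # the 15-minute lifetime the Security list states

# Constructed stand-in for a token table, keyed by digest: the raw token is never stored.
TOKEN_STORE: dict = {}

# Constructed sample item table; every row carries the tenant (org) it belongs to.
ITEMS = [
    {"id": 1, "org_id": 10, "text": "renew certificate"},
    {"id": 2, "org_id": 11, "text": "call vendor"},
    {"id": 3, "org_id": 10, "text": "rotate deploy keys"},
]


def token_digest(raw_token: str) -> str:
    """Keyed hash of a bearer token.

    A leaked database exposes only digests, and without the key an attacker cannot
    recompute a digest from a guessed token the way they could with unkeyed SHA-256.
    Because the digest is pseudorandom to the caller, a plain dictionary lookup on it
    does not leak usable timing information about the stored value.
    """
    return hmac.new(TOKEN_HMAC_KEY, raw_token.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_access_token(user_id: int, org_id: int, now: Optional[float] = None) -> str:
    """Mint a random opaque token, record only its digest, expiry and tenant scope,
    and hand the raw token to the client exactly once."""
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)
    TOKEN_STORE[token_digest(raw)] = {
        "user_id": user_id,
        "org_id": org_id,
        "expires_at": now + ACCESS_TOKEN_TTL_SECONDS,
    }
    return raw


def authenticate(raw_token: str, now: Optional[float] = None) -> Optional[dict]:
    """Resolve a presented token by digest; unknown or expired tokens yield None."""
    now = time.time() if now is None else now
    record = TOKEN_STORE.get(token_digest(raw_token))
    if record is None or now >= record["expires_at"]:
        return None
    return record


def list_items(auth: dict) -> list:
    """Tenant isolation at the query layer: the org filter comes from the authenticated
    token, never from a client-supplied parameter, so a caller cannot widen the query."""
    return [row for row in ITEMS if row["org_id"] == auth["org_id"]]


if __name__ == "__main__":
    t0 = time.time()
    token = issue_access_token(user_id=1, org_id=10, now=t0)
    print("stored raw token?", token in TOKEN_STORE)          # False: only the digest is kept
    print("items visible to org 10:", list_items(authenticate(token, now=t0)))
    print("after 15 minutes:", authenticate(token, now=t0 + ACCESS_TOKEN_TTL_SECONDS))
```

The expiry check compares against the timestamp recorded at issuance, so a refresh token (which the page says is bound to a single browser) would be handled by a separate, longer-lived record; this example covers only the short-lived access token.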
Breach notification
If we become aware of a personal-data breach affecting your data, we'll notify you without undue delay and in any case within 72 hours of our awareness. The notification will include, to the extent the information is then available, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures we've taken or propose to take. We'll continue to update you as additional information becomes available.
Data-subject requests
Most data-subject rights can be exercised self-service by the affected user through the Tiny Inbox Settings page: download a copy of their data, delete their account, revoke API tokens, or disconnect connected integrations. For requests that can't be satisfied self-service, or for requests you receive as the controller and need our assistance with, email hello@tinyinbox.app. We'll respond within 30 days, consistent with our Privacy Policy.
Audit
You can verify our compliance with this DPA by reviewing our Privacy Policy, our Terms, this DPA, the public documentation of our sub-processors, and any third-party security attestations we publish. If those aren't sufficient for your purposes, email us to arrange a reasonable audit — typically a written questionnaire or call rather than an on-site visit, with reasonable costs borne by the requesting customer.
End of service
When your use of Tiny Inbox ends, you can export your data through the Settings page or ask us to do so. After an account is deleted, retention and erasure follow the windows described in our Privacy Policy (items retained until deletion; soft-deleted accounts permanently purged 30 days later; a minimal purge trace retained for accountability for up to one year).
Governing law
This DPA is governed by the laws of the State of New Mexico and the United States of America, consistent with our Terms of Service. Nothing in this DPA limits any rights you or your users have under the GDPR, UK GDPR, or other applicable data-protection law.
Contact
Tiny Inbox is operated as a sole proprietorship by Mark Nelson, based in New Mexico, United States.