Data Processing Agreement (DPA)

This Data Processing Agreement (“DPA”) forms part of the Terms and Conditions (“Terms”) governing the use of the InboxParse service (the “Service”).

This DPA applies when personal data is processed by the Service in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR).

The Service is provided by:

Timerise sp. z o.o.
ul. Księcia Witolda 49/15
50-202 Wrocław
Poland

NIP: 8971890756
VAT ID: PL8971890756
KRS: 0000895019

Email: hello@inboxparse.com

1. Definitions

For the purposes of this DPA:

Controller
The entity that determines the purposes and means of processing personal data.

Processor
The entity that processes personal data on behalf of the Controller.

Customer
The user or organization using the InboxParse Service.

Customer Data
Any personal data submitted, stored, or processed through the Service.

Data Protection Laws
Applicable privacy and data protection laws, including the GDPR.

Sub-processor
A third party engaged by the Processor to process personal data.

2. Roles of the Parties

For the purposes of GDPR:

• Customer acts as the Data Controller
• Timerise sp. z o.o. acts as the Data Processor

Timerise processes personal data only on behalf of the Customer and in accordance with the Customer’s instructions.

3. Subject Matter of Processing

Timerise provides the InboxParse platform, which processes email data and related metadata in order to transform emails into structured information.

Processing may include:

• ingestion of email data
• parsing email messages
• extracting structured data
• generating summaries or classifications
• storing processed results
• delivering data via API or dashboard

4. Duration of Processing

Processing of personal data will continue:

• for the duration of the Customer’s use of the Service
• until Customer Data is deleted
• or until termination of the service agreement

Upon termination, Customer Data will be deleted or returned in accordance with the Terms and the Customer’s instructions.

5. Categories of Data Processed

Depending on the Customer’s usage of the Service, the following data may be processed:

Email Content

• sender and recipient email addresses
• subject lines
• message body
• attachments
• email headers

Metadata

• timestamps
• message identifiers
• labels or categories
• extracted structured data

Account Information

• user email addresses
• authentication identifiers
• workspace or organization data

6. Categories of Data Subjects

Personal data processed through the Service may relate to:

• Customer employees
• Customer users
• email correspondents
• business contacts
• end users of Customer systems

7. Processor Obligations

Timerise agrees to:

Process Data Only on Instructions

Process Customer Data only on documented instructions from the Customer unless required by law.

Confidentiality

Ensure that personnel authorized to process personal data are bound by confidentiality obligations.

Security

Implement appropriate technical and organizational measures to ensure the security of personal data.

Assistance

Assist the Customer in fulfilling obligations regarding:

• data subject rights
• security incidents
• impact assessments
• regulatory compliance

Data Breach Notification

Notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data.

Data Deletion or Return

Upon termination of the Service, delete or return Customer Data unless retention is required by law.

8. Security Measures

Timerise implements technical and organizational security measures including:

• encrypted network connections (TLS/HTTPS)
• access control and authentication mechanisms
• infrastructure security controls
• logging and monitoring systems
• secure cloud infrastructure
• principle of least privilege

Security measures are periodically reviewed and updated.

9. Sub-processors

Timerise may engage Sub-processors to provide parts of the Service, including:

• cloud infrastructure providers
• analytics providers
• monitoring and logging providers
• authentication providers
• payment processors

Timerise ensures that Sub-processors are bound by data protection obligations equivalent to those in this DPA. A list of Sub-processors may be provided upon request.

10. International Data Transfers

Personal data may be transferred outside the European Economic Area (EEA).

Where such transfers occur, Timerise ensures appropriate safeguards including:

• Standard Contractual Clauses (SCCs)
• adequate data protection frameworks
• contractual and technical safeguards

11. Data Subject Rights

Timerise will assist the Customer, where reasonably possible, in responding to requests from data subjects exercising rights under GDPR, including:

• access
• rectification
• erasure
• restriction of processing
• data portability
• objection to processing

Where Timerise receives such requests directly, it will inform the Customer where legally permitted.

12. Audits

Timerise will make available information reasonably necessary to demonstrate compliance with this DPA. Where required, the Customer may request reasonable documentation regarding security and compliance measures.

13. Liability

Liability related to personal data processing shall be governed by the limitations set forth in the Terms and Conditions.

14. Governing Law

This DPA shall be governed by the laws of Poland, unless mandatory data protection laws require otherwise.

15. Contact

For questions related to data protection, please contact:

Timerise sp. z o.o.
ul. Księcia Witolda 49/15
50-202 Wrocław
Poland

Email: hello@timerise.io

Annex I – Description of Processing

Controller: Customer using the InboxParse Service

Processor: Timerise sp. z o.o.

Nature of Processing:

• ingestion of email data
• parsing and transformation
• AI-assisted classification
• structured data extraction
• storage and retrieval

Purpose of Processing: Providing the InboxParse platform and related services.

Annex II – Security Measures (Summary)

Timerise implements security measures including:

• encrypted communication (TLS)
• role-based access control
• secure authentication
• infrastructure monitoring
• logging and anomaly detection
• regular software updates
• restricted employee access to production systems