Data Processing Addendum
Last updated: May 1, 2026
This Data Processing Addendum (the "DPA") forms part of the Terms of Service between you (the "Controller") and Liisberg Consulting ApS ("DoneBox" or the "Processor") and governs the processing of personal data contained in mailboxes you connect to the DoneBox service. It is intended to satisfy the requirements of Article 28 of Regulation (EU) 2016/679 ("GDPR").
1. Definitions
Terms not defined here have the meaning given in the GDPR. "Customer Data" means the personal data contained in email messages, headers, attachments, and metadata of the mailboxes you connect to DoneBox, together with any AI-derived outputs such as summaries, suggested replies, suggested tasks, and extracted links. "Subprocessor" means a third party engaged by DoneBox to process Customer Data on the Controller's behalf.
2. Roles of the parties
You are the Controller of the Customer Data. DoneBox is the Processor and processes Customer Data only on your documented instructions, as set out in this DPA, the Terms of Service, and your interactions with the DoneBox application (such as connecting a mailbox, approving an action, or deleting your account).
DoneBox is the controller — not the processor — of data described in our Privacy Policy, including account, billing, and application usage data. That data is governed by the Privacy Policy and not by this DPA.
3. Subject matter, duration, nature, and purpose
- Subject matter: processing of Customer Data to provide the DoneBox email triage and dispatch service.
- Duration: for as long as you maintain a DoneBox account with at least one connected mailbox, until you delete the connection or your account, plus a brief technical wind-down period as described in Section 11.
- Nature of processing: retrieval, storage, transmission, AI-assisted analysis, and (with your explicit per-message approval) deletion or relabeling of email messages on your connected mailboxes via IMAP.
- Purpose: to provide the DoneBox service to you, including triage, summarization, suggested replies and tasks, action recommendations, archiving, and deletion of messages.
4. Categories of personal data and data subjects
Categories of personal data:
- email addresses, names, and other contact details of senders, recipients, and persons mentioned;
- email subject lines, message bodies (plain text and HTML), and attachments;
- email metadata: timestamps, message IDs, thread IDs, IMAP UIDs, mailbox/folder names, Gmail labels;
- raw RFC 822 source of received messages, retained to enable accurate processing and re-extraction;
- AI-derived outputs: summaries, classifications, priority assessments, suggested replies, suggested tasks, extracted call-to-action and unsubscribe URLs, and reasoning text;
- any other personal data that may be contained in the body of email messages, which is outside DoneBox's control.
Categories of data subjects:
- senders and recipients of emails in the connected mailbox;
- persons named or otherwise identified in the body, subject, headers, or attachments of those emails;
- any other natural persons whose personal data appears in the connected mailbox.
5. Processor obligations
DoneBox shall:
- process Customer Data only on documented instructions from the Controller, including any transfer of Customer Data outside the EEA, unless required to do otherwise by EU or Member State law;
- ensure that personnel authorized to process Customer Data are subject to confidentiality obligations;
- implement appropriate technical and organizational measures pursuant to Article 32 GDPR (see Section 8);
- respect the conditions on Subprocessors set out in Section 7;
- assist the Controller, by appropriate technical and organizational measures, in fulfilling its obligation to respond to data subject requests under Chapter III of the GDPR;
- assist the Controller in ensuring compliance with Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to DoneBox;
- at the Controller's choice, delete or return all Customer Data after the end of the provision of services, as set out in Section 11;
- make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
6. Controller obligations
You confirm that:
- you have a lawful basis under the GDPR (or other applicable law) to process the personal data of senders, recipients, and persons referenced in your connected mailboxes;
- you have provided required information to data subjects regarding your processing, including, where relevant, the use of an AI-assisted email tool;
- your instructions to DoneBox — including connecting a mailbox, approving actions, and otherwise using the service — are lawful;
- you will not use DoneBox to process special categories of personal data (Article 9 GDPR) where doing so would lack a lawful basis under Article 9(2);
- you are responsible for the security of the credentials you use to connect mailboxes (such as IMAP app passwords) and for promptly revoking them if compromised.
7. Subprocessors
The Controller authorizes DoneBox to engage Subprocessors to process Customer Data, subject to this Section 7. DoneBox enters into written agreements with each Subprocessor that impose data-protection obligations no less protective than those in this DPA.
The currently engaged Subprocessors are:
| Subprocessor | Role |
|---|---|
| Hetzner Online GmbH (Germany, EU) | Hosting of application servers, databases, and stored email data |
| Mistral AI (France, EU) | AI processing of email content for triage, summarization, and suggestion generation |
The connected email providers you authorize (for example, Gmail, Fastmail, iCloud, or other IMAP servers) are not Subprocessors of DoneBox; they are independent controllers or processors with whom you have a separate relationship.
DoneBox will inform the Controller of any intended changes concerning the addition or replacement of Subprocessors with at least 30 days' prior notice, giving the Controller the opportunity to object. If the Controller objects on reasonable data-protection grounds, DoneBox will work with the Controller in good faith to find a workable solution; if none can be found, the Controller may terminate its DoneBox account, and DoneBox will delete or return Customer Data per Section 11.
8. Security measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, DoneBox implements technical and organizational measures to ensure a level of security appropriate to the risk, including:
- TLS encryption of data in transit between DoneBox and email providers, AI providers, and the Controller's browser;
- encryption-at-rest of sensitive credentials (such as IMAP app passwords) using Rails encrypted attributes with keys stored in encrypted credentials, separately from the database;
- access controls limiting administrative access to a minimum necessary set of personnel;
- audit logging of administrative actions and security-relevant events;
- periodic review of access permissions, dependencies, and security configuration;
- secure software development practices including code review and automated testing;
- backup and recovery procedures that preserve confidentiality.
9. Data subject requests
Taking into account the nature of the processing, DoneBox shall assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising data subjects' rights under Articles 15 to 22 of the GDPR.
Where a data subject contacts DoneBox directly with a request relating to Customer Data — for example, a sender or recipient of an email processed through your DoneBox account — DoneBox will, without undue delay, refer the request to the Controller and will not respond substantively unless instructed by the Controller to do so.
10. Personal data breaches
DoneBox shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Data, and in any case within 72 hours where feasible. Such notification will include, to the extent available, the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach.
11. Return or deletion of Customer Data
On termination of the service, on the Controller's request, or when the Controller deletes their DoneBox account, DoneBox will delete all Customer Data within a reasonable period. In practice:
- Live database records — connected mailbox records, email messages, AI triage results, drafts, and extracted links — are removed at request time;
- Stored email files (raw RFC 822 source, attachments) are queued for asynchronous deletion and typically removed within minutes;
- Backup snapshots are overwritten on the rolling schedule described in the Privacy Policy (currently up to 30 days), after which Customer Data is no longer recoverable;
- Logs mentioning Customer Data are retained for the shorter of 90 days or the period required by applicable law, after which they are rotated.
On the Controller's prior written request and at the Controller's expense, DoneBox can instead provide a structured export of Customer Data before deletion. Absent such a request, DoneBox will not retain copies after deletion except as required by law.
12. International transfers
DoneBox processes Customer Data within the European Union (Hetzner, Germany; Mistral, France). Where Customer Data is transferred outside the EEA — for example, in the course of operating subprocessors — DoneBox relies on appropriate safeguards such as adequacy decisions, the EU-US Data Privacy Framework, Standard Contractual Clauses, or equivalent legal mechanisms.
13. Audits
DoneBox will make available, on reasonable request, the information necessary to demonstrate compliance with this DPA. Where the Controller reasonably requires further audit, the parties will agree in advance on scope, timing, and confidentiality. Audits must not unreasonably interfere with DoneBox's normal operations and must respect the confidentiality of other DoneBox customers.
14. Liability and precedence
Liability under this DPA is governed by the limitation-of-liability terms in the Terms of Service. In the event of a conflict between this DPA and the Terms of Service or the Privacy Policy regarding the processing of Customer Data, this DPA prevails.
15. Governing law
This DPA is governed by the laws of Denmark, to the extent compatible with mandatory provisions of the GDPR and applicable Member State law.
16. Contact
Questions about this DPA can be sent to privacy@donebox.eu.