Data Processing Addendum

Last updated: May 15, 2026.

This Data Processing Addendum ("DPA") is incorporated into the Terms of Service or another written agreement between Inline and the customer using the Services ("Customer"). It applies when Inline processes Customer Personal Data on behalf of Customer and that processing is subject to Data Protection Laws.

If Customer has a separately signed data processing agreement with Inline, that signed agreement controls.

1. Definitions

"Customer Personal Data" means personal data contained in Customer content, workspace data, account records, integration data, or other information that Inline processes on behalf of Customer through the Services.

"Data Protection Laws" means applicable privacy and data protection laws, which may include GDPR, UK GDPR, Swiss data protection law, CCPA/CPRA, and similar laws.

"GDPR", "personal data", "processing", "controller", "processor", "data subject", and "personal data breach" have the meanings given in applicable Data Protection Laws.

"Subprocessor" means a third party engaged by Inline to process Customer Personal Data to provide the Services.

2. Roles

Customer is the controller of Customer Personal Data. Inline is the processor of Customer Personal Data, except where Inline processes limited account, billing, security, or operational data as an independent controller as described in the Privacy Policy.

Customer is responsible for having a lawful basis and all required rights, notices, and consents for Inline to process Customer Personal Data as described in this DPA.

3. Processing Instructions

Inline will process Customer Personal Data only:

• to provide, secure, support, and improve the Services
• as instructed by Customer through product settings, API calls, integrations, bots, MCP grants, support requests, or written instructions
• as required by law
• as otherwise permitted by the agreement between Inline and Customer

If Inline believes an instruction violates Data Protection Laws, Inline may notify Customer and may suspend the affected processing until the issue is resolved.

4. Details of Processing

Subject matter

Inline provides work chat, sync, file sharing, search, notifications, APIs, SDKs, bots, MCP tools, and user-enabled integrations.

Duration

Inline processes Customer Personal Data for the term of Customer's use of the Services and for any additional period needed for backups, deletion, legal obligations, security, dispute resolution, and enforcement.

Nature and purpose

Processing includes hosting, storing, syncing, transmitting, encrypting, decrypting when needed to provide the Services, indexing, searching, displaying, backing up, logging, securing, debugging, notifying, and processing user-requested integration and AI-assisted workflows.

Categories of data subjects

Data subjects may include Customer's users, workspace members, invited users, message recipients, contacts shared by users, bot operators, support contacts, and people mentioned in Customer content.

Types of personal data

Customer Personal Data may include names, usernames, email addresses, phone numbers, profile photos, time zones, user IDs, workspace and chat membership, messages, files, media, reactions, integration metadata, device/session information, IP addresses, logs, and any other personal data Customer or its users submit to the Services.

5. Confidentiality

Inline will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and process Customer Personal Data only as needed to perform their duties.

6. Security Measures

Inline will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Current measures include:

• TLS for data in transit
• encryption at rest for sensitive server-side data
• encrypted storage for sensitive tokens, file paths, push credentials, and selected message fields
• signed media URLs and access checks for protected media
• hashed authentication tokens
• limited production access
• logging, monitoring, and incident response practices
• secure development practices and dependency review
• native app signing and notarization where applicable

Inline may update these measures over time as long as the overall level of security is not materially reduced.

7. Subprocessors

Customer authorizes Inline to use Subprocessors to provide the Services. Inline's current Subprocessor list is available at Subprocessors.

Inline will impose data protection obligations on Subprocessors that are designed to provide at least the same level of protection required by this DPA. Inline remains responsible for Subprocessors' processing of Customer Personal Data to the extent required by applicable law and the agreement with Customer.

If Inline adds or replaces a Subprocessor that materially processes Customer Personal Data, Inline will update the Subprocessor list. Customer may object on reasonable data protection grounds by contacting hey [at] inline.chat. If the parties cannot resolve the objection, Customer may stop using the affected Services.

8. Data Subject Requests

Inline will provide reasonable assistance, taking into account the nature of the Services and information available to Inline, to help Customer respond to data subject requests. Customer is responsible for responding to requests from data subjects unless Data Protection Laws require otherwise.

9. Personal Data Breaches

Inline will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notice will include available information reasonably needed for Customer to meet its breach notification obligations. Inline will provide reasonable cooperation in investigating and remediating the breach.

10. Return and Deletion

Upon termination of the Services, Inline will delete or return Customer Personal Data according to product functionality, Customer instructions, and applicable law. Some data may remain for a limited period in backups, logs, security records, legal records, or where retention is required by law.

11. Audits and Information

Inline will make available reasonable information necessary to demonstrate compliance with this DPA. Audits must be reasonable in scope, scheduled with advance written notice, occur no more than once per year unless required by a regulator or after a confirmed breach, and avoid disrupting the Services or compromising other customers' data.

12. International Transfers

Inline and its Subprocessors may process Customer Personal Data in the United States, Europe, and other countries. Where Data Protection Laws require a transfer mechanism, Inline will rely on appropriate safeguards such as the Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions, or another lawful transfer mechanism.

13. CCPA and Similar Laws

Where CCPA/CPRA or similar US state privacy laws apply, Inline will not sell Customer Personal Data or share Customer Personal Data for cross-context behavioral advertising. Inline will process Customer Personal Data only for the business purposes described in this DPA, the agreement, and Customer's instructions.

14. Liability and Conflict

Each party's liability under this DPA is subject to the liability limits in the agreement between the parties, unless Data Protection Laws require otherwise.

If this DPA conflicts with the Terms of Service or another agreement, this DPA controls only for the processing of Customer Personal Data.

Annex A: Processing Details

Item	Details
Processor	Inline
Controller	Customer
Processing subject matter	Work chat, file sharing, sync, search, notifications, APIs, SDKs, bots, MCP tools, and integrations.
Processing frequency	Continuous while Customer uses the Services.
Processing duration	The term of Customer's use of the Services plus backup, deletion, legal, security, and dispute-resolution periods.
Data subject categories	Users, workspace members, invited users, message recipients, support contacts, bot operators, and people referenced in Customer content.
Personal data categories	Account data, profile data, chat content, files, media, metadata, integration data, device/session data, IP addresses, logs, and support data.

Annex B: Contact

Privacy and DPA requests can be sent to hey [at] inline.chat.