Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between the customer using SignalBox ("Customer") and TenDigits Software Inc. ("TenDigits", "SignalBox", "we", "us", or "our"). It applies when SignalBox processes Customer Personal Data on Customer's behalf while providing the SignalBox service.

SignalBox is built for sensitive business communications. The service connects to customer-authorized email, CRM, and relationship data sources, classifies relationship signals, prepares draft replies when enabled, and syncs selected activity into HubSpot. This DPA explains the processor commitments that support that work.

1. Definitions

Customer Personal Data means personal data, personal information, or personally identifiable information that Customer submits to SignalBox or instructs SignalBox to process through the service.

Customer Data means Customer Personal Data and all other non-public data Customer submits to SignalBox, including email metadata, CRM records, draft replies, settings, and integration credentials.

Data Protection Laws means privacy and data protection laws that apply to the processing, including PIPEDA, GDPR, UK GDPR, Swiss FADP, applicable U.S. state privacy laws, and successor laws.

Controller, Processor, Data Subject, Personal Data Breach, and Processing have the meanings given under applicable Data Protection Laws.

Subprocessor means a third party engaged by TenDigits to process Customer Personal Data on behalf of TenDigits in order to provide SignalBox.

Integrated Service means a third-party service that Customer connects or instructs SignalBox to access, such as Google Workspace, Microsoft 365, or HubSpot.

2. Roles

Customer is the controller of Customer Personal Data. TenDigits processes Customer Personal Data as a processor only to provide, secure, support, and improve SignalBox in accordance with Customer's documented instructions, the agreement, this DPA, and applicable law.

TenDigits is an independent controller for limited business operations data, such as account administration, billing, website analytics, security records, support communications, and legal compliance records. That controller processing is described in the Privacy Policy.

3. Customer Instructions

Customer instructs TenDigits to process Customer Personal Data to:

• connect Customer-authorized email, CRM, and relationship systems;
• sync selected email activity and relationship signals into HubSpot;
• classify messages and relationship activity;
• extract entities, summaries, signals, and action items;
• prepare draft replies when AI-assisted drafting is enabled;
• support notifications, account administration, security, abuse prevention, troubleshooting, and service reliability;
• delete, export, or return Customer Data as requested by Customer or required by law.

Customer is responsible for having a lawful basis to connect mailboxes, CRM systems, and other Integrated Services to SignalBox, and for providing any notices or consents required for its own users, customers, prospects, employees, contractors, or other data subjects.

4. Categories of Data

SignalBox may process the following categories of Customer Personal Data, depending on the features Customer enables:

• account and user data, including names, email addresses, roles, preferences, organization membership, and authentication identifiers;
• email metadata, including sender, recipient, subject, timestamp, thread identifiers, message identifiers, mailbox identifiers, and attachment metadata;
• email body content, only where needed for AI classification, relationship signals, voice capture, or AI-assisted drafting;
• AI-generated outputs, including classifications, summaries, extracted entities, action items, sentiment, risk/relevance scores, signals, and draft replies;
• HubSpot CRM data, including contacts, companies, deals, owners, timeline events, associations, and CRM identifiers;
• LinkedIn-related relationship data, where enabled, including monitored entities, connection information, conversation metadata, message snapshots, enrichment results, and generated LinkedIn draft replies;
• integration credentials, OAuth tokens, API keys, refresh tokens, IMAP credentials, session credentials, and customer-managed encryption key configuration;
• audit, usage, error, and security event records.

Data subjects may include Customer's users, employees, contractors, customers, prospects, partners, email senders and recipients, LinkedIn contacts, CRM contacts, and individuals mentioned in connected communications or CRM records.

5. Email Body Retention

SignalBox does not keep full email bodies as mailbox history. Message body content may be temporarily stored in encrypted form while the AI pipeline classifies a message. After processing, SignalBox purges body fields unless the message requires AI-assisted drafting or another enabled feature needs the content.

For AI-assisted drafting, SignalBox may retain the minimum encrypted content needed to generate, review, deposit, reconcile, and delete the draft under Customer's configured retention settings. SignalBox-generated drafts may also exist in the user's Gmail or Microsoft 365 Drafts folder until the user sends, edits, deletes, or disconnects them.

This section does not control Customer-owned systems. Email content, synced engagements, attachments, or CRM activity may remain in Google, Microsoft, HubSpot, or another Integrated Service according to Customer's configuration and that provider's terms.

6. Confidentiality

TenDigits restricts access to Customer Personal Data to personnel and contractors who need access to provide or support SignalBox. Personnel with access to Customer Personal Data are subject to confidentiality obligations. TenDigits will not disclose Customer Personal Data except as permitted by the agreement, this DPA, Customer's instructions, or applicable law.

7. Security Measures

TenDigits maintains technical and organizational measures designed to protect Customer Personal Data against unauthorized access, disclosure, alteration, loss, and destruction. Current measures include:

• encryption in transit using HTTPS/TLS;
• managed database encryption at rest;
• application-level envelope encryption for high-value email personal data where implemented;
• encrypted vault storage for OAuth tokens, refresh tokens, API keys, and other secrets;
• organization-scoped authorization controls and database row-level security;
• role-based access controls for administrative actions;
• audit logging for security-relevant and data lifecycle events;
• least-privilege OAuth scope design where provider APIs allow it;
• provider token revocation and credential deletion during disconnect or account deletion flows;
• customer-managed key controls for eligible enterprise configurations, including external KMS integrations where configured;
• input validation, rate limiting, security headers, and service monitoring.

The Security, Subprocessors & Integrated Services schedule provides more detail about current controls and providers.

8. Subprocessors and Integrated Services

Customer authorizes TenDigits to use subprocessors listed in the Security, Subprocessors & Integrated Services schedule. TenDigits remains responsible for subprocessors' processing of Customer Personal Data and requires subprocessors to protect Customer Personal Data under written terms appropriate to the nature of the service they provide.

TenDigits may update subprocessors as SignalBox evolves. For material new subprocessors that process Customer Personal Data, TenDigits will provide notice through the website, documentation, email, in-app notice, or another reasonable channel. Customer may object on reasonable data protection grounds. If the parties cannot resolve the objection, Customer may stop using the affected feature or terminate the service according to the agreement.

Google, Microsoft, HubSpot, and similar services are typically Customer-authorized Integrated Services rather than general SignalBox subprocessors. Customer directs SignalBox to access those services under Customer's own tenant, portal, account, OAuth consent, admin consent, or configuration. Customer remains responsible for its relationship with those providers and for the data it chooses to sync into or retain in those systems.

9. AI Providers

AI-assisted features may use OpenAI, Anthropic, customer-provided AI providers, or other configured AI processors. AI features may classify messages, summarize relationship activity, extract entities, generate draft replies, learn draft preferences, and produce relationship signals.

TenDigits does not permit AI subprocessors to use Customer Personal Data to train their general models unless Customer separately enables or instructs that use through a provider account or configuration. Where Customer uses its own AI provider account or API key, Customer is responsible for that provider relationship and settings.

Customer can disable AI-assisted drafting and disconnect integrations. Some non-drafting classification and signal features may still require temporary email body processing to provide the service.

10. Data Subject Requests

Customer is responsible for responding to data subject requests as controller. TenDigits will reasonably assist Customer in fulfilling requests to access, correct, export, restrict, or delete Customer Personal Data, taking into account the nature of the service and the information available to TenDigits.

Customer admins can delete an organization from SignalBox. Organization deletion is designed to be immediate and irreversible: Customer Data, org-scoped audit records, AI outputs, drafts, CRM cache, LinkedIn data, mailbox configurations, connected credentials, and vault secrets are deleted from SignalBox systems. SignalBox also attempts provider-side cleanup before destroying credentials, including revoking supported OAuth tokens and deleting SignalBox-created drafts from Gmail or Microsoft 365 where possible.

Some records are not controlled by SignalBox deletion:

• Customer-owned email messages remain in Customer mailboxes.
• HubSpot contacts, companies, deals, and default synced CRM records remain in Customer's HubSpot portal unless Customer separately deletes them or selects an available optional cleanup flow.
• Supabase Auth identity records may be retained so a user can authenticate again and create or join a new organization.
• De-identified deletion confirmation records, security records, billing records, or records required for legal, tax, fraud-prevention, dispute, or compliance reasons may be retained for the period required or permitted by law.
• Backups and provider logs may age out according to infrastructure retention schedules and are protected from active use during that period.

11. Personal Data Breach

TenDigits will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will include available information about the nature of the incident, affected data, likely consequences, mitigation steps, and contact point, to the extent known and legally permitted.

Customer is responsible for determining whether it must notify regulators, data subjects, customers, or other parties. TenDigits will provide reasonable assistance for those obligations.

12. International Transfers

Customer Personal Data may be processed in Canada, the United States, the European Economic Area, the United Kingdom, or other locations where TenDigits, its subprocessors, or Customer's Integrated Services operate.

Where Data Protection Laws require a transfer mechanism, the parties agree to use the applicable Standard Contractual Clauses, UK International Data Transfer Addendum, adequacy decision, Data Privacy Framework certification, or another lawful transfer mechanism. If there is a conflict between this DPA and the applicable transfer terms, the transfer terms control for the transferred data.

13. Audits and Assistance

TenDigits will make reasonable information available to Customer to demonstrate compliance with this DPA, including documentation about security measures, subprocessors, data flows, deletion controls, and relevant policies. Customer may request additional information where reasonably necessary for a security review, vendor assessment, or regulator inquiry.

Audits must be reasonable in scope, frequency, timing, and confidentiality. TenDigits may satisfy audit requests through documentation, security questionnaires, interviews, third-party reports when available, or other evidence appropriate for the size and maturity of the service.

14. Return and Deletion

During the term, Customer may export or delete Customer Data using available product controls or by contacting TenDigits. After termination or account deletion, TenDigits will delete Customer Data from active systems unless retention is required or permitted by law, needed for security, fraud prevention, dispute resolution, tax, accounting, or compliance obligations, or present only in backups pending ordinary backup expiration.

Deletion of Customer Data from SignalBox does not delete data from Customer-controlled Integrated Services except where SignalBox offers and Customer selects a specific cleanup action.

15. Liability

Each party's liability under this DPA is subject to the limitations, exclusions, and remedies in the agreement, unless Data Protection Laws require otherwise.

16. Order of Precedence

If there is a conflict between this DPA and the agreement, this DPA controls for the processing of Customer Personal Data. If there is a conflict between this DPA and mandatory Data Protection Laws, the applicable law controls.

17. Contact

For privacy or data protection questions, contact us at hello@tendigits.com.

Annex A: Processing Details

Annex B: Security Measures

SignalBox's current security measures are summarized in Section 7 and in the Security, Subprocessors & Integrated Services schedule. Measures may evolve as the service matures, provided they do not materially reduce the overall protection of Customer Personal Data.

Annex C: Subprocessors

Current subprocessors and Integrated Services are listed in the Security, Subprocessors & Integrated Services schedule.