Get Started
Legal

Data Processing Agreement

The GDPR Article 28 compliant agreement governing our processing of personal data on your behalf. Auto-incorporated into every Team and Enterprise subscription.

Last updated: 17 May 2026Effective: 17 May 2026
This template was prepared in good faith. For Enterprise customers requiring a counter-signed DPA, please contact legal@boxes.sh. Obtain attorney review before publication.

1. Parties and roles

This Data Processing Agreement ("DPA") is entered into between L1fe AI, Inc. ("Boxes", "Processor") and the customer entity identified in the applicable Order Form or click-through agreement ("Customer", "Controller"). It forms part of, and is governed by, the Boxes Terms of Service.

For Customer Data containing personal data, Customer is the controller (or, where Customer is itself a processor for its own customers, the processor) and Boxes is the processor (or sub-processor), as those terms are defined in GDPR Article 4.

2. Subject matter and duration

Boxes will process personal data contained in Customer Data on Customer's behalf for the duration of the Customer's subscription, solely to provide and maintain the Services, deliver support, and exercise the rights and obligations set out in the Terms of Service.

3. Categories of data subjects and personal data

  • Data subjects. Customer's employees, contractors, agents (human and AI), customers, prospects, suppliers, partners, and any other natural person whose personal data Customer chooses to process through the Services.
  • Categories of personal data. Names, contact details, communication content, file content, calendar entries, professional profile data, IP addresses, device data, authentication credentials, agent provenance records, and any other personal data Customer uploads or transmits through the Services.
  • Special categories. Customer should not upload special-category data (health, racial / ethnic origin, religious belief, political opinion, sexual orientation, biometric data) without first ensuring an appropriate Article 9 lawful basis applies, executing a separate amendment to this DPA, and engaging required regulatory consultations.

4. Processing only on Customer's instructions

Boxes will process personal data only on the documented instructions of Customer, including with regard to transfers of personal data to a third country. Customer's instructions are set out in the Terms of Service, this DPA, and any configuration or feature toggles within the Services. Boxes will notify Customer if, in its opinion, an instruction infringes GDPR or other applicable law.

5. Confidentiality of personnel

Boxes ensures that personnel authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory duty of confidentiality, and that access to personal data is restricted to personnel who need to access it to perform their duties.

6. Security measures

Boxes implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256-GCM);
  • Pseudonymisation where applicable, including agent capability tokens and per-tenant key derivation;
  • Role-based access control with multi-factor authentication for all staff;
  • Regular testing, assessment, and evaluation of security effectiveness (SOC 2 Type II audited annually);
  • A documented incident-response and business-continuity programme;
  • Backup, redundancy, and disaster-recovery procedures;
  • Tamper-evident audit logging with cryptographic chaining.

7. Subprocessors

Customer authorises Boxes to engage subprocessors to support the Services. A current list is maintained at /legal/subprocessors. Boxes will:

  • Provide at least 14 days' prior notice of any new subprocessor by email and via subscription on the subprocessors page;
  • Impose data-protection obligations on each subprocessor by written contract that are no less protective than those set out in this DPA;
  • Remain liable to Customer for the acts and omissions of each subprocessor.

If Customer reasonably objects to a new subprocessor on legitimate data-protection grounds, Customer may terminate the relevant portion of the Services on a pro-rata refund basis.

8. Data subject rights

Taking into account the nature of the processing, Boxes provides Customer with self-service tools (admin export, data subject access workflows, content deletion) to enable Customer to fulfil its obligations to respond to data subject requests under GDPR Articles 15–22. Boxes assists Customer with any request that cannot be fulfilled through self-service, at no additional cost for Team plans and as set out in the Order Form for Enterprise plans.

9. Personal data breach notification

Boxes will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Data. The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.

10. International data transfers

Where personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the EU Standard Contractual Clauses approved by Commission Decision 2021/914 (Module Two: Controller-to-Processor, or Module Three: Processor-to-Processor as applicable) are hereby incorporated into this DPA by reference and form an integral part of it. For UK transfers, the UK International Data Transfer Addendum (Version B1.0) is incorporated. For Swiss transfers, the Swiss FDPIC's adapted SCCs apply.

Boxes maintains a Transfer Impact Assessment that is available to Customer upon request.

11. Audit rights

Boxes makes available to Customer all information necessary to demonstrate compliance with this DPA, including by way of:

  • The most recent SOC 2 Type II report (under NDA);
  • The most recent ISO 27001 certificate;
  • A summary of penetration test findings (under NDA);
  • Responses to reasonable security questionnaires.

If Customer reasonably requires further information, Customer may, at its own expense and not more than once per twelve months, perform an audit through a mutually-agreed independent auditor, with at least 60 days' prior written notice, during normal business hours, subject to confidentiality, and in a manner that does not unreasonably disrupt Boxes' operations.

12. Return and deletion of data

Upon termination of the Services, Customer may export Customer Data for 30 days. After that period, Boxes will delete all Customer Data from production systems, with deletion completed from backups within 35 days. Audit-log retention (see §14) applies as a limited exception.

13. Term

This DPA is effective from the start of Customer's subscription and continues until the later of: (a) the end of the subscription term; (b) the completion of all data deletion obligations under §12.

14. Right-to-erasure / audit-log reconciliation

Customer acknowledges that the Boxes tamper-evident agent audit log is retained for seven years to meet accountability obligations under GDPR Article 5(2), industry-specific recordkeeping requirements, and to support Customer's own evidentiary needs. Right-to-erasure requests under Article 17 are reconciled with this retention as follows:

  • Audit log entries are pseudonymised on receipt of a valid erasure request, replacing direct identifiers with hashed surrogates while preserving cryptographic chain integrity;
  • The corresponding original Customer Data is permanently deleted in line with §12;
  • This approach is justified under Article 17(3)(e) — establishment, exercise, or defence of legal claims — and is documented in Boxes' Records of Processing Activities.

Customer may request a counter-signed copy of this DPA by emailing legal@boxes.sh.