Ember
Data Processing Addendum
Effective date: June 12, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer") and One Infinity Labs, Inc. ("Ember", "we") whenever Ember processes personal data on your behalf. You do not need to sign anything: by connecting a mailbox, you accept this DPA as written here, and it applies automatically. If your compliance team needs a countersigned copy, email privacy@1labs.ai.
Roles
For the mailboxes you connect and the warmup data generated from them, you are the controller and we are the processor. We process that data only on your documented instructions — which are: provide the warmup and reporting service as described in the product and the Privacy Policy — and for no other purpose. We never sell it, never share it with advertisers, and never use it to train models.
For your Ember account itself (email, password hash, billing status), we are an independent controller; that processing is covered by the Privacy Policy, not this DPA.
What personal data is processed
- Mailbox credentials: IMAP/SMTP credentials you provide, encrypted with AES-256-GCM before storage, destroyed on disconnect.
- Mailbox addresses in your fleet (which are typically personal data of you or your team).
- Warmup-thread metadata: subjects, timestamps, fleet sender/recipient pairs, warmup events, and the folder placement of warmup messages.
We do not process the content of your real correspondence, your contacts, or any recipient lists — the product has no mechanism for any of them. Warmup email bodies are synthetic text generated from our template pool.
Subprocessors
We use a short list of subprocessors to run the service. Each is bound by a data processing agreement at least as protective as this one.
| Subprocessor | Purpose | Region |
|---|---|---|
| Neon, Inc. | Database (encrypted credentials, warmup events, account data) | USA |
| Vercel, Inc. | Hosting, CDN, scheduled warmup jobs | USA |
| Resend | Transactional email (verification, password reset, billing notices) | USA |
| Polar Software, Inc. | Billing — merchant of record | USA |
Note on mail transit: warmup email itself travels through your own mail providers (Google, Microsoft, or your IMAP/SMTP host) between mailboxes in your fleet. Those providers are your vendors, not our subprocessors — your agreements with them govern that transit.
We will update this page at least 14 days before adding or replacing a subprocessor that touches customer data. If you object to a change on reasonable data-protection grounds and we cannot resolve it, you may terminate the affected service and receive a pro-rata refund per the refund policy.
International transfers
Our subprocessors are US companies. Where personal data about EEA, UK, or Swiss data subjects is transferred to the United States, the transfer is covered by the EU Standard Contractual Clauses (Module 2, controller-to-processor), the UK Addendum, and/or the subprocessor's participation in the EU–US Data Privacy Framework, as applicable.
Security measures
The technical and organizational measures we maintain are described on the Security page, which forms part of this DPA. In summary: TLS in transit everywhere, AES-256-GCM encryption of mailbox credentials at rest, least-privilege access, and immediate credential destruction on disconnect.
Data subject requests
If a data subject contacts us about data we process on your behalf, we will forward the request to you without undue delay and assist you in responding. We will not respond directly unless legally required.
Confidentiality, breach notice, and audits
- Personnel with access to customer data are bound by confidentiality obligations and given the minimum access their role requires.
- We notify you of a personal data breach affecting your data without undue delay, and no later than 72 hours after we become aware of it.
- Once per year, on reasonable notice, you may request the information necessary to demonstrate our compliance with this DPA — security documentation first; audits where the law requires them.
Deletion and return
Disconnecting a mailbox destroys its credentials immediately and deletes its warmup data within 30 days. On termination of your account, all customer data is deleted within 30 days, except records Polar must retain for tax or legal reasons.
Order of precedence
If this DPA conflicts with the Terms of Service, this DPA wins for anything about personal data. If a mandatory law conflicts with both, the law wins, and we will tell you when that happens.
Contact
privacy@1labs.ai · Contact page. Ember is a product of One Infinity Labs, Inc.