About GDPR - Smart Compose Feature – GDPR Compliance Inquiry

Smart Compose Feature – GDPR Compliance Inquiry

I’m currently evaluating the use of your Smart Compose functionality within our application and would like to ensure that it aligns with GDPR requirements, as our users and data are based in the EU.
Could you please clarify the following points:
Data Usage:
Does the Smart Compose feature process or store the content of user emails in any way for learning or model improvement purposes?
Training Data:
Are customer email contents used to train or fine-tune any machine learning models – either globally or per customer instance?
Data Storage & Processing Location:
Are the data processed by Smart Compose exclusively stored and handled within the EU? If not, what legal safeguards (e.g. Standard Contractual Clauses) are in place?
DPA Coverage:
Is the Smart Compose feature explicitly covered by your Data Processing Agreement (DPA), and are subprocessors involved in its delivery listed accordingly?
Opt-out or Control Options:
Is there an option to disable Smart Compose or restrict it from accessing certain types of sensitive content?
We’re aiming for full GDPR compliance and transparency with our users, and we want to ensure that using Smart Compose does not create any unintentional risks.
Looking forward to your clarification.

The Smart Compose functionality drafts an email based on the prompt provided. It does not utilize any data for training purposes, either globally or on a per-customer basis.

It is not explicitly called out in the Nylas DPA, which you can find under Section 5 - Data Privacy in the standard Terms; however, it does address AI products in general (Section 5.8).

No data is stored for Smart Compose and the system only receives the prompt for the message. Considering Smart Compose receives no PII there is no current opt out functionality for users to restrict PII.