Last updated: December 2024
Parties
This Data Processing Agreement ("DPA") is entered into between:
Customer (the "Controller"):
The legal entity that has entered into the Principal Agreement with Outfound (for example, by accepting the Outfound Terms of Service or signing an order form), whose details are set out in the relevant order form, account billing profile, or contract.
and
Outfound (the "Processor"):
Name: Sodalis Bilisim Teknolojileri San. ve Tic. A.S.
Address: Izmir Bilisim Vadisi, Teknopark, Izmir, Turkey
Contact: privacy@outfound.ai
Each a "Party" and together the "Parties".
This DPA forms part of the Principal Agreement and is deemed accepted by the Customer when the Customer accepts the Principal Agreement (for example, by agreeing to the Terms of Service, signing an order form, or otherwise using the Services). Alternatively, this DPA may be executed as a separate signed agreement between the Parties.
1. Background and Scope
1.1 Purpose
This DPA governs the Processing of Customer Personal Data by Outfound when providing the Services under the main agreement between the Parties (the "Principal Agreement", which may be the Terms of Service, Master Subscription Agreement, or other written contract for the Outfound platform).
1.2 Relationship
The Customer acts as the Controller and Outfound acts as the Processor in relation to Customer Personal Data. Nothing in this DPA changes the relationship between the Parties as set out in the Principal Agreement.
1.3 Precedence
This DPA supplements and forms part of the Principal Agreement. In the event of any conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to data protection matters.
1.4 Duration
This DPA shall remain in effect for the duration of the Principal Agreement and for as long as Outfound Processes Customer Personal Data on behalf of the Customer.
2. Definitions
In this DPA, the following terms have the meanings set out below. Capitalised terms not defined herein have the meanings given in the Principal Agreement or in Applicable Data Protection Law.
| Term | Definition |
|---|---|
| Applicable Data Protection Law | All applicable laws and regulations relating to the Processing of Personal Data, including (where applicable) the GDPR, the UK GDPR, KVKK, and any other national implementing legislation. |
| Controller | The natural or legal person which determines the purposes and means of the Processing of Personal Data. |
| Customer Personal Data | Any Personal Data that Outfound Processes on behalf of the Customer in connection with the Services. |
| Data Subject | An identified or identifiable natural person to whom Personal Data relates. |
| EEA | The European Economic Area. |
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). |
| KVKK | Turkish Personal Data Protection Law No. 6698 (Kisisel Verilerin Korunmasi Kanunu). |
| Personal Data | Any information relating to an identified or identifiable natural person, as defined in Applicable Data Protection Law. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data. |
| Processing (and Process) | Any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction. |
| Processor | A natural or legal person which Processes Personal Data on behalf of a Controller. |
| Services | The B2B lead generation, AI-powered outreach, and related services provided by Outfound to the Customer under the Principal Agreement. |
| Standard Contractual Clauses (SCCs) | The standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission. |
| Sub-processor | Any third party engaged by Outfound to Process Customer Personal Data on behalf of Outfound. |
| Supervisory Authority | An independent public authority responsible for monitoring the application of Applicable Data Protection Law. |
| UK GDPR | The GDPR as incorporated into UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. |
3. Processing of Customer Personal Data
3.1 Scope of Processing
Outfound shall Process Customer Personal Data only:
- In accordance with the Customer's documented instructions (including those set out in this DPA and the Principal Agreement);
- As necessary to provide the Services;
- As required by Applicable Data Protection Law.
If Outfound is required by law to Process Customer Personal Data for any other purpose, Outfound shall inform the Customer of that legal requirement before Processing, unless prohibited by law from doing so.
3.2 Details of Processing
The subject matter, nature, purpose, duration, categories of Data Subjects, and categories of Personal Data are described in Annex I (Details of Processing).
3.3 Customer Responsibilities
The Customer warrants that:
- It has all necessary rights and lawful bases to provide Customer Personal Data to Outfound for Processing;
- It has provided appropriate notices to, and obtained necessary consents from, Data Subjects where required;
- Its instructions to Outfound comply with Applicable Data Protection Law;
- It will use the Services only for lawful B2B purposes and in accordance with the Principal Agreement.
3.4 Prohibited Data
The Customer shall not provide to Outfound, and Outfound is not obligated to Process, any special categories of Personal Data (as defined in Article 9 GDPR) or Personal Data relating to criminal convictions and offences (as defined in Article 10 GDPR), unless explicitly agreed in writing and appropriate safeguards are implemented.
4. Processor Obligations
4.1 Compliance
Outfound shall:
- Comply with Applicable Data Protection Law in its Processing of Customer Personal Data;
- Implement and maintain appropriate technical and organisational measures to protect Customer Personal Data, as described in Annex II (Security Measures);
- Ensure that persons authorised to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Not engage any Sub-processor except in accordance with Section 5 of this DPA.
4.2 Confidentiality
Outfound shall ensure that its personnel engaged in the Processing of Customer Personal Data:
- Are informed of the confidential nature of the Customer Personal Data;
- Have received appropriate training on their data protection responsibilities;
- Are bound by confidentiality obligations that survive the termination of their employment or engagement.
4.3 Security
Outfound shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those measures set out in Annex II. These measures shall take into account:
- The state of the art and the costs of implementation;
- The nature, scope, context, and purposes of Processing;
- The risk of varying likelihood and severity for the rights and freedoms of natural persons.
4.4 Records
Outfound shall maintain records of Processing activities carried out on behalf of the Customer as required by Article 30(2) GDPR and shall make such records available to the Customer upon request.
5. Sub-processing
5.1 Authorised Sub-processors
The Customer provides a general authorisation for Outfound to engage Sub-processors to Process Customer Personal Data, subject to the conditions set out in this Section 5.
5.2 Sub-processor List
A description of the categories of Sub-processors engaged by Outfound is set out in Annex III (Sub-processors). Outfound shall maintain an up-to-date list of its Sub-processors and shall make such list available to the Customer upon request.
5.3 Sub-processor Requirements
Before engaging any Sub-processor, Outfound shall:
- Conduct appropriate due diligence to ensure the Sub-processor is capable of providing the level of protection for Customer Personal Data required by this DPA;
- Enter into a written agreement with the Sub-processor that imposes data protection obligations no less protective than those imposed on Outfound under this DPA;
- Remain fully liable to the Customer for the performance of the Sub-processor's obligations.
5.4 Changes to Sub-processors
Outfound shall notify the Customer in advance (typically at least fifteen (15) days) of any intended addition or replacement of Sub-processors, providing the Customer with an opportunity to object to such changes.
If the Customer objects to a new Sub-processor on reasonable grounds relating to data protection, the Parties shall discuss the Customer's concerns in good faith. If the Parties cannot resolve the matter, the Customer may terminate the affected Services without penalty by providing written notice within thirty (30) days of receiving notice of the new Sub-processor.
5.5 Emergency Sub-processors
In urgent circumstances where Outfound needs to engage a new Sub-processor to maintain continuity of the Services, Outfound may provide shorter notice, provided that Outfound informs the Customer as soon as practicable and the Customer retains the right to object as set out above.
6. International Data Transfers
6.1 Transfers within EEA/UK
Customer Personal Data may be Processed within the EEA or the UK without additional safeguards.
6.2 Transfers outside EEA/UK
Where Customer Personal Data is transferred to a country outside the EEA or UK that has not been recognised as providing an adequate level of data protection, Outfound shall ensure that appropriate safeguards are in place, which may include:
- Standard Contractual Clauses (SCCs) adopted by the European Commission;
- UK International Data Transfer Addendum (IDTA) where applicable;
- Binding Corporate Rules approved by a Supervisory Authority;
- Any other valid transfer mechanism under Applicable Data Protection Law.
6.3 Sub-processor Transfers
Outfound shall ensure that any Sub-processor located outside the EEA/UK is subject to appropriate transfer mechanisms as described in Section 6.2.
6.4 Transfer Impact Assessments
Upon request, Outfound shall provide the Customer with information reasonably necessary to conduct transfer impact assessments and shall cooperate with the Customer in implementing supplementary measures where required.
7. Data Subject Rights
7.1 Assistance with Requests
Outfound shall assist the Customer in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including:
- Right of access (Article 15 GDPR);
- Right to rectification (Article 16 GDPR);
- Right to erasure ("right to be forgotten") (Article 17 GDPR);
- Right to restriction of processing (Article 18 GDPR);
- Right to data portability (Article 20 GDPR);
- Right to object (Article 21 GDPR);
- Rights related to automated decision-making and profiling (Article 22 GDPR).
7.2 Customer Responsibility
The Customer is primarily responsible for responding to Data Subject requests. Outfound shall promptly notify the Customer if it receives any request directly from a Data Subject and shall not respond to such request without the Customer's prior written authorisation, unless required by law.
7.3 Technical Assistance
Outfound shall provide the Customer with self-service tools and functionality within the Services to enable the Customer to access, correct, delete, or export Customer Personal Data. Where such tools are insufficient, Outfound shall provide reasonable technical assistance upon request.
7.4 Costs
Outfound may charge reasonable fees for assistance with Data Subject requests that are excessive, repetitive, or manifestly unfounded, provided that Outfound notifies the Customer of such fees in advance.
8. Personal Data Breaches
8.1 Notification
In the event of a Personal Data Breach affecting Customer Personal Data, Outfound shall notify the Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach.
8.2 Content of Notification
The notification shall include, to the extent known:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
- The name and contact details of the Outfound contact from whom more information can be obtained;
- A description of the likely consequences of the Personal Data Breach;
- A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
8.3 Cooperation
Outfound shall cooperate with the Customer and take reasonable steps to assist the Customer in:
- Investigating and remediating the Personal Data Breach;
- Fulfilling the Customer's obligations to notify Supervisory Authorities and affected Data Subjects under Applicable Data Protection Law;
- Mitigating the effects of the Personal Data Breach.
8.4 Record Keeping
Outfound shall maintain a record of all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken.
9. Data Protection Impact Assessments and Prior Consultation
9.1 Assistance with DPIAs
Where the Customer is required to carry out a data protection impact assessment (DPIA) under Article 35 GDPR (or equivalent provisions under Applicable Data Protection Law), Outfound shall provide reasonable assistance to the Customer, taking into account the nature of the Processing and the information available to Outfound.
9.2 Prior Consultation
Where the Customer is required to consult with a Supervisory Authority under Article 36 GDPR (or equivalent provisions), Outfound shall provide reasonable cooperation and assistance.
10. Return and Deletion of Data
10.1 During the Agreement
During the term of the Principal Agreement, the Customer may access, export, or delete Customer Personal Data using the self-service tools provided within the Services.
10.2 Upon Termination
Upon termination or expiry of the Principal Agreement, the Customer may request return or deletion of Customer Personal Data. Outfound shall:
- Provide the Customer with a reasonable period (not less than thirty (30) days) following termination to export Customer Personal Data;
- Upon written request from the Customer, delete all Customer Personal Data in its possession within ninety (90) days of such request, except where retention is required by Applicable Law.
10.3 Retention Exceptions
Outfound may retain Customer Personal Data to the extent required by Applicable Law, including for:
- Compliance with legal, tax, or accounting obligations;
- Establishment, exercise, or defence of legal claims;
- Audit log retention as required by law (up to two (2) years for certain records).
Any retained data shall continue to be protected in accordance with this DPA.
10.4 Certification
Upon request, Outfound shall provide written certification that it has deleted Customer Personal Data in accordance with this Section 10.
11. Audit and Compliance
11.1 Information Requests
Upon reasonable request, Outfound shall make available to the Customer all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.
11.2 Audit Rights
The Customer (or an independent third-party auditor appointed by the Customer) may conduct audits to verify Outfound's compliance with this DPA, subject to the following conditions:
- The Customer shall provide at least thirty (30) days' prior written notice of any audit;
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt Outfound's operations;
- The Customer (and any auditor) shall comply with Outfound's reasonable security and confidentiality requirements;
- The Customer shall bear its own costs of any audit, unless the audit reveals a material breach of this DPA by Outfound;
- Audits shall be limited to once per calendar year, unless required by a Supervisory Authority or following a Personal Data Breach.
11.3 Third-Party Certifications
Outfound may, where available, satisfy audit requests by providing relevant third-party certifications or reports (for example, ISO 27001 or SOC 2), security summaries, results of penetration tests or security assessments conducted by independent third parties, or responses to reasonable security questionnaires.
12. Liability
12.1 Liability Cap
Each Party's liability under this DPA shall be subject to the limitations of liability set out in the Principal Agreement.
12.2 Responsibility for Breaches
Each Party shall be responsible for any damages caused by its own breach of this DPA or Applicable Data Protection Law, subject to the limitations set out in the Principal Agreement.
13. General Provisions
13.1 Governing Law
This DPA shall be governed by and construed in accordance with the laws of Turkey, without regard to its conflict of laws principles.
13.2 Jurisdiction
Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Izmir, Turkey.
13.3 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
13.4 Amendments
This DPA may be amended only by a written instrument signed by both Parties. However, Outfound may update the Sub-processor list in accordance with Section 5.4 without requiring a formal amendment to this DPA.
13.5 Entire Agreement
This DPA, together with the Principal Agreement and any annexes attached hereto, constitutes the entire agreement between the Parties with respect to the Processing of Customer Personal Data.
13.6 Notices
All notices under this DPA shall be sent to the contact details specified in the Customer's account or the Principal Agreement, or to privacy@outfound.ai for notices to Outfound.
Signatures (Optional)
This section is for use when the Parties wish to execute the DPA as a separate signed agreement. If the Customer has accepted this DPA by accepting the Principal Agreement (for example, by agreeing to the Terms of Service), no separate signature is required.
For the Customer (Controller):
Name: ____________________________
Title: ____________________________
Date: ____________________________
Signature: ____________________________
For Outfound (Processor):
Name: ____________________________
Title: ____________________________
Date: ____________________________
Signature: ____________________________
Annex I - Details of Processing
1. Subject Matter and Purpose of Processing
Outfound Processes Customer Personal Data to provide the Services, which include:
- B2B lead generation and discovery based on Customer-defined target criteria
- Company and contact research and intelligence gathering
- Email address verification and deliverability checking
- AI-powered email personalisation and content generation
- Email campaign management and delivery (where enabled)
- Analytics and reporting on campaign performance
- Account management, billing, and customer support
2. Duration of Processing
Processing shall continue for the duration of the Principal Agreement and for such additional period as necessary to comply with the data return and deletion obligations set out in Section 10 of this DPA.
3. Categories of Data Subjects
Customer Personal Data may relate to the following categories of Data Subjects:
| Category | Description |
|---|---|
| Customer Users | Employees, contractors, and authorised representatives of the Customer who access and use the Services |
| B2B Contacts (Leads) | Business professionals whose contact information is generated, enriched, or managed through the Services |
4. Categories of Personal Data
| Category | Examples |
|---|---|
| Account Data | Name, email address, phone number (optional), job title, company name, timezone, language preferences |
| Authentication Data | User identifiers, login credentials (hashed), session tokens, authentication logs |
| Billing Data | Billing contact name and email, billing address, tax identification numbers (credit card data is NOT stored by Outfound) |
| Lead/Contact Data | Business contact details (name, work email, job title, phone), company information (name, domain, industry, size, location), professional social media URLs (LinkedIn, Twitter) |
| Usage Data | Feature usage, pages accessed, timestamps, IP addresses, browser and device information |
| Communication Data | Email content created through the platform, campaign metadata, delivery and engagement metrics |
| AI Input/Output Data | Prompts, targeting criteria, generated email content, personalisation snippets |
5. Special Categories of Personal Data
None. Outfound does not intentionally Process special categories of Personal Data (as defined in Article 9 GDPR). The Customer shall not provide such data to Outfound.
6. Frequency of Processing
Processing is performed on a continuous basis throughout the term of the Principal Agreement, as the Customer uses the Services.
7. Retention Period
Customer Personal Data is retained for the duration of the Principal Agreement and deleted or returned in accordance with Section 10 of this DPA, subject to legal retention requirements.
Annex II - Technical and Organisational Security Measures
Outfound implements and maintains the following technical and organisational measures to protect Customer Personal Data:
1. Encryption
| Measure | Description |
|---|---|
| Encryption in Transit | All data transmitted between customers and Outfound servers is encrypted using TLS 1.2 or higher |
| Encryption at Rest | Sensitive Personal Data (including email addresses, names, phone numbers) is encrypted at rest using strong encryption (e.g. AES-256) |
| Field-Level Encryption | High-risk PII fields are subject to additional field-level encryption with configurable encryption levels |
| Database Encryption | Production databases use encrypted storage |
2. Access Control
| Measure | Description |
|---|---|
| Authentication | User authentication is handled by a third-party identity provider using industry-standard authentication mechanisms and secure session management |
| Multi-Factor Authentication | Support for multi-factor authentication (e.g. TOTP) where enabled by the Customer's configuration |
| Role-Based Access Control (RBAC) | Granular permissions based on user roles (Owner, Admin, Member, Viewer) |
| Password Security | Strong password policies and industry-standard hashing are applied by the identity provider |
| Least Privilege | Personnel access to Customer Personal Data is limited to those who require it for their role |
3. Multi-Tenancy and Data Isolation
| Measure | Description |
|---|---|
| Tenant Isolation | Strict logical separation of Customer data using tenant identifiers enforced at the application and database level |
| Query Filtering | All database queries are automatically filtered by tenant identifier to prevent cross-tenant data access |
| Organisation Boundaries | Additional isolation at the organisation level within each tenant |
4. Audit Logging and Monitoring
| Measure | Description |
|---|---|
| Comprehensive Audit Logs | All data access, modifications, and security events are logged with user ID, timestamp, IP address, and action details |
| Audit Log Retention | Audit logs retained for up to two (2) years for compliance purposes |
| Security Monitoring | Real-time monitoring for suspicious activity, rate limit violations, and security incidents |
| Alerting | Automated alerts for critical security events |
5. Infrastructure Security
| Measure | Description |
|---|---|
| Network Segmentation | Separation of application, API, and database tiers with restricted network access |
| Container Security | Services run as non-root users in isolated containers |
| Secrets Management | Sensitive credentials stored securely using environment variables and secrets management |
| Regular Updates | Systems are regularly updated and patched |
6. Data Protection
| Measure | Description |
|---|---|
| PII Redaction | Sensitive data redacted in logs (strict mode in production) |
| Input Validation | All user inputs validated to prevent injection attacks |
| Soft Deletes | Data deletion uses soft delete mechanisms to maintain audit trails before permanent removal |
| Backup and Recovery | Regular automated backups with tested recovery procedures |
7. API Security
| Measure | Description |
|---|---|
| Rate Limiting | Per-tenant rate limiting to prevent abuse and denial-of-service |
| API Key Management | Secure API key generation, validation, and rotation capabilities |
| Security Headers | Implementation of security headers (CORS, CSRF protection) |
8. Incident Response
| Measure | Description |
|---|---|
| Incident Response Plan | Documented procedures for detecting, responding to, and recovering from security incidents |
| Breach Notification | Procedures to notify affected customers within 72 hours of becoming aware of a Personal Data Breach |
| Post-Incident Review | Root cause analysis and remediation following security incidents |
9. Personnel Security
| Measure | Description |
|---|---|
| Confidentiality Agreements | All personnel with access to Customer Personal Data are bound by confidentiality obligations |
| Security Training | Regular security awareness training for personnel |
| Access Reviews | Periodic reviews of personnel access rights |
10. Vendor Management
| Measure | Description |
|---|---|
| Sub-processor Due Diligence | Assessment of Sub-processor security practices before engagement |
| Contractual Protections | Data protection obligations imposed on all Sub-processors |
| Ongoing Monitoring | Regular review of Sub-processor compliance |
Annex III - Sub-processors
Outfound engages the following categories of Sub-processors to provide the Services. A current list of specific Sub-processor names may be provided to Customers upon request.
| Category | Purpose of Processing | Typical Location |
|---|---|---|
| Authentication & Identity | User authentication, session management, single sign-on, identity verification | EEA / US |
| Payment Processing | Processing payments, managing subscriptions, fraud prevention (Outfound does not store credit card data) | EEA |
| Cloud Hosting & Infrastructure | Hosting of application and databases, content delivery, compute resources | EEA / US |
| Analytics & Error Tracking | Application performance monitoring, error tracking, debugging, usage analytics | EEA / US |
| Email Delivery | Sending transactional and campaign emails on behalf of Customers, email event tracking | US |
| AI & Machine Learning Services | AI-powered content generation, personalisation, text analysis, lead scoring | US |
| Data Enrichment & Verification | B2B contact and company data enrichment, email address verification, deliverability checking | US |
Notes
No Specific Vendor Names: This Annex lists categories of Sub-processors rather than specific vendor names. A detailed list of current Sub-processors, including their legal names and locations, is available upon request by contacting privacy@outfound.ai.
Updates: Outfound will notify Customers of changes to Sub-processors in accordance with Section 5.4 of this DPA.
International Transfers: Where Sub-processors are located outside the EEA/UK, Outfound ensures appropriate transfer mechanisms are in place (such as Standard Contractual Clauses) in accordance with Section 6 of this DPA.
Customer Data Handling: Not all Sub-processors will Process all categories of Customer Personal Data. The specific Sub-processors used depend on the features of the Services utilised by the Customer.
End of Data Processing Agreement