LEGAL
Data Processing Agreement
1. INTRODUCTION AND ROLES
This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between Outmate (operating as "Outmate.ai", "Outmate", "Processor") and the subscriber ("Subscriber", "Controller") and governs Outmate's processing of Personal Data on behalf of the Subscriber.
With respect to Personal Data that Outmate processes on the Subscriber's behalf in providing the Platform, including data collected through the visitor-tracking pixel deployed on the Subscriber's website ("Subscriber Personal Data"), the Subscriber is the Controller and Outmate is the Processor.
Outmate acts as an independent Controller for the limited purposes described in its Privacy Policy (including account administration, security, billing, and the operation and improvement of its identification infrastructure). To the extent Outmate and the Subscriber jointly determine purposes and means of any processing, the parties will agree the allocation of responsibilities in a joint-controller arrangement.
In case of conflict between this DPA and the Terms and Conditions regarding the processing of Subscriber Personal Data, this DPA prevails.
2. DEFINITIONS
"Data Protection Laws" means all laws applicable to the processing of Personal Data under this DPA, including the GDPR, UK GDPR, the CCPA/CPRA, the India DPDP Act and Rules, and the ePrivacy regime, as applicable.
The terms "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Personal Data Breach", and "Sub-processor" have the meanings given in the applicable Data Protection Laws. Under the CCPA/CPRA, Outmate acts as a "service provider" and the corresponding terms apply.
3. SUBJECT MATTER AND DETAILS OF PROCESSING
Subject Matter: the provision of the Platform, including visitor identification, enrichment, signal detection, workflows, integrations, and AI-assisted features.
Duration: for the term of the Subscriber's subscription and until deletion or return of Subscriber Personal Data in accordance with this DPA.
Nature and Purpose: collection, identification, de-anonymization, enrichment, scoring, storage, organization, retrieval, disclosure to Sub-processors and to integrations directed by the Subscriber, and deletion, for B2B go-to-market purposes.
Categories of Data Subjects: visitors to the Subscriber's website; the Subscriber's prospects and business contacts; and the Subscriber's authorized users.
Categories of Personal Data: online identifiers (including IP address, visitor identifier, and device fingerprint); business contact details (including name, business email, job title, professional profile URL, and business telephone where enabled); employer and firmographic data; approximate geolocation; and behavioral and intent data. The Subscriber must not submit special categories of data or other sensitive data except as permitted by law and configured appropriately.
4. PROCESSOR OBLIGATIONS
Outmate will process Subscriber Personal Data only on documented instructions from the Subscriber, including as set out in the Terms, this DPA, and the Subscriber's configuration of the Platform, unless required to process by law (in which case Outmate will inform the Subscriber unless legally prohibited).
Outmate will ensure that persons authorized to process Subscriber Personal Data are bound by confidentiality.
Outmate will implement appropriate technical and organizational measures as described in Section 8 (Security).
Outmate will assist the Subscriber, taking into account the nature of processing and information available, in: responding to Data Subject requests (Section 6); ensuring security; notifying Personal Data Breaches; conducting data-protection impact assessments; and consulting supervisory authorities, as required by Data Protection Laws.
At the Subscriber's choice, Outmate will delete or return Subscriber Personal Data at the end of the provision of services, and delete existing copies unless storage is required by law.
Outmate will make available information necessary to demonstrate compliance with this DPA and allow for and contribute to audits as described in Section 9.
CCPA/CPRA. Outmate will not sell or share Subscriber Personal Data, will not retain, use, or disclose it except as necessary to perform the services or as permitted by law, will not combine it with data from other sources except as permitted, and certifies that it understands and will comply with these restrictions.
5. SUBSCRIBER (CONTROLLER) OBLIGATIONS
The Subscriber warrants that it has a valid lawful basis and all required notices and consents for the processing it instructs Outmate to perform, including consent for cookies, fingerprinting, tracking technologies, and de-anonymization where required, particularly for visitors in the EU, EEA, UK, Switzerland, and India.
The Subscriber is responsible for the accuracy, quality, and legality of its instructions and of the Personal Data it provides or causes to be collected, and for maintaining its own privacy notice and consent mechanism on its website.
The Subscriber will not instruct Outmate to process Personal Data in violation of Data Protection Laws.
6. DATA SUBJECT RIGHTS
Taking into account the nature of the processing, Outmate will assist the Subscriber by appropriate technical and organizational measures, insofar as possible, to fulfil the Subscriber's obligations to respond to requests to exercise Data Subject rights (including access, rectification, erasure, restriction, portability, and objection).
If Outmate receives a request directly from a Data Subject regarding Subscriber Personal Data, it will, unless legally required to respond, refer the request to the Subscriber and assist as reasonably required. Outmate provides functionality enabling erasure of visitor identification data and the honoring of opt-outs.
7. SUB-PROCESSORS
The Subscriber provides general authorization for Outmate to engage Sub-processors to process Subscriber Personal Data, subject to this Section.
Outmate will impose data-protection obligations on Sub-processors that are no less protective than those in this DPA and remains responsible for its Sub-processors' performance.
Outmate's current Sub-processors include its hosting and infrastructure providers and its identification, enrichment, geolocation, search, and AI-model providers, as described in the Privacy Policy and in the Sub-processor list. A current Sub-processor list is available at available on request.
Outmate will provide a mechanism to notify the Subscriber of intended changes to Sub-processors and give the Subscriber the opportunity to object on reasonable data-protection grounds.
8. SECURITY
Outmate implements technical and organizational measures appropriate to the risk, including: encryption of data in transit; encryption at rest for sensitive identity fields where enabled; access controls, authentication, and session revocation; one-way hashing of account passwords; least-privilege access and secret management; rate limiting; audit logging of access to sensitive Personal Data; and restricted cross-origin access.
The parties acknowledge that security is a shared responsibility and that the Subscriber is responsible for securely configuring its use of the Platform and its connected integrations.
9. AUDITS
Outmate will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Subscriber or an auditor mandated by the Subscriber, no more than once per year (unless required by a supervisory authority or following a Personal Data Breach), subject to reasonable notice, confidentiality, and Outmate's security policies. Outmate may satisfy audit obligations by providing relevant certifications or third-party reports where available.
10. PERSONAL DATA BREACH
Outmate will notify the Subscriber without undue delay after becoming aware of a Personal Data Breach affecting Subscriber Personal Data, and will provide information reasonably available to assist the Subscriber in meeting its breach-notification obligations, including under the 72-hour timelines applicable under the GDPR and the India DPDP regime.
11. INTERNATIONAL TRANSFERS
Outmate may transfer and process Subscriber Personal Data in the United States, India, and other countries. Where such transfers are subject to transfer restrictions under Data Protection Laws, the parties will rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, which are incorporated by reference and completed with the details in this DPA and its appendices.
12. LIABILITY
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms and Conditions.
13. TERM AND TERMINATION
This DPA takes effect on the Effective Date and continues until Outmate ceases processing Subscriber Personal Data, after which the deletion or return obligations in Section 4.5 apply.
This document is provided for general information and does not constitute legal advice. Items shown highlighted are subject to final confirmation before publication.