Jun 28, 2025
Data Processing Addendum (DPA)
1. Introduction
This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement (the “Agreement”) between Outmarket AI (“Processor”) and the Customer (“Controller”). This DPA reflects the parties’ agreement with regard to the processing of Data in accordance with applicable data protection laws and regulations.
2. Definitions
2.1 "Customer"
means the individual or entity that has entered into the Agreement and agreed to the incorporation of this DPA into the Agreement.
2.2 "Customer Data"
means application data, data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to an online Service by Customer or Users and is Processed by Outmarket AI on behalf of Customer. For the avoidance of doubt, Customer Data does not include usage, statistical, learned, or technical information that does not reveal the actual contents of such Customer Data.
2.3 "Users"
means individuals authorized by Customer to use the Services under the terms of the Agreement.
2.4 "Customer Personal Data"
means Personal Data that is contained within Customer Data.
2.5 "Personal Data"
means any information relating to, identifying, describing, or capable of being associated with a Data Subject or a household.
2.6 "Data"
means Customer Data, Customer Personal Data, and any other Personal Data processed by Processor in the course of providing the Services.
2.7 "Processing"
means any operation or set of operations performed on Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
2.8 "Sub-processor"
means any third party appointed by or on behalf of Processor to process Data in connection with the Agreement.
2.9 "Data Protection Laws"
means all applicable legislation protecting the fundamental rights and freedoms of individuals and their right to privacy with respect to the processing of Data.
2.10 "Data Subject"
means any identified or identifiable natural person, as defined under Applicable Data Protection Laws, whose Personal Data is collected, accessed, used, stored, or otherwise processed by the Controller or Processor in the course of providing the Services.
3. Processing of Data
3.1 Processor’s Obligations
Processor shall process Data only on documented instructions from Controller, including with regard to transfers of Data to a third country or an international organization, unless required to do so by Union or Member State law to which Processor is subject. In such a case, Processor shall inform Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.2 Controller’s Obligations
Controller shall provide documented instructions that are compliant with Data Protection Laws. Controller shall ensure that it has obtained all necessary consents, permissions, and notices required for Processor to process Data in accordance with this DPA.
4. Security Measures
4.1 Confidentiality
Processor shall ensure that persons authorized to process Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2 Security
Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:
The pseudonymization and encryption of Data;
The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
The ability to restore the availability and access to Data in a timely manner in the event of a physical or technical incident;
A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
5. Multi-Tenant Secure-System Measures
Processor shall ensure the highest level of measures to maintain data confidentiality and security in a multi-tenant secure system, including but not limited to:
Data Isolation: Ensuring logical data isolation between tenants to prevent unauthorized access to other tenants' Data.
Access Control: Implementing strict access control measures, including role-based access control and multi-factor authentication, to limit access to Data to only those individuals who need it to perform their job duties.
Encryption: Encrypting Data both in transit and at rest using industry-standard encryption algorithms and protocols.
Monitoring and Logging: Continuously monitoring and logging access to Data and system activities to detect and respond to security incidents promptly.
Regular Audits: Conducting regular security audits and vulnerability assessments to identify and mitigate potential security risks.
Data Minimization: Ensuring that only the minimum necessary amount of Data is processed for the specified purposes.
6. Sub-processors
6.1 General Authorization
Controller provides general authorization to Processor to engage Sub-processors. Processor shall inform Controller of any intended changes concerning the addition or replacement of Sub-processors at least fifteen (15) days in advance via email or through a customer portal, thereby giving Controller the opportunity to object to such changes.
6.2 Sub-processor Obligations
Processor shall ensure that the Sub-processor is bound by data protection obligations no less protective than those set forth in this DPA.
Sub-Processor | Subject Matter | Nature & Purpose of Processing | Location(s) |
---|---|---|---|
AWS | Cloud computing & storage | Hosting and processing of structured / unstructured Data | USA |
GCP | Cloud computing & storage | Hosting and processing of structured / unstructured Data | USA |
Google Gemini | AI model inference | Processing natural language queries and AI-based analytics | USA |
OpenAI | AI model inference | Processing natural language queries and AI-based analytics | USA |
Anthropic | AI model inference | Processing natural language queries and AI-based analytics | USA |
Supabase | Database hosting & management | Storing, managing, and retrieving Customer Data | USA |
GitHub | Code repository & version control | Managing source code, version control, and CI/CD pipelines | USA |
Llama Parse | Document parsing & processing | Extracting, parsing, and analyzing structured documents | USA |
Airbyte | Data integration & ETL processing | Extracting, transforming, and loading Data for analysis | USA |
Temporal | Workflow-orchestration engine | Coordinating and executing asynchronous application workflows | USA |
Sentry | Application monitoring & error tracking | Capturing, logging, and analyzing application errors / performance | USA |
7. Data-Subject Rights
Processor shall respond to such assistance requests within ten (10) business days of receipt unless otherwise agreed in writing to exercise their rights under Data Protection Laws, including access, rectification, erasure, restriction of processing, data portability, and objection to the processing of their Data.
8. Data-Breach Notification
Processor shall notify Controller without undue delay after becoming aware of a data breach affecting Data. Such notification shall include all relevant information necessary for Controller to meet any obligations to report or inform data subjects of the personal data breach under Data Protection Laws.
9. Data-Protection Impact Assessment & Prior Consultation
Processor shall provide reasonable assistance to Controller with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities, which Controller reasonably considers to be required by Data Protection Laws.
10. Deletion or Return of Data
Unless otherwise agreed in writing, Processor shall permanently delete all remaining Data within sixty (60) days following the termination or expiration of the Agreement.
11. Audit Rights
Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations set forth in this DPA and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller.
Such audits shall be conducted with at least thirty (30) days’ prior written notice, during normal business hours, and in a manner that does not interfere with the normal operations of the Processor. Audits shall occur no more than once in any twelve (12) month period unless (i) required by Data Protection Laws, (ii) requested by a supervisory authority, or (iii) following a confirmed Data Breach.
Controller and Processor shall mutually agree in advance on the scope, timing, and duration of the audit. Any information disclosed in connection with an audit shall be subject to confidentiality obligations under the Agreement, and Controller shall ensure that any third-party auditor is bound by appropriate confidentiality obligations prior to conducting any audit.
12. Liability
The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement.
13. Duration & Termination
This DPA shall remain in effect for as long as the Processor processes Data on behalf of the Controller under the Agreement.
14. Governing Law & Jurisdiction
This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.