Outmarket

Product

Solution

Outmarket

Solution

Product

Outmarket

Solution

Product

Outmarket

Solution

Product

Outmarket
Outmarket

Jun 28, 2025

Data Processing Addendum (DPA)

1. Introduction

This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement (the “Agreement”) between Outmarket AI (“Processor”) and the Customer (“Controller”). This DPA reflects the parties’ agreement with regard to the processing of Data in accordance with applicable data protection laws and regulations.

2. Definitions

2.1 "Customer"

means the individual or entity that has entered into the Agreement and agreed to the incorporation of this DPA into the Agreement.

2.2 "Customer Data"

means application data, data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to an online Service by Customer or Users and is Processed by Outmarket AI on behalf of Customer. For the avoidance of doubt, Customer Data does not include usage, statistical, learned, or technical information that does not reveal the actual contents of such Customer Data.

2.3 "Users"

means individuals authorized by Customer to use the Services under the terms of the Agreement.

2.4 "Customer Personal Data"

means Personal Data that is contained within Customer Data.

2.5 "Personal Data"

means any information relating to, identifying, describing, or capable of being associated with a Data Subject or a household.

2.6 "Data"

means Customer Data, Customer Personal Data, and any other Personal Data processed by Processor in the course of providing the Services.

2.7 "Processing"

means any operation or set of operations performed on Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2.8 "Sub-processor"

means any third party appointed by or on behalf of Processor to process Data in connection with the Agreement.

2.9 "Data Protection Laws"

means all applicable legislation protecting the fundamental rights and freedoms of individuals and their right to privacy with respect to the processing of Data.

2.10 "Data Subject"

means any identified or identifiable natural person, as defined under Applicable Data Protection Laws, whose Personal Data is collected, accessed, used, stored, or otherwise processed by the Controller or Processor in the course of providing the Services.

3. Processing of Data

3.1 Processor’s Obligations

Processor shall process Data only on documented instructions from Controller, including with regard to transfers of Data to a third country or an international organization, unless required to do so by Union or Member State law to which Processor is subject. In such a case, Processor shall inform Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

3.2 Controller’s Obligations

Controller shall provide documented instructions that are compliant with Data Protection Laws. Controller shall ensure that it has obtained all necessary consents, permissions, and notices required for Processor to process Data in accordance with this DPA.

4. Security Measures

4.1 Confidentiality

Processor shall ensure that persons authorized to process Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2 Security

Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

  • The pseudonymization and encryption of Data;

  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

  • The ability to restore the availability and access to Data in a timely manner in the event of a physical or technical incident;

  • A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

5. Multi-Tenant Secure-System Measures

Processor shall ensure the highest level of measures to maintain data confidentiality and security in a multi tenant secure system, including but not limited to:

  • Data Isolation: Ensuring logical data isolation between tenants to prevent unauthorized access to other tenants' Data.

  • Access Control: Implementing strict access control measures, including role-based access control and multi-factor authentication, to limit access to Data to only those individuals who need it to perform their job duties.

  • Encryption: Encrypting Data both in transit and at rest using industry-standard encryption algorithms and protocols.

  • Monitoring and Logging: Continuously monitoring and logging access to Data and system activities to detect and respond to security incidents promptly.

  • Regular Audits: Conducting regular security audits and vulnerability assessments to identify and mitigate potential security risks.

  • Data Minimization: Ensuring that only the minimum necessary amount of Data is processed for the specified purposes.

6. Sub-processors

6.1 General Authorization

Controller provides general authorization to Processor to engage Sub-processors. Processor shall inform Controller of any intended changes concerning the addition or replacement of Sub-processors at least fifteen (15) days in advance via email or through a customer portal, thereby giving Controller the opportunity to object to such changes.

6.2 Sub-processor Obligations

Processor shall ensure that the Sub-processor is bound by data protection obligations no less protective than those set forth in this DPA.

Sub-Processor

Subject Matter

Nature & Purpose of Processing

Location(s)

AWS

Cloud computing & storage

Hosting and processing of structured / unstructured Data

USA

GCP

Cloud computing & storage

Hosting and processing of structured / unstructured Data

USA

Google Gemini

AI model inference

Processing natural language queries and AI-based analytics

USA

OpenAI

AI model inference

Processing natural language queries and AI-based analytics

USA

Anthropic

AI model inference

Processing natural language queries and AI-based analytics

USA

Supabase

Database hosting & management

Storing, managing, and retrieving Customer Data

USA

GitHub

Code repository & version control

Managing source code, version control, and CI/CD pipelines

USA

Llama Parse

Document parsing & processing

Extracting, parsing, and analyzing structured documents

USA

Airbyte

Data integration & ETL processing

Extracting, transforming, and loading Data for analysis

USA

Temporal

Workflow-orchestration engine

Coordinating and executing asynchronous application workflows

USA

Sentry

Application monitoring & error tracking

Capturing, logging, and analyzing application errors / performance

USA

7. Data-Subject Rights

Processor shall respond to such assistance requests within ten (10) business days of receipt unless otherwise agreed in writing to exercise their rights under Data Protection Laws, including access, rectification, erasure, restriction of processing, data portability, and objection to the processing of their Data.

8. Data-Breach Notification

Processor shall notify Controller without undue delay after becoming aware of a data breach affecting Data. Such notification shall include all relevant information necessary for Controller to meet any obligations to report or inform data subjects of the personal data breach under Data Protection Laws.

9. Data-Protection Impact Assessment & Prior Consultation

Processor shall provide reasonable assistance to Controller with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities, which Controller reasonably considers to be required by Data Protection Laws.

10. Deletion or Return of Data

Unless otherwise agreed in writing, Processor shall permanently delete all remaining Data within sixty (60) days following the termination or expiration of the Agreement.

11. Audit Rights

Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations set forth in this DPA and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller.

Such audits shall be conducted with at least thirty (30) days’ prior written notice, during normal business hours, and in a manner that does not interfere with the normal operations of the Processor. Audits shall occur no more than once in any twelve (12) month period unless (i) required by Data Protection Laws, (ii) requested by a supervisory authority, or (iii) following a confirmed Data Breach.

Controller and Processor shall mutually agree in advance on the scope, timing, and duration of the audit. Any information disclosed in connection with an audit shall be subject to confidentiality obligations under the Agreement, and Controller shall ensure that any third-party auditor is bound by appropriate confidentiality obligations prior to conducting any audit.

12. Liability

The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement.

13. Duration & Termination

This DPA shall remain in effect for as long as the Processor processes Data on behalf of the Controller under the Agreement.

14. Governing Law & Jurisdiction

This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.

Data Processing Addendum (DPA)

Data Processing Addendum (DPA)

Outmarket Raises $4.7M to Save You 80% of Your Time on Insurance Workflows

Outmarket Raises $4.7M to Save You 80% of Your Time on Insurance Workflows

Outmarket Raises $4.7M to Save You 80% of Your Time on Insurance Workflows

Outmarket Raises $4.7M to Save You 80% of Your Time on Insurance Workflows

Outmarket

© 2025 Outmarket. All rights reserved.