Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Main Agreement (the “Agreement”) entered into between:

(1) ReachSoft OÜ, trading as Outreachly, a private limited company registered in Estonia under company number 17027954, with its registered office at Järvevana tee 9, Tallinn, 11314, Estonia (“Outreachly”, “we”, “us”, or “our”), acting in its capacity as a data processor;

and

(2) The Customer, being the legal entity that has entered into the Agreement with Outreachly (“Customer”, “you”, or “your”), and which may act as a data controller or data processor, as applicable depending on the context.

Definitions

Unless otherwise defined herein, capitalised terms used in this DPA shall have the meanings given to them in the UK GDPR, the EU GDPR, or other Applicable Data Protection Laws. In addition:

“Applicable Data Protection Laws” means all applicable laws and regulations relating to the processing of personal data, including without limitation the UK General Data Protection Regulation (“UK GDPR”), the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”), the UK Data Protection Act 2018, and any implementing, amending, or supplementing legislation or guidance issued by relevant supervisory authorities.

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Sub-Processor”, and “Supervisory Authority” shall each have the meaning given to them under the UK GDPR and/or the EU GDPR, as applicable in the context of the processing.

“Customer Data” means any Personal Data that is provided to Outreachly by or on behalf of the Customer, or otherwise obtained or accessed by Outreachly, in the course of providing the Services under the Agreement.

“Services” means the products, platforms, tools, features, support, and related services provided by Outreachly to the Customer under the Agreement, including but not limited to software-based outreach automation, lead generation, data enrichment, and email or domain management solutions.

“Security Incident” means any confirmed or reasonably suspected unauthorised or unlawful access to, acquisition of, disclosure of, alteration of, or destruction of Personal Data, or any accidental or unlawful loss or compromise of the security of Personal Data processed by Outreachly in connection with the Services.

“Standard Contractual Clauses” or “SCCs” means, where applicable, the standard contractual clauses approved by the European Commission under Implementing Decision (EU) 2021/914, including applicable modules and any relevant annexes, and as supplemented for transfers from the UK by the International Data Transfer Addendum issued by the UK Information Commissioner’s Office.

1. Purpose and Scope

1.1 This Data Processing Agreement (“DPA”) sets out the terms on which Outreachly processes personal data on behalf of the Customer in connection with the services provided under the Agreement between the parties.

1.2 The purpose of this DPA is to ensure that both parties comply with their respective obligations under applicable data protection legislation, including but not limited to:

the UK General Data Protection Regulation (“UK GDPR”);
the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”); and
any other applicable laws or regulations concerning privacy and data protection that may apply to the processing of personal data under the Agreement (collectively, the “Applicable Data Protection Laws”).

1.3 This DPA applies solely to the extent that Outreachly acts as a data processor on behalf of the Customer. It does not apply where Outreachly acts as a data controller in its own right, such as when processing data for its own business operations or marketing activities.

1.4 This DPA supersedes any prior agreements, terms, or arrangements between the parties relating to the processing of personal data under the Agreement. It forms an integral part of the Agreement and shall prevail over any conflicting provisions relating to data protection.

2. Roles of the Parties

2.1 This Data Processing Agreement governs the Processing of Personal Data by Outreachly on behalf of the Customer in connection with the performance of the Services under the Agreement.

2.2 The Parties acknowledge and agree that, for the purposes of the Applicable Data Protection Laws:

Outreachly acts as a Processor when Processing Personal Data strictly on behalf of the Customer and in accordance with the Customer’s documented instructions in relation to the provision of the Services; and
Outreachly acts as an independent Controller with respect to the Processing of Personal Data for its own legitimate business purposes, such as direct marketing, customer account administration, billing, internal analytics, platform monitoring, or regulatory compliance.

2.3 This DPA does not apply to Processing carried out by Outreachly in its capacity as a Controller. Such Processing is governed by Outreachly’s Privacy Policy and is subject to applicable legal bases as defined under the UK GDPR and EU GDPR.

3. Processing Details

Category	Description
Nature & Purpose of Processing	Outreachly processes Personal Data solely for the purpose of delivering the Services under the Agreement. This includes lead generation, platform access, outreach automation, analytics, customer support, and other related business services as initiated by the Customer.

Types of Personal Data

Personal Data processed may include: full name, email address, job title, company name, and phone number. Outreachly does not record or process IP addresses.

Categories of Data Subjects

Data Subjects include individuals identified as business leads, prospects, contacts, or authorised users of the Customer’s Outreachly account. Outreachly does not collect or process data relating to the customers of the Customer unless explicitly provided by the Customer.

Duration of Processing

Personal Data is processed for the duration of the Agreement. Upon termination or expiry of the Agreement, Personal Data is securely deleted or anonymised unless further retention is required by applicable law. Login data for authorised platform users is retained for up to 12 months after termination for audit and record-keeping purposes, unless otherwise instructed by the Customer.

Data Location

Data is primarily hosted and processed within the European Economic Area (EEA). Where Personal Data is transferred outside the EEA or UK, such transfers are subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) or equivalent mechanisms recognised under Applicable Data Protection Law.

4. Roles and Responsibilities

4.1 Outreachly as Processor

Outreachly, when acting as a data processor on behalf of the Customer, shall:

Process Personal Data solely on the Customer’s documented instructions, as set out in this DPA or as otherwise communicated in writing, unless required to do so by law (in which case Outreachly will inform the Customer, unless prohibited from doing so).
Implement and maintain appropriate technical and organisational measures (TOMs) to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage, in accordance with Article 32 of the GDPR.
Provide reasonable assistance to the Customer in ensuring compliance with Articles 32 to 36 of the GDPR, including data security, breach notification, data protection impact assessments (DPIAs), and prior consultation with supervisory authorities.
Not retain, use, disclose, sell, or share Personal Data for any purpose other than for the performance of the Services under the Agreement or as required by law.
Ensure that all personnel who have access to or process Personal Data are contractually bound by confidentiality obligations and have received appropriate training in data protection and security.
Maintain records of processing activities under its responsibility, as required under Article 30(2) of the GDPR.

4.2 The Customer as Controller

The Customer, acting as data controller (or as a processor acting on behalf of another controller), shall:

Ensure that it has a valid legal basis under the Applicable Data Protection Law for the collection and sharing of Personal Data with Outreachly for processing under this DPA.
Provide all necessary privacy notices to Data Subjects and obtain valid consents or authorisations where required by law.
Be responsible for the accuracy, quality, and lawfulness of the Personal Data it provides to Outreachly and for ensuring that such data is not excessive or irrelevant to the Services provided.
Maintain an up-to-date record of its own processing activities in accordance with applicable legal requirements.
Be responsible for managing and responding to all requests from Data Subjects, supervisory authorities, or other third parties concerning the Personal Data processed under this DPA. Outreachly will provide reasonable assistance upon written request, as outlined in Section 7 (Data Subject Rights).

5. Sub-Processors

5.1 The Customer acknowledges and agrees that Outreachly may engage third-party service providers (“Sub-Processors”) to support the delivery of the Services, where such Sub-Processors process Personal Data on behalf of Outreachly.

5.2 As of the effective date of this DPA, Outreachly engages the following Sub-Processors in connection with the Services:

Google – provision of GSuite (email and calendar API) services, including sending email communications and booking meetings;
Cloudflare – provision of network security and content delivery (CDN) infrastructure;
Make (formerly Integromat) – automation and third-party integration orchestration;
Other Sub-Processors – a full and current list can be made available upon request.

5.3 Outreachly shall ensure that each Sub-Processor is contractually bound to comply with data protection obligations that are no less protective than those set out in this DPA, in accordance with Article 28(4) of the GDPR.

5.4 Outreachly shall:

Remain fully responsible for the performance of its Sub-Processors and for their compliance with this DPA;
Restrict Sub-Processor access to Personal Data to only what is necessary to perform the specific services subcontracted;
Ensure Sub-Processors process Personal Data strictly in accordance with Outreachly’s instructions and only for the purpose of fulfilling Outreachly’s obligations under the Agreement.

5.5 Outreachly shall provide the Customer with prior notice of any intended changes concerning the addition or replacement of Sub-Processors. The Customer may object to such changes on reasonable and documented grounds relating to data protection. If Outreachly cannot accommodate the objection, the Customer may terminate the relevant portion of the Services without penalty.

6. Security Measures

6.1 Outreachly shall implement and maintain appropriate technical and organisational measures (“TOMs”) to ensure a level of security appropriate to the risk associated with the Processing of Personal Data under this DPA. These measures are designed to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage, and shall take into account the nature, scope, context, and purposes of the Processing, as well as the likelihood and severity of the risk to Data Subjects.

6.2 Outreachly’s security controls include, but are not limited to:

Encryption of Personal Data in transit using TLS 1.2 or higher, and at rest using AES-256 or equivalent standards;
Role-based access control (RBAC), with two-factor authentication (2FA) required for access to privileged systems and administrative tools;
Logging and continuous monitoring of access to systems containing Personal Data;
Regular internal access reviews and system audits, including periodic review of user permissions;
Employee security awareness training and mandatory confidentiality undertakings for all personnel with access to Personal Data;
Secure software development lifecycle (SSDLC) practices, including code reviews, version control, and vulnerability patching;
Patch and update management across production systems to ensure timely mitigation of known vulnerabilities.

6.3 Outreachly shall test, assess, and evaluate the effectiveness of its technical and organisational measures at regular intervals and update them where necessary to maintain appropriate security standards.

6.4 A detailed overview of Outreachly’s Technical and Organisational Measures (TOMs) is available to the Customer upon written request.

7. Data Subject Rights

7.1 Outreachly shall, to the extent legally permitted, promptly notify the Customer if it receives any request from a Data Subject in relation to Personal Data processed on the Customer’s behalf. This includes requests to access, rectify, erase, restrict, or object to the Processing of Personal Data, or to exercise the right to data portability.

7.2 Outreachly shall not respond to any such request directly, unless:

It is legally required to do so, in which case it shall inform the Customer before responding (unless prohibited by law); or
The Customer has given prior written instructions authorising Outreachly to respond on its behalf.

7.3 Outreachly shall provide reasonable assistance to the Customer, taking into account the nature of the Processing, to enable the Customer to fulfil its obligations to respond to Data Subject requests under Articles 12 to 23 of the UK GDPR and/or EU GDPR.

7.4 If a request is made directly to Outreachly that clearly relates to the Customer’s data, Outreachly may inform the Data Subject that the request has been referred to the Customer and provide the Customer’s relevant contact details, unless otherwise directed by the Customer.

8. International Transfers

8.1 Where the Processing of Personal Data involves a transfer to a country outside the United Kingdom or European Economic Area (EEA) that does not benefit from an adequacy decision issued by the relevant supervisory authority, Outreachly shall ensure that such transfers are made in compliance with the Applicable Data Protection Laws.

8.2 In such cases, Outreachly shall implement appropriate safeguards to protect the Personal Data, which may include:

The execution of the European Commission’s Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914;
The UK International Data Transfer Addendum (IDTA) to the SCCs, as adopted by the UK Information Commissioner’s Office; or
Other lawful transfer mechanisms recognised under UK and/or EU GDPR.

8.3 Outreachly shall conduct a Transfer Impact Assessment (TIA) as required, considering the nature of the data, destination country laws and practices, and technical and organisational measures in place, to assess whether the SCCs or other safeguards provide adequate protection.

8.4 The Customer may request a summary of the legal safeguards and transfer mechanisms implemented by Outreachly in relation to any international data transfer. Outreachly shall respond to such requests in a reasonable timeframe, subject to commercial confidentiality and legal restrictions.

9. Security Incident Management

9.1 In the event of a Personal Data breach involving Customer Data, Outreachly shall notify the Customer without undue delay, and in any case within seventy-two (72) hours of becoming aware of the breach, unless such breach is unlikely to result in a risk to the rights and freedoms of natural persons.

9.2 Outreachly shall provide the Customer with timely updates as information becomes available and shall cooperate fully with the Customer to support any required breach notification to supervisory authorities and/or affected Data Subjects, including by:

Describing the nature and scope of the breach, including where possible the categories and approximate number of Data Subjects and records concerned;
Outlining the likely consequences or risks arising from the breach;
Describing the measures taken or proposed to address the breach and mitigate its possible adverse effects;
Assisting in containment, investigation, and remediation activities as necessary.

9.3 Outreachly’s notification of a breach under this section shall not be construed as an acknowledgment by Outreachly of any fault or liability with respect to the breach.

9.4 The Customer is responsible for determining whether to notify the competent supervisory authority and/or affected Data Subjects, and for fulfilling any such obligations under the Applicable Data Protection Laws.

10. Data Retention and Deletion

10.1 Outreachly shall retain Personal Data only for as long as necessary to fulfil its obligations under the Agreement, or as otherwise required by Applicable Data Protection Laws.

10.2 Platform user account data (such as login credentials and user access logs) may be retained for up to twelve (12) months following the date of last activity or termination of the Agreement, unless the Customer provides written instructions for earlier deletion.

10.3 Upon termination or expiration of the Agreement, or upon written request by the Customer, Outreachly shall securely delete or return all Customer Data, unless retention is required by applicable law or necessary to fulfill outstanding legal obligations.

10.4 Outreachly shall confirm in writing the completion of such deletion or return upon request. Where deletion is not technically feasible, Outreachly will ensure continued protection of the Personal Data in accordance with this DPA.

11. Audit Rights

11.1 Outreachly shall, upon written request, make available to the Customer all relevant documentation necessary to demonstrate compliance with its obligations under this DPA and the Applicable Data Protection Laws.

11.2 Where the Customer reasonably considers that such documentation is insufficient to demonstrate compliance, and subject to reasonable prior notice and appropriate confidentiality undertakings, Outreachly shall permit the Customer (or a qualified and independent third-party auditor appointed by the Customer) to conduct an on-site or remote audit or inspection of Outreachly’s data processing practices and facilities.

11.3 Such audits:

Shall be limited to once in any twelve (12) month period, unless required by a competent supervisory authority or in response to a verified Security Incident;
Must be conducted during normal business hours and in a manner that minimises disruption to Outreachly’s operations;
Shall not grant access to systems, data, or infrastructure unrelated to the processing of the Customer’s Personal Data;
May be subject to a reasonable fee where audits involve material time, resources, or access requests beyond industry standard practice.

11.4 Outreachly reserves the right to propose an equivalent audit report prepared by an independent third party, provided the report addresses the scope of the Customer’s inquiry and is no more than twelve (12) months old.

12. Term and Termination

12.1 This DPA shall remain in full force and effect for the duration of the Agreement, and for so long as Outreachly processes Personal Data on behalf of the Customer.

12.2 Termination or expiry of the Agreement shall automatically terminate this DPA, without the need for further action, except to the extent that Outreachly is required to retain Personal Data in accordance with Section 10 (Data Retention and Deletion).

13. Liability and Indemnity

13.1 Nothing in this DPA shall limit or exclude either party’s liability for:

Death or personal injury resulting from negligence;
Fraud or fraudulent misrepresentation; or
Any other liability which cannot be lawfully limited or excluded under applicable law.

13.2 Subject to clause 13.1, to the maximum extent permitted by law:

Outreachly shall not be liable, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, for any indirect, incidental, punitive, special, or consequential loss or damage, or for any loss of profits, loss of business, loss of data, loss of reputation, or anticipated savings arising out of or in connection with this DPA, even if Outreachly was advised of the possibility of such damages; and
Outreachly’s total aggregate liability arising out of or in connection with this DPA (whether in contract, tort, or otherwise) shall in no event exceed the total fees paid by the Customer under the Agreement in the twelve (12) months preceding the event giving rise to the claim.

13.3 The Customer shall indemnify and hold harmless Outreachly against all claims, losses, damages, liabilities, costs, and expenses (including reasonable legal fees) arising out of or in connection with:

Any breach by the Customer of its obligations under this DPA or Applicable Data Protection Laws;
Any instruction given by the Customer that infringes the GDPR, UK GDPR, or other applicable laws;
Any processing carried out by Outreachly in accordance with the Customer’s documented instructions.

14. Governing Law and Jurisdiction

14.1 This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales.

14.2 The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this DPA or its subject matter.

15. Contact Details

For all privacy or data protection-related enquiries, please contact:

Email: [email protected]

Address: ReachSoft OÜ, Järvevana tee 9, Tallinn, 11314, Estonia