DATA PROCESSING AGREEMENT (DPA)
This Outkeep Data Processing Agreement and its Annexes (“DPA”) is incorporated into and forms part of our Customer Terms of Service between you and us (the “Agreement”). This DPA reflects the parties’ agreement with respect to (i) the Processing of Customer Personal Data by us as a Processor on your behalf, and (ii) the Processing of Controller Personal Data by each party as a Controller in connection with our enrichment products and your use of the Outkeep tracking code.
In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over other terms in the Agreement to the extent of such conflict or inconsistency. The Controller-to-Processor terms apply solely to the extent that Outkeep is a Processor of Customer Personal Data in connection with the Subscription Services. The Controller-to-Controller terms apply solely to the extent that Customer uses our enrichment products or the Outkeep Tracking Code with Intent data sharing enabled, and each party is considered a Controller under Data Protection Laws.
We update these terms from time to time. If you have an active Outkeep subscription, we will let you know when we do via email notification). You can find archived versions of the DPA in our archives located on our website. The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
1. DEFINITIONS
“California Personal Information” means Customer Personal Data that is subject to the protection of the CCPA.
“CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 or “CPRA”).
“Consumer,” “Business,” “Sell,” “Service Provider,” and “Share” will have the meanings given to them in the CCPA.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing Personal Data.
“Controller Personal Data” means Personal Data that each party Processes as a Controller in connection with the enrichment products or the Outkeep Tracking Code, and each party is considered a Controller under Data Protection Laws.
“Customer Personal Data” means Personal Data contained within Customer Data that Outkeep Processes as a Processor on behalf of Customer.
“Customer Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Subscription Services.
“Data Protection Laws” means all applicable United States federal and state legislation relating to data protection and privacy which applies to the Processing of Personal Data under the Agreement, including the CCPA, and other applicable U.S. federal and state privacy laws, in each case as amended, repealed, consolidated, or replaced from time to time.
“Data Broker Laws” means all applicable United States state laws regulating data brokers, including but not limited to California Civil Code Section 1798.99.80 et seq., Texas Business and Commerce Code Chapter 509, Oregon Revised Statutes Chapter 646A, and Vermont Statutes Title 9, Chapter 62A, as may be amended, superseded, or replaced.
“Data Subject” means the individual to whom Personal Data relates.
“Instructions” means the written, documented instructions issued by Customer to Outkeep, and directing Outkeep to perform a specific or general action with regard to Customer Personal Data (including, but not limited to, depersonalizing, blocking, deletion, and making available).
“Personal Data” means any information relating to an identified or identifiable individual where such information is protected similarly as personal data, personal information, or personally identifiable information under Data Protection Laws.
“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.
“Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
“Sub-Processor” means any Processor engaged by us or our Affiliates to assist in fulfilling our obligations with respect to the Processing of Customer Personal Data under the Agreement.
“Transfer Impact Assessment” or “TIA” means an assessment conducted to evaluate whether adequate protection can be ensured for Personal Data transferred to countries without adequate data protection laws.
2. CUSTOMER RESPONSIBILITIES
2.1 Compliance with Laws. Within the scope of the Agreement and your use of the services, you will be responsible for complying with all requirements that apply to you under Data Protection Laws with respect to your Processing of Personal Data. You are solely responsible for transparency, lawful collection, obtaining necessary consents, honoring opt-out preferences, and ensuring legal basis for transfers and marketing.
2.1.1 Data Broker Compliance. You acknowledge that Outkeep is registered as a data broker in California, Texas, Oregon, and Vermont. When using our enrichment products or commercial dataset, you agree to:
(i) Provide clear notice in your privacy policy that data may be obtained from data broker sources, including specific reference to Outkeep as a data broker;
(ii) Include opt-out instructions directing individuals to email privacy@localhost with “Data Broker Opt-Out” in the subject line;
(iii) Honor opt-out requests within 15 business days and maintain records of compliance efforts;
(iv) Comply with all applicable Data Broker Laws including registration, disclosure, and consumer rights requirements;
(v) Indemnify Outkeep against any claims arising from your failure to comply with Data Broker Laws in connection with your use of our commercial dataset.
2.2 Customer Instructions. You are responsible for ensuring that your Instructions to us regarding the Processing of Customer Personal Data comply with applicable laws, including Data Protection Laws.
2.3 Security. You are responsible for independently determining whether the data security provided for in the Subscription Service adequately meets your obligations under Data Protection Laws.
2.4 AI Processing Compliance. When using Outkeep’s AI features and functionality, you acknowledge and agree to: establish legal basis, provide notice, enable opt-out mechanisms, ensure fairness, and maintain accuracy in AI decisions.
3. OUTKEEP OBLIGATIONS AS PROCESSOR
3.1 Compliance with Instructions. We will Process Customer Personal Data only for the purposes described in this DPA, except as otherwise required by law.
3.2 Conflict of Laws. If we cannot Process due to a legal requirement, we will notify you and suspend processing until new lawful Instructions are received.
3.3 Security. We will implement and maintain technical and organizational measures to protect Customer Personal Data, as detailed in Annex 2.
3.4 Confidentiality. We will ensure authorized personnel are under confidentiality obligations.
3.5 Customer Personal Data Breaches. We will notify you without undue delay after becoming aware of any Customer Personal Data Breach and assist with compliance duties.
3.6 Deletion or Return. We will delete or return all Customer Data after termination unless retention is required by law.
3.7 AI Processing Obligations. We will process AI data based on legitimate business interest, with safeguards, human oversight, and opt-out honoring within 30 days.
4. DATA SUBJECT REQUESTS
We provide tools to manage retrieval, correction, deletion, or restriction of Customer Personal Data. If unable to address a Data Subject Request, we will assist at your cost. If requests are sent directly to us, we will notify you and direct individuals to contact you.
4.1 Data Broker Opt-Out Requests
We will process opt-out requests sent to privacy@localhost within 15 business days, notify you of affected Controller data, cease commercial use, and maintain audit records.
5. SUB-PROCESSORS
We may engage Sub-Processors as described in Annex 3. We remain responsible for their performance. You will be notified of any changes and may object on reasonable grounds. We also conduct Transfer Impact Assessments for international Sub-Processors and require equivalent safeguards.
6. INTERNATIONAL TRANSFERS
We may transfer data internationally with contractual, technical, and organizational safeguards, including encryption, access control, legal compliance, and TIAs. You are responsible for conducting your own TIAs and providing required Data Subject notices.
7. CONTROLLER TO CONTROLLER
When both parties act as Controllers (for enrichment or tracking code with intent sharing), each acts independently, fulfills its own obligations, and manages Data Subject Requests separately. Both parties will comply with Data Broker Laws and restrict use to agreed business purposes.
8. CALIFORNIA PERSONAL INFORMATION
We comply with the CCPA as a Service Provider. We will not sell or disclose California Personal Information beyond the Agreement’s purposes. Sub-Processors are bound by equivalent terms. AI processing is considered a business purpose under the CCPA; no sale occurs, and opt-out requests are honored within 15 business days.
9. GENERAL PROVISIONS
Affiliate compliance, liability limits, and order of precedence follow the General Terms. Nothing limits Data Subject rights. This DPA becomes legally binding upon your acceptance of the Agreement.
ANNEX 1: DETAILS OF PROCESSING
Parties: Customer (Controller) and Outkeep (Processor).
Data Subjects: Contacts, prospects, customers, users, and other individuals.
Categories: Contact info, demographics, professional and behavioral data.
Frequency: Continuous.
Purpose: Provide Subscription Service.
Retention: Duration of subscription and per Agreement.
D. Data Broker Processing Details
- Purpose: Enhancement of professional contact database
- Legal Basis: Legitimate business interest
- Opt-Out: Email privacy@localhost with “Data Broker Opt-Out” in subject line
E. AI Processing Details
- Purpose: Improvement of AI features and functionality
- Legal Basis: Legitimate interest
- Safeguards: Security measures and human oversight
- Opt-Out: Email privacy@localhost with “AI Processing Opt-Out” in subject line
ANNEX 2: SECURITY MEASURES
Technical: Access control, encryption, system hardening, vulnerability management, secure backups, and network monitoring.
Organizational: Personnel screening, confidentiality agreements, physical security, incident response, compliance audits.
Transfer Security: Enhanced encryption, secure protocols (TLS 1.3+), logging, contractual restrictions, localization options.
Data Broker Security: Segregated storage, opt-out processing systems, audit trails, and compliance monitoring.
AI Security: Isolated training environments, anonymization, model security, output monitoring, and retention controls.
ANNEX 3: SUB-PROCESSORS
List available at outkeep.com/legal/data-processing-agreement. Includes infrastructure and hosting, analytics and monitoring, and communication providers. Sub-Processors involved in Data Broker or AI activities must meet enhanced due diligence and opt-out requirements.
ANNEX 4: CONTACT DETAILS
Email: privacy@localhost
Address: [Outkeep Company Address]
- General DPA Questions: privacy@localhost
- Data Subject Requests: privacy@localhost
- Data Broker Opt-Out: privacy@localhost (Subject: “Data Broker Opt-Out”)
- AI Processing Opt-Out: privacy@localhost (Subject: “AI Processing Opt-Out”)
- Transfer Assessment Requests: privacy@localhost (Subject: “Transfer Assessment Request”)
- Security Incidents: security@localhost
- Sub-Processor Objections: privacy@localhost (Subject: “Sub-Processor Objection”)
