legal and compliance
Last updated May 25, 2026
This Data Processing Agreement (DPA) forms part of the agreement between OutPulse Technologies ("Processor") and the customer ("Controller") for the processing of personal data through the OutPulse platform. This DPA complies with GDPR Article 28, India DPDP Act 2023, UK GDPR, and other applicable data protection laws.
"Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
"Processing" means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.
"Controller" means the customer who determines the purposes and means of processing personal data through OutPulse.
"Processor" means OutPulse Technologies, which processes personal data on behalf of the Controller.
"Subprocessor" means any third party engaged by OutPulse to process personal data on behalf of the Controller.
"Data Principal" / "Data Subject" means the individual whose personal data is being processed.
OutPulse processes personal data solely for the purpose of providing the services described in the Terms of Service, including: email verification, email finding, lead management, outreach sequences, and related platform features.
Categories of data subjects: Business contacts, leads, and prospects uploaded or discovered by the Controller.
Types of personal data: Email addresses, names, job titles, company names, phone numbers, LinkedIn profile URLs, verification status, and engagement metrics.
Duration: Processing continues for the duration of the service agreement. Upon termination, data is deleted within 30 days unless legally required to retain.
Process personal data only on documented instructions from the Controller, unless required by law.
Ensure that persons authorized to process personal data are bound by confidentiality obligations.
Implement appropriate technical and organizational security measures (see Section 6).
Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection).
Notify the Controller of any personal data breach without undue delay and within 72 hours of becoming aware.
Delete or return all personal data upon termination of the agreement, at the Controller's choice.
Make available all information necessary to demonstrate compliance and allow for audits.
Ensure that the processing of personal data through OutPulse has a lawful basis (consent, legitimate interest, or contractual necessity).
Provide clear instructions to OutPulse regarding the processing of personal data.
Ensure that data subjects have been informed about the processing and their rights.
Comply with all applicable data protection laws in the jurisdictions where data subjects are located.
Obtain any required consent before using OutPulse's outreach features to contact data subjects.
OutPulse uses the following subprocessors. The Controller is deemed to have given general written authorization for these subprocessors:
• Supabase Inc. (Database, Authentication) - United States / EU - SOC 2 Type II
• Stripe Inc. (Payment Processing) - United States - PCI DSS Level 1, SOC 2
• Resend Inc. (Email Delivery) - United States - SOC 2
• Hetzner Online GmbH (Infrastructure) - Germany / United States - ISO 27001
• Cloudflare Inc. (CDN, Security) - United States - SOC 2, ISO 27001
• Sentry (Error Monitoring - anonymized data only) - United States - SOC 2
• Prospeo / Clearbit / People Data Labs (Email Discovery - only when user initiates) - United States
OutPulse will notify the Controller at least 30 days before adding or replacing a subprocessor. The Controller may object within 14 days; if the objection cannot be resolved, the Controller may terminate the affected services.
OutPulse implements the following technical and organizational measures:
• Encryption at rest (AES-256) and in transit (TLS 1.2+)
• Row-Level Security (RLS) ensuring data isolation between customers
• API key hashing (SHA-256) - raw keys never stored
• Rate limiting and abuse detection on all endpoints
• Regular vulnerability scanning and dependency auditing
• Access controls: principle of least privilege for all personnel
• Incident response plan with 72-hour breach notification
• Annual security review and penetration testing
• Employee security training and confidentiality agreements
Where personal data is transferred outside the EEA/UK, OutPulse relies on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914).
For transfers from India, OutPulse complies with DPDP Act requirements regarding permitted jurisdictions for cross-border data transfer.
All subprocessors maintain appropriate data protection certifications and contractual safeguards.
OutPulse will assist the Controller in fulfilling data subject requests within the following timeframes:
• GDPR: 30 days from receipt of verified request
• India DPDP Act: 7 days from receipt of verified request
• CCPA: 45 days from receipt of verified request
The Controller can use OutPulse's self-service data export (GET /api/user/gdpr) and deletion (DELETE /api/user/gdpr) endpoints to fulfill requests directly.
In the event of a personal data breach, OutPulse will:
1. Notify the Controller within 72 hours of becoming aware of the breach.
2. Provide details including: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
3. Cooperate with the Controller in notifying supervisory authorities and affected data subjects as required by law.
4. For India DPDP Act: Notify the Data Protection Board of India (DPBI) within 72 hours.
The Controller may audit OutPulse's compliance with this DPA once per year, with 30 days written notice.
Audits shall be conducted during normal business hours and shall not unreasonably interfere with OutPulse's operations.
OutPulse may satisfy audit requests by providing: SOC 2 reports, ISO 27001 certificates, penetration test summaries, or other third-party audit reports.
This DPA is effective for the duration of the service agreement between the parties.
Upon termination: OutPulse will delete all personal data within 30 days, unless legally required to retain. The Controller may request a data export before deletion.
Sections 6 (Security), 9 (Breach Notification), and 10 (Audit Rights) survive termination.
This DPA is governed by the same law as the underlying service agreement.
For EU/EEA data subjects: GDPR provisions take precedence where they conflict with other terms.
For Indian data principals: DPDP Act 2023 provisions apply.
Enterprise customers: Contact legal@outpulse.io to receive a countersigned copy of this DPA.
Self-service customers: By using OutPulse, you accept this DPA as part of the Terms of Service. A signed PDF copy is available upon request.
Custom DPA requirements: If your organization requires modifications, contact legal@outpulse.io.
Contact OutPulse if your team needs DPAs, vendor-security documentation, or clarification on how marketing-site policies map to the application workspace.