Data Processing Addendum

This Data Processing Addendum (the "DPA") describes how Outword LLC ("Outword," "we," "us," or "our") processes personal data on behalf of its clients in delivering managed outbound services. It reflects the terms that govern that processing and is executed as part of an enterprise agreement between Outword and the client.

1. Roles of the Parties

For personal data processed in connection with the services, the client is the controller and determines the purposes and means of processing. Outword is the processor and processes that personal data only on the client documented instructions, including as set out in the applicable agreement and statement of work. Where Outword engages another party to process personal data, that party acts as a subprocessor under this DPA.

2. Scope and Nature of Processing

Outword processes personal data to provide managed outbound services, including building and validating target audiences, preparing and delivering multichannel outreach, handling replies, and reporting on results. The categories of data subjects are typically business contacts and prospects of the client. The categories of personal data typically include business contact details such as name, work email address, job title, employer, and engagement signals. Processing continues for the duration of the engagement, unless the agreement provides otherwise.

3. Processor Obligations

Outword, acting as processor, agrees to:

• Process personal data only on the client documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case Outword will inform the client where permitted).
• Ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations.
• Implement and maintain appropriate technical and organizational security measures, as described below.
• Assist the client, taking into account the nature of the processing, in responding to data subject requests and in meeting its obligations regarding security, breach notification, and data protection impact assessments.
• Make available information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits in accordance with the agreement.

4. Security Measures

Outword maintains administrative, technical, and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, loss, or destruction, appropriate to the risk. These measures include, as applicable:

• Access controls that limit access to personal data to authorized personnel on a need-to-know basis.
• Encryption of data in transit and, where appropriate, at rest.
• Logging, monitoring, and segregation of environments used to deliver the services.
• Confidentiality obligations and security awareness expectations for personnel.
• Regular review of security measures and prompt remediation of identified risks.

Security questions about an engagement can be directed to security@outword.io.

5. Subprocessors

The client authorizes Outword to engage vetted subprocessors to deliver the services. Outword imposes data protection obligations on its subprocessors that are no less protective than those in this DPA, and remains responsible for their performance. The current list of subprocessors is maintained and provided under this DPA. Outword will give the client reasonable notice of any intended addition or replacement of a subprocessor, and the client may object on reasonable data protection grounds as set out in the agreement. See our Subprocessors page for more detail. (The published list of named subprocessors is a [PLACEHOLDER] pending counsel review.)

6. International Transfers

Where the provision of the services involves transferring personal data from the EU, UK, or other regulated regions to a country that has not received an adequacy decision, the parties rely on an appropriate transfer mechanism. This typically means incorporating the European Commission Standard Contractual Clauses (SCCs), and the UK International Data Transfer Addendum where applicable, together with any required supplementary measures. The applicable transfer mechanism is incorporated into the executed DPA.

7. Data Subject Requests

If Outword receives a request from a data subject to exercise rights under applicable data protection law in relation to personal data processed on behalf of the client, Outword will, where legally permitted, promptly notify the client and not respond to the request itself except on the client instructions. Outword will provide reasonable assistance to enable the client to respond to the request, including by suppressing or correcting the relevant data where instructed.

8. Personal Data Breach Notification

Outword will notify the client without undue delay after becoming aware of a personal data breach affecting personal data processed on the client behalf. The notification will include, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach. Outword will cooperate with the client and take reasonable steps to mitigate and remediate the breach.

9. Return and Deletion of Data

On termination or expiry of the services, and at the client choice, Outword will return or delete the personal data processed on the client behalf, and delete existing copies, unless retention is required by applicable law. The specific approach and timing are set out in the agreement. Pending deletion, Outword continues to protect the personal data in accordance with this DPA.

10. Liability and Precedence

The liability of each party under this DPA is subject to the limitations and exclusions in the agreement between the parties. In the event of a conflict between this DPA and the agreement on the subject of data protection, this DPA controls. In the event of a conflict between this DPA and the SCCs, the SCCs control to the extent of the conflict.

11. How to Execute This DPA

This DPA is entered into as part of an enterprise agreement with Outword. To request the current executable version, or to ask questions about data processing, contact us at privacy@outword.io, or by mail at Outword LLC, [REGISTERED ADDRESS TO BE SPECIFIED].