Security at Outword, built for enterprise review.
Outword runs outbound on your behalf, which means we handle your prospect data and send under your brand. We treat both as assets. This page sets out how we protect them, in terms your security team can evaluate.
Security that survives a vendor review.
We built Outword to clear enterprise security diligence, not to pass a checkbox. The controls below are the ones a CISO asks about: what data we hold and why, who can touch it, how it is encrypted, how we vet the people and vendors in the loop, and what happens if something goes wrong. We aim to make the review short by answering it before you ask.
What we control, and how
Data minimization
We collect and retain only the business-contact data an engagement needs to run. No consumer data, no special-category data, and we delete or return your data on request when the work ends.
Access controls
Access is least-privilege and role-based. Only the operators assigned to your engagement can reach your data, every account uses multi-factor authentication, and access is reviewed and revoked when roles change.
Encryption in transit and at rest
Data is encrypted in transit with modern TLS and encrypted at rest in the systems that store it. Credentials and secrets are held in a dedicated secrets store, never in plain files or shared documents.
Personnel and vendor controls
Operators are vetted, bound by confidentiality, and trained on data handling. We work with a short list of reputable sub-processors, each under a data processing agreement, and we keep the list current.
Authenticated sending
Every sending domain is set up with SPF, DKIM, DMARC, and reverse DNS. This proves the mail is genuinely from you, protects your domain from spoofing, and is what keeps legitimate outbound landing in the inbox.
Incident response
We monitor for problems and have a written response process: contain, investigate, notify affected clients without undue delay, and remediate. You get a named contact and a clear line of communication if anything happens.
We hold less, so there is less to protect.
The safest data is the data you never collect. Outword works with business-contact information for legitimate B2B outreach, nothing more. We scope what we ingest to the engagement, segregate client data, retain it only while the work is active, and delete or hand it back when you ask. Minimization is the first control, not an afterthought.
- Business-contact data only, scoped to the engagement
- Client data segregated, never pooled or resold
- Defined retention, with deletion or return on request
- No consumer or special-category data in scope
Your domain reputation is something we defend.
Sending under your brand is a privilege we protect. We authenticate every domain, warm sending carefully, hold complaint and bounce rates to strict limits, and honor opt-outs promptly. The benefit to you is twofold: your messages reach the inbox, and your domain reputation stays clean for the rest of your business, including the email your own team sends.
- SPF, DKIM, DMARC, and reverse DNS on every sending domain
- Strict bounce and complaint thresholds, monitored continuously
- Opt-outs honored promptly on every message
- Reputation protected for your whole organization, not just outbound
Compliant outreach by design.
Outword runs permission-based and legitimate-interest B2B outreach, and we operate to the major frameworks our clients answer to: GDPR for personal data of EU and UK individuals, CAN-SPAM for US email, and CASL for Canadian recipients. That means a lawful basis for processing, clear identification of the sender, a working and honored opt-out, and prompt handling of data subject requests. We help you stay inside the lines, not skirt them.
- GDPR: lawful basis, data minimization, and data subject request handling
- CAN-SPAM: accurate headers, clear identification, honored opt-out
- CASL: consent or a recognized exemption for Canadian recipients
- A data processing agreement available for engagements that need one
Proof
Security review without the friction.
Enterprise buyers ask the same questions: where does the data live, who can see it, how is it encrypted, and what happens in an incident. We answer them up front, in plain language, with the documentation a security team needs. The goal is a procurement process that moves forward, not one that stalls at the questionnaire.
Reflects the standard enterprise security diligence Outword is built to clear.
- 100%: sending domains authenticated
- 24h: target acknowledgment on a reported issue
Illustrative. Real metrics and named references are added with client approval.
Questions, answered
We will be straight with you: we do not claim a certification we do not hold. Outword operates controls aligned to the SOC 2 principles of security, availability, and confidentiality, and is built to meet enterprise security review. Where formal attestations or certifications apply to an engagement, we provide them under NDA when available. We would rather tell you exactly what we run than wave a logo.
Hand your security team the answers.
Book a call and we will walk your team through our controls and provide the documentation your review needs.