Data Processing Agreement

Last updated: 9 April 2026 · Version 1.0

This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Controller", "you") and Outlain ("Processor", "we", "us") for the use of the Outlain platform, as described in our Terms of Use.

This DPA applies where Outlain processes personal data on your behalf and reflects the parties' obligations under the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.

1. Definitions

  • "Personal data" means any information relating to an identified or identifiable natural person that you upload to or process through the Platform
  • "Processing" means any operation performed on personal data, including collection, storage, analysis, retrieval, and deletion
  • "Subprocessor" means a third party engaged by Outlain to process personal data on your behalf
  • "Data protection laws" means the GDPR, UK GDPR, and any other applicable data protection legislation

2. Scope and purpose of processing

  • Subject matter: Provision of the Outlain product intelligence platform
  • Duration: For the term of the service agreement plus the data deletion period (30 days)
  • Nature of processing: Storage, AI-powered analysis, theme extraction, specification generation, intelligent search
  • Categories of data subjects: Individuals referenced in uploaded documents (e.g., interview participants, meeting attendees, customers mentioned in transcripts)
  • Types of personal data: Names, job titles, opinions, quotes, and any other personal data contained in uploaded documents

3. Processor obligations

Outlain shall:

  • Process personal data only on your documented instructions, as described in the Terms of Use and this DPA
  • Ensure that persons authorised to process personal data have committed to confidentiality
  • Implement appropriate technical and organisational security measures (see Section 5)
  • Not engage another processor (subprocessor) without your prior general authorisation and 30 days' notice of changes
  • Assist you in responding to data subject requests (access, rectification, erasure, portability)
  • Assist you with data protection impact assessments and consultations with supervisory authorities where required
  • Delete or return all personal data upon termination of the service, at your choice, within 30 days
  • Make available all information necessary to demonstrate compliance and allow for audits

4. Controller obligations

You shall:

  • Ensure you have a lawful basis for processing personal data uploaded to the Platform
  • Inform data subjects that their personal data may be processed by AI services as described in the Privacy Policy
  • Not upload special category data (health, biometric, genetic data, etc.) unless you have explicit consent and a lawful basis
  • Provide documented instructions for processing that are consistent with the Terms of Use

5. Security measures

Outlain implements the following technical and organisational measures:

  • Encryption in transit: All data is encrypted during transmission
  • Encryption at rest: All stored data is encrypted using industry-standard methods
  • Authentication: Industry-standard password hashing, secure session management
  • Access control: Database-level isolation prevents cross-user data access
  • Payment security: Payment data handled entirely by a certified third-party payment processor
  • AI provider controls: AI subprocessors do not use customer data for model training
  • Incident response: We will notify you of any personal data breach without undue delay and no later than 72 hours after becoming aware of it

6. Subprocessors

You provide general authorisation for Outlain to engage subprocessors. The current subprocessor list is available on request. We will notify you at least 30 days before engaging a new subprocessor. If you object, you may terminate the service in accordance with the Terms of Use.

7. International data transfers

Personal data may be transferred to and processed in the United States by our subprocessors. We ensure appropriate safeguards for international transfers through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Module 2: Controller to Processor)
  • Data Processing Agreements with all subprocessors
  • Supplementary measures where required by the data exporter's supervisory authority

8. Data subject requests

If we receive a request directly from a data subject regarding personal data you control, we will promptly redirect them to you. We will assist you in responding to data subject requests through the Platform's features (data export, deletion) and, where necessary, through additional technical support.

9. Audit rights

Upon reasonable request and with at least 30 days' notice, you may audit our compliance with this DPA. Audits shall be conducted during normal business hours, at your expense, and no more than once per year unless required by a supervisory authority. We may satisfy audit requests by providing relevant certifications, reports, or documentation.

10. Term and termination

This DPA remains in effect for the duration of the service agreement. Upon termination, we will delete all personal data within 30 days, unless retention is required by applicable law. At your request prior to deletion, we will export your data in a structured, machine-readable format.

Executing this DPA

This DPA applies automatically to all Team and Enterprise customers. If you require a countersigned copy or wish to discuss modifications, contact us at outlain.ai/about/contact.
