How Outreach approaches GDPR

Outreach is committed to earning and maintaining our customers’ trust and confidence. 

Protecting our customers’ data is the cornerstone of our security program. It is ingrained in how we design our products, the operational security practices we put in place, the layers of protection we provide to reduce the risk of a single point of failure, and the key legal, regulatory, and compliance certifications and attestations that we meet.

What is GDPR? 

GDPR stands for General Data Protection Regulation. It is a comprehensive data protection and privacy law introduced by the European Union (EU) in 2018 to protect individuals' personal data and enhance their privacy rights.

GDPR applies to any organization that collects, processes, or stores personal data of individuals within the EU, regardless of whether the organization is located within the EU or not. 

GDPR grants individuals several rights, such as the right to access their data, the right to rectify inaccuracies, the right to erasure (also known as the "right to be forgotten"), the right to restrict processing, the right to data portability, and the right to object to processing.

For more information related to GDPR compliance, visit the Outreach Knowledge Base.

How Outreach helps organizations meet their GDPR requirements 

Outreach has implemented processes and procedures to ensure both Data Controller and Data Processor obligations are met. Outreach has determined that our current security and data privacy controls, and certifications including ISO 27001 and ISO 27701, allow Outreach to adhere to the GDPR’s requirements applicable to Outreach’s business. GDPR compliance requirements are built into the control framework Outreach is audited against as a part of our ISO 27701 certification. 

A core component of GDPR is ensuring that your data processors implement security best practices for safeguarding personal data. Outreach already has a number of these security and privacy mechanisms in place.

Data privacy features at a glance

Unsubscribe and opt-out

Outreach provides an opt-out mechanism for email communication done through our platform. If a prospect decides to stop receiving emails sent with Outreach, we respect the prospect's choice and Outreach users are notified appropriately.

Right to be Forgotten feature

Customer admins are able to process single Right to be Forgotten (RTBF) within their admin menu in the Outreach platform. Customers are also provided an API solution to perform bulk deletion if needed.

Communication preferences

Outreach provides the ability to granularly opt-out prospects from emails and calls.

Standard contractual clauses

Outreach includes EU model clauses in customer contracts to ensure international data transfers abide by GDPR requirements.

EU data tenancy

Outreach's EU data center is available cross-platform for customers who require EU data tenancy.


Data is encrypted both at rest and in transit using the industry-leading encryption standards. Outreach employs a top-tier Security Incident and Event Monitoring (SIEM) solution to monitor protected information.

Ongoing penetration testing

Outreach employs a private bug bounty program that enables a large pool of security researchers to test our platform on a continuous basis.


When a user connects to Outreach, they use a web browser over an enforced Transport Layer Security (TLS) 1.2 or higher connection. The Outreach platform supports federated access via SAML 2.0 in order to provide SSO by any number of Identity Providers (IdP).


Profiles are configured in Outreach to allow or deny certain activity within the platform. Users and groups can be assigned roles that grant access only to parts of the platform necessary to perform their job functions. Groups can exist in a role hierarchy and inherit permissions from other groups.

For more information or to find specific documentation related to GDPR, visit our Trust page.

Over 6,000 global customers trust Outreach