Trust and Safety

Outreach’s commitment to trust

Providing a secure platform for our customers is fundamental to Outreach’s mission. It’s one of many reasons why over 5,500 customers trust Outreach with their data.

Protecting your data is our first priority

Protecting our customers' data is the cornerstone of our security and privacy program. It is ingrained in how we design our products, the operational security practices we put in place, the layers of protection we provide, and the key certifications and attestations that we meet. Read below to learn more about how we protect your data.
Cloud datacenter security
Outreach’s production infrastructure is hosted on Amazon Web Services as our primary Infrastructure as a Service (IaaS) provider. In addition to AWS’s extensive list of security and privacy certifications, Outreach also implements and attests to its own set of policies and practices to secure your data.
Compute security
Outreach services run primarily as Kubernetes-controlled containers. Outreach’s policies and standards also govern the management of our container infrastructure.
Data security

Data is encrypted both at rest and in transit using industry-leading encryption standards. Outreach employs a top-tier Security Incident and Event Monitoring (SIEM) solution to monitor protected information. The Outreach platform also provides additional controls, such as governance capabilities, to further protect our customers’ users and their data.

Data protection and privacy

Outreach bases our privacy standards and policies on the General Data Protection Regulation (EU/UK) and California Privacy Legislation. We support our customers in protecting the data subject rights of the individuals whose data they steward. Our ISO 27701 certification process specifically targeted GDPR and CCPA requirements and is available for download in our Outreach Trust Center.

Endpoint security
All corporate desktops and laptops are managed with enterprise device management and endpoint protection software.
Business continuity and disaster recovery
Outreach maintains a Business Continuity Policy, which mandates that the Business Continuity Plan (BCP), testing, and procedures are updated and performed at least annually.
Security software development lifecycle standard
The Outreach Software Development Lifecycle (SDLC) standard incorporates security practices throughout our platform’s planning, development, and release processes.
Privacy by design and default

Outreach follows industry best practices to review the privacy impact of all additions and improvements to our platform. We strive to ensure our services meet privacy standards from the beginning of the development cycle.

Vulnerability prevention
Outreach follows OWASP guidelines in our Security Development Lifecycle. Outreach's SDLC is audited by an independent third party and is attested to in our SOC 2 Type II report.
Bug bounty program
Outreach employs a private bug bounty program that enables a large pool of security researchers to test our platform on a continuous basis.
Penetration testing
Outreach contracts with industry-leading penetration testing providers to examine our production architecture at least once a year through more scoped, formal probing.
Single sign-on (SSO)
When a user connects to Outreach, they use a web browser over an enforced Transport Layer Security (TLS) 1.2 or higher connection. The Outreach platform supports federated access via SAML 2.0 in order to provide SSO by any number of Identity Providers (IdP).
Personnel security
Security starts with the people Outreach employs. We implement security controls for employees and contractors before, during, and after their tenure at Outreach. These controls include security and privacy training and automated deprovisioning of both logical and physical access to Outreach resources.
Privacy partnerships

Outreach, operating as a data processor, does not sell, share, or export customer data to third parties. We use customer data only to provide our service and improve our platforms. We only provide data to our sub-processors to support processing of customer data as set forth in our customer agreements.

Privacy & safety features
Our product can be configured to your operational needs, including granular governance controls.
Data recovery
We regularly back up your data and provide a maximum 24-hour RTO and RPO.
Data deletion
Customers can delete users, emails, and other associated prospect data directly from our Compliance Request service within the platform. If customers want to terminate their relationship with Outreach, all their data will be removed from our systems within 60 days.
Data retention

We enforce company policies for retention of Outreach Voice recordings and Outreach Emails (Beta) with flexible configurations based on the length of time recordings should be stored prior to deletion.

EU datacenter

We support customers whose organizational data residency requirements call for EU citizen data to reside in the EU. Outreach offers Sales Engagement, Conversation Intelligence, Sales Coaching, Mutual Action Plans, Deal Insights, Pipeline Management, and Forecasting in an EU datacenter.

Advanced email sync controls
To help customers meet more restrictive security requirements, Outreach is providing more control over their email data with features like Header Based Sync.

Compliance

Outreach undergoes independent third-party audits to attest and certify Outreach’s security, data privacy and compliance controls to help meet customers’ legal, regulatory and organizational policy requirements at scale. To download a copy of reports, certificates, external pen tests, whitepapers and more, please go to Trust Documents. Customers can also reach out to their Outreach sales contact with any questions.
SOC 2 Type II
The SOC 2 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA). The purpose of this report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy. The AICPA created the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) to keep pace with globally recognized international accounting standards. Outreach maintains an annual SOC 2 Type II certification.
ISO 27001
ISO/IEC 27001 outlines and provides the requirements for an information security management system (ISMS), specifies a set of best practices, and details the security controls that can help manage information risks. Outreach maintains 27001 certification.
ISO 27701

ISO 27701 is an industry-standard certification for privacy that demonstrates compliance with internal controls attested to by an external auditor. The scope of the audit includes compliance requirements related to GDPR and CCPA. Outreach has maintained an ISO 27701 certification every year since 2020 without non-conformities.

Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR)
Outreach has performed a self-assessment using the CSA (Cloud Security Alliance) STAR (Security, Trust, Assurance and Risk) attestation. The CSA aims to build standards and transparency through a common framework.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information or ‘Protected Health Information’ (PHI) from being disclosed without the patient's consent or knowledge. Outreach has achieved an independent HIPAA attestation.

System status transparency

Outreach continuously monitors our uptime and makes our system status publicly available.

Report


A Leader in two Forrester Wave™ reports

Outreach is the only sales tech vendor to be named a Leader in both the Forrester Wave™ for Revenue Operations and Intelligence, Q1 2022 and The Forrester Wave™: Sales Engagement, Q3 2020.

Trust documents

At Outreach, one of the ways we are committed to earning our customers’ trust is through transparency. Customers can access additional information to help when evaluating Outreach for the first time or when conducting annual risk assessments. To support our customers, we provide a self-serve portal where they can find relevant documents and resources. Customers can reach the portal through Whistic to access resources securely and seamlessly. Once an account has been set up, users can access documents at any time.
SOC 2 Type II report
A SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those controls are operating. Outreach maintains an annual SOC 2 Type II certification.
ISO 27001 report
ISO/IEC 27001 is an international standard on how to manage information security. Outreach maintains a yearly ISO 27001 attestation.
ISO 27701 report
ISO/IEC 27701 is a standard for implementing, maintaining and continually improving a Privacy Information Management System (PIMS), and allows Outreach to adopt new privacy regulations rapidly. The scope of the audit includes key controls from GDPR and CCPA. Outreach maintains a yearly ISO 27701 attestation.
HIPAA Assessment Letter

An auditor assessment letter validating how Outreach maintains HIPAA-compliant policies, procedures and controls.

Privacy white paper

The Outreach Data Protection Office executes a robust system of controls to ensure the protection of individual data subject rights. Our privacy white paper provides a holistic view of the privacy program at Outreach.

Transfer impact assessment

Outreach has prepared a data transfer impact assessment (TIA) in accordance with the EU Standard Contractual Clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021 (SCCs). Under the SCCs, the data importer and data exporter each have a responsibility to conduct a TIA. While not required to do so, Outreach makes available to customers its TIA for the purpose of providing relevant information for customers to carry out their own TIAs.

Yearly external penetration test
Outreach employs an external company to run a penetration test every year and makes the report summary available.
Outreach security whitepaper
This whitepaper outlines Outreach's approach to security and compliance for the Outreach core platform, and the underlying infrastructure of our products and services. It explains how Outreach protects data, via organizational and technical controls. Please request a copy from your Account Executive.

Frequently asked questions

The core Outreach platform is hosted in multiple Amazon Web Services (AWS) data centers in various AWS regions across the United States and/or (at our customer's option) in AWS in the EU (Ireland).

Yes. For data at rest, Outreach databases containing customer data are either encrypted using AWS RDS Cluster Encryption or stored on encrypted AWS EBS volumes using AES-256. Outreach also encrypts its virtual machine images. For data in transit, Outreach encrypts that data using TLS 1.2 or higher with Strict Transport Layer Security across public networks. Within our Virtual Private Clouds (VPCs), all connections to S3 buckets or databases containing customer data are also encrypted using TLS 1.2 or above.

Outreach established an incident management process led by our dedicated Security Team. System operations staff implement monitoring technology and procedures to ensure the timely detection of, and to support the rapid response to, security incidents. In the event of a confirmed incident involving customers’ data, we will notify the customer within the time frame required by applicable law or as contractually agreed between Outreach and its customers.

You own your data and retain all rights, title, and interest in the data you store with Outreach. During and for 60 days after your subscription, you may migrate your data at any time and for any reason, without assistance from Outreach.

We inform you if there are any important changes to the service with respect to security, privacy, and compliance. This information is delivered via our in-app notification system as well as via email to your Outreach admin. We also promptly notify you if your data has been accessed improperly.

Access to customer data is strictly controlled and logged, and sample audits are performed by both Outreach and third parties to attest that access is only for appropriate business purposes. We recognize the extra importance of our customers' content. If someone such as Outreach support personnel or your own administrators access your content on the service, we can provide you with a report on that access upon request.

Further details on important aspects of data storage, such as where your data resides in terms of geographic location, who at Outreach can access it, and what we do with that information internally can be found in the data processing terms of your agreement.

As a customer of Outreach, you own and control your data. We do not use your data for anything other than providing you with the service to which you have subscribed. As a service provider, we do not scan your email or documents for advertising purposes.

Yes. Outreach develops our platform with privacy in mind and provides granular governance settings, self-serve data controls and opt-out options across our platform.

Outreach maintains SOC 2 Type II, ISO 27001, ISO 27701, EU-U.S. Privacy Shield, and TRUSTe certifications. Many of these measures are detailed in the data processing terms and/or DPA of your agreement. We also execute DPAs, including EU/UK standard contractual clauses, with our vendors who process customer data. For more information, please visit the Certifications section above.

We apply best practices in design and operations, such as redundancy, resiliency, distributed services, and monitoring—to name a few. For more information and to subscribe to service alerts, please visit our System Status page.

All data you store in Outreach is fully backed up with tested and certified disaster recovery processes in place. Outreach handles data backup and disaster recovery. Our current RTO and RPO times are within 24 hours.

We provide a promise of 99.9% uptime as part of our customer agreement. Customers can view the status here.