Outreach’s commitment to trust
Protecting your data is our first priority
Cloud datacenter security
Data is encrypted both at rest and in transit using the industry-leading encryption standards. Outreach employs a top-tier Security Incident and Event Monitoring (SIEM) solution to monitor protected information. The Outreach platform also provides additional controls, such as governance capabilities, to further protect our customers’ users and their data.
Data protection and privacy
Outreach bases our privacy standards and policies on the General Data Protection Regulation (EU/UK) and California Privacy Legislation. We support our customers in protecting the data subject rights of the individuals whose data they steward. Our ISO 27701 certification process specifically targeted GDPR and CCPA requirements and is available for download in our Outreach Trust Center.
Business continuity and disaster recovery
Security software development lifecycle standard
Privacy by design and default
Outreach follows industry best practices to review the privacy impact of all additions and improvements to our platform. We strive to ensure our services meet privacy standards from the beginning of the development cycle.
Bug bounty program
Single sign-on (SSO)
Outreach operating as a data processor does not sell, share, or export customer data to third parties. We use customer data only to provide our service and improve our platforms. We only provide data to our sub-processors to support processing of customer data as set forth in our customer agreements.
Privacy & safety features
We enforce company policies for retention of Outreach Voice recordings and Outreach Emails (Beta) with flexible configurations based on the length of times recordings should be stored prior to deletion.
We support customers with organizational requirements around data residency, with EU citizen data to reside in the EU. Outreach offers Sales Engagement, Conversation Intelligence, Sales Coaching, Mutual Action Plans, Deal Insights, Pipeline Management, and Forecasting in an EU datacenter.
Advanced email sync controls
SOC 2 Type II
Industry standard certification for privacy and demonstrates compliance with internal controls attested to by an external auditor. The scope of the audit includes compliance requirements related to GDPR and CCPA. Outreach has maintained an ISO 27701 certification every year since 2020 without non-conformities.
Cloud Security Alliance (CSA) Security, Trust, Assurance, and Risk (STAR)
System status transparency
A leader in two The Forrester Wave Reports™
SOC 2 Type II report
ISO 27001 report
ISO 27701 report
HIPAA Assessment Letter
Auditor Assessment Letter to validate how Outreach maintains HIPAA compliant policies, procedures and controls.
Privacy white paper
The Outreach Data Protection Office executes a robust system of controls to ensure the protection of individual data subject rights. Our privacy white paper provides a holistic view of the privacy program at Outreach.
Transfer impact assessment
Outreach has prepared a data transfer impact assessment (TIA) in accordance with the EU Standard Contractual Clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914 of 4 June 2021 (SCCs). Under the SCCs, the data importer and data exporter each have a responsibility to conduct a TIA. While not required to do so, Outreach makes available to customers its TIA for the purpose of providing relevant information for customers to carry out their own TIAs.
Yearly external penetration test
Outreach security whitepaper
Frequently asked questions
The core Outreach platform is hosted in multiple Amazon Web Services (AWS) data centers in various AWS regions across the United States and/or (at our customer's option) in AWS in the EU (Ireland).
Yes. For data at rest, Outreach databases containing customer data are either encrypted using AWS RDS Cluster Encryption or stored on encrypted AWS EBS volumes using AES 265. Outreach also encrypts its virtual machine images. For data in transit, Outreach encrypts that data using TLS 1.2 or higher with Strict Transport Layer Security across public networks. Within our Virtual Private Clouds (VPCs), all connections to S3 buckets or databases containing customer data are also encrypted using TLS 1.2 or above.
Outreach established an incident management process led by our dedicated Security Team. System operations staff implements monitoring technology and procedures to ensure the timely detection of and to support the rapid response to security incidents. In the event of a confirmed incident involving customers’ data, we will notify the customer within the time frame required under applicable by law or as contractually agreed between Outreach and its customers.
You own your data and retain all rights, title, and interest in the data you store with Outreach. During and for 60 days after your subscription, you may migrate your data at any time and for any reason, without assistance from Outreach.
We inform you if there are any important changes to the service with respect to security, privacy, and compliance. This information is delivered via our in-app notification system as well as via email to your Outreach admin. We also promptly notify you if your data has been accessed improperly.
Access to customer data is strictly controlled and logged, and sample audits are performed by both Outreach and third parties to attest that access is only for appropriate business purposes. We recognize the extra importance of our customers' content. If someone such as Outreach support personnel or your own administrators access your content on the service, we can provide you with a report on that access upon request.
Further details on important aspects of data storage, such as where your data resides in terms of geographic location, who at Outreach can access it, and what we do with that information internally can be found in the data processing terms of your agreement.
As a customer of Outreach, you own and control your data. We do not use your data for anything other than providing you with the service to which you have subscribed. As a service provider, we do not scan your email or documents for advertising purposes.
Yes. Outreach develops our platform with privacy in mind and provides granular governance settings, self-serve data controls and opt-out options across our platform.
Outreach maintains SOC 2 Type II, ISO 27001, ISO 27701, EU-U.S. Privacy Shield, and TRUSTe certifications. Many of these measures are detailed in the data processing terms and/or DPA of your agreement. We also execute DPAs, including EU/UK standard contractual clauses, with our vendors who process customer data. For more information, please visit the Certifications section above.
We apply best practices in design and operations, such as redundancy, resiliency, distributed services, and monitoring—to name a few. For more information and to subscribe to service alerts, please visit our System Status page.
All data you store in Outreach is fully backed up with tested and certified disaster recovery processes in place. Outreach handles data backup and disaster recovery. Our current RTO and RPO times are within 24 hours.
We provide a promise of 99.9% uptime as part of our customer agreement. Customers can view the status here.