A leader in two The Forrester Wave Reports™
Outreach is the only sales tech vendor to be named a Leader in both the Forrester Wave™ for Revenue Operations and Intelligence, Q1 2022 and as a Leader in The Forrester Wave™: Sales Engagement, Q3 2020
Protecting our customers' data is the cornerstone of our security and privacy program. It is ingrained in how we design our products, the operational security practices we put in place, the layers of protection we provide, and the key certifications and attestations that we meet. Read below to learn more about how we protect your data.
Outreach’s production infrastructure is hosted on Amazon Web Services as our primary Infrastructure as a Service (IaaS) provider. In addition to AWS’s extensive list of security and privacy certifications, Outreach also implements and attests to its own set of policies and practices to secure your data.
Outreach services run primarily as Kubernetes-controlled containers. Outreach’s policies and standards also govern the management of our container infrastructure.
Data is encrypted both at rest and in transit using industry-leading encryption standards. Outreach employs a top-tier Data Loss Prevention (DLP) solution to monitor protected information. The Outreach platform also provides additional controls, such as governance capabilities, to further protect our customers’ users and their data.
All corporate desktops and laptops are managed with enterprise device management and endpoint protection software.
Outreach maintains a Business Continuity Policy, which mandates that the Business Continuity Plan (BCP), testing, and procedures are updated and performed at least annually.
The Outreach Software Development Lifecycle (SDLC) standard incorporates security practices throughout our platform’s planning, development, and release processes.
Outreach follows OWASP guidelines in our Security Development Lifecycle. Outreach's SDLC is audited by an independent third party and is attested to in our SOC 2 Type II report.
Outreach employs a private bug bounty program that enables a large pool of security researchers to test our platform on a continuous basis.
Outreach contracts with industry-leading penetration testing providers to examine our production architecture at least once a year through more scoped, formal probing.
When a user connects to Outreach, they use a web browser over an enforced Transport Layer Security (TLS) 1.2 or higher connection. The Outreach platform supports federated access via SAML 2.0 in order to provide SSO by any number of Identity Providers (IdP).
Security starts with the people Outreach employs. We implement security controls for employees and contractors before, during, and after their tenure at Outreach. These controls include security and privacy training and automated deprovisioning of both logical and physical access to Outreach resources.
Privacy is critical to our customers and we take it seriously. Outreach does not sell, share, or export the data we gather from the use of our platform to third parties for our own purposes. We only provide data to our sub-processors in support of processing your data as set forth in your customer agreement.
Our product offers the ability to configure the product to your operational needs, including granular governance controls.
We regularly back up your data and provide a maximum 24-hour RTO and RPO.
Customers can delete users, emails, and other associated prospect data directly from our Compliance Request service within the platform. If customers want to terminate their relationship with Outreach, all their data will be removed from our systems within 60 days.
We enforce company policies for retention of Outreach Voice recordings with flexible configurations based on the length of time recordings should be stored prior to deletion.
We support customers with organizational requirements around data residency, with EU citizen data to reside in the EU, starting with Outreach Engage.
To help customers meet more restrictive security requirements, Outreach is providing more control over their email data with features like Header Based Sync (Beta).
Outreach undergoes independent third-party audits to attest and certify Outreach’s security, data privacy and compliance controls to help meet customers’ legal, regulatory and organizational policy requirements at scale.
To download a copy of reports, certificates, external pen tests, whitepapers and more, please go to Trust Documents. Customers can also reach out to their Outreach sales contact with any questions.
The SOC 2 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA). The purpose of this report is to evaluate an organization’s information systems relevant to security, availability, processing integrity, confidentiality, and privacy. The AICPA created the Statement on Standards for Attestation Engagements No. 18 (SSAE 18) to keep pace with globally recognized international accounting standards. Outreach maintains an annual SOC 2 Type II certification.
ISO/IEC 27001 outlines and provides the requirements for an information security management system (ISMS), specifies a set of best practices, and details the security controls that can help manage information risks. Outreach maintains 27001 certification.
ISO/IEC 27701 is an industry standard certification for privacy and demonstrates compliance with internal controls attested to by an external auditor. The scope of the audit includes compliance requirements related to GDPR and CCPA. Outreach maintains 27701 certification.
Outreach has performed a self-assessment using the CSA (Cloud Security Alliance) STAR (Security, Trust, Assurance and Risk) attestation. The CSA aims to build standards and transparency through a common framework.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information or ‘Protected Health Information’ (PHI) from being disclosed without the patient's consent or knowledge. Outreach has achieved an independent HIPAA attestation.
Outreach continuously monitors our uptime and makes our system status publicly available.
At Outreach one of the ways we are committed to earning our customers’ trust is through transparency. Customers can access additional information to help when evaluating Outreach for the first time or when conducting annual risk assessments.
To support our customers, we are providing a self-serve portal to allow customers to find relevant documents and resources.
Customers can access the page through Whistic, to securely and seamlessly access resources. Once an account has been set up, users can access documents at any time.
A SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those controls are operating. Outreach maintains an annual SOC 2 Type II certification.
ISO/IEC 27001 is an international standard on how to manage information security. Outreach maintains a yearly ISO 27001 attestation.
ISO/IEC 27701 is a standard for implementing, maintaining and continually improving a Privacy Information Management System (PIMS), and allows Outreach to adopt new privacy regulations rapidly. The scope of the audit includes key controls from GDPR and CCPA. Outreach maintains a yearly ISO 27701 attestation.
Outreach employs an external company to run a penetration test every year and makes the report summary available.
This whitepaper outlines Outreach's approach to security and compliance for the Outreach core platform, and the underlying infrastructure of our products and services. It explains how Outreach protects data, via organizational and technical controls. Please request a copy from your Account Executive.