Outreach GDPR Readiness

Posted: April 2018

Outreach has been preparing for the European Union’s (EU) General Data Protection Regulation (GDPR) for over a year. We have implemented processes and procedures to ensure we meet both our Data Controller and Data Processor obligations. With addition of a few new processes to support Data Subject requests, Outreach has determined that our current security controls, and certifications including ISO 27001 and Privacy Shield, allow us to adhere to the GDPR’s requirements applicable to Outreach’s business. This assessment includes supporting our customers in meeting their GDPR obligations.

To determine our readiness for GDPR, Outreach conducted a gap analysis of our current capabilities and validated that assessment with a third party GDPR expert - CoalFire, who conducted a formal GDPR assessment. A Letter of Compliance attesting to our compliance with GDPR requirements can be provided upon request.

It is important to note that GDPR does not have an accredited certification method. That means, there is no GDPR-approved way to demonstrate compliance. We believe our customers will appreciate that we are voluntarily undergoing an audit with a respected firm to obtain their opinion. We will openly share their Letter of Compliance with our customers as soon as it is available.
Here is what Outreach has done to meet our GDPR obligations and help our customers do the same:

Privacy Shield and Data Transfer

Outreach currently complies with current EU and EEA data protection laws as they stand today regarding onward transfer of data subject information to a data processor. As a customer, we understand that you are entrusting us with your data. Therefore, Outreach takes a principled approach to privacy and security - we were an early adopter and comply with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EEA to the United States. Privacy Shield was designed with many of the privacy concepts that are in GDPR in mind. You can view a description of how we comply with the Privacy Shield Principles in our Privacy Policy. To learn more about the Privacy Shield Framework and the scope of our participation, visit the U.S. Department of Commerce website.

Privacy Shield allows Outreach to meet the current privacy requirements of Europe for onward transfer by doing the following privacy principles:

  • Notice
  • Choice
  • Accountability for Onward Transfer
  • Security
  • Data Integrity and Purpose Limitation
  • Access
  • Recourse, Enforcement and Liability

Standard Contractual Clauses (Model contract clauses)

Additionally, Outreach signs Data Processing Agreements (DPA) with customers who need them. Where necessary, Outreach includes standard model clauses for transfer to third-party countries (the current bar set by the EU Commission). These clauses ensure our customers can transfer data to countries outside of the EEA for use in our system. Further, Outreach has DPAs in place with all sub-processors where legally required.


Outreach has already implemented many strong data security requirements and controls to protect our customers data - many of which already meet GDPR standards.

  • Outreach maintains ISO 27001 certification. ISO 27001 is a security management standard that specifies security management best practices and controls based on ISO 27002 best practice guide. As an ISO 27001-certified organization, there is a high level of integration between the ISO 27002 code of practice and the Information Security Management System (ISMS). The ISO 27001 certification validates our security and meets many of the requirements of GDPR.
  • Outreach maintains a SOC 2 Type II accreditation report. The SOC 2 evaluates Outreach controls that are relevant to the principles of security, availability, and confidentiality. This is a rigorous assessment that tests the operating effectiveness of our controls over a defined period, demonstrating and documenting our compliance with controls pertaining to security, availability, and confidentiality.
  • Outreach has strong data protection controls, which includes encryption in transit and encryption at rest of customer data, to safeguard data subject’s data from unintended disclosure or misuse. Outreach rigorously tests its product to remedy proactively vulnerabilities and follows industry best practices and guidance in information security.
  • Outreach maintains incident response and notification processes. These procedures are tested annually.
  • Outreach has procedures in place to ensure data recovery and data integrity, so that customer lost or inadvertently corrupted.
  • Outreach provides assurances that the customer retains full control of their data.
  • Outreach’s key data sub-processors, i.e. Amazon Web Services (AWS), all maintain rigorous security standards (SOC2 and/or ISO 27001 certifications, where possible), and undergo annual vendor reviews.
Data Security

Security Certifications

Outreach maintains multiple 3rd party certifications for security and privacy.

  • SOC 2 Type II
  • TRUSTe
  • ISO 27001
  • EU-U.S. Privacy Shield
  • Cloud Security Alliance

GDPR for Sales Managers

How Outreach Enables You for Success

GDPR and Outreach

Recommendations for Outreach Customers

Outreach believes that as a SaaS company security and privacy is a shared responsibility with our customers. We are committed to partnering with you to help you successfully meet your GDPR, and future, privacy requirements. Requirements such as greater data access and erasure rules, privacy by design, and data breach notification processes may mean changes for your organization, and are a shared responsibility between yourself and your partners. Therefore, it is important to understand your obligations related to the GDPR regardless of where your organization resides, and Outreach will work with you to achieve them.

Data Sharing and Minimization

By nature of Outreach’s integration architecture, you determine what data is sent over for processing. Accordingly, your company acts as the controller and must abide to a set of core principles regarding the handling of the personal data.

Per the GDPR principles, you should avoid sharing unnecessary personal data with Outreach. Typically, the only class of personal data you should share with Outreach is contact information (name, business email/phone) and you should not share other classes of data (e.g. health-related data, sexual orientation, religion-related information) that are not relevant to managing your sales pipeline.

Like many SaaS companies we operate a Shared Responsibility model in coordination with our customers. It is your responsibility to ensure certain data types are not sent to Outreach for processing.

Recommendation: Review the user information shared with Outreach and ensure you are not sharing any unneeded or sensitive (SSN, driver’s license, credit card #, passport #, etc.) personal data.

Disclosure & Consent

GDPR states that data controllers must provide users with specific information on how their personal data is being collected, used, stored and shared. As such, you may need to update your privacy policy to reflect your use of Outreach as a data processor for the purpose of improving and managing your sales processes.

If your legal counsel determines you also need to obtain user consent before using Outreach, make sure you update your integration with Outreach to only send data from those who provided the required consent or have otherwise consented to it. Please note that proof of consent is required and may be necessary in the event of legal proceedings.

Recommendation: Determine with your legal counsel what additional information should be added to your privacy policy. Determine if you need consent and, if so, update your consent collection and implement API changes accordingly.

Use Outreach’s Data Processing Addendum (DPA)

If your company determines that you are subject to GDPR, you can obtain a copy of Outreach's most recent DPA by submitting a request to [email protected]. When making a request, please include in your message to us the subject line, "DPA Request."

Outreach continues to monitor the continuing guidance issued by the Article 29 Working Party (which will be replaced by the European Data Protection Board [EDPB]) to ensure that we remain abreast with the most recent developments pertaining to GDPR. Even when the regulation comes into full effect, Outreach is prepared for the fact that privacy compliance in the EU will be an evolving area and that compliance with GDPR is not a one-stop check box or finish line – it will require continuous adjustments and actions to ensure that we, and our customers, remain compliant.


Frequently Asked Questions

  • What is the GDPR?

    The new General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) helps protect and ensure the privacy rights of European Union (EU) and European Economic Area (EEA) citizens and GDPR replaces the Data Protection Directive 95/46/EC and aims to harmonize data privacy laws across Europe, while expanding the rights and empowerment of individuals in regard to the control of their personal information. The GDPR establishes global privacy requirements governing how you manage and protect personal data of EU and EEA citizens and residents while respecting individual choice—regardless of where data is sent, processed, or stored.

  • Who Does the GDPR apply to?

    GDPR not only applies to companies that process the personal data of protected individuals, and have a presence in the EU (e.g. offices or establishments), but also to companies that do not have any presence in the EU but target the European market. Customers, including non-EU based customers, should carefully assess whether they are subject to the GDPR.

  • Is Outreach ready to comply with the GDPR?

    Yes. Through our numerous security certifications including ISO 27001:2013 and Privacy Shield, Outreach already has many of the programs and processes in place to meet our GPDR obligations. Outreach has also introduced new processes to meet new requirements introduced by GDPR

  • What capabilities does Outreach offer customers to help them meet their GDPR obligations?

    Outreach has over 15 features and capabilities to help our customers meet their GDPR requirements and respond to Data Subject requests. Some of the key capabilities include:

    - CSV export for data portability requests

    - Prospect and email deletion for “right to be forgotten” requests

    - SAML federation, SSO and Governance features help you meet your data access obligations

    - Outreach’s Triggers, Global Opt-out and Custom Unsubscribe features help you with GDPR consent management

  • Does Outreach have a Data Processing Addendums (DPA) for their customers?

    Yes. These are included by default in all new contracts. If you are a current customer and need a DPA, please submit a request to [email protected], with the subject line, "DPA Request."

  • Does Outreach have sub-processors?

    Yes. These are detailed in our DPA with customers. We also have DPAs in place with each of our sub-processors.

Please note that the information below does not provide legal advice and should not be used as such. We recommend you consult with the appropriate legal counsel for that purpose. If your company uses Outreach as its Sales Engagement Platform platform, you may be sharing personal data with us. In these scenarios, Outreach acts as a data processor because Outreach processes the personal data on your company’s behalf.