1. Preamble
This Data Processing Addendum ("DPA") forms part of the Master Terms of Service between Outly SAS ("Processor" or "Outly") and the user of the Services ("Controller" or "Customer"). This DPA reflects the parties' agreement with regard to the processing of Personal Data.
2. Definitions
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
- "Processor" means the entity which processes Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable person to whom Personal Data relates.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Sub-processor" means any third party appointed by or on behalf of Processor to process Personal Data.
3. Details of Processing
- Subject Matter: The provision of LinkedIn automation services as defined in the Terms of Service.
- Duration: The processing will continue for the duration of the Customer's subscription.
- Nature and Purpose: Storage, retrieval, analysis, and automated interaction with professional networking data to facilitate lead generation and outreach.
- Categories of Data Subjects: The Customer's employees (users) and the Customer's prospects (professional contacts on LinkedIn).
4. Obligations of the Processor
The Processor agrees to:
- Instructions: Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country.
- Confidentiality: Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Security: Take all measures required pursuant to Article 32 of the GDPR (Security of processing), including encryption and ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems.
- Assistance: Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (Security, Breach Notification, DPIA).
5. Sub-processing
The Controller grants the Processor general authorization to engage Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors.
Current Approved Sub-processors
| Sub-processor | Service | Location |
|---|---|---|
| Vercel Inc. | Cloud Hosting & Deployment | USA / Global CDN |
| Amazon Web Services | Cloud Infrastructure / Storage | USA / EU |
| Supabase | Database Hosting | USA / EU |
| Stripe | Payment Processing | USA |
| OpenAI | AI Content Generation | USA |
| PostHog | Product Analytics | EU / USA |
6. International Data Transfers
Where Personal Data is transferred from the EEA, Switzerland, or the UK to a country that has not been recognized by the European Commission as providing an adequate level of protection (e.g., the United States), the Processor agrees to abide by the Standard Contractual Clauses (SCCs) approved by the European Commission, which are hereby incorporated by reference.
7. Data Breach Notification
In the event of a Personal Data Breach affecting the Controller's data, the Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach. The notification shall describe the nature of the breach, the likely consequences, and the measures taken or proposed to address the breach.
8. Deletion or Return of Data
Upon termination of the Services, the Processor shall, at the choice of the Controller, delete or return all the Personal Data to the Controller and delete existing copies unless applicable law requires storage of the Personal Data.