Data Processing Agreement

Last updated: January 3, 2026

Overview

This Data Processing Agreement ("DPA") forms part of the agreement between Outermind Inc. ("Processor") and you ("Controller") for the use of Outermind services.

A DPA is required under GDPR Article 28 for all customers who use Outermind to process personal data of individuals in the United Kingdom or European Economic Area. This DPA applies to all customers, not just enterprise accounts.

By using Outermind, you agree to this DPA. If you require a custom DPA or have specific contractual requirements, please contact legal@outermind.ai.

Request Full DPA Document

To receive a PDF copy of our complete Data Processing Agreement for your records or for signature by your organization, contact our legal team.


DPA Contents Summary

Our DPA includes the following key sections in compliance with GDPR Article 28:

1. Definitions
   Standard definitions aligned with GDPR terminology for data controller, data processor, personal data, and processing.

2. Data Processing Terms
   Specifies that Outermind processes data only on documented instructions from the customer.

3. Security Measures
   Technical and organizational measures including encryption, access controls, and regular security audits.

4. Sub-Processing
   Terms for engaging sub-processors, notification procedures, and customer objection rights.

5. Data Subject Rights
   Assistance with responding to data subject requests within regulatory timelines.

6. Data Breach Notification
   72-hour notification to customers of any personal data breach affecting their data.

7. Audit Rights
   Customer rights to audit compliance with the DPA through third-party assessments.

8. Data Deletion
   Procedures for data deletion or return upon termination of services.

Data Subject Rights Handling

When Outermind receives a data subject request relating to your data, we will:

  • Notify you within 48 hours of receiving the request
  • Provide reasonable assistance in responding to the request
  • Not respond directly to data subjects without your authorization (unless legally required)

Response Timelines

Request Type           | GDPR Timeline                   | CCPA Timeline
-----------------------|---------------------------------|--------------------------------
Access Requests        | 30 days (extendable by 60 days) | 45 days (extendable by 45 days)
Deletion Requests      | 30 days                         | 45 days
Portability Requests   | 30 days                         | N/A
Rectification Requests | 30 days                         | 45 days

Sub-Processor Management

We maintain a list of approved sub-processors at outermind.ai/legal/sub-processors.

Sub-Processor Change Notification

  • We will notify customers 30 days before adding new sub-processors
  • You may object within 14 days of notification
  • If the objection cannot be resolved, you may terminate without penalty
  • Subscribe to updates at legal@outermind.ai

Security Measures

Our technical and organizational security measures include:

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Access Controls: Role-based access with multi-factor authentication
  • Data Isolation: Tenant data is logically separated and region-specific
  • Monitoring: 24/7 security monitoring and anomaly detection
  • Penetration Testing: Annual third-party security assessments
  • Employee Training: Regular security and privacy training for all staff

For more details, see our Security page.

Data Breach Notification

In the event of a personal data breach affecting your data, Outermind will:

  • Notify you within 72 hours of becoming aware of the breach
  • Provide details of the nature of the breach, categories of data affected, and approximate number of data subjects
  • Describe the likely consequences and measures taken or proposed to address the breach
  • Assist you in meeting your own notification obligations to supervisory authorities and data subjects

Our incident response procedures are documented and tested regularly.

Liability

The DPA includes the following liability provisions:

  • Each party is liable for its own breaches of the DPA
  • Outermind's liability for data processing breaches is capped at 12 months of fees paid
  • Exclusions apply to: gross negligence, willful misconduct, and regulatory fines directly resulting from a party's breach

Audit Rights

As a customer, you have the right to verify our compliance with this DPA through:

  • Third-Party Reports: We provide SOC 2 Type II reports upon request (subject to NDA)
  • Security Questionnaires: We respond to standard security questionnaires (CAIQ, SIG)
  • On-Site Audits: Available for enterprise customers with 30 days advance notice, subject to reasonable scope and scheduling

International Data Transfers

When you select a data region, your data remains within that region. For any necessary transfers outside your region (such as payment processing), we rely on:

  • Standard Contractual Clauses (SCCs): EU-approved clauses for transfers to third countries
  • UK International Data Transfer Agreement: For transfers from the UK
  • Data Processing Agreements: With all sub-processors requiring equivalent protection

Our DPA incorporates the EU SCCs as an annex for customers requiring them.

Termination and Data Return

Upon termination of services:

  • You may request a full export of your data in JSON or CSV format
  • We will delete all your personal data within 30 days of termination
  • We will certify deletion upon request
  • Backup copies are purged within 30 additional days

See our Data Retention Policy for complete retention schedules.

Relationship to Other Agreements

This DPA is incorporated into and supplements:

In case of conflict between this DPA and other agreements, this DPA takes precedence with respect to data protection matters.

Contact Information

For questions about this DPA or to exercise your rights:

  • Company: Outermind Inc.
  • Email: legal@outermind.ai
  • Address: 920 Incline Way, #16C-142, Incline Village, NV 89451, USA