← Back to Outsoor

Data Processing Agreement (DPA)

This Data Processing Agreement governs the processing of personal data by Outsoor on behalf of our customers.

1. Definitions

"Controller"

The entity that determines the purposes and means of processing personal data.

"Processor"

Outsoor, the entity that processes personal data on behalf of the controller.

"Personal Data"

Any information relating to an identified or identifiable natural person.

"Processing"

Any operation performed on personal data, such as collection, storage, or analysis.

2. Scope and Application

This DPA applies to all personal data processing activities carried out by Outsoor when providing AI API services to customers. It forms an integral part of our Terms of Service and is automatically incorporated by reference.

Covered Services

  • • AI model inference and processing
  • • Data storage and caching
  • • Analytics and usage monitoring
  • • Customer support and communication
  • • Service improvement and optimization

3. Data Processing Details

3.1 Nature and Purpose of Processing

Primary Purposes

  • • Providing AI API services
  • • Processing customer requests
  • • Billing and account management
  • • Service improvement

Data Categories

  • • Account information
  • • API usage data
  • • Technical logs
  • • Communication records

3.2 Duration of Processing

Personal data will be processed for the duration of the service agreement and as necessary to fulfill legal obligations or legitimate business purposes.

Retention Periods:
• Active account data: Duration of service
• Usage logs: 12 months
• Billing records: 7 years
• Deleted account data: 30 days

4. Controller Obligations

As the data controller, you are responsible for:

Legal Basis

  • • Ensuring lawful basis for processing
  • • Obtaining necessary consents
  • • Providing privacy notices
  • • Handling data subject requests

Data Quality

  • • Providing accurate data
  • • Updating outdated information
  • • Minimizing data collection
  • • Ensuring data relevance

5. Processor Obligations

5.1 Processing Instructions

We will process personal data only on documented instructions from you, including regarding international transfers.

5.2 Confidentiality

All personnel processing personal data are bound by confidentiality obligations.

5.3 Security Measures

We implement appropriate technical and organizational security measures to protect personal data.

5.4 Sub-processors

We may engage sub-processors with your prior written consent and ensure they meet the same obligations.

6. Data Subject Rights

We will assist you in fulfilling data subject rights requests:

Access & Portability

Provide access to personal data and support data portability requests.

Rectification & Erasure

Correct inaccurate data and delete personal data upon request.

Restriction & Objection

Restrict processing and honor objection requests as appropriate.

Response Time: We will respond to data subject requests within 30 days, with the possibility of extension for complex requests.

7. Data Breach Notification

7.1 Breach Detection

We have implemented systems to detect and respond to personal data breaches promptly.

7.2 Notification Process

Immediate Actions

  • • Contain the breach
  • • Assess the scope
  • • Document the incident
  • • Notify you within 72 hours

Follow-up Actions

  • • Investigate root cause
  • • Implement remediation
  • • Provide detailed report
  • • Update security measures

8. International Data Transfers

8.1 Transfer Mechanisms

When transferring personal data outside the EEA, we rely on appropriate safeguards:

Standard Contractual Clauses

We use EU-approved Standard Contractual Clauses for international transfers.

Adequacy Decisions

We transfer data to countries with adequacy decisions where applicable.

Current Transfer Locations: United States, European Union, United Kingdom, Canada, Australia

9. Audit Rights

9.1 Audit Cooperation

We will cooperate with reasonable audit requests from you or your designated auditor.

Audit Scope

  • • Data processing activities
  • • Security measures
  • • Compliance documentation
  • • Sub-processor arrangements

Audit Process

  • • 30 days advance notice
  • • During business hours
  • • Confidentiality maintained
  • • Reasonable frequency limits

10. Termination and Data Return

10.1 Post-Termination Obligations

Upon termination of services, we will:

Data Return

  • • Return all personal data
  • • Provide data in structured format
  • • Complete within 30 days
  • • Confirm deletion of copies

Ongoing Obligations

  • • Maintain confidentiality
  • • Comply with legal requirements
  • • Support legal proceedings
  • • Provide compliance certificates

11. Contact Information

DPA Inquiries

For questions about this Data Processing Agreement or to request a signed copy, please contact us:

Primary Contacts

Legal Team: legal@outsoor.com

Data Protection Officer: dpo@outsoor.com

Compliance: compliance@outsoor.com

Response Times

General inquiries: 2 business days

Signed DPA requests: 5 business days

Urgent matters: Same day

Note: This DPA is automatically incorporated into our Terms of Service. For enterprise customers requiring a signed DPA, please contact our legal team.