# AI Outreach Data Processing Addendum

**DRAFT TEMPLATE — NOT EFFECTIVE UNTIL COMPLETED AND SIGNED BY BOTH PARTIES**

Template version: 2026-07-15

This Data Processing Addendum ("DPA") forms part of the agreement governing Customer's use of AI Outreach (the "Agreement"). It is between:

- **Customer / Controller:** [full legal name and address] ("Customer"); and
- **Processor:** [full legal name of the Thrice Agency entity operating AI Outreach and address] ("AI Outreach").

The effective date is [date]. Capitalized terms not defined here have the meaning in the Agreement or applicable Data Protection Law.

## 1. Scope and roles

1. Customer is the controller or a processor acting for another controller. AI Outreach is Customer's processor for Customer Personal Data submitted to or generated through the service.
2. Each party will comply with the privacy and data-protection laws applicable to its role, including the GDPR, UK GDPR, and CCPA/CPRA where applicable.
3. Customer determines the lawful purpose and means of the processing, provides required notices, obtains required rights or consents, and will not instruct AI Outreach to process data unlawfully.
4. AI Outreach will process Customer Personal Data only on documented instructions in the Agreement, this DPA, and Customer's configured use of the service, unless law requires otherwise. AI Outreach will notify Customer where legally permitted if an instruction appears unlawful.

## 2. Confidentiality and personnel

AI Outreach will limit access to personnel and contractors who need it to operate, secure, support, or maintain the service. Authorized persons must be bound by confidentiality obligations and receive privacy or security guidance appropriate to their work.

## 3. Security

AI Outreach will maintain technical and organizational measures appropriate to the risk of the processing. The current measures are summarized in Annex II. AI Outreach may update them without materially reducing the overall protection of Customer Personal Data.

## 4. Subprocessors

1. Customer grants general authorization for the subprocessors in Annex III and for replacements needed to provide the service.
2. AI Outreach will require a subprocessor that processes Customer Personal Data to protect it under written terms appropriate to the processing.
3. AI Outreach remains responsible for its subprocessors to the extent required by Data Protection Law.
4. AI Outreach will provide reasonable advance notice of a material new subprocessor where required by law or the Agreement. Customer may object on reasonable data-protection grounds. The parties will work in good faith on a commercially reasonable alternative; if none is available, either party may discontinue the affected feature.

## 5. Data-subject requests

Taking into account the nature of the processing, AI Outreach will provide reasonable assistance for requests to access, correct, delete, restrict, object to, or port Customer Personal Data. If AI Outreach directly receives a request concerning Customer-controlled data, it will direct the requester to Customer unless law permits or requires another response.

## 6. Personal-data incidents

AI Outreach will notify Customer without undue delay after becoming aware of a confirmed breach of security that causes accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data. As information becomes available, the notice will describe the nature of the incident, likely consequences, affected data or people, and mitigation. Notification is not an admission of fault.

## 7. Compliance assistance

AI Outreach will provide reasonable information needed for Customer's data-protection impact assessments and regulator consultations, considering the processing and information available to AI Outreach. The parties may agree on reasonable fees for unusually extensive assistance not caused by AI Outreach's breach.

## 8. Return, deletion, and retention

1. During the service term, Customer may use available export and deletion controls or contact privacy support.
2. At termination or on a valid instruction, AI Outreach will delete or return Customer Personal Data within the periods in Annex I, unless law requires retention.
3. Data retained for legal, tax, fraud-prevention, security, backup, or dispute purposes will remain protected, isolated from ordinary product use where appropriate, and deleted when the retention basis ends.

## 9. Audits and information

On reasonable written request and subject to confidentiality, AI Outreach will provide information reasonably necessary to demonstrate compliance with this DPA. If that information is insufficient, Customer may request an audit no more than once per year, or after a material incident, during business hours and without disrupting operations. The parties will agree scope, safeguards, and reasonable costs in advance.

## 10. International transfers

If Customer Personal Data is transferred from the EEA, Switzerland, or United Kingdom to a country without an applicable adequacy decision, the parties will use a valid transfer mechanism. Where appropriate, the EU Standard Contractual Clauses adopted by Decision (EU) 2021/914 apply using Module 2 (controller-to-processor) or Module 3 (processor-to-processor), and the UK Addendum applies to restricted UK transfers. The execution copy must complete the relevant options, annexes, governing law, supervisory authority, and transfer assessment.

## 11. U.S. state privacy terms

To the extent AI Outreach acts as a service provider, contractor, or processor under U.S. state privacy law, it will:

- process personal information only for the limited and specified purposes in the Agreement and this DPA;
- not sell or share personal information, including for cross-context behavioral advertising;
- not retain, use, or disclose personal information outside the direct business relationship except as permitted by law;
- not combine Customer Personal Data with data received from another person or from AI Outreach's own consumer interactions except as legally permitted to provide the service;
- provide the same level of privacy protection required by applicable law and notify Customer if it can no longer do so; and
- allow Customer to take reasonable and appropriate steps to confirm and remediate unauthorized processing.

AI Outreach certifies that it understands and will comply with these restrictions in an executed DPA.

## 12. Liability, precedence, and term

1. The Agreement's liability limitations apply to this DPA unless applicable law prohibits them.
2. If this DPA conflicts with the Agreement on processing Customer Personal Data, this DPA controls. Applicable transfer terms control over both for a restricted transfer.
3. This DPA remains effective while AI Outreach processes Customer Personal Data.

## Annex I — Processing details

| Item | Description |
| --- | --- |
| Subject matter | Hosting and operating AI Outreach workflows that enrich prospect records, perform research and qualification, generate outreach drafts, expose customer-directed integrations, and provide billing and support. |
| Duration | The Agreement term plus the documented retention or deletion period, unless law requires longer retention. |
| Nature and purpose | Collection, storage, organization, retrieval, enrichment, analysis, generation, export, transmission at Customer direction, support, security, billing, and deletion. |
| Frequency | Intermittent or continuous according to Customer's use of the service. |
| Data subjects | Customer users, authorized team members, customer contacts, and prospects or leads whose information Customer submits. |
| Personal-data categories | Names, business contact details, professional and employment information, profile URLs and provider-returned content, company details, campaign instructions, generated research and drafts, account identifiers, product usage, support communications, and billing references. |
| Sensitive data | Not intended. Customer must not submit special-category, highly sensitive, payment-card, government-identifier, health, biometric, or precise-location data unless the parties separately agree in writing. |
| Return and deletion | Customer export and deletion controls, followed by deletion under the published retention schedule, subject to documented legal exceptions. |

### Customer instructions or restrictions

[Describe approved purposes, affected teams, geographic limits, special retention instructions, or write "None beyond the Agreement and configured product use."]

## Annex II — Technical and organizational measures

- **Identity and access:** authenticated access, owner or team authorization checks, and restricted administrative functions.
- **Tenant separation:** application-layer ownership checks for customer workflows, prospects, exports, integrations, and account controls.
- **Transport security:** HTTPS/TLS for production service interfaces and production outbound-webhook destinations.
- **Credential protection:** secrets kept outside source control; one-way hashing or encryption for supported credentials; rotating HMAC secrets for outbound webhooks.
- **Secure integrations:** signed webhook payloads, expiring scoped download tokens, SSRF protections, delivery logs, and bounded retry behavior.
- **Data lifecycle:** self-service export and deletion-request controls, grace-period safeguards, provider cleanup where supported, and bounded raw API-log retention.
- **Application assurance:** input validation, rate limiting on sensitive public paths, automated tests, dependency controls, and production error monitoring where configured.
- **Incident handling:** investigation, containment, remediation, and Customer notification under Section 6.

Controls that depend on the production environment, including hosting encryption, backup recovery, workforce access reviews, and third-party assurance reports, must be confirmed in the executed copy or security exhibit.

## Annex III — Authorized subprocessors

| Subprocessor | Service | Purpose | Personal data involved |
| --- | --- | --- | --- |
| Bright Data | Professional-profile enrichment | Retrieve public professional-profile data for a customer-requested workflow. | LinkedIn profile URL or identifier, request metadata, and the resulting public profile response. |
| RapidAPI | API marketplace and professional-profile enrichment | Route a profile lookup to the configured LinkedIn-data API publisher. | LinkedIn profile URL or identifier, API request metadata, and the provider response. |
| Perplexity | Web-grounded research | Research a prospect or company and return grounded context for qualification and drafting. | Prompt instructions, relevant professional-profile data, company or domain context, and generated response. |
| Z.AI | Primary outreach message generation | Generate customer-requested outreach drafts from selected campaign and prospect context. | Prompt instructions, relevant professional-profile fields, company and campaign context, and generated response. |
| Google | Gemini generation and Google Sheets export | Generate research or message drafts and export customer-selected workflow results to a sheet. | Prompt and workflow context for Gemini; selected result fields and connection identifiers for Google Sheets. |
| Stripe | Payments and subscription management | Process checkout, subscriptions, credit purchases, invoices, fraud prevention, and customer billing support. | Customer and account identifiers, email, order and plan metadata, and payment details entered directly into Stripe. |

Deployment-specific hosting, database, email, observability, abuse-prevention, and support vendors must be added to the execution copy when they process Customer Personal Data.

## Annex IV — Execution details

### Customer

- Legal name: [insert]
- Registered address: [insert]
- Notice email: [insert]
- Signatory name and title: [insert]
- Signature: [insert]
- Date: [insert]

### AI Outreach processor entity

- Legal name: [insert legal entity operating AI Outreach]
- Registered address: [insert]
- Privacy notice email: privacy@aioutreach.io
- Signatory name and title: [insert]
- Signature: [insert]
- Date: [insert]

> This repository document is a contract template, not an executed agreement or legal advice. The parties should obtain legal review and complete all placeholders, transfer details, and deployment-specific subprocessors before signing.
