Legal
Data Processing Agreement
Template provided for transparency — review with qualified counsel before relying on it.
Last updated: 2026-06-15
This Data Processing Agreement (“DPA”) forms part of the agreement between you (the “Customer”) and [Outlink AI, Inc.] and governs the processing of personal data we carry out on your behalf when you use the service. It is drafted in the shape of Article 28 of the GDPR.
Roles, subject matter, and duration
For the personal data processed through the service, the Customer is the controller and [Outlink AI, Inc.] is the processor. The subject matter is the provision of autopilot link-building outreach; the nature and purpose of the processing is to send outreach from the Customer’s connected mailbox, handle replies, relate activity to Search Console signals, and operate and secure the service. Processing lasts for the term of the agreement and the limited period afterward described under deletion below.
Categories of data subjects and personal data
The data subjects are the Customer’s authorized users and the recipients of the Customer’s outreach. The personal data includes account and billing identifiers, connected-inbox content used for outreach and the replies it receives, Google Search Console metrics, and product and usage data.
Processing on documented instructions
We process personal data only on the Customer’s documented instructions — including the configuration you set in the product and this DPA — unless the law requires otherwise, in which case we notify you where permitted.
Confidentiality, security, and breach notification
Personnel authorized to process personal data are bound by confidentiality. We maintain technical and organizational security measures appropriate to the risk — including encryption in transit, access controls, and tenant isolation. If we become aware of a personal-data breach affecting your data, we will notify you without undue delay and within 72 hours of becoming aware, and provide the information you need to meet your own notification obligations.
Subprocessors
You give general authorization for us to engage the subprocessors below to deliver the service. Each subprocessor is bound by data-protection terms no less protective than this DPA. We will give you notice of any intended change to this list and a reasonable opportunity to object on reasonable data-protection grounds.
| Subprocessor | Purpose | Data |
|---|---|---|
| Stripe | Payments and subscription billing | Billing identifiers (no full card stored by us) |
| Resend | Transactional email (account and system messages) | Email address, message metadata |
| OpenAI | AI drafting and classification | Outreach and reply content used for generation |
| Moz | Domain-authority metrics | Target and prospect domains |
| SerpAPI / DataForSEO-class provider | SERP and ranking data | Query and domain data |
| Google (OAuth + Search Console) | Inbox send and rank/coverage signals | Restricted Gmail scope data; Search Console metrics |
| Microsoft (Outlook OAuth) | Inbox send | Restricted Outlook scope data |
| Neon | Postgres data storage | All stored workspace data |
| Vercel | Application hosting | Request and operational data |
Data-subject-rights assistance
Taking into account the nature of the processing, we will assist you with appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights, and to meet your obligations around security, breach notification, and data-protection impact assessments.
Deletion or return on termination
On termination of the service, and at your choice, we will delete or return the personal data we process on your behalf and delete existing copies, unless the law requires us to retain it. The product also offers self-serve account deletion that removes your workspace data.
Audit rights
We will make available the information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality and scheduling.
International transfers and contact
Where personal data is transferred outside its region of origin, we rely on an appropriate transfer mechanism such as the Standard Contractual Clauses. [The transfer mechanism is a placeholder to be confirmed with counsel before launch.] For any question about this DPA, contact our data-protection contact at dpo@outlinkai.com.