Data Processing Agreement
Last updated: March 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between the customer identified in the applicable Outpacer account ("Customer," "Controller," or "you") and Outpacer AI ("Outpacer," "Processor," "we," "us," or "our"), a company incorporated in Delaware, United States, operating the platform at outpacer.ai. This DPA sets out the terms under which Outpacer processes Personal Data on behalf of the Customer in connection with the Service, and reflects the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of applicable Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and other applicable data protection legislation.
2. Definitions
For the purposes of this DPA, the following definitions apply in addition to any definitions in the Agreement:
- "Controller" means the natural or legal person (in this case, the Customer) that determines the purposes and means of the processing of Personal Data.
- "Processor" means the natural or legal person (in this case, Outpacer) that processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Service.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
- "Personal Data" means any information relating to a Data Subject that can be used, directly or indirectly, to identify that person, including but not limited to names, email addresses, IP addresses, user identifiers, and usage data.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Data Protection Laws" means all applicable legislation relating to data protection and privacy, including the GDPR, UK GDPR, CCPA, and any national implementing legislation or regulations.
- "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries, as applicable.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
3. Scope and Purpose of Processing
3.1 Data Processed
In the course of providing the Service, Outpacer may process the following categories of Personal Data on behalf of the Customer:
- Account information: names, email addresses, job titles, and organisation details of Customer's employees and authorised users
- Authentication data: hashed passwords, session tokens, and multi-factor authentication identifiers
- Usage data: IP addresses, browser types, device identifiers, pages visited, features used, and timestamps
- Content data: website URLs, keywords, content drafts, and SEO analysis data submitted by Customer through the Service
- Payment data: billing addresses and transaction identifiers (full payment card details are processed directly by Stripe and are not stored by Outpacer)
- Communication data: support messages, feedback, and chat transcripts
3.2 Purposes of Processing
Personal Data is processed solely for the following purposes:
- Providing, operating, and maintaining the Service
- Generating AI-powered SEO content, keyword research, and site analysis
- Processing payments and managing subscriptions
- Sending transactional communications (account verification, billing notifications, security alerts)
- Providing customer support through live chat and email
- Analysing usage patterns to improve and debug the Service
- Ensuring security and preventing fraud
3.3 Categories of Data Subjects
The Data Subjects whose Personal Data may be processed under this DPA include:
- Customer employees and authorised users: Individuals within the Customer's organisation who have been granted access to the Service.
- Customer's website visitors (indirect): Where the Customer integrates analytics or tracking data from their own websites into the Service (for example, through Google Search Console or CMS integrations), aggregated or anonymised data about the Customer's website visitors may be processed. Outpacer does not directly collect Personal Data from the Customer's website visitors.
4. Roles and Responsibilities
The Customer acts as the Controller and determines the purposes and means of the processing of Personal Data. Outpacer acts as the Processor and processes Personal Data only on behalf of and in accordance with the documented instructions of the Customer. Outpacer shall not process Personal Data for any purpose other than as specified in this DPA or as otherwise instructed by the Customer in writing, unless required to do so by applicable law, in which case Outpacer shall inform the Customer of that legal requirement before processing (unless prohibited by law from doing so).
5. Processing Instructions
Outpacer shall process Personal Data only in accordance with the Customer's documented instructions. The Customer's instructions are provided through the Service interface, including through account configuration, feature usage, API calls, and any written instructions communicated to Outpacer via email at legal@outpacer.ai. The Customer acknowledges that the use of specific Service features (such as publishing content to third-party CMS platforms or connecting integrations) constitutes an instruction to process the relevant data as required to perform those features. If Outpacer believes that an instruction from the Customer infringes applicable Data Protection Laws, Outpacer shall promptly notify the Customer and may suspend the relevant processing until the matter is resolved.
6. Sub-processors
The Customer grants Outpacer general authorisation to engage Sub-processors for the purpose of providing the Service. Outpacer shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA. Outpacer will maintain an up-to-date list of Sub-processors and will provide at least 30 days' prior written notice before engaging a new Sub-processor or replacing an existing one. The Customer may object to a new Sub-processor by notifying Outpacer within 14 days of receiving notice; the parties will work in good faith to resolve any objection.
6.1 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic | AI content generation and natural language processing | United States |
| OpenAI | AI content generation and embedding models | United States |
| Stripe | Payment processing, subscription billing, and fraud detection | United States |
| Supabase | Database hosting, authentication, and user management | United States |
| Vercel | Application hosting, edge network, and serverless compute | United States (global edge) |
| Railway | Background job processing and microservice hosting | United States |
| Upstash | Redis caching, rate limiting, and message queuing | United States (global edge) |
| Resend | Transactional email delivery (account verification, billing notifications, security alerts) | United States |
| PostHog | Product analytics, feature flag management, and session replay | United States / European Union |
| Crisp | Live chat support, customer messaging, and helpdesk | European Union (France) |
| DataForSEO | Keyword research, SERP data, rank tracking, and backlink analysis | European Union (Lithuania) |
7. Security Measures
Outpacer shall implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include, but are not limited to:
7.1 Encryption
All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 encryption. Database backups are encrypted and stored in geographically separate locations. API keys and secrets are stored in encrypted environment variables and are never committed to source code repositories.
7.2 Access Controls
Access to Personal Data is restricted to authorised Outpacer personnel on a need-to-know basis. All Outpacer staff with access to production systems are required to use multi-factor authentication. Role-based access controls (RBAC) are enforced across all internal systems, and access rights are reviewed quarterly. Administrative access to production databases is logged and audited.
7.3 Incident Response
Outpacer maintains a documented incident response plan that includes procedures for identifying, containing, investigating, and remediating security incidents. The incident response plan is tested at least annually. All security incidents are logged and reviewed by the security team, and post-incident reports are prepared for any incidents involving Personal Data.
7.4 Employee Training
All Outpacer employees and contractors with access to Personal Data are required to complete data protection and security awareness training upon hire and at least annually thereafter. Employees are bound by confidentiality obligations and are aware of their responsibilities under applicable Data Protection Laws.
8. Personal Data Breach Notification
In the event of a Personal Data Breach, Outpacer shall notify the Customer without undue delay and in any event within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. The notification shall include:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and data records concerned
- The name and contact details of Outpacer's designated contact point for further information
- A description of the likely consequences of the Personal Data Breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
Outpacer shall cooperate with the Customer and provide all reasonable assistance to facilitate the Customer's compliance with its breach notification obligations under applicable Data Protection Laws. Outpacer shall document all Personal Data Breaches, including the facts surrounding the breach, its effects, and the remedial action taken.
9. Data Subject Requests
Outpacer shall assist the Customer in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, data portability, restriction of processing, and objection to processing). If Outpacer receives a request directly from a Data Subject, Outpacer shall promptly redirect the Data Subject to the Customer and notify the Customer of the request within 5 business days, unless otherwise required by law. Outpacer shall provide the Customer with reasonable technical and organisational assistance to respond to such requests, including providing relevant data exports and facilitating data deletion where technically feasible. The Customer is responsible for ensuring that Data Subject requests are legitimate and authorised before instructing Outpacer to take action.
10. Data Deletion and Return
Upon termination or expiration of the Agreement, or upon the Customer's written request, Outpacer shall delete all Personal Data processed on behalf of the Customer within 30 days, unless applicable law requires further retention. Before deletion, Outpacer shall provide the Customer with the opportunity to export their data through the Service's built-in export functionality or through a data export request to legal@outpacer.ai. Upon completion of deletion, Outpacer shall provide written confirmation to the Customer that all Personal Data has been securely deleted, except for data retained under a legal obligation or in anonymised form for analytics purposes. Backup copies shall be deleted in accordance with Outpacer's standard backup retention schedule, which shall not exceed 90 days from the date of the deletion request.
11. Audit Rights
Outpacer shall make available to the Customer, upon reasonable written request and no more than once per calendar year, documentation demonstrating compliance with the obligations set out in this DPA. This documentation may include summaries of security audits, penetration testing reports, and certifications held by Outpacer or its Sub-processors. Outpacer shall provide such documentation within 30 business days of receiving a written request. If the Customer reasonably requires an on-site audit or third-party audit beyond the documentation provided, such audit shall be conducted at the Customer's expense, during normal business hours, with at least 30 days' prior written notice, and subject to reasonable confidentiality obligations. Outpacer shall cooperate with and provide reasonable access to the auditing party for the purpose of verifying compliance with this DPA.
12. International Data Transfers
Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA) and the United Kingdom, including the United States, where Outpacer and the majority of its Sub-processors are located. For transfers of Personal Data from the EEA or UK to countries that have not been deemed to provide an adequate level of data protection, Outpacer relies on the European Commission's Standard Contractual Clauses (SCCs) as the primary transfer mechanism. Outpacer shall enter into the appropriate module of the SCCs (Module Two: Controller to Processor) with the Customer upon request. Where a Sub-processor is located in a third country, Outpacer shall ensure that appropriate safeguards are in place, including SCCs or other legally recognised transfer mechanisms, before transferring Personal Data to that Sub-processor. Outpacer will conduct transfer impact assessments where required and implement supplementary measures as necessary.
13. Liability
Each party's liability arising out of or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement (Terms of Service). Nothing in this DPA shall limit either party's liability for breaches of applicable Data Protection Laws to the extent that such limitation is not permitted by law. For the avoidance of doubt, the Customer shall remain responsible for ensuring that it has a lawful basis for providing Personal Data to Outpacer and for instructing Outpacer to process that data. Outpacer shall be liable for damages caused by its processing only to the extent that it has not complied with the obligations of this DPA or applicable Data Protection Laws specifically directed to Processors.
14. Duration
This DPA shall commence on the date the Customer first uses the Service and shall remain in effect for as long as Outpacer processes Personal Data on behalf of the Customer — that is, this DPA is co-terminous with the Agreement. Upon termination of the Agreement, this DPA shall automatically terminate, subject to Outpacer's obligation to delete or return Personal Data as set out in Section 10 above. Provisions of this DPA that by their nature should survive termination (including but not limited to confidentiality, data deletion, liability, and audit obligations) shall survive the termination of this DPA.
15. General Provisions
- Precedence: In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
- Severability: If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
- Amendments: This DPA may be amended by Outpacer from time to time to reflect changes in applicable Data Protection Laws or the Service. Material changes will be communicated to the Customer with at least 30 days' notice.
- Governing law: This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of law provisions.
16. Contact
For questions regarding this Data Processing Agreement, data protection practices, or to exercise any rights under this DPA, please contact:
- Email: legal@outpacer.ai
- Outpacer AI, Delaware, United States