This Data Processing Agreement (the “DPA”), is entered into by
Outfunnel’s customer identified on the account registration for Outfunnel’s services (“Controller”)
and
Outfunnel OÜ (“Processor”) registry code 14469427, legal address Harju county, Tallinn, Põhja-Tallinn, Valgevase 13, 10414
and which governs the processing of personal data that the Processor processes on behalf of the Controller
and what Controller provides to Processor.
This DPA is incorporated into the services contract (“Agreement”) previously executed by Controller and Processor.
1. DEFINITIONS
“Controller’s Personal Data” means Personal Data that Processor processes on behalf of Controller or what Controller provides Processor in connection with its use of Processor’s services.
“Data Protection Requirements” means Regulation (EU) 2016/679 (GDPR) and all applicable Local Data Protection Laws.
“EU Personal Data” means Personal Data of which the sharing pursuant to this DPA is regulated by the General Data Protection Regulation and Local Data Protection Laws.
“General Data Protection Regulation” means Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data.
“Local Data Protection Laws” means any subordinate legislation and regulation implementing the General Data Protection Regulation which may apply to this DPA.
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It includes data that Controller chooses to provide to Processor.
“Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Controller’s Personal Data.
“Privacy Laws” means all applicable laws, regulations, and other legal requirements relating to (a) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.
“Process” and its cognates mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Sub-processor” means any entity which provides processing services to Processor in furtherance of Processor’s processing on behalf of Controller.
“Supervisory Authority” means Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
2. NATURE OF DATA PROCESSING
Processor shall process Controller’s Personal Data only on documented instructions from the Controller, including with regard to data transfers, unless EU or Estonian law requires otherwise. Instructions shall be considered documented if delivered in written or electronic form (including by email or through a service interface provided by the Processor).
3. COMPLIANCE WITH LAWS
The parties shall each comply with their respective obligations under all applicable Data Protection Requirements.
4. CONTROLLER’S OBLIGATIONS
Controller agrees to:
- Provide instructions to Processor and determine the purposes and general means of Processor’s processing of Controller’s Personal Data in accordance with this DPA;
- Comply with its data protection, security and other obligations with respect to Controller’s Personal Data prescribed by Data Protection Requirements for data controllers by: (a) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Personal Data are processed on behalf of Controller; (b) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; and (c) ensuring compliance with the provisions of this DPA by its personnel or by any third-party accessing or using Controller’s Personal Data on its behalf.
- Controller guarantees that all Personal Data provided to Processor has been lawfully collected, has a valid legal basis, and where required, valid consent. Consent must be verifiable and recorded in written or electronic form.
5. PROCESSOR’S OBLIGATIONS
A. Processor will:
- Process Controller’s Personal Data (i) only for the purpose of providing, supporting and improving Processor’s services, using appropriate technical and organizational security measures; and (ii) in compliance with the instructions received from Controller. Processor will not use or process the Controller’s Personal Data for any other purpose. Processor will promptly inform Controller if it cannot comply with the requirements under Sections 5-8 of this DPA, in which case Controller may terminate this DPA or take any other reasonable action, including suspending data processing operations;
- Inform Controller promptly if, in Processor’s opinion, an instruction from Controller violates applicable Data Protection Requirements;
- Take commercially reasonable steps to ensure that persons employed by it and other persons engaged to perform on Processor’s behalf comply with the terms of this DPA;
- Ensure that its employees, authorized agents and any Sub-processors are required to comply with and acknowledge and respect the confidentiality of the Controller’s Personal Data, including after the end of their respective employment, contract or assignment. The Processor and any person acting under its authority who has access to Controller’s Personal Data, shall not process that data unless upon instructions by the Controller, including the powers granted under this DPA, unless they are required to do so by law.
- Inform Controller if Processor undertakes an independent security review.
- Maintain appropriate organisational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Controller’s Personal Data while in transit and at rest) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Controller’s Personal Data;
- Upon request, provide Controller with a summary of Processor’s privacy and security policies or other documented evidence that the Processor has implemented necessary technical and organisational measures;
- Be responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all Processor personnel with respect to Controller’s Personal Data and liable for any failure by such Processor personnel to meet the terms of this DPA;
- Take reasonable steps to confirm that all Processor personnel are protecting the security, privacy and confidentiality of Controller’s Personal Data consistent with the requirements of this DPA and
- Notify Controller of any Personal Data Breach by Processor, its Sub-processors, or any other third-parties acting on Processor’s behalf without undue delay and in any event within 24 hours of becoming aware of a Personal Data Breach. Notification must include:
  - Nature of the breach
  - Approximate number of data subjects impacted
  - Categories and approximate number of data records
  - Likely consequences of the breach
  - Measures taken or proposed to mitigate harm
  - Contact point for further information
B. Processor will inform Controller if Processor becomes aware of:
- Any non-compliance by Processor or its employees with Sections 5-8 of this DPA or the Data Protection Requirements relating to the protection of Controller’s Personal Data processed under this DPA;
- Any legally binding request for disclosure of Controller’s Personal Data by a law enforcement authority, unless Processor is otherwise forbidden by law to inform Controller, for example to preserve the confidentiality of an investigation by law enforcement authorities;
- Any notice, inquiry or investigation by a Supervisory Authority with respect to Controller’s Personal Data or
- Any complaint or request (in particular, requests for access to, rectification or blocking of Controller’s Personal Data) received directly from Controller’s data subjects. Processor will not respond to any such request without Controller’s prior written authorization.
C. Processor will provide reasonable assistance to Controller regarding:
- Any requests from Controller’s data subjects in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Controller’s Personal Data that Processor processes for Controller. In the event that a data subject sends such a request directly to Processor, Processor will promptly send such request to Controller. Such requests shall be fulfilled by the Processor in accordance with documented instructions by the Controller without undue delay.
- The investigation of Personal Data Breaches and the notification to the Supervisory Authority and Controller’s data subjects regarding such Personal Data Breaches
- Where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.
Processor may claim a reasonable fee for support services which are not included in the description of the services and which are not attributable to failures on the part of the Processor.
D. If Processor is required by Data Protection Requirements to process any Controller’s Personal Data for a reason other than providing the services described in the DPA, Processor will inform Controller of this requirement in advance of any processing, unless Processor is legally prohibited from informing Controller of such processing (e.g. as a result of secrecy requirements that may exist under applicable EU member state laws).
E. If Processor intends to engage a new or replacement Sub-processor to process Controller’s Personal Data, Processor shall:
(i) maintain an accurate, up-to-date, exclusive list of approved Sub-processors published online;
(ii) provide the Controller 10 (ten) days’ prior written notice before granting the Sub-processor access to Controller’s Personal Data, including the Sub-processor’s identity, location, and processing scope. The Processor may continue using Sub-processors as required to deliver the Service and has no duty to negotiate if the Controller objects. Objection may result in Service suspension or termination;
(iii) If the Controller objects, the Processor may, at its discretion, continue with existing Sub-processors or immediately suspend/terminate Service access without liability or negotiation. This counts as termination for cause, with no refunds, credits, or compensation unless required by non-waivable law;
(iv) enter into a contract with the Sub-processor imposing equivalent obligations to those in this DPA, including security, confidentiality, and audit cooperation; and
(v) remain liable to the Controller for all Sub-processor acts and omissions with regard to data protection where such Sub-processors act on Processor’s instructions.
6. LIABILITY AND AUDITS
- Any person who has suffered material or non-material damage as a result of an infringement of Data Protection Requirements has the right to receive compensation from Controller or Processor for the damage suffered. The party responsible for the event giving rise to the damage must compensate the damage to the data subject.
- Each party to this DPA commits to indemnify the other party for damages or expenses resulting from its own culpable infringement of this DPA, including any culpable infringement committed by its legal representative, subcontractors, employees or any other agents. Furthermore, each party commits to indemnify the other party against any claim exerted by third parties due to or in connection with any culpable infringement by the respective other party.
- If a Supervisory Authority requires an audit of the data processing facilities from which Processor processes Controller’s Personal Data to ascertain or monitor Controller’s compliance with Data Protection Requirements, Processor will cooperate with such audit. Processor bears its own participation and internal resource costs for such audits. Controller bears only external auditor fees if applicable.
- Controller may conduct Processor audits or appoint an auditor at reasonable intervals, providing 7 (seven) days written notice, unless the audit is urgent or mandated by Supervisory Authority (then no notice is required).
- Processor may charge an audit fee only if reasonable, proportionate, and communicated in advance, except if the audit reveals Processor’s non-compliance.
7. DATA TRANSFERS
EU Personal Data will generally be processed and used within the territory of a member state of the European Union or the European Economic Area and any movement of EU Personal Data to a non-EU country requires the prior written consent of Controller and shall only be carried out at the specific conditions set forth by Article 44 et seq. GDPR.
8. DATA RETURN AND DELETION
Processor shall not create copies or duplicates of Controller’s Personal Data without the Controller’s knowledge and consent, except for backup copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory data retention requirements.
The parties agree that on the termination of the data processing services or upon Controller’s reasonable request, Processor shall, and shall cause any Sub-processors to, at the choice of Controller, return all the Controller’s Personal Data and copies of such data to Controller or securely destroy them and demonstrate to the satisfaction of Controller that it has taken such measures, unless Data Protection Requirements prevent Processor from returning or destroying all or part of the Controller’s Personal Data disclosed. In such case, Processor agrees to preserve the confidentiality of the Controller’s Personal Data retained by it and that it will only actively process such Controller’s Personal Data after such date in order to comply with applicable laws.
Processor shall delete Personal Data, including backup copies, within 90 (ninety) days of termination, or earlier on Controller request, unless retention is legally required under EU/EEA or Estonian law.
9. THIRD PARTY DATA PROCESSORS
Controller acknowledges that in the provision of some services, Processor, acting only as a connector for Controller-configured syncing, may, on receipt of documented instructions from Controller, transfer Controller’s Personal Data to, or otherwise interact with, a Controller-selected third-party data processor. Controller agrees that if and to the extent such transfers occur, Controller is responsible for entering into separate contractual arrangements with such third-party data processors binding them to comply with obligations in accordance with Data Protection Requirements. This clause does not reduce or replace Processor obligations for Sub-processors engaged directly by the Processor under Section 5.
10. TERM
This DPA shall remain in effect as long as Processor carries out Personal Data processing operations on behalf of the Controller or until the termination of the Agreement. All Personal Data has to be returned or deleted in accordance with Section 8 above.
11. MISCELLANEOUS
This DPA shall be governed by the laws of Estonia. Processor remains fully subject to GDPR regardless of governing law. Where any clause conflicts with GDPR, GDPR requirements shall prevail.
Any action or proceedings related to this DPA (including those arising from non-contractual disputes or claims) will be brought in Harju County Court, Tallinn, Estonia.
ANNEX A
DESCRIPTION OF THE PROCESSING
1. Data Subjects. The personal data processed concerns the following categories of data subjects:
- Controller’s contacts (which may be prospects, customers or other types of contacts)
2. Purposes of the processing. The processing carries the following purposes.
The processing is intended to enable Controller to do the following:
- upload or create email distribution lists and manage marketing campaigns
- send emails and track campaign engagement (opens, clicks, unsubscribes, bounces and other email actions)
- measure and report marketing performance, including website visits of identified contacts
- configure and initiate data syncing of Controller’s contacts and engagement data between Controller-selected third-party services.
3. Categories of Data. The personal data processed concerns the following categories of data.
- Controller’s contact data provided through email distribution lists, CRM databases or marketing campaigns;
- email engagement data (email opens, link clicks, unsubscribes, bounces);
- metadata related to contact website visits, including device type, source of visit, and IP address;
- data that Controller chooses to sync through the Services to a Controller-selected third-party service, including contact attributes and engagement signals.
4. Recipients. The personal data processed may be disclosed only to the following recipients or categories of recipients:
- Employees and other representatives of Processor, who have a legitimate business purpose for the processing of such personal data.
5. Infrastructure providers and sub-processors
The list of our infrastructure providers and sub-processors is available here
- Contact Information
Contact points for data protection enquiries:
Processor’s email: info@outfunnel.com
Last updated: Nov 27th 2025
