Updated: April 1, 2025
At OutSystems, we care about our customers. A big part of that is ensuring that we take proper care of your data. Since you are likely to have questions about the Data Processing Agreement (“DPA”) that sets out the rules under which we handle the personal data processed on your behalf, we have designed these FAQs to help you understand it better.
However, please note that this document does not provide legal advice and that this information may not consider future changes in the applicable legislation. Your own legal counsel can help you to familiarize yourself with the legal requirements for your specific situation.
If you have any further questions, please contact your sales representative, who will coordinate with OutSystems’ Data Privacy Office (dpo@outsystems.com) and ensure that all your questions are answered.
Capitalized terms used in these FAQs shall have the meaning assigned to them in the DPA, MSA and EULA.
The DPA establishes the rules under which OutSystems processes personal data on behalf of its customers. It deals with the product and services provided by OutSystems and is part of the Master Subscription Agreement (“MSA”) between OutSystems and its customers. It is also a part of the End-User Licensing Agreement (“EULA”) that governs the use of our software by each individual user, in which case it only applies to the extent that OutSystems processes personal data on behalf of the end-user and a data processing agreement should exist under applicable laws.
Yes, OutSystems offers a DPA to its customers; the document can be found here.
OutSystems’ DPA is tailored to OutSystems’ product and services and connects with the MSA, the EULA and other relevant OutSystems documentation. It addresses specific aspects related to audits, certifications, security measures, and sub-processing activities, all of which are aligned with how OutSystems’ product and services work.
While this depends on the country in which each of the parties is established (and on the applicability of relevant personal data protection laws), OutSystems is a multinational Group whose operations are mainly established in Europe. Therefore, for the majority of cases, the GDPR is applicable (and a DPA is required, assuming personal data will be processed on your behalf). Furthermore, while the DPA uses terminology based on EU legislation, it aims to cover other relevant jurisdictions (such as the UK and Switzerland). Considering this, the DPA shall, as a rule, be entered into by the customer and OutSystems.
Yes, please see below:
- OutSystems’ DPA can be found here;
- OutSystems’ MSA can be found here;
- OutSystems’ EULA can be found here;
- Information about OutSystems’ security measures can be found here;
- The list of OutSystems’ Sub-processors can be found here;
- OutSystems’ Privacy Statement can be found here;
- Information about OutSystems’ Compliance Program can be found here.
The DPA is incorporated by reference into OutSystems’ MSA and OutSystems’ EULA. Therefore, there is no need to sign the DPA.
Within the context of the provision of services, OutSystems only has access to and processes the personal data that you, the customer, have provided to us. This means that you are in control of what personal data (contained in your Application) is processed by OutSystems, since you have the power to decide which personal data (if any) will be processed through your Application. Hence, OutSystems acts as the data processor and the customer acts, as a rule, as the data controller. Additionally, please note that OutSystems only processes the aforementioned data in accordance with the DPA entered into between the parties.
i) The customer that signed the MSA and ii) the customer’s affiliates who are authorized to use OutSystems’ Services pursuant to the MSA and who agree to be bound by the DPA.
Yes. OutSystems engages sub-processors in order to provide its products and services. These sub-processors consist of affiliates of OutSystems as well as third-party organizations.
OutSystems’ DPA has two schedules and also refers to a sub-processors list.
The first schedule details the processing activities carried out by OutSystems on your behalf (i.e. a brief description of those processing activities, the nature and purpose of the processing, the categories of data subjects involved and the types of personal data processed). The second schedule includes standard contractual clauses that may apply.
Additionally, the DPA refers to a sub-processors list that identifies the entities that OutSystems engages in order to provide its services. Please see question 9 above for more information on OutSystems’ sub-processors.
OutSystems will directly manage any requests made by data subjects relating to the exercise of their rights under applicable law, insofar as these relate to personal data processed by OutSystems as a controller.
Where the aforementioned requests relate to personal data processed by OutSystems on behalf of a customer, OutSystems will promptly notify the relevant customer of the request received, as detailed in section 5.3 of our DPA.
Where OutSystems acts as a processor, and as set out in our DPA, OutSystems will notify the controller after becoming aware of a breach event (as defined in our DPA). Where and in so far as it is not possible to provide all the relevant information at the same time, the information may be provided in phases without undue delay.
Unless otherwise stipulated by applicable law, the MSA or the DPA, upon termination of the MSA, the controller may export the personal data processed on its behalf in accordance with the rules set forth in the MSA regarding the detachment of Customer Content. OutSystems will delete the personal data processed on behalf of the controller once the deadline defined for the detachment of Customer Content under the MSA has elapsed.
OutSystems uses appropriate technical, organizational and administrative security measures to protect the personal data it processes on behalf of its customers against accidental or unlawful loss, misuse, unauthorized access, disclosure, alteration and destruction. OutSystems’ security measures are continually improved in line with technological developments. Those measures are set forth on https://security.outsystems.com, including in the document OutSystems Information Security and Business Continuity Terms and Conditions available therein. Furthermore, OutSystems is certified and attested by independent auditors to confirm compliance with the standards listed on https://security.outsystems.com.