
Outcraft AI Data Processing Agreement

Document Version: 1.0
Last Updated: March 23, 2026

This Data Processing Agreement ("DPA") forms part of the agreement for Outcraft AI services (the "Principal Agreement") between Outcraft AI, operated by Omera MB, V. Nagevičiaus g. 3, LT-08237 Vilnius, Lithuania ("Outcraft AI", "Processor", "we", "us"), and the customer entity entering into the Principal Agreement ("Customer", "Controller", "you").

This DPA reflects the parties' obligations under applicable data protection laws. In the event of a conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the Processing of Personal Data.

Effective Date: as of Principal Agreement coming into force.

1. DEFINITIONS

1.1 Capitalised terms not defined herein shall have the meanings given in the Principal Agreement or applicable Data Protection Laws.

1.2 "Data Protection Laws" means all applicable privacy and data protection laws, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and the UK GDPR, and any successor legislation, as well as any implementing or supplementary legislation in EU/EEA Member States or the United Kingdom.

1.3 "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Personal Data Breach" have the meanings set forth in GDPR.

1.4 "Customer Personal Data" means Personal Data processed by Outcraft AI on behalf of Customer pursuant to this DPA and the Principal Agreement.

1.5 "Sub-processor" means any third party engaged by Outcraft AI to Process Customer Personal Data.

1.6 "Services" means the AI-powered voice communication, inbound sales, call handling, and related services provided by Outcraft AI to Customer under the Principal Agreement.

1.7 "Supervisory Authority" means any independent public authority responsible for monitoring the application of Data Protection Laws.

1.8 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission pursuant to GDPR Article 46(2)(c), as may be amended or replaced from time to time.

1.9 "UK IDTA" means the UK International Data Transfer Addendum issued by the UK Information Commissioner's Office and laid before Parliament under s119A of the Data Protection Act 2018.

2. ROLES OF THE PARTIES

2.1 Roles of the Parties

Customer is the Controller of Customer Personal Data. Outcraft AI is the Processor and processes Customer Personal Data solely on Customer's documented instructions, including as necessary to provide the Services under the Principal Agreement, unless otherwise required by law.

2.2 Customer's Role and Responsibilities

Customer is solely responsible for:

(a) Determining the purposes and means of Processing Customer Personal Data;

(b) Ensuring it has a lawful basis under Data Protection Laws for Processing Customer Personal Data and for instructing Outcraft AI to Process such data;

(c) Ensuring it has provided appropriate notices to Data Subjects and, where required, obtained necessary consents;

(d) Ensuring compliance with Data Protection Laws in its use of the Services, including compliance with obligations relating to data subject rights, data protection impact assessments (where applicable), and consultation with Supervisory Authorities (where applicable);

(e) The accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired it.

2.3 Outcraft AI's Role and Responsibilities

Outcraft AI shall:

(a) Process Customer Personal Data only on documented instructions from Customer (including as set out in this DPA and the Principal Agreement), unless required to do otherwise by applicable law (in which case Outcraft AI shall inform Customer of that legal requirement before such Processing, unless prohibited by law);

(b) Not Process Customer Personal Data for any purpose other than providing the Services;

(c) Implement appropriate technical and organisational measures to protect Customer Personal Data (as detailed in Clause 6);

(d) Assist Customer in complying with its obligations under Data Protection Laws (as detailed in Clauses 8 to 10).

3. SCOPE AND DETAILS OF PROCESSING

3.1 Purpose of Processing

3.1.1 Outcraft AI processes Customer Personal Data to provide AI-powered inbound sales, voice automation, call handling, and related services.

3.1.2 The Processing is carried out to enable Customer to:

(a) Make AI-powered voice calls to Customer's customers, prospects, and leads;

(b) Record, transcribe, and analyse call conversations;

(c) Manage customer interactions and communications;

(d) Qualify leads and facilitate sales processes;

(e) Provide customer support via AI voice agents;

(f) Provide other Services under the Principal Agreement.

3.2 Duration of Processing

Processing will commence on the date Customer first uploads Customer Personal Data to Outcraft AI's systems for the provision of the Services and will continue until termination or expiry of the Principal Agreement, subject to the retention and deletion provisions in Clause 11.

3.3 Nature of Processing

The nature of Processing includes:

(a) Collection of Customer Personal Data uploaded by Customer or provided by Data Subjects during calls;

(b) Storage of Customer Personal Data on Outcraft AI's systems and Sub-processor systems;

(c) Recording of voice calls initiated through the Services;

(d) Transcription of voice recordings using AI-powered speech-to-text technology;

(e) Analysis of call content using natural language processing;

(f) Organisation, structuring, and retrieval of Customer Personal Data;

(g) Transmission of Customer Personal Data to Customer and authorised Sub-processors;

(h) Service improvement: Outcraft AI processes Customer Data solely for the purpose of providing the Services to the respective Customer, including call handling, transcription, analysis, and related functionality as outlined in this section. By default, Customer Data is not used to train or improve models across different Customers. Any improvements to the Services are based on aggregated or anonymised data, or are limited to the specific Customer's environment where applicable. Where relevant, Customer-specific optimisations (e.g. call flows, prompts, or performance tuning) may be implemented based on that Customer's data, but only for that Customer's use.

(i) Deletion or destruction of Customer Personal Data upon instruction or termination.

3.4 Categories of Data Subjects

Customer Personal Data may relate to the following categories of Data Subjects:

(a) Customer's existing customers;

(b) Customer's prospective customers and sales leads;

(c) Individuals who interact with Customer's AI voice agents;

(d) Customer's employees, contractors, or agents who use the Services.

3.5 Categories of Personal Data

Customer Personal Data may include the following categories:

3.5.1 Identifiers

(a) Full names;

(b) Email addresses;

(c) Telephone numbers (mobile and landline);

(d) Postal addresses;

(e) Customer IDs, account numbers, or other unique identifiers.

3.5.2 Audio and Electronic Information

(a) Voice recordings of telephone calls;

(b) Transcriptions of call audio;

(c) Call recordings metadata (duration, timestamp, caller ID).

3.5.3 Communication Content

(a) Information shared during telephone conversations (e.g., product preferences, questions, feedback, complaints, order details).

3.5.4 Technical Data

(a) IP addresses (if Customer integrates with the Services via web interfaces);

(b) Device information;

(c) Log data.

3.5.5 Commercial Information

(a) Purchase history or intentions;

(b) Product or service interests;

(c) Transaction details.

3.5.6 Inferences

(a) Customer preferences or characteristics derived from call interactions;

(b) Lead qualification scores or assessments.

3.6 Collection and Processing of Special Categories of Personal Data

Outcraft AI does not intentionally collect or process special categories of personal data (as defined in GDPR Article 9), such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification purposes, health data, or data concerning sex life or sexual orientation. If such data is voluntarily disclosed by Data Subjects during calls, Customer is responsible for ensuring it has an appropriate legal basis for Processing such data and that Outcraft AI is authorised to Process it. Customer shall notify Outcraft AI immediately if special categories of data are being Processed so appropriate additional safeguards can be implemented.

3.7 Location of Processing

3.7.1 Primary hosting location: Customer Personal Data is hosted on Amazon Web Services (AWS) in Frankfurt, Germany (EU - AWS eu-central-1 region).

3.7.2 Sub-processor locations: Customer Personal Data may be accessed or processed by Sub-processors located in third countries outside the EU/EEA, as detailed in Clause 7. Appropriate safeguards for international transfers are in place as described in Clause 10.

4. CUSTOMER INSTRUCTIONS

4.1 Customer Instructions

Outcraft AI shall Process Customer Personal Data only on documented instructions from Customer, unless required to do so by applicable law.

4.2 Documented Instructions

Customer's instructions for Processing Customer Personal Data are documented in:

(a) This DPA;

(b) The Principal Agreement (including Terms of Service);

(c) Customer's use of the Services (including uploading data, configuring call scripts, initiating calls, and using platform features);

(d) Written instructions provided by Customer to Outcraft AI from time to time via email to support@outcraft.ai or through the Services' support channels.

4.3 Additional Instructions

4.3.1 Customer may issue additional written instructions concerning Processing that are consistent with the terms of this DPA and the Principal Agreement. Outcraft AI shall comply with such instructions unless they conflict with Data Protection Laws, in which case Outcraft AI shall promptly inform Customer.

4.3.2 If Outcraft AI believes an instruction infringes Data Protection Laws, Outcraft AI shall immediately inform Customer. Outcraft AI may suspend Processing of the relevant instruction until Customer confirms or modifies the instruction.

4.4 Legal Requirement to Process

If Outcraft AI is required by applicable law to Process Customer Personal Data otherwise than in accordance with Customer's instructions, Outcraft AI shall inform Customer of that legal requirement before Processing (unless prohibited by law on important grounds of public interest).

5. CONFIDENTIALITY

5.1 Confidentiality Obligations

Outcraft AI shall ensure that all employees, contractors, and other persons authorised to Process Customer Personal Data:

(a) Are bound by appropriate confidentiality obligations (whether contractual or statutory) that survive the termination of their engagement;

(b) Have received appropriate training on data protection and the confidential nature of Customer Personal Data;

(c) Process Customer Personal Data only as necessary to perform their duties in providing the Services.

5.2 Access Restrictions

5.2.1 Access to Customer Personal Data within Outcraft AI is granted on a strict need-to-know basis and limited to:

(a) Personnel directly involved in providing the Services;

(b) Personnel responsible for technical infrastructure, security, and support;

(c) Personnel necessary to respond to Customer support requests or legal obligations.

5.2.2 Access rights are regularly reviewed and promptly revoked when no longer necessary.

6. SECURITY MEASURES

6.1 Implementation of security measures

Outcraft AI shall implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against Personal Data Breaches, taking into account:

(a) The state of the art;

(b) The costs of implementation;

(c) The nature, scope, context, and purposes of Processing;

(d) The risk of varying likelihood and severity for the rights and freedoms of Data Subjects.

6.2 Encryption

All Customer Personal Data is encrypted in transit and at rest.

6.2.1 Data in Transit

Data in transit is protected as follows:

(a) All data transmitted over public networks is encrypted using HTTPS with TLS 1.3 or higher;

(b) Plaintext transmission of Customer Personal Data is prohibited;

(c) API communications use encrypted channels;

(d) Internal service-to-service communication within the infrastructure uses encrypted connections.

6.2.2 Data at Rest

Data at rest is encrypted as follows:

(a) All Customer Personal Data stored in databases, file systems, and backups is encrypted using AES-256 encryption;

(b) Encryption is managed through AWS Key Management Service (KMS);

(c) Database backups and snapshots are encrypted and stored within the same AWS region;

(d) Certain sensitive data fields (including names, email addresses, and phone numbers) are additionally encrypted at the application level and decrypted only at runtime.

6.3 Infrastructure and Network Security

The Services are hosted on Amazon Web Services (AWS) within the European Union (eu-central-1 region).

6.3.1 Hosting and Infrastructure

Infrastructure security includes:

(a) Primary hosting on AWS in Frankfurt, Germany (eu-central-1 region);

(b) Multi-availability zone deployment for redundancy;

(c) Infrastructure as Code (IaC) for consistent and auditable deployments;

(d) Containerised services using Docker for isolation and security.

6.3.2 Network Security

Network security measures include:

(a) Private Virtual Private Cloud (VPC) with segmented network architecture;

(b) Databases and sensitive services not exposed to public internet;

(c) Network access control lists (NACLs) and security groups restricting traffic;

(d) Whitelisted IP addresses for administrative access;

(e) DDoS protection via Cloudflare;

(f) Web Application Firewall (WAF) protecting against common web exploits (OWASP Top 10);

(g) Rate limiting and abuse prevention mechanisms.

6.4 Access Controls

Multi-factor authentication (MFA) is mandatory for all personnel across identity, collaboration, and operational systems.

6.4.1 Authentication and Authorisation

Authentication and authorisation measures include:

(a) Multi-factor authentication (MFA) mandatory for all personnel accessing production systems, infrastructure, and internal tools;

(b) Role-Based Access Control (RBAC) implemented across all systems;

(c) Principle of least privilege enforced - personnel granted minimum access necessary;

(d) Service accounts use strong, unique credentials;

(e) Regular password rotation policies.

6.4.2 Access Management

Access management procedures include:

(a) Centralised identity and access management (IAM);

(b) Access requests formally approved by authorised personnel;

(c) Access rights reviewed quarterly;

(d) Immediate revocation of access upon employee departure or role change;

(e) All access events logged for audit purposes.

6.5 Monitoring and Logging

Continuous monitoring is implemented using AWS CloudWatch, Grafana, and uptime monitoring tools.

6.5.1 Monitoring

Monitoring activities include:

(a) Continuous monitoring of infrastructure, applications, and security events;

(b) Real-time alerting for security incidents, performance degradation, and availability issues;

(c) Uptime monitoring of critical services;

(d) Automated anomaly detection.

6.5.2 Logging

6.5.2.1 Comprehensive logging includes:

(a) User access and authentication events;

(b) API calls and data access;

(c) System and application errors;

(d) Security-relevant events (failed login attempts, unauthorised access attempts);

(e) Changes to infrastructure and configurations.

6.5.2.2 Logs are stored securely with integrity protection and retained for a minimum of 6 months (and longer where required by law or Customer contract). Logs are regularly reviewed for security incidents and operational issues.

6.6 Vulnerability and Patch Management

Automated dependency and vulnerability scanning is enabled for all infrastructure components.

6.6.1 Vulnerability Management

Vulnerability management includes:

(a) Automated scanning of application dependencies for known vulnerabilities;

(b) Container image scanning for security flaws before deployment;

(c) Infrastructure vulnerability assessments using Amazon Inspector and third-party tools;

(d) Regular security testing, including penetration testing (at least annually);

(e) Vulnerability disclosure programme for responsible reporting of security issues.

6.6.2 Patch Management

Patch management procedures include:

(a) Automated patching of infrastructure components where possible;

(b) Regular security updates applied to operating systems, libraries, and dependencies;

(c) Critical security patches prioritised and applied within 7 days of release;

(d) High-severity patches applied within 30 days;

(e) Change management process for production deployments.

6.7 Incident Response

6.7.1 Outcraft AI maintains a documented incident response plan that includes:

(a) Incident detection and reporting procedures;

(b) Incident classification and severity assessment;

(c) Escalation procedures to senior management and Data Protection Officer;

(d) Investigation and root cause analysis;

(e) Containment and remediation steps;

(f) Communication with affected parties (including Customer, Data Subjects, Supervisory Authorities as required);

(g) Post-incident review and lessons learned.

6.7.2 In the event of a Personal Data Breach affecting Customer Personal Data, Outcraft AI shall comply with the notification obligations in Clause 12.

6.8 Business Continuity and Disaster Recovery

Outcraft AI maintains business continuity and disaster recovery measures to ensure availability and resilience of the Services.

6.8.1 Backup Procedures

Backup procedures include:

(a) Automated daily backups of Customer Personal Data;

(b) Backups encrypted and stored in the same AWS region;

(c) Backup retention: 90 days (or as agreed with Customer);

(d) Regular testing of backup restoration procedures.

6.8.2 Disaster Recovery

Disaster recovery measures include:

(a) Multi-availability zone deployment for high availability;

(b) Documented disaster recovery plan with defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO);

(c) Regular disaster recovery testing.

6.9 Sub-processor Security

Outcraft AI ensures that all Sub-processors:

(a) Implement security measures at least equivalent to those described in this Clause 6, so that the overall level of protection is not less than that required by this DPA;

(b) Are contractually bound to protect Customer Personal Data;

(c) Do not use Customer Personal Data for their own purposes (including AI model training) unless expressly authorised by Customer.

6.10 Updates to Security Measures

Outcraft AI may update the security measures described in this Clause 6 from time to time, provided that such updates do not result in a material degradation of the overall security of the Services.

7. SUB-PROCESSORS

7.1 Current Sub-processors Authorisation

Customer hereby provides general authorisation for Outcraft AI to engage Sub-processors to Process Customer Personal Data, subject to the requirements of this Clause 7.

7.2 List of Current Sub-processors

The current list of Sub-processors authorised by Customer is as follows:

Sub-processor: Amazon Web Services EMEA SARL (AWS)
Service provided: Cloud infrastructure and hosting
Location of Processing: Germany (EU) - primary; may access from other AWS regions
Safeguards for Transfers: EU-based; AWS GDPR DPA; SCCs where applicable

Sub-processor: Cloudflare, Inc.
Service provided: Content delivery network (CDN), DDoS protection, WAF
Location of Processing: United States, EU
Safeguards for Transfers: SCCs; EU-US Data Privacy Framework

Sub-processor: Twilio Inc.
Service provided: Telephony and SMS messaging services
Location of Processing: United States
Safeguards for Transfers: SCCs; EU-US Data Privacy Framework

Sub-processor: VAPI AI
Service provided: Voice AI processing and call handling
Location of Processing: United States
Safeguards for Transfers: SCCs

Sub-processor: OpenAI, L.L.C.
Service provided: AI-based transcription, natural language processing
Location of Processing: United States
Safeguards for Transfers: SCCs; OpenAI Business Agreement prohibiting training on Customer data

Sub-processor: Stripe Payments Europe Ltd
Service provided: Payment processing
Location of Processing: United States
Safeguards for Transfers: SCCs; EU-US Data Privacy Framework

Sub-processor: Wise Europe SA
Service provided: Payment service provider for bank transfers
Location of Processing: United Kingdom, EU
Safeguards for Transfers: UK GDPR adequacy; SCCs where applicable

Sub-processor: Google Ireland Limited (Google Workspace)
Service provided: Google Workspace services (including Gmail) for customer support and communication
Location of Processing: United States, EU
Safeguards for Transfers: SCCs; EU-US Data Privacy Framework

7.3 Sub-processor Restrictions

(a) OpenAI is contractually prohibited from using Customer Personal Data to train or improve AI models;

(b) VAPI AI processes voice data solely to provide call handling services and does not retain recordings beyond what is necessary for service delivery;

(c) All Sub-processors are bound by confidentiality and data protection obligations equivalent to those in this DPA.

7.4 General Authorisation and Notification of Sub-processor Changes

7.4.1 Customer grants Outcraft AI general written authorisation, within the meaning of Article 28(2) GDPR, to engage and replace Sub-processors (including Outcraft AI Affiliates acting as Sub-processors), subject to the notification procedure set out in this Clause 7.4.

7.4.2 Outcraft AI shall maintain and make publicly available an up-to-date list of current Sub-processors at [URL to be inserted] (the "Sub-processor List"), including for each Sub-processor: its name, country of establishment, and a description of the processing activities performed. Updates to the Sub-processor List shall constitute valid notice to Customer of the relevant Sub-processor change for the purposes of this Clause 7.4. Customer is responsible for monitoring the Sub-processor List or subscribing to the RSS feed to receive updates.

7.4.3 Outcraft AI shall update the Sub-processor List at least 10 days prior to any new or replacement Sub-processor (other than an Affiliate Sub-processor under Clause 7.4.5) commencing processing of Customer Personal Data.

7.4.4 Notwithstanding Clause 7.4.3, Outcraft AI may engage a new or replacement Sub-processor with less than 10 days' notice where required to address an urgent security, legal, or operational requirement. In such circumstances, Outcraft AI shall update the Sub-processor List as soon as reasonably practicable, which shall constitute notice to Customer.

7.4.5 Affiliate Sub-processors. Customer hereby specifically authorises Outcraft AI to engage any current or future Outcraft AI Affiliate as a Sub-processor without prior individual notification, provided that:

(a) such Affiliate is listed on the Sub-processor List at the time of, or promptly following, its engagement; and

(b) Outcraft AI remains fully liable for the acts and omissions of any such Affiliate Sub-processor as if they were the acts and omissions of Outcraft AI itself.

For the purposes of this Clause, "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with Outcraft AI, where "control" means ownership of more than 50% of the voting interests of the subject entity.

7.5 Objection to new Sub-processors

7.5.1 Customer may object to Outcraft AI's appointment of a new or replacement Sub-processor on reasonable and documented data protection grounds by notifying Outcraft AI in writing within 10 days of the Sub-processor List being updated pursuant to Clause 7.4.3. For the avoidance of doubt, the right of objection under this Clause 7.5 does not apply to:

(a) Affiliate Sub-processors engaged pursuant to Clause 7.4.5; or

(b) Sub-processors engaged on an urgent basis under Clause 7.4.4, provided that Customer may raise concerns regarding such Sub-processors in accordance with Clause 7.5.2 following the update to the Sub-processor List.

7.5.2 Any objection must specify in reasonable detail the data protection grounds on which it is based. Outcraft AI shall not be required to consider objections that are not based on demonstrable data protection concerns.

7.5.3 If Customer raises a valid objection, Outcraft AI and Customer shall discuss the concerns in good faith. If no resolution is reached within 15 days of the objection:

(a) Outcraft AI shall not be required to refrain from using the Sub-processor in connection with services provided to customers generally; and

(b) Customer may, as its sole remedy, terminate the affected Services upon 30 days' written notice to Outcraft AI, and shall receive a pro-rated refund of prepaid fees covering the unexpired period after the date of termination.

7.5.4 If Customer does not object within the 10-day period referred to in Clause 7.5.1, Customer shall be deemed to have accepted the new or replacement Sub-processor.

7.6 Liability for Sub-processors

Outcraft AI shall be liable for the acts and omissions of its Sub-processors only to the extent that such acts or omissions directly cause a breach of this DPA, and subject to the limitations of liability set forth in the Principal Agreement.

8. DATA SUBJECT RIGHTS

8.1 Data Subject Rights Requests

Customer is responsible for responding to requests from Data Subjects exercising their rights under Data Protection Laws (including rights of access, rectification, erasure, restriction, data portability, and objection where applicable).

8.2 Assistance with Data Subject Requests

Outcraft AI shall, taking into account the nature of the Processing, provide reasonable assistance to Customer to enable Customer to respond to such requests, including by:

(a) Providing Customer with the ability to access, retrieve, correct, and delete Customer Personal Data through the Services' user interface;

(b) Responding promptly to Customer's written requests for assistance in locating or providing Customer Personal Data;

(c) Providing technical assistance where Customer is unable to independently access or retrieve data through the Services.

8.3 Data Subject Requests Received by Outcraft AI

If Outcraft AI receives a Data Subject request directly from a Data Subject whose personal data is included in Customer Personal Data, Outcraft AI shall:

(a) Notify Customer promptly (within 7 business days) and provide details of the request;

(b) Not respond to the Data Subject directly (unless legally required to do so or instructed by Customer);

(c) Forward the request to Customer where legally permitted;

(d) Provide reasonable assistance to Customer in responding to the request, as described in Clause 8.2.

8.4 Fees for Assistance

8.4.1 Assistance provided under Clause 8.2 within the scope of normal Services operations shall be provided at no additional charge.

8.4.2 Outcraft AI shall be entitled to charge reasonable fees at its then-current professional services rates for any assistance that requires effort or resources beyond the scope of Clause 8.4.1, including but not limited to manual data extraction, bespoke reporting, extensive search and retrieval processes, or requests exceeding reasonable frequency or volume.

9. DATA PROTECTION IMPACT ASSESSMENTS AND PRIOR CONSULTATION

9.1 Assistance with DPIAs

9.1.1 Where required by Data Protection Laws, Customer is responsible for conducting Data Protection Impact Assessments (DPIAs) for its Processing activities using the Services.

9.1.2 Upon Customer's written request, Outcraft AI shall provide reasonable assistance to Customer in conducting a DPIA, including by:

(a) Providing information about the nature of the Processing, technical and organisational measures implemented by Outcraft AI, and Sub-processors engaged;

(b) Providing documentation describing the Services' security measures and data flows;

(c) Responding to Customer's reasonable written questions relevant to the DPIA.

9.2 Prior Consultation with Supervisory Authorities

If Customer is required to consult with a Supervisory Authority prior to Processing under GDPR Article 36, Outcraft AI shall, upon written request, provide reasonable assistance to Customer in such consultation, including by providing relevant information about the Processing activities and security measures.

10. INTERNATIONAL DATA TRANSFERS

10.1 International Data Transfers

Outcraft AI is established in the European Union and primarily processes Customer Personal Data in the EU. Where Customer Personal Data is transferred to the United Kingdom or the United States (for example, via Sub-processors), Outcraft AI relies on appropriate legal safeguards required by applicable law, including the EU Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum.

10.2 Hosting and Primary Processing Location

Customer Personal Data is primarily hosted and Processed within the European Union (Germany) on AWS infrastructure.

10.3 Transfers to Third Countries

Customer Personal Data may be transferred to, or accessed from, countries outside the EU/EEA in the following circumstances:

(a) Sub-processor access: Certain Sub-processors are located in, or may access Customer Personal Data from, third countries including the United States;

(b) Legal requirements: Outcraft AI may be required by law to transfer or provide access to Customer Personal Data to authorities in third countries.

10.4 Safeguards for International Transfers

Where Customer Personal Data is transferred outside the EU/EEA to countries not subject to an adequacy decision under GDPR Article 45, Outcraft AI ensures that appropriate safeguards are in place as required by GDPR Article 46.

10.5 Standard Contractual Clauses (SCCs)

10.5.1 To the extent required by applicable Data Protection Laws, Outcraft AI will incorporate the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) into its agreements with Sub-processors located in third countries.

10.5.2 Where Outcraft AI transfers Customer Personal Data to Sub-processors in third countries and SCCs are used:

(a) Module 3 (Processor to Processor) of the SCCs shall apply, as appropriate;

(b) Outcraft AI (as data exporter) and the Sub-processor (as data importer) will be parties to the SCCs.

10.6 EU-US Data Privacy Framework

Where Sub-processors participate in the EU-US Data Privacy Framework and are certified under that framework, Outcraft AI may rely on that framework as an appropriate safeguard for transfers to those Sub-processors instead of SCCs.

10.7 Transfers in Connection with Corporate Transactions

If Outcraft AI is involved in a merger, acquisition, reorganisation, or sale of all or substantially all of its assets, Customer Personal Data may be transferred to the acquiring or successor entity as part of such transaction. In such event, Outcraft AI shall: (a) notify Customer of such transfer prior to or promptly following the completion of the transaction; (b) ensure that the acquiring or successor entity agrees to be bound by obligations no less protective than those set forth in this DPA; and (c) inform Customer of any choices Customer may have regarding the continued Processing of Customer Personal Data by the acquiring or successor entity.

10.8 Notification of Government Requests

If Outcraft AI or a Sub-processor receives a legally binding request from a government authority or law enforcement agency for access to Customer Personal Data, Outcraft AI (or the Sub-processor, where contractually required) shall:

(a) Notify Customer promptly, unless legally prohibited;

(b) Attempt to redirect the requesting authority to Customer;

(c) Challenge the request if Outcraft AI has reasonable grounds to believe it is unlawful;

(d) Provide only the minimum data required to comply with the request.

11. RETENTION AND DELETION

11.1 Retention During Services Term

11.1.1 During the term of the Principal Agreement, Outcraft AI shall retain Customer Personal Data in accordance with Customer's instructions and the following default retention periods:

(a) Call recordings and transcripts: Retained for 6 months from the date of the call, unless:

(i) Customer instructs earlier deletion (which Customer may do via the Services' user interface or by contacting support@outcraft.ai); or

(ii) Customer instructs longer retention (up to a maximum of 24 months, subject to agreement and additional fees).

(b) Contact details and customer data: Retained for the duration of Customer's active use of the Services.

(c) Account and usage data: Retained for the duration of the Principal Agreement.

11.1.2 Customer may delete Customer Personal Data at any time through the Services' user interface or by instructing Outcraft AI in writing.

11.2 Retention for Legal and Regulatory Purposes

Notwithstanding Clause 11.1, Outcraft AI may retain Customer Personal Data to the extent required by applicable law, including:

(a) Financial and billing records (retained for up to 10 years as required by tax and accounting laws);

(b) Data necessary to defend or pursue legal claims (retained until the expiry of applicable limitation periods);

(c) Data required to be retained by court order or regulatory authority.

11.3 Return or Deletion Upon Termination

11.3.1 Upon termination or expiry of the Principal Agreement, Outcraft AI shall, at Customer's choice:

(a) Option 1 - Return: Return Customer Personal Data to Customer in a commonly used, machine-readable format (e.g., CSV, JSON) where technically feasible. Customer must make this request within 30 days of termination; or

(b) Option 2 - Deletion: Delete all Customer Personal Data from Outcraft AI's systems and instruct Sub-processors to do the same.

11.3.2 Timeframe for deletion:

(a) Production systems: Customer Personal Data deleted within 30 days of termination or receipt of deletion instruction;

(b) Backup systems: Customer Personal Data deleted from backups within 90 days of termination, in the ordinary course of backup rotation.

11.3.3 Certification of deletion: Upon request, Outcraft AI shall provide written certification that Customer Personal Data has been deleted in accordance with Clause 11.3.1.

11.3.4 Exceptions: Outcraft AI may retain copies of Customer Personal Data to the extent required by law (as described in Clause 11.2). Such retained data shall remain subject to confidentiality obligations and shall be deleted once the legal retention period expires.

12. PERSONAL DATA BREACH NOTIFICATION

12.1 Personal Data Breach Notification

Outcraft AI will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information reasonably necessary for Customer to meet its legal obligations.

12.2 Notification to Customer

If Outcraft AI becomes aware of a Personal Data Breach affecting Customer Personal Data, Outcraft AI shall:

(a) Notify Customer promptly: Without undue delay, and in any event within 24 hours of becoming aware of the breach, Outcraft AI shall notify Customer via email to the email address associated with Customer's account.

(b) Provide details: The notification shall include, to the extent known at the time of notification:

(i) Description of the nature of the Personal Data Breach, including (where possible) the categories and approximate number of affected Data Subjects and data records;

(ii) Name and contact details of Outcraft AI's Data Protection Officer or other contact point;

(iii) Description of the likely consequences of the breach;

(iv) Description of measures taken or proposed by Outcraft AI to address the breach and mitigate its adverse effects.

(c) Provide updates: Outcraft AI shall provide Customer with updates and additional information about the breach as it becomes available.

12.3 Customer's Notification Obligations

12.3.1 Customer acknowledges that, as the Controller, Customer is responsible for determining whether the Personal Data Breach must be notified to the relevant Supervisory Authority (under GDPR Article 33) or to affected Data Subjects (under GDPR Article 34 or other applicable Data Protection Law).

12.3.2 Outcraft AI shall provide reasonable cooperation and assistance to Customer in complying with these obligations, including by providing the information described in Clause 12.2.

12.4 Outcraft AI's Remediation

12.4.1 Outcraft AI shall take reasonable steps to:

(a) Investigate the Personal Data Breach;

(b) Contain and remediate the breach;

(c) Prevent future similar breaches;

(d) Mitigate harm to Data Subjects.

12.4.2 Customer may request information about the remediation measures taken by Outcraft AI.

12.5 No Acknowledgement of Fault

Notification of a Personal Data Breach under this Clause 12 does not constitute an acknowledgement by Outcraft AI of any fault or liability with respect to the breach.

13. AUDITS AND INSPECTIONS

13.1 Audit Rights

Customer (or a third-party auditor mandated by Customer) may, upon reasonable written notice (at least 30 days in advance) and during regular business hours, audit Outcraft AI's compliance with this DPA, subject to the following conditions:

(a) Frequency: No more than once per year, unless:

(i) Expressly required by a Supervisory Authority or applicable law; or

(ii) A confirmed Personal Data Breach has occurred that materially affects Customer Personal Data, and Customer has reasonable grounds to believe that an audit is necessary to verify Outcraft AI's remediation measures.

(b) Scope: Audits shall be limited to verification of Outcraft AI's compliance with its obligations under this DPA and Data Protection Laws.

(c) Confidentiality: Customer and any third-party auditor shall execute a confidentiality agreement acceptable to Outcraft AI before commencing the audit.

(d) Non-disruption: Audits shall be conducted in a manner that does not unreasonably interfere with Outcraft AI's business operations or the privacy and security of other customers' data.

(e) Costs: Customer shall bear all costs associated with the audit, including Outcraft AI's reasonable internal costs and any fees charged by Outcraft AI for staff time and assistance (charged at Outcraft AI's then-current professional services rates).

13.2 Alternative Audit Mechanisms

13.2.1 In lieu of an on-site audit, Customer may:

(a) Request and review relevant portions of Outcraft AI's SOC 2 Type II report (or equivalent third-party audit report), if available;

(b) Request written responses to a standardised information security questionnaire;

(c) Request documentation evidencing compliance with specific provisions of this DPA.

13.2.2 Outcraft AI shall provide such alternative audit mechanisms at no additional charge once per calendar year. Additional requests or extensive requests may be subject to reasonable fees at Outcraft AI's then-current professional services rates.

13.3 Supervisory Authority Inspections

Outcraft AI shall cooperate with Supervisory Authority inspections and investigations concerning Customer Personal Data, to the extent required by Data Protection Laws. Where such inspection or investigation relates to Customer or Customer's Processing activities, Customer shall bear all reasonable costs incurred by Outcraft AI in connection with such cooperation.

14. LIABILITY AND INDEMNIFICATION

14.1 Limitation of Liability

14.1.1 Except as expressly set forth in this DPA, the limitations and exclusions of liability set out in the Principal Agreement shall apply to any claims arising under or in connection with this DPA.

14.1.2 Each party's liability, taken together under the Principal Agreement and this DPA, shall be subject to the limitations of liability set out in the Principal Agreement.

14.2 Liability Allocation Under Data Protection Laws

To the extent permitted by applicable Data Protection Laws:

(a) Customer liability: Customer shall be liable for Customer's own violations of Data Protection Laws, including failure to have a lawful basis for Processing, failure to provide appropriate notices to Data Subjects, and failure to respond to Data Subject rights requests.

(b) Outcraft AI liability: Outcraft AI shall be liable for Outcraft AI's violations of this DPA or Data Protection Laws in its role as Processor.

(c) Sub-processor liability: Outcraft AI shall be liable for the acts and omissions of its Sub-processors as if they were Outcraft AI's own acts and omissions.

14.3 Data Subject Claims

If a Data Subject brings a claim against Customer or Outcraft AI concerning the Processing of Customer Personal Data:

(a) The party receiving the claim shall promptly notify the other party;

(b) The parties shall cooperate in good faith to defend or settle the claim;

(c) Each party shall bear its own legal costs unless otherwise agreed or required by applicable law.

15. TERM AND TERMINATION

15.1 Term

This DPA shall commence on the effective date stated above and shall continue for as long as Outcraft AI Processes Customer Personal Data on behalf of Customer.

15.2 Termination

This DPA shall terminate automatically upon the termination or expiry of the Principal Agreement, subject to the retention and deletion provisions in Clause 11.

15.3 Survival

The following provisions shall survive termination of this DPA: Clause 5 (Confidentiality), Clause 11 (Retention and Deletion), Clause 14 (Liability and Indemnification), Clause 16 (Governing Law), and any other provisions that by their nature are intended to survive termination.

16. GOVERNING LAW AND JURISDICTION

16.1 Governing Law

This DPA and any non-contractual obligations arising out of or in connection with it shall be governed by the laws of Lithuania (or the governing law specified in the Principal Agreement), except where Data Protection Laws require otherwise.

16.2 Jurisdiction

The courts of Vilnius, Lithuania (or the jurisdiction specified in the Principal Agreement) shall have exclusive jurisdiction to resolve any disputes arising out of or in connection with this DPA, except where Data Protection Laws provide Data Subjects or Supervisory Authorities with additional rights to bring claims in other jurisdictions.

16.3 GDPR Article 82 - Data Subject Claims

Nothing in this DPA affects the rights of Data Subjects under GDPR Article 82 to bring claims and receive compensation for damages resulting from infringements of the GDPR.

17. GENERAL PROVISIONS

17.1 Order of Precedence

In the event of any conflict or inconsistency between the provisions of this DPA and the Principal Agreement, this DPA shall prevail to the extent of the conflict or inconsistency with respect to the Processing of Customer Personal Data.

17.2 Amendments

17.2.1 Outcraft AI may amend this DPA from time to time to reflect:

(a) Changes in Data Protection Laws;

(b) Guidance or determinations issued by Supervisory Authorities;

(c) Changes to the Services or Processing activities.

17.2.2 Outcraft AI shall notify Customer of material amendments by email at least 30 days before they take effect. Customer's continued use of the Services after such amendments take effect constitutes acceptance of the amended DPA.

17.2.3 If Customer objects to any amendment, Customer shall notify Outcraft AI in writing within fifteen (15) days of receiving notice of the amendment, specifying in reasonable detail the grounds for such objection. Upon receipt of such objection, Outcraft AI shall, within a reasonable timeframe, provide Customer with an explanation of the rationale for the amendment or propose alternative modifications to address Customer's concerns. The parties shall negotiate in good faith to resolve any disagreement. If the parties are unable to reach agreement within thirty (30) days of Customer's initial objection, Customer may terminate this DPA and the Principal Agreement by providing written notice to Outcraft AI, such termination to take effect upon the later of (i) the effective date of the disputed amendment, or (ii) thirty (30) days following Customer's termination notice.

17.3 Severability

If any provision of this DPA is found to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable whilst preserving the parties' intent.

17.4 Waiver

No failure or delay by either party in exercising any right under this DPA shall constitute a waiver of that right. No waiver shall be effective unless made in writing and signed by the party granting the waiver.

17.5 Entire Agreement

This DPA, together with the Principal Agreement, constitutes the entire agreement between the parties concerning the Processing of Customer Personal Data and supersedes all prior agreements, understandings, and communications (whether written or oral) concerning the same subject matter.

17.6 Third-Party Beneficiaries

This DPA does not confer any rights on any third party, except that Data Subjects are third-party beneficiaries of Clause 6 (Security Measures), Clause 8 (Data Subject Rights), Clause 12 (Personal Data Breach Notification), and Clause 14.3 (Data Subject Claims), and may enforce those provisions directly against Outcraft AI.

18. CONTACT

For any questions, concerns, or requests under this DPA, please contact:

Outcraft AI (Omera MB)
V. Nagevičiaus g. 3
LT-08237 Vilnius
Lithuania

Email: privacy@outcraft.ai