
Outbound Engine Data Processing Agreement

Author: Soufiane Boudarraja

Date: February 24, 2026

1. Parties and scope

This Data Processing Agreement ("DPA") forms part of the contractual framework between:

1) Customer ("Controller"): the entity that determines the purposes and means of processing personal data, and

2) Soufiane Boudarraja ("Processor"): the service provider processing personal data on behalf of the Customer.

This DPA applies to the Soufiane Boudarraja ecosystem (the "Ecosystem") where, and only where, Soufiane Boudarraja processes personal data on behalf of the Customer as a Processor in connection with the "Services".

If Soufiane Boudarraja acts as an independent Controller (for example, website visitors, direct customers of digital products, or POD buyers), the Privacy Policy applies instead of this DPA. If the parties act as separate Controllers (Controller-to-Controller), this DPA does not apply unless agreed in writing.

2. Definitions

"GDPR" means Regulation (EU) 2016/679.

"Personal Data", "Processing", "Controller", "Processor", and "Supervisory Authority" have the meanings set out in the GDPR.

"Customer Data" means Personal Data processed by the Processor on behalf of the Customer under this DPA.

"Subprocessor" means a third party engaged by the Processor to process Customer Data on behalf of the Customer.

"Services" means the professional services, software, and deliverables provided under the applicable contract, statement of work, order form, or similar agreement (the "Principal Agreement").

3. Processing details

The subject matter, duration, nature, and purpose of processing, the types of Personal Data, and categories of Data Subjects are described in Annex 1 (Processing Details). The processing will be limited to what is necessary to provide the Services.

4. Processor obligations

The Processor shall:

  1. Process Customer Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law; in such a case, the Processor shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

  2. Ensure that persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

  3. Implement appropriate technical and organisational measures ("TOMs") to ensure a level of security appropriate to the risk, as described in Annex 2, taking into account Article 32 GDPR.

  4. Respect the conditions for engaging Subprocessors as set out in Section 6.

  5. Assist the Customer by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights under Chapter III GDPR.

  6. Assist the Customer in ensuring compliance with obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, DPIAs, and prior consultation), taking into account the nature of processing and the information available to the Processor.

  7. At the choice of the Customer, delete or return all Customer Data after the end of the provision of Services relating to processing, and delete existing copies unless Union or Member State law requires storage.

  8. Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to Section 11.

5. Customer obligations

The Customer shall:

  • Ensure it has a lawful basis for processing Customer Data and for instructing the Processor to process Customer Data.

  • Provide documented instructions and ensure those instructions comply with applicable law.

  • Ensure transparency notices are provided to Data Subjects where required, including for use of processors and international transfers.

  • Be responsible for the accuracy, quality, and legality of Customer Data supplied to the Processor.

  • Configure and use any third-party tools it selects or controls in a compliant manner, including user permissions and retention settings.

6. Subprocessors

The Customer grants the Processor general authorisation to engage Subprocessors to process Customer Data for the purposes of providing the Services, subject to the requirements below.

6.1 Subprocessor conditions

  • The Processor shall impose on each Subprocessor data protection obligations substantially similar to those set out in this DPA, including appropriate security measures.

  • The Processor remains responsible for the performance of the Subprocessor’s obligations.

6.2 Subprocessor list and updates

A current list of categories of Subprocessors and tool types used for the Ecosystem is maintained in the Third Party Tools and Data Providers Annex (Policy 14). For customer-specific engagements, the applicable Subprocessors may depend on the Services and the Customer’s chosen tooling.

Where a change introduces a new Subprocessor that will process Customer Data for an ongoing engagement, the Processor will provide advance notice where reasonably possible. The Customer may object on reasonable grounds related to data protection. If the parties cannot resolve the objection, either party may terminate the affected part of the Services, without penalty beyond fees owed for work performed up to termination, unless the Principal Agreement provides otherwise.

7. International transfers

Customer Data should be processed within the European Economic Area ("EEA") by default where the Services and chosen tools allow. Where Customer Data is transferred outside the EEA, the transfer will be subject to an appropriate safeguard under Chapter V GDPR.

7.1 Transfer mechanisms

  • Adequacy decision (Article 45 GDPR), where applicable.

  • Standard Contractual Clauses ("SCCs") adopted by the European Commission (Article 46 GDPR), where applicable.

  • Other lawful mechanisms recognised under GDPR Chapter V, where applicable.

Where SCCs are required, the parties agree to use the SCCs adopted by Commission Implementing Decision (EU) 2021/914, with the module(s) appropriate to the relationship (typically Controller-to-Processor). The SCCs are incorporated by reference and apply to the extent required for the transfer.

8. Security (Article 32 GDPR)

The Processor shall implement and maintain appropriate TOMs as described in Annex 2. The Processor may update TOMs over time to reflect evolving risks and technology, provided that the overall security level is not materially degraded.

9. Personal data breach notification

The Processor shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. The notification will include, to the extent available, the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach. The Processor will cooperate with the Customer’s reasonable requests for additional information.

10. Assistance with Data Subject requests

Taking into account the nature of processing, the Processor shall assist the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil requests by Data Subjects to exercise their rights under Chapter III GDPR. If the Processor receives a request directly from a Data Subject relating to Customer Data, the Processor shall, unless legally prohibited, promptly forward the request to the Customer and shall not respond except on the Customer’s documented instructions.

11. Audits and compliance information

The Processor shall make available information necessary to demonstrate compliance with this DPA. Audits may be conducted by the Customer or an independent auditor mandated by the Customer, subject to the following conditions:

  • Audit requests must be reasonable, proportionate, and limited to processing activities covered by this DPA.

  • Audits shall be scheduled with reasonable advance notice and during normal business hours, unless a breach or urgent legal requirement justifies accelerated timing.

  • Audits shall be conducted in a manner that avoids unnecessary disruption and protects the confidentiality and security of other customers and the Processor’s systems.

  • The Customer bears its own audit costs and reimburses the Processor for reasonable time spent supporting the audit, unless the audit reveals a material breach of this DPA by the Processor.

12. Deletion and return of data

Upon termination or expiry of the Services involving processing under this DPA, the Processor shall, at the Customer’s choice, delete or return Customer Data, and delete existing copies, unless storage is required by Union or Member State law. Where deletion is chosen, the Processor will delete Customer Data from active systems within a commercially reasonable period and may retain limited backups for a limited period consistent with security and disaster recovery practices.

13. Confidentiality

The Processor shall treat Customer Data as confidential and shall ensure that persons authorised to process Customer Data are bound by confidentiality. This obligation is in addition to any confidentiality provisions in the Principal Agreement.

14. Liability

Liability under this DPA follows the liability allocation in the Principal Agreement, unless mandatory law requires otherwise. Nothing in this DPA limits either party’s liability where such limitation is not permitted under applicable law.

15. Order of precedence

In the event of a conflict between this DPA and the Principal Agreement, this DPA prevails with respect to data protection obligations, unless the parties expressly agree otherwise in writing. Annexes form part of this DPA.

16. Contact

Processor contact for data protection matters:

Soufiane Boudarraja

Waldstr. 74, 65451 Kelsterbach, Hesse, Germany

Email: Soufiane.Boudarraja@soufbouda.com

Phone: +49 152 2717 9992

Annex 1: Processing Details (Article 28(3) GDPR)

This Annex describes typical processing details for Ecosystem services where Soufiane Boudarraja acts as a Processor. For a specific engagement, the parties may refine these details in the statement of work or order form.

A. Subject matter

  • Provision of consulting, advisory, operational governance, enablement, training, and transformation services.

  • Provision of software, automation, and related support services (including Outbound Engine and Outbound Assistant) where the Customer provides personal data for processing.

  • Provision of research, diagnostics, data enrichment, outreach enablement, and related deliverables where the Customer provides personal data or instructs processing of personal data.

B. Duration

For the term of the Principal Agreement and any applicable transition period required to return or delete Customer Data, subject to Section 12.

C. Nature of processing

  • Collecting, receiving, recording, organising, structuring, storing, adapting, consulting, using, disclosing by transmission (where instructed), aligning, combining, restricting, erasing, and destroying Customer Data.

  • User management and access control for shared workspaces where applicable.

  • Generation of reports, dashboards, and operational deliverables using Customer Data where instructed.

D. Purpose of processing

  • Deliver the Services as instructed by the Customer.

  • Operate and secure the service environment, including authentication, logging, monitoring, and incident response.

  • Provide support, troubleshooting, and service improvement related to the Customer engagement.

E. Categories of Data Subjects

  • Customer employees, contractors, and authorised users.

  • Customer clients, prospects, leads, suppliers, and business contacts, as provided or instructed by the Customer.

  • Other individuals whose data the Customer lawfully provides for processing in connection with the Services.

F. Types of Personal Data

  • Identity and contact data (name, role, business email, business phone, company, job title, location).

  • Communication and interaction data (emails, messages, meeting notes, call summaries, responses) as provided by the Customer.

  • Account and access data (user IDs, login metadata, permissions) where shared workspaces are used.

  • Business relationship data (account assignments, pipeline data, outreach status, meeting scheduling metadata).

  • Technical data necessary to operate the Services (device identifiers, logs, IP addresses, timestamps) where applicable.

Special categories of data (Article 9 GDPR) are not intended to be processed. If the Customer instructs processing of special categories or criminal offence data (Article 10 GDPR), the parties must agree additional safeguards in writing before such processing occurs.

Annex 2: Technical and Organisational Measures (TOMs)

The TOMs below describe a baseline security posture for the Ecosystem services. Actual measures may vary depending on the Service and tool stack. The Processor maintains measures appropriate to risk and may provide engagement-specific TOM details upon request.

A. Organisational measures

  • Confidentiality commitments for any authorised persons with access to Customer Data.

  • Access controls based on least privilege and need-to-know principles.

  • Data minimisation practices for deliverables and shared files where feasible.

  • Incident response process for identifying, containing, investigating, and remediating security events.

  • Vendor and tool selection guided by the Third Party Tools and Data Providers Annex.

B. Technical measures

  • Account security: strong authentication practices, including multi-factor authentication where supported by the platform.

  • Encryption in transit using TLS for web-based services where supported; encryption at rest where supported by providers.

  • Secure configuration of devices used for service delivery (OS updates, malware protection, disk encryption where available).

  • Logging and monitoring appropriate to the service context, with access controls for logs.

  • Backups and recovery practices appropriate to the tooling used, with controlled access and retention.

  • Segregation of Customer Data using separate workspaces, folders, or logical separation measures where supported.

C. Availability and resilience

  • Use of reputable hosting and cloud services where applicable.

  • Reasonable continuity planning based on the scale of the engagement.

D. Testing and improvement

  • Regular updates of software and dependencies where applicable.

  • Review of access permissions periodically for active engagements.

Annex 3: Subprocessors

Subprocessors may be used depending on the Services and the Customer’s chosen tools. A description of categories of third-party tools and typical providers used in the Ecosystem is maintained in the Third Party Tools and Data Providers Annex (Policy 14). If the Customer requests a list of the specific Subprocessors used for a particular engagement, the Processor will provide it on request.
