Security
Strong Security for Your Peace of Mind
Protecting your data is our first priority. Our security program is ingrained in how we design our products, the operational security practices we put in place, and the layers of protection we provide. It’s not only how we gain customer trust, but it’s how we ensure our customers can earn and keep the trust of their customers, users, and partners.
Outreach is built to secure your most sensitive data
Data Security
Data at rest and in transit
Data is encrypted both at rest and in transit using industry-leading encryption standards. Outreach employs a top-tier Security Incident and Event Monitoring (SIEM) solution to monitor protected information. The Outreach platform also provides additional controls, such as governance capabilities, to further protect our customers’ users and their data.
Cloud datacenter security
Outreach’s production infrastructure is hosted on Amazon Web Services as our primary Infrastructure as a Service (IaaS) provider. In addition to AWS’s extensive list of security and privacy certifications, Outreach also implements and attests to its own set of policies and practices to secure your data.
Compute security
Outreach services run primarily as Kubernetes-controlled containers. Outreach’s policies and standards also govern the management of our container infrastructure.
Data recovery
All data you store in Outreach is fully backed up with tested and certified disaster recovery processes in place. Outreach handles data backup and disaster recovery. Our current RTO and RPO times are within 24 hours.
Product Security
Vulnerability prevention
Outreach follows OWASP guidelines and makes use of both automated (SAST/SCA) and manual security controls as part of the Security Development Lifecycle. Outreach's SDLC is audited by an independent third party and is attested to in our SOC 2 Type II report.
Security software development lifecycle standard
The Outreach Software Development Lifecycle (SDLC) standard incorporates security practices throughout our platform’s planning, development, and release processes.
Cloud security
Outreach leverages industry-leading Cloud Security Posture Management capabilities further securing our robust and resilient cloud infrastructure.
Penetration testing
Outreach contracts with industry-leading penetration testing providers to examine our production architecture at least once a year through more scoped, formal probing.
Single sign-on (SSO)
When a user connects to Outreach, they use a web browser over an enforced Transport Layer Security (TLS) 1.2 or higher connection. The Outreach platform supports federated access via SAML 2.0 in order to provide SSO by any number of Identity Providers (IdP). Learn More
Bug bounty program
Outreach employs a private bug bounty program that enables a large pool of security researchers to test our platform on a continuous basis. Report a Security Issue.
Enterprise Security
Endpoint security
All corporate desktops and laptops are managed with enterprise device management and endpoint protection software.
Personnel security
Security starts with the people Outreach employs. We implement security controls for employees and contractors before, during, and after their tenure at Outreach. These controls include security and privacy training and automated deprovisioning of both logical and physical access to Outreach resources.
Business continuity and disaster recovery
Outreach maintains a Business Continuity Policy, which mandates that the Business Continuity Plan (BCP), testing, and procedures are updated and performed at least annually.
System status transparency
Frequently asked questions
We will inform you if there are any important changes to the service with respect to security, privacy, and compliance. This information is delivered via our in-app notification system as well as via email to your Outreach admin. We also promptly notify you if your data has been accessed improperly.
Access to customer data is strictly controlled and logged, and sample audits are performed by both Outreach and third parties to attest that access is only for appropriate business purposes. We recognize the extra importance of our customers' content. If someone such as Outreach support personnel or your own administrators access your content on the service, we can provide you with a report on that access upon request. Further details on important aspects of data storage, such as where your data resides in terms of geographic location, who at Outreach can access it, and what we do with that information internally can be found in the data processing terms of your agreement.
As a customer of Outreach, you own and control your data. We do not use your data for anything other than providing you with the service to which you have subscribed. As a service provider, we do not scan your email or documents for advertising purposes.
Yes. Outreach develops our platform with privacy in mind and provides granular governance settings, self-serve data controls, and opt-out options across our platform.
Outreach maintains SOC 2 Type II, ISO 27001, ISO 27701, EU-U.S. Privacy Shield, and TRUSTe certifications. Many of these measures are detailed in the data processing terms and/or DPA of your agreement. We also execute DPAs, including EU/UK standard contractual clauses, with our vendors who process customer data. For more information, please visit the Compliance section.
We apply best practices in design and operations, such as redundancy, resiliency, distributed services, and monitoring—to name a few. For more information and to subscribe to service alerts, please visit our System Status page.
