Trust Center

Security, compliance, and data stewardship

Outreach OS is designed for self-hosted or single-tenant deployments: you retain custody of the database, encryption keys, and integration credentials. This page summarizes the posture buyers typically review before legal and security sign-off.

Procurement

Request the automated compliance bundle (encryption, RBAC, retention, audit) from your workspace admin via GET /api/ops/procurement-fast-lane.

Defense in depth

JWT session material is isolated from DATA_ENCRYPTION_KEY. Webhook signing secrets never share the JWT namespace.

Least-privilege RBAC

Six built-in roles with explicit API permissions enforced in middleware — no silent super-user paths in tenant APIs.

Operational evidence

Correlated event ledger, n8n action traces, webhook delivery receipts, and audit entries export as signed evidence packs.

Compliance certifications & posture

Status reflects product controls and documentation readiness — not a substitute for your counsel or your auditor’s opinion letter.

SOC 2 Type II

Readiness program

Controls mapped to Trust Services Criteria; formal audit engagement is customer-scheduled.

GDPR

Processor-ready

DSAR hooks, configurable retention, and a DPA-aligned subprocessor list (deployment-specific).

ISO 27001

Inherited controls

Leverage your cloud provider’s ISO scope; application controls are documented in the procurement pack.

Data handling practices

  • PostgreSQL holds tenant workflow state; classify tables per your record-of-processing.
  • LLM / CRM / enrichment keys are stored encrypted; prompts should run through redaction utilities before model calls.
  • Audit metadata avoids raw PII where possible; correlate investigations via stable IDs and correlation headers.
  • Webhooks use replay windows, nonce tracking, and dead-letter queues with operator-visible reprocess trails.

Subprocessors (typical)

  • Managed PostgreSQL (region per deployment)
  • Application host / CDN (e.g. Vercel, AWS, Azure — your stack)
  • Optional: LLM provider, Apollo or similar enrichment, Stripe for billing

Update this list for your production footprint and attach it to your DPA annex. The in-app procurement bundle includes a templated subprocessor section you can customize.

Contact

Security reviews, RFP questionnaires, and DPA routing.

Set NEXT_PUBLIC_SECURITY_EMAIL (or NEXT_PUBLIC_SALES_EMAIL) in your environment to surface a contact address here.
