The Outreach Security team is tracking recent development of a zero-day vulnerability in the Log4j Java library. Learn More →

Outreach’s Commitment to Trust

Providing a secure platform for our customers is fundamental to Outreach’s mission. It’s one of many reasons why over 5,000 customers trust Outreach with their data.


Protecting your data is our first priority

Protecting our customers’ data is the cornerstone of our security and privacy program. It is ingrained in how we design our products, the operational security practices we put in place, the layers of protection we provide, and the key certifications and attestations that we meet.

Workflow Governance

Cloud Datacenter Security

Outreach’s production infrastructure is hosted on Amazon Web Services as our primary Infrastructure as a Service (IaaS) provider. In addition to AWS’s extensive list of security and privacy certifications, Outreach also implements and attests to its own set of policies and practices to secure your data.

Compute Security

Outreach services run primarily as Kubernetes-controlled containers. Outreach’s policies and standards also govern the management of our container infrastructure.

Data Security

Data is encrypted both at rest and in transit using the industry-leading encryption standards. Outreach employs a top-tier Data Loss Prevention (DLP) solution to monitor protected information. The Outreach platform provides additional controls, such as governance capabilities, to further protect our customers’ users and their data.

Learn More

Endpoint Security

All corporate desktops and laptops are managed with enterprise device management and endpoint protection software.

Business Continuity and Disaster Recovery

Outreach maintains a Business Continuity Policy, which mandates that the Business Continuity Plan (BCP), testing, and procedures are updated and performed at least annually.

Security Software Development Lifecycle Standard

The Outreach Software Development Lifecycle (SDLC) standard incorporates security practices throughout our platform’s planning, development, and release processes.

Vulnerability Prevention

Outreach follows OWASP guidelines in our Security Development Lifecycle. Outreach's SDLC is audited by an independent third party and is attested to in our SOC 2 Type II report.

Bug Bounty Program

Outreach employs a private bug bounty program that enables a large pool of security researchers to test our platform on a continuous basis.

Report a Vulnerability

Penetration Testing

Outreach contracts with industry-leading penetration testing providers to examine our production architecture at least once a year through more scoped, formal probing.


When a user connects to Outreach, they use a web browser over an enforced Transport Layer Security (TLS) 1.2 or higher connection. The Outreach platform supports federated access via SAML 2.0 in order to provide SSO by any number of Identity Providers (IdP).

Status Transparency

Outreach’s system status is publicly available and uptime is continuously monitored.

View Platform Status

Personnel Security

Security starts with the people Outreach employs. We implement security controls for employees and contractors before, during, and after their tenure at Outreach. These controls include security and privacy training and automated deprovisioning of both logical and physical access to Outreach resources.

Data Privacy

Privacy is critical to our customers and we take it seriously. Outreach does not sell, share, or export your data to third parties we gather from the use of our platform for our own purposes. We only provide data to our subprocessors in support of processing of your data as dictated by your MSA.

Privacy & Safety Features

Our product offers the ability to configure the product to your operational needs including granular governance controls.

Data Recovery

We regularly back up your data and provide a maximum 24-hour RTO and RPO.

Data Deletion

Customers can delete users, emails, and other associated prospect data directly from our Compliance Request service within the platform. If customers want to terminate their relationship with Outreach, all their data will be removed from our systems within 60 days.

Learn More


Our third-party attestations and certifications serve to demonstrate Outreach’s commitment to exceeding our customers’ security and privacy needs.

SOC 2 Type II

Outreach achieved SOC 2 Type II accreditation in December 2016. Outreach was first in its category to achieve this milestone, demonstrating continuous effectiveness of our security controls. To obtain a copy of our most recent Type II report please reach out to your Outreach contact.

Learn More


Please click on the seal for more details.

Learn More

ISO 27001

Outreach was first in its category to achieve ISO 27001. This certification lays the groundwork for our security program and policies.

Learn More

EU-U.S. Privacy Shield

Outreach serves companies around the world and was an early adopter of The EU-U.S. Privacy Shield Framework.

Learn More

Cloud Security Alliance

Our customers want to know about how we secure their data. As a Cloud Security Alliance STAR registrant, Outreach's security practices are available for anyone to review.

Learn More

ISO 27701

Outreach was first in its category to achieve ISO 27701. This is an industry standard certification for privacy and demonstrates compliance with internal controls attested to by an external auditor. The scope of the audit includes key controls from GDPR and CCPA.

Learn More



Download security documentation and information about how our platform works.

Outreach Security Whitepaper

This whitepaper outlines Outreach's approach to security and compliance for the Outreach core platform, and the underlying infrastructure of our products and services. It explains how Outreach protects data, via organizational and technical controls. Please request a copy from your Account Executive.

Our Views on CCPA

Since Outreach is already GDPR compliant, adjusting to the new regulations of the CCPA was fairly straightforward. A lot of similarities exist between these two regulations, which allowed us to leverage the compliance pieces we already have in place.

Learn More

CCPA Validation Letter

Outreach engaged TRUSTe to evaluate our readiness and compliance with CCPA. After conducting an assessment and reviewing of our policies and practices TRUSTe determined that Outreach is able to meet its CCPA obligations as of December 23, 2019. This letter has since been superseded by our ISO 27701 certification.


Our Views on GDPR

Outreach prepared well in advance to be GDPR-compliant. You can read about our journey to compliance at the link below.

Learn More

Securing Buy-in for Sales Tools

A guide to help sales teams effectively influence and speed up their sales tool procurement process.


Outreach-Salesforce Sync Overview

All you need to create a granular, truly bi-directional sync and protect your Salesforce data.



Frequently Asked Questions

  • Where is our data stored?

    Your data is stored on Outreach servers in your own, separate database instance. The core Outreach platform is hosted in multiple Amazon Web Services (AWS) data centers in various AWS regions across the United States.

  • Do you encrypt data at rest and in transit?

    Yes. For data at rest, Outreach databases containing customer data are either encrypted using AWS RDS Cluster Encryption or stored on encrypted AWS EBS volumes using AES 265. Outreach also encrypts its virtual machine images. For data in transit, Outreach encrypts that data using TLS 1.2 or higher with Strict Transport Layer Security across public networks. Within our Virtual Private Clouds (VPCs), all connections to S3 buckets or databases containing customer data are also encrypted using TLS 1.2 or above.

  • What is your approach to security incidents? When and how are customers notified in the event of a confirmed incident involving their data?

    Outreach established an incident management process led by our dedicated Security Team. System operations staff implements monitoring technology and procedures to ensure the timely detection of and to support the rapid response to security incidents. In the event of a confirmed incident involving customers’ data, we will notify the customer within the time frame required under applicable by law or as contractually agreed between Outreach and its customers.

  • Can we get our data out of your service?

    You own your data and retain all rights, title, and interest in the data you store with Outreach. During and for 60 days after your subscription, you may migrate your data at any time and for any reason, without assistance from Outreach.

  • Will you inform us when things change in the service, and will you let us know if our data is compromised?

    We inform you if there are any important changes to the service with respect to security, privacy, and compliance. This information is delivered via our in-app notification system as well as via email to your Outreach admin. We also promptly notify you if your data has been accessed improperly.

  • What procedures are in place to restrict unauthorized access to our data?

    Access to customer data is strictly controlled and logged, and sample audits are performed by both Outreach and third parties to attest that access is only for appropriate business purposes. We recognize the extra importance of our customers' content. If someone such as Outreach support personnel or your own administrators access your content on the service, we can provide you with a report on that access upon request.

    Further details on important aspects of data storage, such as where your data resides in terms of geographic location, who at Outreach can access it, and what we do with that information internally can be found in the data processing terms of your agreement.

  • Is our data used to sell or build advertising products?

    As a customer of Outreach, you own and control your data. We do not use your data for anything other than providing you with the service to which you have subscribed. As a service provider, we do not scan your email or documents for advertising purposes.

  • Do you offer privacy controls in your service?

    Yes. Outreach develops our platform with privacy in mind and provides granular governance settings, self-serve data controls and opt-out options across our platform.

  • What kind of commitments do you have with respect to security and privacy?

    Outreach includes data processing terms in our customer agreements. We are SOC 2, ISO 27001, ISO 27701, EU-U.S. Privacy Shield, and TRUSTe certified. Many of these measures are detailed in the data processing terms and/or DPA of your agreement. We are also attached to an EU Data Protection Addendum (including model clauses) through AWS. For more information, please visit the Certifications section above.

  • How do you ensure that your service is reliable?

    We apply best practices in design and operations, such as redundancy, resiliency, distributed services, and monitoring—to name a few. For more information and to subscribe to service alerts, please visit our System Status page.

  • Is our data backed up? Are there disaster recovery tools in place?

    All data you store in Outreach is fully backed up with tested and certified disaster recovery processes in place. Outreach handles data backup and disaster recovery. Our current RTO and RPO times are within 24 hours.

  • What are your commitments regarding keeping my service up?

    We provide a promise of 99.9% uptime as part of our customer agreement.