Built for revenue leaders · powered by Anthropic Claude
Home

Legal · Last updated January 1, 2026

Data Processing Addendum

Our standard DPA for customers with GDPR, UK GDPR, CCPA, or comparable processor-obligation requirements.

Need a counter-signed copy for your records?

Email mike@fusion-advisory.com with your legal entity name and we'll counter-sign this DPA (or your standard DPA if it mirrors these terms) within 1 business day.

1. Parties + scope

This Data Processing Addendum ("DPA") supplements the Terms of Service between Outcome Engine AI ("Outcome Engine," the "Processor") and the customer (the "Controller"). It governs the processing of Personal Data on behalf of the Controller in connection with the Outcome Engine service.

This DPA applies whenever Outcome Engine processes Personal Data subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR + Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act ("CCPA") + CPRA, or comparable data-protection laws.

2. Definitions

Capitalized terms not defined here have the meaning set in the GDPR or, where applicable, the equivalent regional regulation. "Personal Data" means Customer Data that identifies or relates to an identifiable natural person. "Processing" means any operation on Personal Data.

3. Subject matter, nature, and duration

  • Subject matter:Outcome Engine's processing of Personal Data to provide the Service described in the Terms.
  • Nature: Storage, retrieval, structuring, AI inference, transmission, deletion, and other operations needed to run the Service.
  • Purpose: Delivery of the Service to the Controller. No secondary purposes.
  • Duration:For the term of the Controller's subscription, plus the retention period set in the Privacy Policy after termination.
  • Categories of Data Subjects: Controller's employees / users; Controller's prospects + customers (contacts and their attributes + interactions).
  • Categories of Personal Data: Names, business email addresses, phone numbers, job titles, meeting transcripts (when Recall.ai opt-in), email content sent through the Service, calendar event metadata.

4. Processor obligations

Outcome Engine will:

  1. Process Personal Data only on documented instructions from the Controller (the Service configuration constitutes such instructions).
  2. Ensure persons authorized to process Personal Data are under appropriate confidentiality obligations.
  3. Implement and maintain the technical and organizational measures in Schedule A (below).
  4. Engage Sub-processors only under Section 6.
  5. Assist the Controller in responding to Data Subject rights requests (access, rectification, erasure, portability, restriction, objection).
  6. Assist the Controller with data-protection impact assessments and consultation with supervisory authorities where required by Article 35–36 GDPR.
  7. Make available all information necessary to demonstrate compliance, including the audit rights in Section 9.
  8. Delete or return Personal Data at the end of the processing relationship, per the retention rules in the Privacy Policy.

5. Controller obligations

The Controller will:

  • Ensure it has a lawful basis to provide Personal Data to Outcome Engine for the purposes described
  • Provide notice to Data Subjects as required by GDPR Article 13–14
  • Obtain consents where required by applicable law (e.g., outbound email under CASL, marketing communications under GDPR)
  • Respond to Data Subject rights requests addressed to the Controller, with assistance from Outcome Engine per Section 4

6. Sub-processors

The Controller authorizes Outcome Engine's use of the Sub-processors listed in our Privacy Policy (the same list serves both documents and is the canonical version). Each Sub-processor is bound by contractual obligations no less protective than this DPA.

Outcome Engine will notify the Controller of any intended changes to the Sub-processor list at least 30 days before the change takes effect (the "Objection Period"). The Controller may object in writing to mike@fusion-advisory.com. If we cannot accommodate a reasonable objection, the Controller may terminate the affected portions of the Service with a prorated refund.

7. International data transfers

Where personal data is transferred from the EEA, UK, or Switzerland to a third country not deemed adequate by the European Commission (or applicable authority), the parties rely on the European Commission's Standard Contractual Clauses (SCCs) of 4 June 2021, with Module 2 (Controller-to-Processor) incorporated by reference, and the UK International Data Transfer Addendum where applicable. Outcome Engine's primary infrastructure is in the United States; EU-region hosting is on our 2026 roadmap.

8. Security + breach notification

Outcome Engine maintains the security measures detailed in Schedule A. We will notify the Controller without undue delay (and in any case within 72 hours) of any actual or suspected Personal Data Breach affecting their data, including:

  • The nature of the breach
  • The categories and approximate number of records affected
  • The likely consequences
  • The measures taken or proposed to address the breach
  • Contact details for further inquiries

Breach notifications will be sent to the workspace admin and the security contact on file. We will assist the Controller in meeting its own notification obligations under Article 33–34 GDPR.

9. Audit rights

Outcome Engine will provide the Controller with the information reasonably required to verify compliance, including the security overview at /security, the subprocessor list, and (when available) third-party attestations (SOC 2, ISO 27001 — on our 2027 roadmap).

On reasonable notice and during business hours, and at the Controller's expense, the Controller may audit Outcome Engine's compliance with this DPA no more than once per calendar year (unless a regulator requires more). Audits cannot disrupt the Service for other customers or compromise confidentiality obligations.

10. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service.

11. Conflict

If a term in this DPA conflicts with a term in the Terms or any other agreement, this DPA controls with respect to processing of Personal Data subject to data-protection law.

12. Changes

We will notify customers of material changes to this DPA at least 30 days before they take effect. Changes required by law (e.g., new SCCs, regulatory updates) take effect on the legally required date.


Schedule A — Technical and organizational measures

Encryption

  • TLS 1.2+ for all data in transit
  • AES-256 for all data at rest (Supabase Postgres default)
  • SHA-256 hash storage for typed-name e-signatures

Access control

  • Multi-tenant isolation via Postgres Row-Level Security on every customer-data table; every query automatically scoped to the actor's organization
  • Production access restricted to authorized engineers; MFA required
  • Audit log captures every meaningful action — writes, deletes, access-control changes — with timestamp, actor, IP, user-agent
  • Workspace admins can enforce SAML/Okta SSO and SCIM provisioning (on the 2027 roadmap)

Operational security

  • Backups: 7-day rolling point-in-time recovery via Supabase, encrypted at rest, access-restricted
  • Monitoring: error monitoring (Sentry), uptime monitoring, real-time alerting on anomalies
  • Vulnerability management: dependency scanning, quarterly security review
  • Incident response: documented runbook, 72-hour-or-better breach notification commitment
  • Vulnerability disclosure: email mike@fusion-advisory.com with the subject "Security disclosure"

AI processing safeguards

  • Customer Data is never used to train AI models per our subprocessor agreements
  • AI suggestions are confirmed by a human before being written to the CRM
  • Per-workspace daily AI usage caps enforced automatically
  • Workspace admins can disable AI-driven writes workspace-wide

People + process

  • Background checks for personnel with production data access
  • Confidentiality obligations in every employment and contractor agreement
  • Annual security training for engineers
  • Removal of access within 24 hours of role change or departure