OUTSQUID
GLOBAL DATA PROCESSING AGREEMENT (DPA) & SECURITY POSTURE
Effective Date: May 3, 2026
Document Classification: Public / Legal / Technical Compliance
1. INTRODUCTION AND COMPLIANCE MANDATE
This public-facing Data Processing Agreement (“DPA”) outlines the rigid compliance frameworks and technical architectures deployed by OutSquid. Governed by the mandates of our Office of the Chief Compliance Officer, this document details our obligations when processing data on behalf of our enterprise clients, particularly those within the European Union (EU).
In the logistics, maritime, and financial sectors, data sovereignty and operational security are baseline prerequisites. OutSquid operates under a strict Zero-Trust security paradigm. Our infrastructure is engineered to ensure that your proprietary operational data never resides on our local hardware.
This DPA operates as a binding addendum to the Master Services Agreement (“MSA”) executed between the Enterprise Client and OutSquid.
2. JURISDICTION AND ROLES
Under the definitions established by the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and equivalent international frameworks:
- The Client acts strictly as the Data Controller, retaining absolute authority over the purposes and means of processing.
- OutSquid acts strictly as the Data Processor, executing back-office logistics, maritime, and accounting workflows explicitly documented in the governing Statement of Work (SOW).
OutSquid shall not process, mine, or utilize Controller Data for any purpose outside the explicit, documented instructions of the Controller.
3. ZERO-TRUST ARCHITECTURE AND VDI ISOLATION
OutSquid deploys a categorically uncompromising Zero-Trust Security Protocol across all global Operational Pods. To guarantee data sovereignty and mitigate endpoint vulnerabilities, OutSquid’s access to Controller Data is governed by the following technical mandates:
- Virtual Desktop Infrastructure (VDI): All OutSquid operators access Controller systems, applications, and data streams exclusively through isolated, encrypted VDI gateways (e.g., Citrix, Azure Virtual Desktop, or AWS WorkSpaces) provisioned or approved by the Controller.
- Zero Local Persistence: OutSquid enforces a strict “dumb terminal” hardware policy at its offshore facilities. No Controller Data, including temporary cache files, workflow outputs, or personally identifiable information (PII), is ever downloaded, hosted, or stored on local OutSquid physical drives, USB endpoints, or local area networks.
- Ephemeral Sessions: All operational sessions are ephemeral. Upon termination of an operator's shift or session, the VDI instance is scrubbed, ensuring no residual data footprint exists in our physical jurisdictions.
- Access Controls: Access requires Multi-Factor Authentication (MFA), role-based access control (RBAC), and conditional access policies restricted strictly to the static IP addresses of OutSquid's secured facilities.
4. INTERNATIONAL DATA TRANSFERS & SCCs
OutSquid operates a distributed network of global hubs, locating our Operational Pods in strategic, non-EU jurisdictions including Vietnam, the Philippines, Senegal, and India. Because visual access to and interaction with Controller Data via VDI constitute “processing” under the GDPR, these actions qualify as cross-border data transfers.
To ensure absolute legal compliance for these transfers to third countries lacking an adequacy decision from the European Commission, OutSquid mandates the following:
- Standard Contractual Clauses (SCCs): The execution of this DPA automatically incorporates by reference the EU Standard Contractual Clauses (Module Two: Transfer controller to processor) as annexed to Commission Implementing Decision (EU) 2021/914.
- Technical and Organizational Measures (TOMs): OutSquid guarantees that the TOMs implemented in our hubs across Vietnam, the Philippines, Senegal, and India meet or exceed the rigorous standards demanded by the GDPR and the supplementary measures required by the European Data Protection Board (EDPB).
5. SECURITY INCIDENT AND BREACH NOTIFICATION PROTOCOL
In the event of a confirmed or reasonably suspected Personal Data Breach, or any compromise of the VDI infrastructure utilized by OutSquid personnel, we operate under a critical-priority escalation matrix:
- 24-Hour SLA: OutSquid shall notify the Controller’s designated Data Protection Officer (DPO) or security liaison without undue delay, and in no event later than twenty-four (24) hours after becoming aware of the breach.
- Information Provision: The initial notification shall include, at minimum: the nature of the breach, the categories of data potentially exposed, the operational hubs involved, and the immediate containment measures deployed by OutSquid’s internal SecOps team.
- Forensic Cooperation: Because OutSquid does not host the data locally, our primary role in a breach scenario is forensic cooperation. We commit to providing full, unhindered access to our VDI access logs, network telemetry, and operator activity reports to assist the Controller in fulfilling its 72-hour reporting obligations to the relevant EU Supervisory Authority.
6. SUB-PROCESSING
OutSquid relies on its wholly owned global subsidiaries to execute the Services. The Controller grants general written authorization for OutSquid to utilize these intra-group entities as Sub-processors. OutSquid remains fully liable to the Controller for the performance of its Sub-processors' data protection obligations.
OutSquid shall not engage any third-party, external Sub-processor to handle Controller Data without providing the Controller a minimum of thirty (30) days' prior written notice and the explicit opportunity to object.
7. RIGHT TO AUDIT
To verify compliance with the Zero-Trust and VDI stipulations of this DPA, the Controller retains the right to conduct annual remote audits of OutSquid’s physical and network security protocols, provided thirty (30) days' written notice is given. OutSquid shall make available all necessary attestations, penetration test summaries, and enterprise compliance certifications to satisfy the Controller's regulatory requirements.