Our Commitment to Data Protection
OutSystems is committed to ensuring you can trust our platform and services, and our approach to privacy, security, and compliance is a principled one. Nothing is more important than the success of our customers and the protection of their data. Our security compliance portfolio is one of the most extensive in our industry, and it includes adhering to key standards such as ISO 27001, ISO 22301, and SSAE SOC 2 Type 2. We have also adopted the Cloud Security Alliance Code of Conduct, and we have an appointed Data Protection Officer (DPO).
“Data processing” is a broad term: it covers anything that is done to or with personal data. For example, some customers use OutSystems in the cloud to build and manage an application for their end-users. OutSystems processes the data on behalf of these customers, and under GDPR it must process that data exclusively for the purposes set out by those customers. In this scenario, the end-users are the data subjects, OutSystems is the data processor, and our customers are the data controllers.
Because we process personal data that our customers collect, we are responsible for:
- Following our customers’ instructions in accordance with the data processing agreement in place.
- Providing detailed information about the security controls we implement in the OutSystems Cloud.
- Fulfilling our record-keeping obligations.
- Notifying our customers if we receive requests from their end-users who, as data subjects, are exercising their GDPR rights to data access and erasure.
- Notifying our customers if we receive requests from EU data privacy authorities (unless prohibited by law enforcement).
You can take advantage of OutSystems capabilities to meet your GDPR obligations. Built-in security features and available component libraries help implement access control, monitoring, logging, and encryption. OutSystems includes and integrates with tools that offer capabilities such as the discovery of personal data, data anonymization, rules-based data access, and static code analysis. Many of these tools are designed with GDPR compliance in mind.