Outset — Data Processing Agreement (Template)
Last updated: 2026-05-26
Template version: 1.0
This template is offered to law firms ("the Firm") engaging Outset Pty Ltd ("Outset") as a data processor for the client information the Firm collects in the course of providing legal services. It supplements the Subscription Agreement and binds both parties to:
- APP-equivalent obligations under the Privacy Act 1988 (Cth); and
- confidentiality obligations equivalent to those the Firm owes its clients under the Legal Profession Uniform Law and applicable solicitors' professional-conduct rules. Outset will not access, use or disclose the Firm's client information except as required to provide the service, and will not assert any independent relationship with the Firm's clients.
To adopt this DPA, the Firm and Outset sign the version of this document attached as a schedule to the Subscription Agreement. The authoritative version of the template is in the Outset repository at docs/DPA-TEMPLATE.md.
1. Definitions
- "Privacy Act" — Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs) in Schedule 1.
- "Personal Information" — has the meaning given in section 6 of the Privacy Act.
- "Sensitive Information" — has the meaning given in section 6 of the Privacy Act (including, where relevant to the matter type the Firm configures, health information, criminal-record information, and other categories listed in that definition).
- "Processing" — any operation performed on Personal Information including collection, recording, storage, alteration, retrieval, use, disclosure, deletion.
- "Controller" — the Firm. The Firm decides the purposes and means of the Processing.
- "Processor" — Outset. Outset Processes Personal Information on behalf of the Controller and only on the Controller's documented instructions.
- "Sub-processor" — any third party engaged by Outset to Process Personal Information on behalf of the Controller. The current list is at SUBPROCESSORS.md.
- "Notifiable Data Breach" — an eligible data breach under Part IIIC of the Privacy Act.
2. Subject matter and duration
Outset Processes Personal Information for the purpose of providing the Outset legal-technology platform to the Firm — specifically:
- Intake of new-client enquiries via the embedded widget
- Guided-intake notes and structured extraction during phone calls
- Matter-type detection, routing, fit assessment, and statutory deadline checks (where applicable to the matter type)
- Booking, follow-up communications, and PMS push
- Customer support relating to the above
Outset will not use the Firm's client information to train AI models, build aggregate datasets, market to the Firm's clients, or for any purpose outside this DPA.
Duration: for the term of the Subscription Agreement, plus the return / deletion period in section 11.
3. Nature, scope, and types of Personal Information
| Category | Examples |
|---|---|
| Contact details | Name, email, phone, address |
| Matter narrative | Free-text description of the matter, as given by the prospective client |
| Matter-specific facts | Fields the Firm configures in its intake schema (varies by matter type) |
| Legal context | Prior solicitor contact, statutory limitation dates, opposing party / insurer details |
| Behavioural metadata | Submission timestamps, IP address (audit only), call notes |
Depending on the matter types the Firm configures, fields collected may include information that falls within the Privacy Act's definition of Sensitive Information — for example, health information for a personal-injury or medical-negligence matter, information about criminal record for a criminal-law matter, or information about racial or ethnic origin for a discrimination matter. The Firm warrants that the individuals providing the information have consented to its Processing under APP 3.3(a) as part of contacting the Firm about the relevant matter, and that the Firm has provided the APP 5 collection notice at the point of collection.
4. Outset's obligations as Processor
Outset will:
a) Process Personal Information only on the documented instructions of the Firm (as defined in the Subscription Agreement and the configurations of the platform);
b) Ensure persons authorised to Process Personal Information are bound by confidentiality;
c) Take the technical and organisational measures described in section 6 (Security);
d) Not engage a Sub-processor without the prior consent of the Firm. The Firm has given general written consent to the Sub-processors listed in SUBPROCESSORS.md. Outset will give the Firm 30 days' written notice before adding or materially changing a Sub-processor that touches Personal Information; the Firm may object in writing within that window;
e) Assist the Firm in fulfilling its APP obligations in respect of requests from individuals (access, correction, deletion) — via the platform's data export and per-row deletion endpoints, with support escalation to nathan@outsetlegal.com where the platform does not cover the request;
f) Notify the Firm of any Notifiable Data Breach affecting the Firm's Personal Information within 72 hours of becoming aware. Notification will include the nature of the breach, the approximate number of records affected, the likely consequences, and the steps Outset is taking or proposes to take to address it;
g) Make available to the Firm — on reasonable request and with reasonable notice — the information necessary to demonstrate compliance with this DPA, and contribute to audits conducted by the Firm or an auditor mandated by the Firm (the parties will agree the scope and cost in good faith);
h) Return or delete all Personal Information at the end of the Subscription Agreement per section 11.
5. Firm's obligations as Controller
The Firm will:
a) Ensure it has a lawful basis (under the Privacy Act, the Legal Profession Uniform Law, and any other applicable law) for the Personal Information it instructs Outset to Process;
b) Provide individuals with the privacy notices required by APP 5 at the point of collection — the Firm may rely on Outset's PRIVACY.md as part of those notices;
c) Configure the platform settings (retention windows, routing rules, integration credentials) appropriately for its obligations under the Legal Profession Uniform Law — including client-file retention (typically 7 years post-matter-closure);
d) Use the platform's deletion and export tools to fulfil individuals' APP 12 / 13 requests where the request relates to data held in Outset.
6. Security (APP 11)
Outset implements the following technical and organisational measures:
- Data residency — all storage and Processing in AWS Sydney (ap-southeast-2). No cross-border transfers (APP 8).
- Encryption at rest — RDS Postgres KMS encryption at the disk layer, plus AES-256-GCM column-level encryption on Personal-Information columns (notes, contact details, extracted values, verification targets, PMS credentials).
- Encryption in transit — TLS 1.2+ on all external and internal network paths.
- Access controls — RBAC via Clerk SSO; separate scopes for read / write / admin operations; per-firm tenancy enforced at the database query layer.
- Audit logging — every privileged action (read, write, delete, sub-processor change) recorded with actor identity, timestamp, scope. Logs in CloudWatch Sydney with KMS-encrypted log groups.
- PII redaction in AI prompts — emails, phone numbers, and ID-shaped numbers are redacted from notes before being sent to the matter-type classifier (defence-in-depth over the Bedrock Zero Data Retention contract).
- Production isolation — the production environment has `NODE_ENV=production` enforced at startup; the inference resolver hard-forces Bedrock and ignores any Anthropic API key that might leak into the prod env.
- Sub-processor diligence — every Sub-processor on the list in SUBPROCESSORS.md is bound by a DPA with APP-equivalent obligations.
These measures are reviewed at least annually and after any incident.
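The PII-redaction and production-isolation measures listed above, written out as an added JavaScript example so they can be unit-tested; this is not Outset's code, and the regex shapes, the placeholder tokens and the provider names `bedrock` / `anthropic` are assumptions.

```javascript
// Added example, not Outset's implementation: redact PII classes from intake
// notes before they reach an AI classifier, and resolve the inference
// provider so production can never use a leaked Anthropic key.

// E-mail addresses.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// Australian-style numbers (assumed shape): optional +61 or (0x) prefix,
// 9-10 digits with optional single spaces or hyphens between them.
const PHONE_RE = /(?:\+61[\s-]?|\(0\d\)[\s-]?|0)\d(?:[\s-]?\d){7,8}/g;
// "ID-shaped" numbers (assumed shape): any run of 6+ digits, optionally
// separated by single spaces or hyphens (Medicare, licence, claim refs).
// ISO dates such as 2026-05-26 also match; over-redaction is the safe side.
const ID_RE = /\b\d(?:[\s-]?\d){5,}\b/g;

// Replace each PII class with a placeholder token and count what was hit.
// Phones are redacted before IDs so a phone number is labelled [PHONE]
// rather than swallowed as a generic [ID].
function redactNotes(text) {
  const counts = { email: 0, phone: 0, id: 0 };
  const sub = (re, key, token) => (s) =>
    s.replace(re, () => { counts[key] += 1; return token; });
  const redacted = [
    sub(EMAIL_RE, 'email', '[EMAIL]'),
    sub(PHONE_RE, 'phone', '[PHONE]'),
    sub(ID_RE, 'id', '[ID]'),
  ].reduce((s, f) => f(s), text);
  return { text: redacted, counts };
}

// Production isolation: when NODE_ENV is "production" the provider is always
// Bedrock, and an Anthropic key present in the environment is ignored.
function resolveInferenceProvider(env) {
  if (env.NODE_ENV === 'production') return 'bedrock';
  return env.ANTHROPIC_API_KEY ? 'anthropic' : 'bedrock';
}

// Constructed sample note (not real client data).
const SAMPLE_NOTE =
  'Call me on 0412 345 678 or jane.doe@example.com. ' +
  'Medicare no 2123 45678 1, claim ref 98765432, injured on 12 March.';

console.log(JSON.stringify(redactNotes(SAMPLE_NOTE)));
console.log(resolveInferenceProvider({ NODE_ENV: 'production', ANTHROPIC_API_KEY: 'leaked' }));
```

The redaction counts give an audit-log value that shows what was stripped without recording the PII itself.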
7. Sub-processors
The current Sub-processor list is at SUBPROCESSORS.md. The Firm acknowledges that it has reviewed and consented to that list.
Outset gives the Firm 30 days' written notice before adding or materially changing a Sub-processor. The Firm may object in writing during the notice period; if Outset cannot accommodate the objection, the Firm may terminate the affected service per the Subscription Agreement.
8. International transfers (APP 8)
Outset does not transfer Personal Information outside Australia. All Sub-processors that Process Personal Information operate in AWS Sydney or carrier networks (Twilio SMS) under arrangements that keep the content within Australia.
9. Individuals' rights (APP 12, APP 13)
The Firm will action individuals' access and correction requests directly via the Outset platform. Where the Firm needs Outset's assistance — e.g. to retrieve historical audit-log entries — Outset will respond within 10 business days at no charge.
If an individual sends an access / correction / deletion request to Outset directly, Outset will refer the request to the Firm without acting on it (other than acknowledging receipt) within 5 business days.
10. Notifiable Data Breaches
Outset will notify the Firm of any breach affecting the Firm's Personal Information within 72 hours of becoming aware. The notification will be sent to the Firm's primary admin contact and will include:
- The nature of the breach
- The categories and approximate number of records affected
- The likely consequences for affected individuals
- The measures Outset is taking or proposes to take
This timeline is designed to allow the Firm to meet the 30-day OAIC notification obligation under Part IIIC of the Privacy Act.
11. Return or deletion of Personal Information
On termination of the Subscription Agreement:
a) The Firm may export all data via the platform's export tools at any time up to and including 30 days after termination;
b) After 30 days post-termination, Outset will permanently delete all Personal Information held on behalf of the Firm, including in backups (rolling encrypted backups expire within 35 days);
c) Outset will provide a written certificate of destruction to the Firm on request.
The Firm may instruct Outset to retain specific data for a specified period beyond termination if required for a legal obligation (e.g. limitation-period evidence). In that case, the retention is governed by a written extension to this DPA.
12. Liability and indemnity
Liability for breaches of this DPA is governed by the limitation-of-liability provisions of the Subscription Agreement.
13. Governing law
This DPA is governed by the laws of New South Wales, Australia. The parties submit to the exclusive jurisdiction of the courts of New South Wales.
Signed for the Firm: Name: _________________________ Position: _________________________ Date: _________________________ Signature: _________________________
Signed for Outset: Name: _________________________ Position: _________________________ Date: _________________________ Signature: _________________________