Data Processing Agreement

1. Definitions

"Controller" means the clinic or business that determines the purposes and means of processing personal data (you, the client).

"Processor" means the entity that processes personal data on behalf of the Controller (FlowLeads Limited).

"Personal data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.

"Data subject" means the individual whose personal data is being processed (in the context of FlowLeads, this is typically a patient or caller).

"Privacy Act" means the New Zealand Privacy Act 2020 and, where applicable, the Health Information Privacy Code 2020.

2. Roles and responsibilities

The parties acknowledge that:

• The Controller (clinic) is the data controller responsible for determining the lawful basis for collecting and processing patient data, and for informing patients about how their information will be used
• FlowLeads Limited (Processor) processes personal data solely on the instructions of the Controller and for the purpose of providing the FlowLeads virtual receptionist service
• FlowLeads does not determine the purpose or means of processing and will not use personal data for any other purpose

3. Subject matter and nature of processing

FlowLeads processes the following categories of personal data on behalf of the Controller:

• Caller name and phone number
• Call transcript (conversation between the caller and Aria)
• Appointment details (requested date, time, service type)
• AI-generated call summary and triage classification

FlowLeads does not process: medical records, clinical notes, diagnoses, treatment histories, or sensitive health information beyond what a caller voluntarily states during a booking call.

4. Duration of processing

FlowLeads will process personal data for the duration of the subscription agreement. Upon termination of the agreement, all personal data will be retained for 30 days to allow the Controller to request an export, after which it will be permanently and securely deleted.

5. Processing instructions

FlowLeads will process personal data only on documented instructions from the Controller, which are established through:

• The configuration settings in the Controller's FlowLeads account
• The Terms of Service agreed to upon signup
• Any written instructions provided by the Controller to FlowLeads support

If FlowLeads is required by law to process data in a manner that conflicts with the Controller's instructions, FlowLeads will notify the Controller before processing, unless prohibited by law.

6. Security measures

FlowLeads implements and maintains the following technical and organisational measures to protect personal data:

• Encryption in transit (TLS 1.2+) and at rest
• Multi-tenant data isolation — each Controller's data is logically separated from all other clients
• Access controls limiting data access to authorised personnel only
• Authentication via Clerk (SOC 2 Type II certified), with MFA support
• Database hosting on Neon (SOC 2 Type II) in AWS ap-southeast-2 (Sydney)
• Application hosting on Vercel (SOC 2 Type II)
• API credentials stored in encrypted environment variables
• Regular review of access rights and security configurations

7. Sub-processors

The Controller authorises FlowLeads to engage sub-processors as listed at flowleads.co.nz/sub-processors. FlowLeads will:

• Impose data protection obligations on sub-processors equivalent to those in this DPA
• Remain liable to the Controller for the performance of sub-processors
• Provide at least 14 days' notice before adding new sub-processors that process personal data

8. Data subject rights

FlowLeads will assist the Controller in responding to data subject requests (access, correction, deletion) by providing the Controller with the relevant data held in the platform within 10 working days of a written request.

Data subjects (patients) should direct requests to the Controller (the clinic), not to FlowLeads directly.

9. Security breach notification

In the event of a personal data breach that affects data processed on behalf of the Controller, FlowLeads will:

• Notify the Controller without undue delay, and no later than 72 hours after becoming aware of the breach
• Provide details of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
• Assist the Controller in meeting any notification obligations to the Office of the Privacy Commissioner

10. Data transfer

Personal data is primarily stored in AWS ap-southeast-2 (Sydney, Australia). Some processing occurs in the United States via sub-processors (including voice AI services). FlowLeads takes reasonable steps to ensure adequate protections are in place for cross-border transfers, consistent with the requirements of the NZ Privacy Act 2020.

11. Audit rights

The Controller may request, no more than once per calendar year and with 30 days' written notice, a written summary of FlowLeads' security practices and compliance documentation. FlowLeads will cooperate in good faith with any such request.

12. Return and deletion of data

Upon written request from the Controller, or upon termination of the subscription, FlowLeads will:

• Provide an export of the Controller's data in a machine-readable format within 14 days
• Permanently delete all personal data processed on behalf of the Controller within 30 days of the export being provided or the subscription ending, whichever is later
• Provide written confirmation of deletion on request

13. Governing law

This DPA is governed by the laws of New Zealand. The parties submit to the non-exclusive jurisdiction of the New Zealand courts.