Security & Trust

Your patients' data is safe.
We built this from day one.

FlowLeads is built on enterprise-grade infrastructure used by some of the world's largest companies. Every design decision we made prioritised the security of your clinic and your patients.

SOC 2 Type II Infrastructure
Data hosted in Australia/NZ
NZ Privacy Act 2020 Compliant
Health Info Privacy Code 2020
Cyber Liability Insured
Enterprise-certified across every layer
Every component of the FlowLeads platform — hosting, database, authentication, telephony, payments, and AI — is operated by providers holding independent third-party security certifications. We don't manage bare metal. We build on infrastructure that has already passed the audits.
Application Hosting
SOC 2 Type II Certified
Serverless architecture with no persistent servers exposed to the internet. Automatic scaling, zero-downtime deployments, and global edge distribution.
Database & Data Storage
SOC 2 Type II · ANZ Jurisdiction
All clinic and call data stored on certified cloud database infrastructure hosted in Australia (Sydney region) — data never leaves ANZ jurisdiction.
Authentication
SOC 2 Type II Certified
All logins, sessions, and MFA managed by a dedicated identity platform. Passwords are never stored by FlowLeads — authentication is fully delegated.
Voice & AI Processing
SOC 2 Type II Certified
Aria's call handling runs in isolated per-call sessions. No persistent audio or conversation data is retained at the AI processing layer beyond the immediate call.
Telephony & Communications
SOC 2 Type II · ISO 27001
Phone number infrastructure and SMS delivery managed by an enterprise communications platform used by the world's largest organisations.
Payment Processing
PCI DSS Level 1 · SOC 2 Type II
All billing is handled by a PCI DSS Level 1 certified payment processor. FlowLeads never sees, stores, or touches card numbers.
What we do to protect your data
Encryption everywhere
All data is encrypted in transit (TLS 1.2+) and at rest. Credentials are stored in encrypted environment variables, never in code.
Complete tenant isolation
Every clinic's data is logically separated. One client can never access another's calls, contacts, or transcripts.
AI prompts server-side only
Aria's system instructions never reach the caller's device. All AI processing happens server-side in isolated sessions.
MFA & access controls
Multi-factor authentication is available for all admin accounts. Access is role-based and session-limited.
Minimum data collection
We collect only what's needed: caller name, phone number, and what they say during the booking call. No medical records, ever.
72-hour breach notification
In the event of any incident affecting your data, we notify you within 72 hours and assist with any obligations to the Privacy Commissioner.
What we store — and what we don't
What FlowLeads stores
  • Caller name and phone number
  • Call transcript (the conversation with Aria)
  • AI-generated call summary and triage
  • Appointment details provided by the caller
  • Clinic admin login credentials (managed by Clerk — not us)
  • Billing information (managed by Stripe — not us)
What FlowLeads never stores
  • Medical records or clinical notes
  • Diagnoses or treatment histories
  • Health fund or ACC details
  • Payment card numbers
  • Passwords or authentication secrets
  • Any data that isn't necessary to deliver the service
Built for NZ & Australian healthcare
We designed FlowLeads specifically around the obligations that matter to NZ and Australian allied health providers.
NZ Privacy Act 2020
FlowLeads operates as a data processor under the Privacy Act, with clinics as data controllers. Our Privacy Policy, Terms of Service, and Data Processing Agreement reflect all obligations under the Act — including data subject rights, breach notification, and cross-border transfer requirements.
Health Information Privacy Code 2020
Where FlowLeads processes health information on behalf of allied health clinics, we do so in accordance with the Health Information Privacy Code 2020. The clinic remains the health information agency — FlowLeads processes it solely on their instruction.
Australian Privacy Principles (APP)
Data is stored on AWS Sydney infrastructure and processed in accordance with the Australian Privacy Principles, supporting clinics operating across both New Zealand and Australia.
Data Processing Agreement (DPA)
A full Data Processing Agreement is available to any clinic that requires formal documentation of how we process patient data on their behalf. Countersigned copies are available on request — email support@flowleads.co.nz.
Cyber Liability Insurance
FlowLeads carries cyber liability insurance covering data breaches, system failures, and related incidents. In the unlikely event that something goes wrong, there's a financial safety net in place — not just a promise. Documentation is available on request.
Security questions we hear from clinics
Do you have ISO 27001 certification?
We don't hold ISO 27001 directly as a startup — but the infrastructure we're built on does. Vercel, Neon, Clerk, Twilio, and Stripe all hold independent SOC 2 Type II certification (and in Twilio's case, ISO 27001). These are the same platforms used by companies that do hold ISO 27001. As we scale, formal certification is on our roadmap.
Where is patient data stored?
Call transcripts, booking details, and caller information are stored in Neon PostgreSQL, hosted on AWS ap-southeast-2 in Sydney, Australia. Data does not leave ANZ jurisdiction for storage purposes.
What happens to data if we stop using FlowLeads?
We retain your data for 30 days after subscription termination to allow you to request an export. After that, all patient call data is permanently and securely deleted. Written confirmation of deletion is available on request.
Can FlowLeads staff access our call recordings or patient data?
Access to client data is strictly limited to essential operations (support and troubleshooting) and only with documented need. We do not access, review, or use your call data for any purpose other than delivering the service.
What happens if there's a data breach?
We carry cyber liability insurance and have a defined incident response process. In the event of any breach affecting your data, we notify you within 72 hours with details of what happened, what data was affected, and what steps we've taken. We assist with any notification obligations to the Office of the Privacy Commissioner.
Is Aria HIPAA compliant?
HIPAA applies to US healthcare providers. FlowLeads is designed for NZ and Australian allied health, where the relevant frameworks are the NZ Privacy Act 2020, the Health Information Privacy Code 2020, and the Australian Privacy Principles — all of which we're built to comply with.

Still have questions?

Our team is happy to answer security questions, provide documentation for your procurement process, or arrange a call with your IT manager.