FlowLeads is an AI virtual receptionist service for allied health clinics. This document summarises our security posture, data practices, and compliance frameworks for procurement and due diligence purposes. A full Data Processing Agreement and Privacy Policy are available at flowleads.co.nz/policy-hub.
Infrastructure & Certifications
| Layer | Description | Data Location | Certifications |
| --- | --- | --- | --- |
| Application Hosting | Serverless web application infrastructure — no persistent servers exposed to the internet | Global edge | SOC 2 Type II |
| Database & Storage | All clinic and patient call data — encrypted at rest and in transit | Australia (Sydney) | SOC 2 Type II |
| Authentication | User login, session management, and MFA — FlowLeads never stores passwords | USA | SOC 2 Type II |
| Telephony & SMS | Phone number provisioning and patient SMS delivery | USA | SOC 2 Type II, ISO 27001 |
| Payment Processing | All billing — FlowLeads never sees or stores card numbers | USA | PCI DSS Level 1, SOC 2 Type II |
| Voice & AI Processing | Aria's call handling — isolated per-call sessions, no persistent audio retention | USA | SOC 2 Type II |
Full sub-processor details available upon request under NDA.
What FlowLeads Stores
- Caller name and phone number
- Call transcript and AI-generated summary
- Appointment details provided by the caller
- Clinic admin account information
- Billing metadata (card numbers never stored — handled by our PCI DSS certified payment processor)
What FlowLeads Never Stores
- Medical records or clinical notes
- Diagnoses or treatment histories
- Health fund or ACC claim details
- Payment card numbers or banking information
- Passwords (managed by Clerk)
Security Measures
- Encryption in transit (TLS 1.2+) and at rest
- Complete multi-tenant data isolation
- MFA support on all admin accounts
- API keys in encrypted environment variables
- AI system prompts server-side only
- Role-based access controls
- 72-hour breach notification commitment
Data Retention
- Call transcripts: 12 months then deleted
- Booking records: subscription term + 12 months
- Clinic account & billing: 7 years (tax obligations)
- On termination: data deleted within 30 days
- Export available on request before deletion
- Written deletion confirmation available
Compliance Frameworks
- NZ Privacy Act 2020
- Health Information Privacy Code 2020
- Australian Privacy Principles (APP)
- Data Processing Agreement Available
- Sub-processors Disclosed
FlowLeads operates as a data processor — clinics are the data controller and retain full ownership of patient information. Processing occurs solely on the clinic's instruction for the purpose of delivering the FlowLeads service. A countersigned Data Processing Agreement is available on request.
Cyber Liability Insurance
FlowLeads carries cyber liability insurance covering data breaches, system failures, and related incidents affecting clinic or patient data. Policy documentation is available on request for procurement purposes.