Flow CX
Data Processing Agreement

Last Updated: April 01, 2020

1. Introduction

This Data Processing Addendum ("Addendum") is an integral part of the Flow CX Terms of Service (the "Terms"), the Professional Services Agreement (if any), and Privacy Policy which together, form the "Agreement" between Flow CX ("Flow") and the customer who entered into the Terms of Service ("Customer"). This Addendum governs the manner in which Flow shall process Customer Personal Data (as defined below) and shall be effective as of the date both parties sign this Addendum. In the event of a conflict between the Agreement, including any exhibits, and this Addendum, the provision imposing the stricter data protection requirements of any conflicting provision shall control. Capitalized terms have the meaning given to them in the Agreement, unless otherwise defined below

2. Definition

For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply

3. Data Handling and Access

a) General Compliance. Customer Personal Data shall be Processed in compliance with the terms of this Addendum and all Applicable Data Protection Law(s).

b) Flow and Third Party Compliance. Flow agrees to (i) enter into a written agreement with Third Parties regarding such Third Parties’ Processing of Customer Personal Data that imposes on such Third Parties data protection and security requirements for Customer Personal Data that are compliant with Applicable Data Protection Law(s); and (ii) remain responsible to Customer for Flow’s Third Parties’ (and their sub-processors if applicable) failure to perform their obligations with respect to the Processing of Customer Personal Data.

c) Authorization to Use Third Parties. To the extent necessary to fulfill Flow’s contractual obligations under the Agreement or any Statement of Work, Customer hereby authorizes (i) Flow to engage Third Parties and (ii) Third Parties to engage sub-processors. Any transfer of Customer Personal Data shall comply with all Applicable Data Protection Law(s). Flow will provide Customer any records of Processing of Customer Personal Data that Processors are required to maintain and provide under Applicable Data Protection Law(s).

d) Right to Object to Third Parties. Flow shall include a list of approved Third Parties as of the effective date of this Addendum in Schedule 2. Thereafter, upon request, Flow shall make available to customer an updated list of Third Parties. Customer may object to any new Third Party within thirty (30) days of receipt of the updated list, such that Flow will either (a) instruct the Third Party to cease any further processing of Customer Personal Data, in which event this Addendum shall continue unaffected, or (b) allow Customer to terminate the part of the service performed under the Agreement that cannot be performed by Flow without use of the objectionable Third Party. If Customer does not object, the new Third Party shall be deemed accepted and Flow may continue to use it.

e) Following Instructions. Flow shall Process Customer Confidential Data only in accordance with the written instructions of Customer or as specifically authorized by this Addendum, or the Agreement. Flow will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.

f) Confidentiality. Any person authorized to Process Customer Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality.

g) Personal Data Inquiries and Requests. Flow agrees to comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Personal Data granted to them under Applicable Data Protection Law(s) (“Privacy Request”). At Customer’s request and without undue delay, Flow agrees to assist Customer in answering or complying with any Privacy Request.

4. Information Security Program

Flow agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data as required by Applicable Data Protection Law(s) (the “Information Security Program”). Further, Flow agrees to regularly test, assess and evaluate the effectiveness of its Information Security Program to ensure the security of the Processing.

5. Audits

Upon request from Customer and at Customer’s expense, Flow agrees to reasonably cooperate with Customer for the purpose of verifying Flow’s compliance with Applicable Data Protection Law(s)

6. Data Retention and Deletion upon Termination

Upon termination of the Agreement, Customer will be able to (with Flow’s assistance if needed) delete the Customer Personal Data in Flow’s possession or control by removing all Customer Personal Data from the Flow Service and deleting its account. At Customer’s discretion, either directly, or with the assistance of Flow, Customer shall have the opportunity to first export all Customer Personal Data before deleting its account. The foregoing requirement will not apply to the extent Flow is required by applicable law to retain some or all of the Customer Personal Data, or to Customer Personal Data that is archived on Flow’s back-up systems. With regards to such Customer Personal Data on Flow’s back-up systems, Flow will stop Processing and destroy or deidentify such data according to its data retention policies, except to the extent required by applicable law.

7. Security Incident

a) Security Incident Procedure. Flow will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Customer Personal Data in a timely manner.

b) Notice. Flow agrees to provide prompt written notice without undue delay and within the time frame required under Applicable Data Protection Law(s) to Customer if a known Security Incident has taken place. Such notice will include all available details required under Applicable Data Protection Law(s) for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.


I3000 Pty Ltd (trading as Flow CX) ABN: 62 119 266 938


Schedule 1

Subject Matter of Processing

The subject matter of Processing is the Flow CX Service pursuant to the Agreement.

Duration of Processing

The Processing will continue until the expiration or termination of the Agreement.

Categories of Data Subjects

Includes the following:

With respect to Data Subjects stored by Customer using the Flow Service - Any type of category of Data Subject stored at the discretion of Customer as allowed under the Agreement

With respect to Customer’s authorized users of the Flow Service, Personal Data may include:- Employees, agents, advisors, partners (any category of authorized users)

Nature and Purpose of Processing

The purpose of Processing of Customer Personal Data by Flow is the performance of the Flow Service pursuant to the Agreement.

Types of Personal Data

Includes the following:

With respect to Personal Data stored by Customer using the Flow Service - Any type of Personal Data stored at the discretion of Customer as allowed under the Agreement

With respect to Customer’s authorized users of the Flow Service, categories of Data Subjects include: - Authorized user identification data (notably account name, user name, payment information, email address. Also may include address and telephone number)

Schedule 2

Third Parties as of the effective date of this Addendum:

Third Parties of the Flow Service which may Process Customer Personal Data on behalf of Flow: