Data Processing Addendum

1. Definitions

For purposes of this DPA:

"Applicable Privacy Laws" means all data protection and privacy laws applicable to the Processing of Personal Data, including without limitation: the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA"); An Act respecting the protection of personal information in the private sector (Quebec) ("Law 25"); the Personal Health Information Protection Act (Ontario) ("PHIPA"); Canada's Anti-Spam Legislation ("CASL"); the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"); the EU and UK General Data Protection Regulation ("GDPR"); and the U.S. Telephone Consumer Protection Act ("TCPA").

"Controller", "Processor", "Data Subject", "Personal Data", "Processing", and other capitalized data-protection terms have the meanings given in the GDPR and equivalent meanings under PIPEDA, Law 25, and the CCPA.

"End-Consumer" means a Data Subject whose Personal Data is Processed by FluxFront on behalf of the Tenant — typically the Tenant's customer.

"Sub-Processor" means any third party engaged by FluxFront to Process Personal Data on behalf of the Tenant.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021 (Module Two: Controller to Processor), as may be amended.

2. Subject Matter, Duration, Nature, and Purpose

Subject matter and duration of Processing: the term of the Agreement, and any period thereafter during which FluxFront retains Personal Data subject to this DPA.
Nature of Processing: as described in Annex A (Description of Processing).
Purpose of Processing: to deliver the Services, including AI-automated voice and SMS communications, scheduling, CRM, payment facilitation, and ad-integration reporting.
Categories of Data Subjects: End-Consumers (the Tenant's customers).
Categories of Personal Data: as described in Annex A.

3. Roles of the Parties

The parties acknowledge and agree:

The Tenant is the Controller of End-Consumer Personal Data.
FluxFront is the Processor of End-Consumer Personal Data.
For Personal Data of the Tenant's own staff or account holders (e.g., the Tenant's employees who log in to the FluxFront portal), FluxFront and the Tenant may each act as Controllers of their respective Processing.

FluxFront shall Process Personal Data only on the documented instructions of the Controller, as expressed through (a) the Agreement and this DPA, (b) the Controller's configuration and use of the Services, and (c) any other written instructions delivered to FluxFront by an authorized representative of the Controller.

If FluxFront is required by Applicable Privacy Laws to Process Personal Data otherwise than on the Controller's instructions, FluxFront shall notify the Controller of that legal requirement before Processing, unless that law prohibits notification on important grounds of public interest.

4. Controller Obligations

The Controller represents and warrants that:

It has established a lawful basis (including consent where required) for the collection, use, and Processing of all Personal Data submitted to the Services.
It has obtained all necessary consents from Data Subjects, including (without limitation) express written consent for marketing SMS where required by TCPA, express opt-in consent under CASL for commercial electronic messages, two-party consent for voice recording where required by jurisdictional law, and BIPA-compliant disclosures where applicable.
Where Personal Data includes personal health information governed by PHIPA, Quebec Law 25's health-information provisions, or equivalent legislation, the Controller has independently determined that the Services meet its regulatory obligations and has executed any required Electronic Service Provider Addendum or equivalent.
Its instructions to FluxFront are lawful and consistent with Applicable Privacy Laws.

5. FluxFront's Obligations

5.1 Confidentiality

FluxFront shall ensure that all personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations.

5.2 Security measures

FluxFront shall implement and maintain appropriate technical and organizational measures to protect Personal Data, as detailed in Annex B. Measures include encryption in transit, access controls, one-way credential hashing, multi-tenant isolation enforced at the application layer, and Sub-Processor due diligence.

5.3 Assistance with Data Subject Requests

FluxFront shall provide reasonable technical assistance to enable the Controller to respond to requests from Data Subjects to exercise their rights under Applicable Privacy Laws (including access, rectification, erasure, portability, and objection). Where FluxFront receives a Data Subject request directly, FluxFront shall promptly forward it to the Controller and shall not respond directly except to acknowledge receipt and direct the Data Subject to the Controller, unless authorized in writing.

5.4 Assistance with Data Protection Impact Assessments

FluxFront shall provide reasonable assistance to the Controller in carrying out Data Protection Impact Assessments and consulting with regulators where required by Applicable Privacy Laws.

5.5 Records of Processing

FluxFront maintains records of its Processing activities as required by Applicable Privacy Laws and will make them available to the Controller upon reasonable request.

6. Personal Data Breaches

FluxFront shall notify the Controller of a confirmed Personal Data Breach affecting the Controller's End-Consumer data without undue delay, and in any event within 72 hours of becoming aware of the breach. The notification shall include, to the extent known:

The nature of the breach, including the categories and approximate number of Data Subjects and records concerned.
The likely consequences of the breach.
The measures taken or proposed to address the breach and mitigate its possible adverse effects.
A point of contact for further information.

FluxFront shall provide the Controller with sufficient information to enable the Controller to meet its own breach-notification obligations under Applicable Privacy Laws (including PIPEDA's Real Risk of Significant Harm assessment, Quebec Law 25's reporting requirements, and GDPR Articles 33-34).

7. Sub-Processors

7.1 General authorization

The Controller grants FluxFront general authorization to engage Sub-Processors to Process Personal Data, subject to the conditions of this Section 7.

7.2 Current Sub-Processors

The categories of Sub-Processors engaged by FluxFront, and the functions they perform, are described in Annex C. FluxFront will, on the Controller's reasonable written request, provide further detail sufficient for the Controller to assess its own compliance obligations.

7.3 Notification and objection

FluxFront shall notify the Controller by email at least 30 days before engaging a new Sub-Processor or replacing an existing one in a way that materially changes the categories in Annex C. The Controller may object to a new Sub-Processor on reasonable data-protection grounds within 30 days of the notification. If the parties cannot agree on a resolution, the Controller may terminate the Agreement and this DPA with respect to the Services that cannot be provided without the new Sub-Processor.

7.4 Sub-Processor obligations

FluxFront shall enter into a written agreement with each Sub-Processor that imposes data-protection obligations no less protective than those in this DPA. FluxFront remains liable to the Controller for the acts and omissions of its Sub-Processors.

8. International Data Transfers

Where Personal Data is transferred from a jurisdiction with cross-border transfer restrictions (including the EEA, UK, and Quebec) to a jurisdiction not covered by an adequacy decision (including the United States):

The parties shall rely on the Standard Contractual Clauses (Module Two: Controller to Processor), which are incorporated into this DPA by reference. Where executed copies of the SCCs are required, the parties will execute them as a separate annex.
For Quebec Personal Data transferred to Sub-Processors outside Canada, FluxFront has conducted Transfer Impact Assessments documenting the contractual and technical safeguards in place. These assessments are available to the Controller on request.
For data subject to PIPEDA, FluxFront ensures comparable protection through contractual agreements with Sub-Processors.

9. Audits and Compliance

The Controller may, at its own expense and with reasonable advance notice (no less than 30 days), audit FluxFront's compliance with this DPA. Audits shall be conducted during business hours, in a manner that does not unreasonably interfere with FluxFront's operations, and subject to reasonable confidentiality obligations.

In place of an on-site audit, FluxFront may satisfy this obligation by providing the Controller with: (a) a current compliance attestation or certification (such as SOC 2, ISO 27001) where available; or (b) responses to a reasonable security questionnaire.

10. Deletion or Return of Personal Data

Upon termination of the Agreement, FluxFront shall, at the choice of the Controller, delete or return all Personal Data to the Controller, and delete existing copies, subject to:

A reasonable grace period of up to 30 days for export.
Backup retention as described in the Privacy Policy.
Legal retention obligations (such as financial records under CRA requirements).

11. Liability

The liability of each party under this DPA is governed by the limitations and exclusions set out in the Agreement, except where Applicable Privacy Laws prohibit such limitations.

12. Conflicts and Order of Precedence

In the event of a conflict between this DPA, the Standard Contractual Clauses, and the Agreement, the order of precedence is:

The Standard Contractual Clauses (where applicable).
This DPA.
The Agreement.

13. Term and Termination

This DPA is effective on the same date as the Agreement and shall remain in effect for the duration of the Agreement and for any period thereafter during which FluxFront retains Personal Data subject to this DPA.

14. General

Amendments. This DPA may be amended only by written agreement of the parties or by FluxFront's notice of update with at least 30 days' advance notice for material changes.
Governing law. This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada applicable in Ontario.
Independent contractors. The parties are independent contractors. Nothing in this DPA creates a partnership, joint venture, agency, or employment relationship.

15. Contact

Processor — Malleo Jafari, operating as FluxFront

Email: support@fluxfront.ca

Mailing address: 509 Rideau Street, Ottawa, Ontario K1N 5Z5, Canada

Annex A — Description of Processing

Subject matter: Provision of the FluxFront platform.

Duration: Term of the Agreement plus retention periods specified in the Privacy Policy.

Nature and purpose: AI-automated voice (Aria), SMS, and chat communications; appointment scheduling; CRM; payment facilitation through Stripe; and integration with advertising and calendar-sync platforms.

Categories of Data Subjects: End-Consumers (the Tenant's customers); Tenant staff users.

Categories of Personal Data: Names; phone numbers; email addresses; voice call transcripts and AI summaries; SMS conversation logs; chat logs; appointment metadata; payment metadata (card brand, last four digits only); customer notes (free-text); customer-uploaded documents; (where applicable) health-adjacent notes; (where applicable) vehicle identification numbers.

Annex B — Technical and Organizational Measures

Pursuant to GDPR Article 32 and PIPEDA's safeguards principle, FluxFront implements:

Encryption

Encryption of data in transit, terminated at our reverse proxy.
Strong, industry-standard one-way hashing for user passwords.
One-way cryptographic hashing for session tokens (only the hash is stored).

Access Control

Role-Based Access Control (RBAC) with tiered permission levels.
Multi-tenant isolation enforced at the application layer (every database query is filtered by tenant identifier).
Cross-Site Request Forgery protection via double-submit cookies.

Operational Security

Rate limiting on authentication endpoints.
Audit logging of authentication events.
Sub-Processor due diligence and contractual security commitments.
Secure development lifecycle including code review.

Data Protection

Personal Data is segregated by Tenant identifier.
Card data is never stored on FluxFront's systems (handled exclusively by our payment processor).
Webhook payload retention limited to 90 days.
Retention periods enforced per the schedule in the Privacy Policy.

Incident Response

72-hour Personal Data Breach notification commitment.
Documented breach response procedures.

Annex C — Categories of Sub-Processors

FluxFront engages third-party service providers ("Sub-Processors") to deliver the Services. Each Sub-Processor is bound by a written agreement that includes data-protection obligations consistent with this DPA and the Privacy Policy. The Sub-Processors fall into the following functional categories, with the current named providers listed in each:

Conversational & Voice AI

Providers: Anthropic, PBC (conversational reasoning / Claude — default); OpenAI, L.L.C. (chat, summaries, and an alternate voice LLM); Deepgram, Inc. (real-time speech-to-text); Cartesia, Inc. (real-time text-to-speech); Groq, Inc. (alternate voice LLM, not active by default). ElevenLabs, Inc. is retained only as an inactive failover.
Function: Powers the AI chat, SMS, and voice-agent ("Aria") capabilities, including transcription and summarization.
Data Processed: Caller and contact names, phone numbers, conversation history, appointment history, real-time audio.
Location: United States

Telephony & Messaging

Providers: Twilio Inc.
Function: Voice call routing (Media Streams), SMS delivery, and phone number provisioning.
Data Processed: Phone numbers, call duration, SMS content, sender/recipient pairing.
Location: United States

Transactional Email

Providers: Resend, Inc.
Function: Delivery of booking confirmations, reminders, and receipts.
Data Processed: Email addresses, message content, calendar (.ics) attachments.
Location: United States

Payment Processing

Providers: Stripe, Inc. — including Stripe Connect Express (connected-account payouts) and Stripe Terminal (in-person card payments).
Function: Payment gateway, card tokenization, stored-credential (card-on-file) processing, and subscription billing.
Data Processed: Billing addresses, tokenized payment methods (including cards a customer chose to save on file), masked card metadata, stored-credential authorization records, transaction records.
Location: Canada / United States

Cloud Hosting & Storage

Providers: RackNerd, LLC (application servers and PostgreSQL database); Cloudflare, Inc. (R2 object storage); Let's Encrypt (TLS certificates).
Function: Application servers, the production database, and file/object storage for media and documents.
Data Processed: All Tenant and End-Consumer data stored in the production environment; uploaded files and brand assets.
Location: United States

Third-Party Integrations

Providers: Google LLC (Google Calendar sync); Meta Platforms, Inc. (Lead Ads and ad insights).
Function: Calendar synchronization and advertising / lead-capture platforms, engaged only where the Tenant enables the relevant integration.
Data Processed: Contact names, phone numbers, appointment times; lead form submissions and ad performance metrics.
Location: United States

Annex D — Tenant-Specific Addenda (Where Applicable)

Where the Tenant operates in a regulated vertical (such as health care under PHIPA, or telecommunications under jurisdiction-specific TCPA/CASL frameworks), the parties may execute additional addenda that supplement this DPA with vertical-specific obligations. Such addenda are integrated into this DPA upon execution.

Signature Block

Signed for the Controller (Tenant)

Name: _______________________

Title: _______________________

Date: _______________________

Signature: _______________________

Signed for the Processor (FluxFront)

Name: Malleo Jafari, operating as FluxFront

Date: _______________________

Signature: _______________________