Last updated: November 13, 2025

1. Definitions

"Controller" means the entity that determines the purposes and means of processing personal data.

"Processor" means InfoFlo, Inc., which processes personal data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

2. Scope and Purpose

This Data Processing Agreement (DPA) governs the processing of personal data by InfoFlo in connection with the provision of our AI voice agent services for expert interviews. The processing activities include:

• Conducting AI-powered expert interviews

• Generating and storing interview transcripts

• Creating structured takeaways and insights

• Implementing compliance and audit controls

• Detecting and redacting MNPI (Material Non-Public Information)

• Maintaining security and access controls

3. Data Processing Details

Categories of Personal Data

• Expert contact information (name, email, phone number, company)

• Interview responses and transcripts

• User account information (name, email, organization)

• Interview briefs and objectives

• Usage analytics and system logs

• Compliance and audit trail data

Categories of Data Subjects

• Expert interviewees

• Client users and administrators

• Authorized personnel

Processing Purposes

• Conducting expert interviews via AI voice agents

• Generating private, compliance-ready transcripts

• Creating structured insights and takeaways

• Ensuring regulatory compliance and audit readiness

• Maintaining security and preventing unauthorized access

• Improving service quality and functionality

4. Processor Obligations

InfoFlo agrees to process personal data only on documented instructions from the Controller and in accordance with applicable data protection laws, including GDPR, CCPA, and other relevant regulations.

Security Measures

• Encryption of data in transit and at rest

• Access controls and authentication mechanisms

• Regular security assessments and monitoring

• Incident response and breach notification procedures

• Staff training on data protection

• Physical and logical security controls

Confidentiality

All personnel with access to personal data are bound by confidentiality obligations and will process personal data only as necessary to provide our services.

Sub-processors

InfoFlo may engage sub-processors to assist in providing services. We will:

• Maintain a list of sub-processors

• Ensure sub-processors are bound by equivalent data protection obligations

• Notify Controller of any changes to sub-processors

• Remain liable for sub-processor compliance

5. Controller Rights and Obligations

The Controller retains control over the personal data and is responsible for:

• Ensuring lawful basis for processing personal data

• Obtaining necessary consents from data subjects

• Providing accurate and up-to-date instructions

• Responding to data subject requests

• Ensuring compliance with applicable data protection laws

• Notifying relevant authorities of data breaches when required

6. Data Subject Rights

InfoFlo will assist the Controller in fulfilling data subject rights requests, including:

• Right of access to personal data

• Right to rectification of inaccurate data

• Right to erasure ("right to be forgotten")

• Right to restrict processing

• Right to data portability

• Right to object to processing

• Rights related to automated decision-making

7. Data Retention and Deletion

Personal data will be retained only as long as necessary for the purposes outlined in this DPA or as required by applicable law. Upon termination of services or at the Controller's request, InfoFlo will:

• Return all personal data to the Controller

• Delete personal data from our systems

• Provide certification of deletion upon request

• Retain data only where required by law

9. Data Breach Notification

In the event of a personal data breach, InfoFlo will:

• Notify the Controller without undue delay and within 72 hours where feasible

• Provide detailed information about the breach

• Assist in investigating and mitigating the breach

• Cooperate with regulatory authorities as required

• Implement measures to prevent similar breaches

10. Audits and Compliance

InfoFlo will:

• Maintain records of processing activities

• Conduct regular security assessments

• Provide audit reports upon request

• Cooperate with supervisory authority investigations

• Implement corrective measures as needed

11. Liability and Indemnification

Each party shall be liable for damages caused by its breach of this DPA. InfoFlo's liability is limited to the extent permitted by applicable law and shall not exceed the total fees paid by the Controller in the 12 months preceding the claim.

12. Term and Termination

This DPA remains in effect for the duration of the service agreement and continues to apply to any personal data retained after termination until such data is deleted or returned.

13. Contact Information

For questions about this Data Processing Agreement, please contact us at support@infoflo.com.