Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Master Services Agreement (“MSA”) between:

RJP Group Ltd (trading as Flow Smart Suite)

and

The Client identified in the applicable Order Form.

1. Purpose

This DPA governs the processing of Personal Data by Flow Smart Suite on behalf of the Client in connection with the provision of the Service.

This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation (“UK GDPR”).

2. Roles of the Parties

The parties acknowledge that:

• The Client acts as the Data Controller.

• Flow Smart Suite acts as the Data Processor.

Flow Smart Suite shall process Personal Data only on documented instructions from the Client, including as set out in the MSA and Order Form.

3. Nature & Purpose of Processing

Processing activities may include:

• Receiving and transcribing inbound calls

• Processing voice data via AI systems

• Storing call recordings (if enabled)

• Capturing contact details

• Sending notifications (SMS, WhatsApp, email)

• Logging CRM records

Processing is carried out for the purpose of providing AI-driven call handling and automation services.

4. Categories of Data Subjects

Personal Data may relate to:

• The Client’s customers

• Prospective customers

• Employees or representatives of the Client

• Third-party callers

5. Categories of Personal Data

May include:

• Names

• Telephone numbers

• Email addresses

• Call recordings

• Transcriptions

• Message content

• Booking information

• Any information voluntarily provided by callers

Flow Smart Suite does not intentionally process special category data unless configured by the Client.

a) such processing is explicitly configured or instructed by the Client; and

b) the Client confirms that it has a lawful basis under Article 9 UK GDPR for such processing.

6. Processor Obligations

Flow Smart Suite shall:

• Process Personal Data only on documented instructions

• Ensure personnel are subject to confidentiality obligations

• Implement appropriate technical and organisational security measures

• Not sell or use Personal Data for its own purposes

• Notify the Client without undue delay upon becoming aware of a Personal Data Breach and shall provide reasonable assistance to the Client in investigating, mitigating, and complying with applicable breach notification obligations.

7. Sub processors

The Client provides general authorisation for Flow Smart Suite to engage sub processors as necessary to provide the Service.

Flow Smart Suite maintains an up-to-date list of approved sub processors at:

https://flowsmartsuite.com/subprocessors

Flow Smart Suite shall ensure that any sub processor is subject to data protection obligations no less protective than those set out in this DPA.

Flow Smart Suite may update its list of sub processors from time to time and will provide reasonable notice of material changes. The Client may object to the appointment of a new sub processor on reasonable data protection grounds. In such case, the parties shall work in good faith to resolve the objection.

8. International Transfers

Where Personal Data is transferred outside the United Kingdom, Flow Smart Suite shall ensure appropriate safeguards are in place in accordance with UK GDPR requirements.

This may include the use of International Data Transfer Agreements (IDTAs) or other lawful transfer mechanisms.

9. Security Measures

Flow Smart Suite implements appropriate technical and organisational measures designed to protect Personal Data against:

• Unauthorised access

• Accidental loss

• Alteration

• Disclosure

Appropriate measures include, where applicable:

• Access controls

• Encryption in transit

• Secure hosting environments

• Audit logging

10. Processing of Special Category Data

Where the Client configures or instructs the Service to process special category data, including health-related information:

• The Client warrants that it has obtained all necessary consents or has another valid lawful basis under UK GDPR;

• Flow Smart Suite shall implement appropriate additional security measures proportionate to the sensitivity of such data;

• The Client acknowledges that it remains responsible for determining whether the Service is appropriate for processing such data within its regulatory environment.

11. Data Subject Rights

Flow Smart Suite shall assist the Client, where reasonably possible, in responding to:

• Access requests

• Rectification requests

• Erasure requests

• Objection requests

Such assistance may be subject to reasonable charges where requests require significant effort.

12. Data Retention & Deletion

Upon termination of the Service, Flow Smart Suite shall:

•         Provide the Client with access to retrieve its data for a reasonable period; and

•         Delete or anonymise Personal Data thereafter, unless retention is required by law.

13. Audit

Flow Smart Suite shall make available information reasonably necessary to demonstrate compliance with this DPA.

Formal audits shall require reasonable prior notice and may be subject to confidentiality and security controls.

14. Liability

Liability arising under this DPA shall be subject to the limitations set out in the MSA.

15. Precedence

In the event of conflict between this DPA and the MSA, this DPA shall prevail with respect to data protection matters.

16. Survival

The obligations under this DPA shall survive termination of the MSA for so long as Flow Smart Suite processes Personal Data on behalf of the Client.

Version 1.4

Updated: 24^th February 2026