Data Processing Agreement (DPA)

Effective Date: April 15, 2026

This Data Processing Agreement ("DPA") supplements the Terms of Service. It forms a legally binding contract between Tarquin Barnsby trading as AgencySoftware.io ("Processor") and the Fostering Agency or registered B2B user ("Controller"). It satisfies the requirements of Article 28 of the UK General Data Protection Regulation (UK GDPR).

1. Roles and Scope

  • Controller: The Fostering Agency or B2B client who dictates the purpose and means of processing.
  • Processor: FosterFlow (AgencySoftware.io), acting strictly on the Controller's instructions to provide software infrastructure.
  • Scope: The processing of Special Category Data (child health/welfare records, audio logs, reports) generated by carers affiliated with the Controller.

2. Processing Instructions

The Processor shall treat Personal Data and Special Category Data as Confidential Information. The Processor will only process Data to provide, secure, and maintain the FosterFlow platform, and will not use it for its own purposes, marketing, or independent AI foundational model training.

3. Sub-Processors

The Processor remains fully liable for the performance of its sub-processors. The Controller authorizes the Processor to engage the following sub-processors:

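| Sub-Processor   | Purpose                   | Location | Safeguards                   |
|-----------------|---------------------------|----------|------------------------------|
| Supabase        | Primary Database          | US / EU  | SCCs, Encryption at Rest     |
| Clerk           | Authentication & Identity | US       | SCCs, SOC 2 Type II          |
| Cloudflare R2   | Audio & Object Storage    | Global   | SCCs, Encrypted Buckets      |
| Google (Gemini) | AI Transcription/Drafts   | Global   | Zero-Training Enterprise API |
| Stripe          | Payment Processing        | US / UK  | PCI-DSS L1, SCCs             |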

4. Tenant Security & Isolation

The Processor implements strict Row Level Security (RLS) policies ensuring logical tenant separation. Information cannot be queried across Agency boundaries. All data in transit is encrypted using strictly enforced TLS.

5. Data Breach Notification

In the event of a confirmed Personal Data Breach, the Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach. The Processor will assist the Controller in its obligations to notify the ICO.

6. Deletion and Return of Data

Upon termination of the Controller's subscription, the Processor will automatically delete all Personal Data governed by this DPA from active systems after 90 days, excluding data retained in secure rotational backups (which age out and are overwritten) or where statutory law forbids deletion.

7. Data Subject Rights Assistance

The Processor provides automated export tools (e.g., the 1-Click DSAR Vault) allowing the Controller to fulfill Data Subject Access Requests (DSAR) independently. If direct technical assistance is required, the Processor will provide it within a commercially reasonable timeframe.

8. Governing Law

This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the English courts.