Data Processing Agreement

1. Parties

This agreement is between FlowGuard Asset Protection LLC ("Processor," "we," "us") and the Customer who signs a FlowGuard service agreement ("Controller," "you"). Where a service agreement is in place, that agreement's DPA addendum takes precedence over this summary.

2. Nature & Purpose of Processing

FlowGuard processes personal data only to deliver water-leak detection and alerting services to you. Specifically:

• Receive sensor uplinks from your properties and detect leak events
• Send alerts (SMS, email, voice) to contacts you designate
• Track response, escalation, and resolution of each incident
• Generate monthly reports and on-demand insurance packages
• Provide the customer portal (dashboards, incident history, documents)

We do not process personal data for any other purpose. We do not sell, rent, or share personal data with third parties for advertising or marketing.

3. Categories of Data & Data Subjects

Data subjects are typically:

• Property managers, asset managers, and regional managers
• Maintenance technicians and supervisors (alert recipients)
• Installer technicians (when applicable)

Data categories we process:

• Contact details (name, email, phone number, role) for alert delivery and portal access
• Property information (name, address, unit count)
• Sensor metadata (device ID, location, zone, battery level)
• Incident records (detection time, responder, resolution, notes)
• System interaction logs (portal logins, report downloads)

We do not process sensitive categories (health, religion, sexuality, biometric data) or data from children under 18.

4. Sub-processors

Our current sub-processors are listed on our Security page. All are contractually bound to protect personal data to the same standards we commit to here. We will notify you in advance of any new sub-processor and give you a chance to object.

5. Security Measures

We implement technical and organizational measures appropriate to the risk, including:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Role-based access control enforced at the database layer
• Passwordless authentication with MFA available
• Access logging and auditable audit trail
• Synthetic monitoring of the alert pipeline and background jobs
• Sentry error tracking with PII redaction

Full detail is published on our Security page.

6. Breach Notification

If we become aware of a personal data breach, we will notify you without undue delay, and in any case within 72 hours of becoming aware. The notification will include the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.

7. Data Subject Rights

Where applicable law grants data-subject rights (access, rectification, erasure, restriction, portability, objection), we will assist you in responding within the timeframes required by law. Forward requests to mazen@flowguardprotection.com and we'll coordinate.

8. International Data Transfers

All customer data is stored in the United States. If you are outside the US and your jurisdiction requires additional safeguards (Standard Contractual Clauses, UK IDTA, Swiss equivalent), we will execute the appropriate mechanism as part of your service agreement.

9. Return & Deletion

On termination of the service agreement, we will, at your option, either return or delete all customer personal data within 90 days, unless retention is required by law. Backups are purged on a rolling schedule.

10. Audit Rights

On reasonable notice, we will make available all information necessary to demonstrate compliance with the obligations in this DPA and allow for, and contribute to, audits including inspections, conducted by you or an auditor mandated by you, no more than once per 12-month period, at your expense.

11. Contact