Data Processing Agreement
Last updated: April 2026
1. Introduction and Scope
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between Recovery VR PTY LTD trading as RecovrFlow, ABN 83 633 066 163 (“RecovrFlow”, “we”, “us”, or “Processor”) and the entity or individual identified in the Agreement (“Customer”, “you”, or “Controller”).
This DPA applies to the processing of Personal Data by RecovrFlow on behalf of the Customer in connection with the RecovrFlow platform and services. It is enacted in accordance with our obligations under the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act, and applicable state and territory health records legislation.
In the event of any conflict between the Agreement and this DPA regarding the processing of Personal Data, this DPA prevails.
2. Definitions
Controller
The Customer, who determines the purposes and means of processing Personal Data. While the Australian Privacy Act does not use the controller/processor terminology, these roles are used in this DPA for clarity and to support Customers who may also have obligations under the GDPR.
Processor
RecovrFlow, which processes Personal Data on behalf of the Customer pursuant to this DPA and the Agreement.
Personal Data
Any information relating to an identified or identifiable natural person, as defined under the Privacy Act 1988 (Cth) and, where applicable, Article 4(1) of the GDPR.
Health Data
Personal Data concerning a Data Subject’s physical or mental health, including clinical records, diagnostic results, treatment history, session notes, outcome measures, and related clinical data. Health information is “sensitive information” under the Privacy Act and receives heightened protections.
Government Identifiers
NDIS participant numbers, DVA file numbers, and Medicare numbers processed through the platform. These are subject to APP 9 restrictions.
Sub-Processor
Any third party engaged by RecovrFlow to process Personal Data on behalf of the Customer.
Data Breach
A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data, as defined under Part IIIC of the Privacy Act (NDB scheme).
3. Roles and Responsibilities
3.1 Customer (Controller)
The Customer is the Controller and is solely responsible for:
- Determining the lawful basis for collecting and processing patient data and Health Data.
- Obtaining all necessary consents from patients before recording clinical sessions or submitting data to the platform, including consent required under applicable Surveillance Devices Acts.
- Disclosing the use of AI-assisted documentation to patients in accordance with AHPRA Principle 3 (Transparency).
- Reviewing, verifying, and approving all AI-generated outputs before use, submission, or reliance.
- Ensuring the accuracy of Personal Data submitted to the platform.
- Responding to data subject access, correction, and deletion requests.
- Complying with all Controller obligations under the Privacy Act and applicable state health records legislation.
3.2 RecovrFlow (Processor)
RecovrFlow is the Processor and will process Personal Data only:
- On documented instructions from the Customer as set out in this DPA and the Agreement.
- As required by applicable Australian law (in which case RecovrFlow will inform the Customer before processing, unless prohibited by law).
- For no other purpose. RecovrFlow does not use Customer data for training AI models, marketing, profiling, or any purpose other than providing the contracted services.
4. Processing Details
| Purpose of processing | Provision of AI-assisted clinical documentation services, including ambient scribe transcription, report generation, outcome measure tracking, goal writing, knowledge base integration, and R&N contextual reference checking. |
| Duration | For the term of the Agreement and any applicable retention period thereafter, as specified in Section 10 below. |
| Nature of processing | Collection, storage, retrieval, AI-assisted analysis and generation, display, cross-referencing against published funding scheme criteria, transmission to authorised Sub-Processors, and secure deletion of Personal Data. |
| Categories of data | Health Data: Clinical session recordings (ambient audio), transcriptions, clinical notes, reports, outcome measures, treatment goals, diagnoses, functional assessments. Personal identifiers: Practitioner name, email, practice details, patient name, date of birth, contact details. Government identifiers: NDIS participant numbers, DVA file numbers, Medicare numbers. Account data: Authentication credentials, billing information, usage logs. |
| Data subjects | Patients of the Customer, the Customer’s clinical and administrative staff, and any other individuals whose data is submitted to the platform by the Customer. |
| Applicable law | Privacy Act 1988 (Cth), Australian Privacy Principles, Notifiable Data Breaches scheme, applicable state and territory health records and surveillance devices legislation. |
5. Data Residency and Infrastructure
All Customer data — including Health Data, Government Identifiers, ambient audio recordings, and all derived outputs — is stored exclusively on Microsoft Azure (Australia East — Sydney region) via our Supabase database infrastructure.
We do not store Customer data outside Australia. Data remains in the ap-southeast-2 (Sydney) region at all times during storage.
AI processing and APP 8
Clinical data is transmitted to third-party AI providers for the purpose of transcription and report generation. These transmissions constitute “disclosures” under APP 8. All AI providers operate under zero-retention, zero-training agreements — meaning your data is processed in real time and is not stored, cached, or used to train AI models. The specific providers and their data handling commitments are listed in our Sub-Processor Register (Section 7).
6. Security Measures
RecovrFlow implements and maintains the following technical and organisational measures in accordance with APP 11 (security of personal information) and the objective “reasonable steps” standard established in Australian Information Commissioner v Australian Clinical Labs [2025] FCA 1224:
6.1 Technical measures
- Encryption in transit: TLS 1.2+ for all data transmissions between the Customer, RecovrFlow, and Sub-Processors.
- Encryption at rest: AES-256 encryption for all stored data on Microsoft Azure infrastructure.
- Access controls: Role-based access control (RBAC) with principle of least privilege. Multi-factor authentication for all administrative access.
- Audit logging: Comprehensive logging of all access to Health Data, including user, timestamp, action, and data accessed.
- Row-level security: Database-level isolation ensuring each Customer can only access their own data (Supabase RLS policies).
- Error monitoring: Sentry integration with sendDefaultPii: false — no personal data is transmitted to error monitoring services.
6.2 Organisational measures
- Confidentiality obligations in all employment contracts and contractor agreements.
- Regular security reviews of infrastructure, access controls, and Sub-Processor arrangements.
- Documented incident response and data breach notification procedures.
- Separation of Health Data from marketing and analytics data at the application layer.
7. Sub-Processors
RecovrFlow engages the following categories of Sub-Processors to deliver the services. All Sub-Processors are bound by data processing terms at least as protective as this DPA.
| Sub-Processor | Purpose | Data Location | Retention |
|---|---|---|---|
| Microsoft Azure | Cloud infrastructure and database hosting | Australia East (Sydney) | Duration of Agreement |
| Supabase | Database, authentication, row-level security | Australia East (Sydney) via Azure | Duration of Agreement |
| AI Providers* | Transcription, report generation, clinical note AI | See provider-specific details | Zero retention |
| Stripe | Payment processing | Stripe global infrastructure | Per Stripe terms |
| Vercel | Website hosting (marketing site only — no Health Data) | Vercel global CDN | N/A — no Health Data |
| PostHog | Product analytics (anonymised usage events only) | PostHog Cloud | Per PostHog terms |
| Sentry | Error monitoring (no PII — sendDefaultPii: false) | Sentry Cloud | Per Sentry terms |
* Specific AI provider names, their data processing locations, and zero-retention commitments are available on request. All AI providers operate under contractual terms that prohibit the use of Customer data for model training, and require immediate deletion of input and output data after processing.
7.1 Sub-Processor changes
RecovrFlow will provide the Customer with at least 30 days’ prior written notice before engaging a new Sub-Processor that processes Health Data or Government Identifiers. The notice will include the Sub-Processor’s identity, the nature of processing, and the data location. If the Customer objects on reasonable data protection grounds within that 30-day period, RecovrFlow will work with the Customer to address the concern. If the concern cannot be resolved, the Customer may terminate the affected services without penalty.
7.2 Flow-down obligations
RecovrFlow imposes data protection obligations on all Sub-Processors that are at least as protective as those in this DPA. RecovrFlow remains fully liable for the acts and omissions of its Sub-Processors in relation to the processing of Personal Data.
8. Data Breach Notification
In the event of a Data Breach affecting Customer data, RecovrFlow will:
- Within 48 hours: Notify the Customer of the breach, including the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to contain the breach.
- Within 30 days: Complete a full assessment of whether the breach constitutes an “eligible data breach” under Part IIIC of the Privacy Act (NDB scheme) and provide the Customer with all information required to prepare notifications to the OAIC and affected individuals.
- Ongoing: Cooperate with the Customer in investigating the breach, implementing remediation measures, and responding to OAIC inquiries.
NDB statement contents
Where required, the NDB statement will include: nature of the breach, types of information involved, number of individuals affected, when the breach occurred, its cause, containment status, mitigation actions taken, whether the breach is systemic, any prior similar breaches, and existing safeguards that were in place.
9. Data Subject Rights Assistance
RecovrFlow will assist the Customer in responding to data subject rights requests under the APPs, including:
- Access (APP 12): Providing the Customer with copies of Personal Data held on the platform upon request.
- Correction (APP 13): Enabling the Customer to correct or annotate Personal Data, including AI-generated content.
- Deletion: Deleting Personal Data in accordance with Section 10 below.
- Data portability: Exporting Personal Data in a structured, machine-readable format upon request.
- Restriction: Enabling the Customer to flag and restrict processing of disputed data.
10. Data Retention and Deletion
10.1 During the Agreement
RecovrFlow retains Customer data for the duration of the Agreement. The Customer may delete individual records at any time through the platform interface.
10.2 On termination
Upon termination or expiry of the Agreement:
- Export window: The Customer has 30 days from termination to export all data in a structured, machine-readable format.
- Deletion: After the 30-day export window, RecovrFlow will securely delete all Customer Personal Data, including Health Data, Government Identifiers, ambient audio recordings, and all derived outputs. Deletion will be confirmed to the Customer in writing.
- Exceptions: RecovrFlow may retain data where required by Australian law or to defend legal claims, but only for the minimum period necessary and with appropriate safeguards.
10.3 AI provider data
All AI providers operate under zero-retention agreements. Clinical data transmitted for AI processing is not stored, cached, or retained by any AI provider after the processing request is completed.
11. Cross-Border Disclosure (APP 8)
RecovrFlow acknowledges that the transmission of Personal Data to AI providers may constitute a “disclosure” to an overseas recipient under APP 8, even where the data is processed in real time and not stored. In accordance with APP 8.1, RecovrFlow takes the following “reasonable steps” to ensure overseas recipients handle Personal Data consistently with the APPs:
- Contractual obligations requiring each AI provider to handle data consistently with the APPs.
- Zero-retention, zero-training contractual terms with all AI providers.
- Due diligence assessments of each AI provider’s security measures and data handling practices.
- Ongoing monitoring of AI provider compliance with contractual terms.
- Disclosure of cross-border transmission in our Privacy Policy and this DPA, enabling informed consent under APP 8.2(b).
RecovrFlow remains accountable under s 16C of the Privacy Act for any acts or practices of overseas recipients that would breach the APPs.
12. Audit and Compliance
RecovrFlow will:
- Maintain all records necessary to demonstrate compliance with this DPA and the Privacy Act.
- Make such records available to the Customer on reasonable request (no more than once per 12-month period, except in the event of a Data Breach).
- Cooperate with audits conducted by the Customer or a qualified independent auditor nominated by the Customer, subject to reasonable notice and scope limitations to protect the confidentiality of other customers’ data.
- Promptly inform the Customer if any Customer instruction infringes applicable privacy law.
- Notify the Customer of any request or inquiry from the OAIC or other regulatory authority in relation to the Customer’s Personal Data.
13. R&N Feature — Contextual Reference Tool
For the avoidance of doubt, the R&N (Reasonable and Necessary) feature is a contextual reference overlay. It cross-references your clinical documentation against published funding scheme criteria (for example, the NDIS s 34 “reasonable and necessary” criteria) and highlights which criteria appear to be addressed and which may require further detail.
The R&N feature:
- Uses only clinician-entered documentation as its input.
- Maps that documentation against publicly available legislative and scheme criteria.
- Does not generate new clinical information, diagnoses, or treatment recommendations.
- Does not determine or validate funding eligibility.
- Produces output equivalent to a clinician manually checking a report against published criteria.
The clinician retains full professional responsibility for interpreting the output and deciding what action, if any, to take. This feature operates as exempt clinical decision support software under the TGA’s CDSS exemption determination.
14. Liability and Indemnification
RecovrFlow’s liability under this DPA is subject to the limitation of liability provisions in the Agreement, except that:
- Liability for Data Breaches caused by RecovrFlow’s failure to implement the security measures described in Section 6 is not subject to any contractual cap.
- Nothing in this DPA limits or excludes liability that cannot be limited or excluded under Australian law, including consumer guarantees under the Australian Consumer Law.
- Each party indemnifies the other against losses arising from a breach of this DPA, including negligence (per Andar Transport v Brambles [2004] HCA 28).
15. Term and Termination
This DPA commences on the date the Customer first accesses the RecovrFlow platform and continues for as long as RecovrFlow processes Personal Data on behalf of the Customer. It survives termination of the Agreement to the extent necessary to give effect to the data deletion obligations in Section 10 and any ongoing confidentiality or liability provisions.
16. Governing Law and Dispute Resolution
This DPA is governed by the laws of New South Wales, Australia. Any dispute arising under this DPA will be resolved in accordance with the dispute resolution provisions in the Agreement (notice, escalation, mediation, then litigation in the courts of New South Wales).
17. Changes to This DPA
RecovrFlow may update this DPA from time to time to reflect changes in our processing activities, Sub-Processors, or applicable law. We will provide at least 30 days’ notice of material changes. Continued use of the platform after the notice period constitutes acceptance of the updated DPA.
18. Contact
For questions about this DPA, to request audit records, or to report a data protection concern:
Privacy Officer
Recovery VR PTY LTD trading as RecovrFlow
ABN 83 633 066 163
Email: hello@recovrflow.health