Data Processing Addendum

Fluentworks, Inc.

Last updated February 28, 2026
Version 1.0

This Data Processing Addendum (“DPA”) supplements the Master Subscription Agreement / Terms of Service (the “Agreement”) between Fluentworks, Inc. (“Fluent” or “Processor”) and the Customer (“Customer” or “Controller”). This DPA applies only to the extent Fluent processes Personal Data on behalf of Customer that is subject to European Data Protection Laws.

1. Definitions

“Data Protection Laws” means, as applicable: (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the UK General Data Protection Regulation and the Data Protection Act 2018 (“UK GDPR”); (c) the Swiss Federal Act on Data Protection; and (d) any other applicable data protection laws to the extent they apply to the processing under this DPA.

“Personal Data” means any information relating to an identified or identifiable natural person that Fluent processes on behalf of Customer in connection with the Service.

“Subprocessor” means any third party engaged by Fluent to process Personal Data on behalf of Customer.

Terms such as “processing,” “controller,” “processor,” “data subject,” and “supervisory authority” have the meanings given in the GDPR.

2. Scope and Roles

Customer is the Controller and Fluent is the Processor with respect to Personal Data processed in the Service on Customer’s behalf. Fluent will process Personal Data only on documented instructions from Customer (which include the Agreement and this DPA), unless processing is required by applicable law, in which case Fluent will inform Customer of that legal requirement unless prohibited by law.

3. Processing Details

  • Subject matter: Provision of the Service as described in the Agreement.
  • Duration: For the term of the Agreement, plus any retention period described in the Agreement or required by law.
  • Nature and purpose: Scheduling and appointment management, notifications, reporting and analytics within the Service, customer support, and related operational services.
  • Categories of data subjects: Customer’s staff, contractors, end users, clients/patients (if applicable), and other individuals whose data is entered into the Service.
  • Types of Personal Data: Names, contact information, user/account identifiers, appointment and scheduling details, communications and notes entered by Customer and Authorized Users, and other data submitted to or generated in the Service by or on behalf of Customer.

4. Obligations of Fluent

Fluent will:

  • process Personal Data only on documented instructions from Customer, unless required by law;
  • ensure personnel authorized to process Personal Data are bound by confidentiality obligations;
  • implement appropriate technical and organizational measures to protect Personal Data, as described in Fluent’s security documentation made available at the Trust Center (https://www.fluentworks.com/trust/), and as further described in the Agreement;
  • assist Customer, taking into account the nature of the processing, in responding to data subject requests (access, rectification, erasure, portability, restriction, and objection) to the extent required by Data Protection Laws;
  • assist Customer in fulfilling its obligations regarding data protection impact assessments and prior consultations with supervisory authorities, where applicable and to the extent Customer does not otherwise have access to relevant information;
  • notify Customer without undue delay after becoming aware of a Personal Data breach and, where feasible, within seventy-two (72) hours, and provide information reasonably available to support Customer’s compliance obligations;
  • delete or return Personal Data upon termination of the Agreement, subject to the retention and backup provisions in the Agreement; and
  • make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits as described in Section 8.

5. Subprocessors

Customer authorizes Fluent to engage Subprocessors to process Personal Data, including those listed at: https://www.fluentworks.com/trust/subprocessors/ (the “Subprocessor List”), which may be updated from time to time.

Notice of changes. Fluent will provide at least thirty (30) days’ advance notice before engaging a new Subprocessor, except where a shorter period is required due to urgent security needs, legal requirements, or service continuity needs, in which case Fluent will provide notice as soon as reasonably practicable.

Objection. Customer may object to a new Subprocessor by providing written notice to Fluent within the notice period, describing reasonable grounds related to data protection. If the parties cannot resolve Customer’s objection in good faith, Customer may terminate the affected portion of the Service (or, if not reasonably separable, the Agreement) without penalty by providing written notice before the new Subprocessor is engaged.

Fluent will enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than this DPA.

6. International Transfers

Personal Data may be transferred to and processed in the United States and other locations where Fluent or its Subprocessors operate.

SCCs (EEA). For transfers of Personal Data from the EEA to countries not deemed adequate by the European Commission, the parties agree that the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) as adopted by Commission Implementing Decision (EU) 2021/914 (“SCCs”) are incorporated by reference and apply to such transfers.

UK transfers. For transfers of Personal Data from the UK to countries not deemed adequate under UK GDPR, the SCCs apply as modified by the UK International Data Transfer Addendum (the “UK Addendum”), incorporated by reference.

Swiss transfers. For transfers of Personal Data subject to Swiss data protection law, the SCCs apply with modifications required by Swiss law, as applicable.

Annexes. The annexes required by the SCCs are completed as follows:

  • (a) Annex I (Parties and Description of Transfers): completed by the Agreement and Section 3 of this DPA;
  • (b) Annex II (Technical and Organizational Measures): described at the Trust Center (https://www.fluentworks.com/trust/) and/or provided by Fluent upon request;
  • (c) Annex III (Subprocessors): the Subprocessor List.

7. Data Subject Requests

Fluent will promptly notify Customer if it receives a request from a data subject regarding Personal Data processed under this DPA (unless prohibited by law). Fluent will not respond to such requests directly unless instructed by Customer. Fluent will provide reasonable assistance to Customer in fulfilling its obligations to respond.

8. Audit Rights

Upon Customer’s written request and subject to reasonable advance notice (not less than 30 days), Fluent will make available information reasonably necessary to demonstrate compliance with this DPA. Customer may conduct or commission an audit no more than once per 12-month period, at Customer’s expense, and subject to a mutually agreed scope and confidentiality obligations.

Fluent may satisfy audit requests by providing relevant security documentation, summaries, and third-party reports if available, and may limit audits to protect confidential information and the security of other customers.

9. Term

This DPA is effective for the term of the Agreement. The obligations of Fluent regarding the processing of Personal Data will survive termination until all Personal Data is deleted or returned in accordance with the Agreement and this DPA.

10. Conflict

In the event of a conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data subject to Data Protection Laws. Where a BAA is also in effect, the BAA governs PHI, and this DPA governs non-PHI Personal Data subject to Data Protection Laws.