OneLead by Alexium Data Security & Processing Policy
Last Updated: October 2025
1. Data Processing Addendum (DPA) Commitments
This section outlines the legally binding obligations and responsibilities between the Client (the business, referred to as the Controller) and Alexium (the provider of the OneLead Service, referred to as the Processor). This Addendum is integral to the overarching Service Agreement.
1.1 Roles and Instructions
1. Controller Responsibility: The Client (Controller) determines the purposes and means of the processing of Customer Personal Data.
2. Processor Obligation: Alexium (Processor) agrees to process Customer Personal Data only on the documented instructions of the Client. The provision of the OneLead Service, as defined in the Service Agreement, constitutes the Client's primary instructions to Alexium.
3. Restriction: Alexium will not process Customer Personal Data for any other purpose, including for its own commercial benefit, unless required to do so by applicable Australian law, in which case Alexium will inform the Client of that legal requirement before processing, unless that law prohibits such notification.
1.2 Confidentiality and Personnel
Alexium shall take reasonable steps to ensure the reliability of any employee, agent, or contractor who may have access to Customer Personal Data. Alexium shall ensure that all persons authorised to process the data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access is strictly limited to those individuals who require it to perform the Service.
1.3 Sub-processors (Third-Party Vendors)
1. Authorisation: Alexium shall not appoint any third-party sub-processors (e.g., hosting providers, specific analytics services) without the Client's general written authorisation (as documented in our privacy policy and communicated updates).
2. Contractual Requirements: Where Alexium engages a sub-processor, it shall do so only by written contract that imposes on the sub-processor the same data protection obligations as set out in this policy and the Service Agreement.
3. Liability: Alexium remains fully responsible for the performance of the sub-processor’s obligations.
1.4 Assistance with Data Subject Rights
OneLead shall, considering the nature of the processing, assist the Client in fulfilling the Client’s obligation to respond to requests from Data Subjects (your customers) regarding their rights (e.g., right of access, right to correction, right to deletion) under applicable privacy laws. Where a Data Subject contacts OneLead directly with such a request, OneLead will promptly inform the Client.
1.5 Personal Data Breach Notification
In the event OneLead becomes aware of a Personal Data Breach affecting Customer Personal Data, OneLead shall notify the Client without undue delay (and where feasible, within 48 hours) after becoming aware of the breach. OneLead will cooperate and assist the Client in managing the breach, including providing details of the breach, the affected data subjects, and the steps taken to mitigate the effects.
1.6 Deletion or Return of Data
Upon the termination or expiry of the Service Agreement, OneLead shall, at the Client's direction, either delete or return all Customer Personal Data to the Client, and delete all existing copies, unless Australian law requires the continued storage of the data. OneLead will certify this deletion/return upon request.
1.7 Audit Rights and Compliance
OneLead shall make available to the Client all information necessary to demonstrate compliance with the obligations set out in this DPA. The Client (or an independent auditor mandated by the Client) shall have the right to audit OneLead's data processing and security measures, subject to reasonable prior notice, no more than once per year, and in accordance with OneLead's security and confidentiality procedures.
2. Technical and Organisational Security Measures
The following section details the specific, ongoing security measures OneLead implements to protect Customer Personal Data.
Our Security Foundation
Our security approach is like a strong fortress with multiple layers of defence:
• Multi-layered Protection: We secure data at every stage – on your device, during transfer, on our servers, and within our databases.
• Zero-Trust: We don't automatically trust any request, wherever it comes from. Every interaction with our system is authenticated and authorised before it is acted on.
• Defence in Depth: We use multiple, overlapping security controls so if one layer somehow fails, others are there to pick up the slack.
• Compliance-First: Our entire system is designed to meet strict requirements from Google and Apple platforms and various privacy regulations.
How We Protect Your Data Through Encryption
Encryption is like locking your data in a secure vault, making it unreadable to anyone without the right key. OneLead uses advanced encryption methods to protect your information.
2.1 Encrypting Data in Our Database
Sensitive information stored in our database, such as customer names, email addresses and phone numbers, as well as user phone numbers and push notification tokens, is encrypted before it is written to the database.
• Automatic Protection: When data is saved or retrieved, it's automatically encrypted or decrypted.
• Strong Encryption Standard: We use AES-256 encryption, which is a widely recognised and a very secure method for protecting data.
• Secure Keys: The keys used for encryption are stored in a highly secure environment, separate from the data itself.
2.2 Secure Storage on Your Mobile Device
Data stored directly on your phone by the OneLead app is also encrypted. This includes:
• Authentication tokens.
• Your user profile data.
• Business information.
• Temporary customer data (cache).
• Data specific to your device.
We integrate with your device's built-in security features, the iOS Keychain and Android Keystore, so that encryption keys are held in hardware-backed storage wherever the device supports it. Sensitive data is never written to the device in plain, readable text.
2.3 Protecting Passwords and One-Time Passcodes (OTPs)
We take extra steps to secure your passwords and any one-time passcodes you receive:
• Strong Password Hashing: Your passwords are never stored in plain text. Instead, each password is run through bcrypt, a deliberately slow, salted, one-way hashing function configured with a high work factor, so the original password cannot be recovered from what we store.
• Secure OTPs: One-time passcodes are generated from a cryptographically secure random source, then hashed (one-way) before being stored, so a copy of the database does not reveal live codes. They expire within 30 minutes, and repeated incorrect entries are rate-limited (see section 5) and answered with a generic error that does not indicate why verification failed.
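The OTP lifecycle described above (secure generation, hash-only storage, 30-minute expiry, a cap on attempts matching the limit in section 5, and a failure result that does not say why), as an added example written for this page in Python. It is not OneLead's code and the page names no language; the six-digit code length, the in-memory store, the `PEPPER` value and the use of HMAC-SHA256 as the one-way hash are all assumptions. Password storage with bcrypt is not shown here because it needs a third-party package.

```python
"""OTP issue / verify lifecycle: hashed at rest, 30-minute expiry, attempt cap,
and a single generic failure result. Added example; not OneLead code."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 30 * 60      # page: codes expire within 30 minutes
MAX_ATTEMPTS = 10              # page, section 5: 10 verification attempts
OTP_DIGITS = 6                 # assumed code length (not stated on the page)

# Assumed server-side secret that keys the OTP hash; a real deployment loads
# it from a key store, never from source.
PEPPER = b"example-pepper-not-for-production"


def _hash_otp(user_id: str, code: str) -> str:
    """Keyed one-way hash of the code; the plaintext code is never stored."""
    msg = f"{user_id}:{code}".encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).hexdigest()


class OtpStore:
    """In-memory stand-in for the database table holding pending OTPs."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry is testable
        self._pending = {}           # user_id -> {hash, expires, attempts}

    def issue(self, user_id: str) -> str:
        """Generate a fresh code with a CSPRNG and store only its hash."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user_id] = {
            "hash": _hash_otp(user_id, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code   # delivered to the user out of band (page: by email)

    def verify(self, user_id: str, code: str) -> bool:
        """True only for the correct, unexpired code within the attempt cap.
        Every failure path returns the same False, so a caller cannot tell
        'wrong code', 'expired' and 'nothing pending' apart."""
        rec = self._pending.get(user_id)
        if rec is None:
            return False
        if self._clock() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            self._pending.pop(user_id, None)   # burn the record
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["hash"], _hash_otp(user_id, code))
        if ok:
            self._pending.pop(user_id, None)   # single use
        return ok
```

The comparison uses `hmac.compare_digest` so verification time does not leak how many characters of the hash matched, and a code that verifies is removed immediately so it cannot be replayed within its 30-minute window.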
3. Authentication and Authorisation
We ensure only authorised users can access your data and that they only access what they're allowed to see.
3.1 Secure Login (JWT-Based Authentication)
We use JSON Web Tokens (JWTs), a standard method for securely verifying your identity when you log in.
• These tokens are cryptographically signed and automatically expire after 24 hours to keep your session secure.
• We use a role-based system to ensure that, for example, a user can only access the data relevant to their role and customers.
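What "signed, expires after 24 hours, role-based" means in practice, as an added example in Python that is not OneLead's code: a minimal HS256 JWT issuer and verifier using only the standard library. The signing key, the claim names beyond the standard `sub`/`iat`/`exp`, and the `authorise` helper are assumptions for illustration; a production service would normally use a maintained JWT library and load the key from a secrets manager.

```python
"""Minimal HS256 JWT issue/verify with a 24-hour expiry and a role check.
Added example, not OneLead code; standard library only."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

TOKEN_TTL_SECONDS = 24 * 60 * 60   # page: tokens expire after 24 hours
# Assumed signing key (placeholder); production keys live in a key store.
SIGNING_KEY = b"example-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue_token(user_id: str, role: str, now: Optional[float] = None) -> str:
    """Sign {sub, role, iat, exp} with HMAC-SHA256."""
    iat = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "role": role, "iat": iat, "exp": iat + TOKEN_TTL_SECONDS}
    signing_input = f"{_b64url(_compact_json(header))}.{_b64url(_compact_json(claims))}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the token is well formed, uses HS256, carries a
    valid signature and has not expired; otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None                             # refuse alg=none / confusion
        expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None                             # tampered or wrong key
        claims = json.loads(_b64url_decode(p))
    except ValueError:                              # bad base64 / JSON / shape
        return None
    current = time.time() if now is None else now
    if not isinstance(claims, dict) or current >= claims.get("exp", 0):
        return None                                 # expired
    return claims


def authorise(token: str, required_role: str, now: Optional[float] = None) -> bool:
    """Role-based access check: valid token AND the required role."""
    claims = verify_token(token, now)
    return claims is not None and claims.get("role") == required_role
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so an attacker cannot make the server act on claims it has not authenticated.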
3.2 Protecting Our Systems (API Route Protection)
Every interaction with our core system (APIs) is protected. This means that operations involving customer data, user management, file uploads, and administrative functions all require proper authentication before they can proceed.
3.3 Multi-Factor Authentication (MFA)
For added security, we require OTP-based verification, delivered as a second factor to your email address, for critical actions such as:
• Password resets.
• Account verification.
• Confirming sensitive operations.
4. Network Security
We protect your data as it travels between your device and our servers.
4.1 Secure Communication (HTTPS Enforcement)
All communication with the OneLead Service happens over HTTPS using TLS 1.3, the current version of the TLS standard, so data in transit is encrypted and protected from eavesdropping and tampering. We also send HSTS (HTTP Strict Transport Security) headers, which instruct your browser to connect to our site only over HTTPS, even if a link or bookmark uses plain HTTP.
4.2 Content Security Policy (CSP)
Our app has a Content Security Policy in place. This helps protect you from common web threats such as:
• Cross-site scripting (XSS): Blocks scripts that do not come from an approved source, so injected script does not run.
• Data injection attacks: Restricts the origins from which scripts, styles, images and other resources may be loaded.
• Clickjacking: Restricts which sites may embed OneLead in a frame, so a malicious page cannot trick you into clicking hidden elements.
5. Protecting Against Overloads and Attacks (Rate Limiting & DDoS Protection)
We have measures in place to prevent our systems from being overwhelmed by too many requests.
• Login attempts: Limited to 5 attempts per email/IP address every 5 minutes.
• OTP verification: Limited to 10 attempts every 5 minutes.
• Password reset: Limited to 3 attempts every 10 minutes.
• File uploads: Limited to 10 uploads every 5 minutes.
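A sliding-window limiter with exactly the four limits listed above, as an added Python example that is not OneLead's code. The in-memory store, the injectable clock and the `login_key` composition of email and IP address are assumptions; a multi-instance deployment would keep the counters in a shared store such as Redis rather than in process memory.

```python
"""Sliding-window rate limiter using the per-endpoint limits stated in
section 5 of the page. Added example; not OneLead code."""
import time
from collections import defaultdict, deque

# endpoint -> (max requests, window in seconds); values from the page
LIMITS = {
    "login":          (5, 5 * 60),
    "otp_verify":     (10, 5 * 60),
    "password_reset": (3, 10 * 60),
    "file_upload":    (10, 5 * 60),
}


class RateLimiter:
    def __init__(self, clock=time.time):
        self._clock = clock                 # injectable for testing
        self._hits = defaultdict(deque)     # (endpoint, key) -> timestamps
        self.violations = 0                 # fed to monitoring (section 8.1)

    def allow(self, endpoint: str, key: str) -> bool:
        """Record the request and return False once the window is full."""
        max_hits, window = LIMITS[endpoint]
        now = self._clock()
        q = self._hits[(endpoint, key)]
        while q and q[0] <= now - window:   # evict hits outside the window
            q.popleft()
        if len(q) >= max_hits:
            self.violations += 1
            return False
        q.append(now)
        return True


def login_key(email: str, ip: str) -> str:
    """Page: login attempts are limited per email/IP address (assumed format)."""
    return f"{email.strip().lower()}|{ip}"
```

Keying login attempts on the email and the source address together means one attacker cannot lock a victim out by spamming their address from elsewhere, while a single address guessing many accounts still trips the limit on each one it touches.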
6. Ensuring Valid Data (Input Validation & Sanitisation)
We ensure that all data entering our system is clean, safe, and in the correct format to prevent errors and security vulnerabilities.
• Strict Validation: Every piece of information you enter is checked against strict rules to ensure it's valid and safe.
• SQL Injection Prevention: We use parameterised queries and other secure programming practices that prevent "SQL injection", so user input is never interpreted as part of a query.
• XSS Prevention (Cross-Site Scripting): We actively prevent XSS attacks by ensuring that any data displayed in the app is properly encoded.
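The two controls in this section side by side, as an added Python example that is not OneLead's code: a string-built query that an input like `x' OR '1'='1` turns into "return every row", the parameterised version that treats the same input as an ordinary value, and output encoding for data rendered into HTML. The SQLite table and the sample rows are constructed for the example; the real schema is not on the page.

```python
"""Vulnerable string-built query beside its parameterised form, run against
an in-memory SQLite table, plus output encoding for display. Added example;
not OneLead code."""
import html
import sqlite3

# Constructed sample rows (not real customer records)
SAMPLE_CUSTOMERS = [
    ("ann@example.com", "Ann"),
    ("bob@example.com", "Bob"),
    ("cat@example.com", "Cat"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # DO NOT DO THIS: the input becomes part of the SQL text, so quotes in it
    # change the query's structure.
    sql = f"SELECT email, name FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameterised query: the value is bound separately from the SQL text and
    # can never be parsed as SQL, whatever it contains.
    sql = "SELECT email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def render_name(name: str) -> str:
    """Encode stored data before placing it in HTML so it cannot run as script."""
    return f'<span class="name">{html.escape(name, quote=True)}</span>'
```

Note that the safe version does not "sanitise" the input at all; it simply never lets the input reach the SQL parser. The same principle applies to HTML output: encode at the point of use rather than trying to strip dangerous characters on the way in.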
7. Secure File Uploads
When you upload files through OneLead, we have strict controls in place:
• Authentication: Only authenticated users can upload files.
• File Type and Size Limits: We only allow specific image types (JPEG, PNG, WebP, GIF) and limit file sizes to a maximum of 10MB.
• Secure Storage: Uploaded files are stored in cloud storage behind access controls, and the storage pipeline is designed to scan uploads for malware automatically.
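How the type and size limits above are enforced robustly, as an added Python example that is not OneLead's code: the image type is decided from the file's leading bytes, not from the filename or the client-supplied Content-Type, both of which an attacker controls. The 10MB cap is read as 10 MiB, the `declared_type` mismatch rule and the return format are assumptions, and the magic-byte patterns are the published signatures for the four formats the page allows.

```python
"""Content-based image type check plus size cap for uploads. Added example;
not OneLead code. The type comes from magic bytes, never from the name or
the declared Content-Type."""
from typing import Optional, Tuple

MAX_UPLOAD_BYTES = 10 * 1024 * 1024   # page: 10MB cap (assumed to mean MiB)
ALLOWED = {"image/jpeg", "image/png", "image/webp", "image/gif"}   # page


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's leading bytes, or None."""
    if data[:3] == b"\xff\xd8\xff":                       # JPEG SOI marker
        return "image/jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":                  # PNG signature
        return "image/png"
    if data[:6] in (b"GIF87a", b"GIF89a"):                # GIF header
        return "image/gif"
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"                               # RIFF container
    return None


def validate_upload(data: bytes, declared_type: str) -> Tuple[bool, str]:
    """Return (accepted, reason-or-type). Size is checked before any parsing
    so an oversized body is rejected cheaply."""
    if len(data) == 0:
        return False, "empty"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "too large"
    actual = sniff_image_type(data)
    if actual is None or actual not in ALLOWED:
        return False, "unsupported type"
    if declared_type != actual:
        # The declared type is advisory; a mismatch is a signal worth logging
        # (assumed policy: reject rather than silently trust the sniffed type).
        return False, "declared type mismatch"
    return True, actual
```

Magic-byte sniffing is a first gate, not a guarantee that the file is a benign image: a file can carry a valid PNG header and still be a polyglot. Decoding the image with an image library (and re-encoding it) before storage, together with the malware scan the page describes, closes most of that gap.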
8. Compliance and Monitoring
8.1 Automated Security Monitoring
We continuously monitor our systems for unusual activity or potential threats.
• Regular Checks: We run automated checks to verify our security settings and rate limits.
• Event Logging: We log and monitor events such as failed login attempts, rate limit violations, and unusual access patterns.
8.2 Compliance and Standards
OneLead by Alexium is committed to adhering to relevant industry standards and privacy regulations:
• Store Compliance: We meet all the Google and Apple Store requirements for data encryption, secure key management, and avoiding plain text storage of sensitive data.
• Privacy Regulations: Our practices align with key privacy regulations, including the Australian Privacy Principles, GDPR, and CCPA principles, covering encrypting personal data, supporting user consent, and clear data retention policies.
• Industry Standards: We follow best practices from recognised security frameworks such as the OWASP Top 10 and the NIST Cybersecurity Framework.
8.3 Ongoing Security Testing
We regularly test our systems to find and fix any vulnerabilities:
• Automated Testing: We run automated security tests to check our headers, rate limiting, and API protections.
• Manual Testing: Our team performs manual security checks.
• Penetration Testing: We utilise penetration testing (simulated cyberattacks) to identify weaknesses and ensure our resilience.