Flowstate exists to make businesses AI-native. That means AI is not a bolt-on for us. It is how we think, how we operate, and how we deliver results for our clients.
Being AI-first comes with a responsibility. If we are going to champion AI as the way forward for business, we need to use it well. That means using it safely, ethically, and with full transparency about how it works inside our own business.
This document sets out our AI policy and internal guardrails. It covers how we use AI, what tools we rely on, how we keep your data safe, and the standards we hold ourselves to. It is written for our clients, our partners, and our team.
We are unashamedly AI-first. Not because it is a trend, but because we believe it is the best way to get great outcomes for our clients. The goal has always been to free people to do the work that matters.
AI makes that possible.
What it means to operate as an AI-native business, and why we do it
AI-native means AI is embedded into how we work, not layered on top. Our team uses AI tools daily to assist with research, analysis, content, client work, internal operations, and decision-making. We do not use AI to replace human judgement. We use it to sharpen it.
We believe wasted human potential is one of the most costly problems in business today. Great people spend too much time on work that AI can handle. Our own operations reflect the same principle we bring to our clients: your best people should spend their time on the work only they can do.
AI assists our team. It does not replace our accountability. Every piece of client-facing work, every recommendation, and every deliverable is reviewed, owned, and signed off by a human. AI accelerates the process. Humans own the outcome.
An overview of the AI platforms and tools that power our operations.
We use a range of AI tools across our business. These fall into three broad categories.
We use leading large language models including Claude (Anthropic), ChatGPT (OpenAI), and Grok (xAI) to support reasoning, analysis, drafting, research, and a wide range of client and internal work. Each of these platforms is developed by organisations at the frontier of AI research, with enterprise-grade security programmes and published compliance credentials. These platforms are operated by US-based organisations. Data processed through them may be subject to US law and jurisdiction. We configure these platforms to opt out of model training on our data and our clients' data wherever that option is available. Enterprise data processing agreements (DPAs) with these providers are being progressively put in place; current status is tracked in Outstanding Confirmations at the end of this document.
Viktor is Flowstate's internal AI agent, operating within our Slack workspace. Viktor supports CRM-style functions, client communications, workflow coordination, internal operations, and day-to-day business management, acting as our system of record for operational workflows. Like every tool in our stack, Viktor is subject to the same data handling, access control, and ethical use principles that apply across our entire operation. Confirmation of any formal third-party security certification held by Viktor, or by the infrastructure it runs on, is in progress.
Many of the software platforms we use day-to-day include AI assistants built directly into the product. We use these where they help our team work more effectively. Any AI capability we use, whether standalone or embedded in another product, is subject to the same data handling principles we apply across our entire operation.
We are selective. Every tool we add to our stack is evaluated against the following criteria before it is used in our business or recommended to a client.
If a tool cannot satisfy these criteria, we do not use it. This applies to tools we use internally and tools we recommend to clients. A current register of approved AI tools is maintained internally and is available to clients on request.
The certifications and standards that underpin how we handle data.
The platforms we use hold independent, third-party verified security certifications. These are not self-assessments. They are formal audits conducted by qualified external parties against internationally recognised standards.
- SOC 2 Type II: Continuous security controls, independently audited
- ISO 27001:2022: International information security management standard
- ISO/IEC 42001:2023: AI management system certification
SOC 2 Type II is worth explaining in plain terms. It is not a one-time tick. It requires an independent auditor to verify that security controls are not just in place, but operating effectively over an extended period of time, typically six to twelve months of continuous monitoring. The platforms we rely on hold this certification. That matters. The mapping of each specific certification to each named platform is tracked in Outstanding Confirmations and will be attributed individually once confirmed.
All data that passes through the tools we use is encrypted. In transit, that means TLS 1.2 or higher on every network request. At rest, that means AES-256 encryption. These are the industry benchmarks for secure data handling.
We configure the platforms we use to ensure our data, and our clients' data, is not used to train AI models. For enterprise and API-level configurations, this is the default position of the major platforms we work with. Where additional agreements are available to reinforce this, we put them in place.
Access to data within our platforms is limited to team members who need it to do their work. Staff at the platforms we use cannot access our conversations or data by default. Our own internal access is managed on the same basis: minimum necessary access, clearly defined.
Our team uses integrations that allow AI tools to connect with other business systems, such as project management, communication, and document platforms. When these integrations are active, data from connected systems is accessed only for the purpose of completing the task at hand. The same data minimisation principles apply.
Our team is trained to connect only what is necessary, and to understand what data is in scope when an integration is in use. Client-sensitive data is not passed through integrations unless the data agreement covering that platform has been confirmed.
Flowstate is an Australian business and our primary compliance obligations are under Australian law. Some of the AI platforms and tools we use are operated by organisations based in the United States or other jurisdictions. When data is processed by these platforms, it may be transferred internationally.
We manage this by ensuring all platforms we use have published privacy policies and data processing terms that meet or exceed Australian Privacy Principle (APP) 8 requirements for cross-border disclosures, and by not passing sensitive client data through platforms that cannot demonstrate adequate data protection.
For clients operating under the EU General Data Protection Regulation (GDPR), Flowstate applies additional protections in line with GDPR requirements. This includes:
DPAs with current GDPR-affected clients are being progressed on a rolling basis. Full confirmation of coverage, and legal verification that our cross-border transfer mechanisms are adequate for each relevant jurisdiction, is tracked in Outstanding Confirmations.
How we manage data across all tools, platforms, and engagements.
Not all data is equal. We apply a simple classification framework to guide how data is handled across our operations.
Flowstate operates in Australia and complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This governs how we collect, use, disclose, and store personal information.
In the normal course of business, we may collect contact information, business information shared during client engagements, and usage information from our website and digital tools. We do not sell personal information. We do not share it with third parties for marketing purposes.
You have the right to request access to the personal information we hold about you, to correct inaccurate information, and to ask us to delete it where there is no legal reason for us to retain it. Contact us at hello@flowstateai.com.au to make a request.
As a lifecycle and email marketing agency, Flowstate's work directly intersects with the Australian Spam Act 2003 (Cth). AI plays a role in how we draft, optimise, and in some cases automate email communications on behalf of clients.
Our commitments under the Spam Act are non-negotiable:
Alignment between these commitments and our day-to-day email production SOPs is checked as part of our quarterly spot-check (section 7.3).
Who owns AI-assisted work and how we handle it.
All work delivered to clients by Flowstate, including work produced with AI assistance, is delivered under the terms of the relevant client agreement. Unless otherwise specified in writing, intellectual property in deliverables passes to the client upon full payment.
AI tools used in the production of that work do not acquire rights in the output. The legal position on AI-generated content continues to evolve in Australia and internationally. Flowstate monitors this and will update its position as the law develops.
AI-assisted tools, systems, frameworks, and internal processes developed by Flowstate remain the intellectual property of Flowstate. This includes proprietary workflows, prompt libraries, automation configurations, and operational systems built for internal use or reused across client engagements.
At Flowstate, AI works alongside our team to extend our capacity, speed, and quality across the workflow. We build and use AI-assisted tools, systems, and frameworks to support the brands we work with, and we continually refine these against our own performance benchmarks.
AI is a collaborator in our process. It does not replace human ownership of the work, and final accountability for every deliverable sits with a named member of our team.
When AI plays a material role in the work we deliver, we are transparent about that with clients. We do not present AI-generated work as entirely human-authored where the distinction is relevant. ‘Material’ means AI contributed substantively to the strategy, structure, or content of a deliverable, not incidental use such as a single AI-assisted subject line variant within an otherwise human-led campaign. This threshold is applied consistently by the team and documented in the Staff AI SOP.
We believe AI should be used to create better outcomes for people, not to exploit, manipulate, or deceive. As a business that advocates for AI adoption, we hold ourselves to a higher standard than most. Our credibility depends on it.
AI models can reflect biases present in the data they were trained on. We take this seriously, particularly in the context of personalisation, audience segmentation, and content generation across diverse customer bases.
Our team is trained to review AI outputs with a critical eye for content that could be discriminatory, stereotypical, or unfair. Before AI-assisted segmentation, targeting, or personalisation logic is applied, a human team member reviews the underlying logic and output. This review is recorded and checked as part of our quarterly spot-check (section 7.3).
AI outputs are not infallible. Large language models can produce confident-sounding content that is factually incorrect, outdated, or unsuitable for a specific context. This is a known characteristic of current AI technology.
Flowstate's position is that AI output is always a draft, not a final product. Every AI-generated output is reviewed by a qualified team member before it reaches a client or goes live. We do not warrant that AI tools will produce error-free results, but we do warrant that our review processes are designed to catch and correct errors before they cause harm.
The AI landscape moves fast. Our internal standards evolve with it. We review our tool stack, our data practices, and this policy on a regular basis to ensure we remain aligned with current best practice, emerging regulation, and the expectations of the clients we serve.
How this policy is owned, maintained, and enforced.
This policy is owned and approved by Simon Chin, CEO. The policy owner is responsible for:
This policy applies to all Flowstate team members, including permanent employees and contractors. All personnel are required to:
Contractor agreement templates are being updated to explicitly reference this policy by name and bind contractors to its terms. This is being progressed with our legal adviser; current status is tracked in Outstanding Confirmations.
Flowstate maintains a structured, lightweight approach to monitoring how AI tools are used across the team. The process is as follows:
How we govern AI use inside our own team.
Every Flowstate team member and contractor is trained on responsible AI use before they use AI tools as part of their role. Training covers data hygiene, appropriate use cases, prompt discipline, and the limits of AI outputs. We treat AI literacy as a core professional standard, not an optional extra.
Completion of this training is logged through a written acknowledgement, signed by each team member and contractor when training is completed, and held on file by the policy owner.
AI-generated content and outputs are always reviewed by a human before they are delivered to a client or published publicly. AI is used to assist and accelerate. The person who sends the work owns it.
Our team is trained to treat prompts as inputs that reach external systems. We apply structured prompting practices and maintain shared guidance that helps our team get consistent, high-quality results while keeping data handling appropriate at every step.
When AI plays a material role in the work we deliver, this is disclosed to the client through a standing clause in the Statement of Work (SOW) at the start of the engagement, covering AI-assisted work for the duration of that engagement.
When Flowstate makes a material change to its AI tool stack, for example changing the primary LLM used in client work or replacing a core platform, affected clients will be notified in writing in advance of the change taking effect. The specific notice period is being finalised; see Outstanding Confirmations.
If a team member identifies a data handling issue, a security concern, or an ethical breach related to AI use, they are expected to raise it immediately with Simon Chin, CEO.
Flowstate will:
Alignment of these timelines with our professional indemnity and cyber insurance obligations is tracked in Outstanding Confirmations.
This policy is reviewed at minimum every six months, or sooner if there are material changes to our tools, operations, or the regulatory environment.
If you have questions about this policy, how we use AI, or how we handle your data, please contact us:
We are not AI-first because it is fashionable. We are AI-first because we have seen what it does when it is used well. It gives people their time back. It makes businesses more capable. It creates space for the work that actually matters. That is what we are here to do, and this policy reflects how seriously we take the responsibility that comes with it.