Data Processing Addendum
Last updated:
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Controller”) and VoltAI, L.L.C. (“Processor”, “we”) when we process personal data on your behalf in the course of providing the Service. For enterprise customers it is incorporated by reference; for all other customers, a signed, customer-specific copy is available on request to privacy@voltai.one.
1. Definitions
“GDPR” means Regulation (EU) 2016/679 and the UK GDPR. “Personal Data” has the meaning given in the GDPR. “Sub-processor” means any third party engaged by us to process Personal Data on the Controller's behalf. Other capitalized terms have the meanings given in the Terms.
2. Subject matter, nature, and duration
- Subject matter: proxying API requests to Upstream Providers and returning responses.
- Nature: transient storage, forwarding, metering, and short-term logging as described in the Privacy Policy.
- Categories of data subjects: the Controller's end users, employees, or other individuals whose data the Controller chooses to include in requests to the Service.
- Categories of Personal Data: whatever the Controller includes in request bodies. The Service has no knowledge of specific categories in advance.
- Duration: for the life of the Controller's account, plus the retention windows in the Privacy Policy.
3. Processor obligations
- Process Personal Data only on documented instructions from the Controller (the Terms, the Service configuration, and requests submitted by authenticated API keys constitute such instructions);
- Ensure staff authorized to process Personal Data are bound by written confidentiality obligations;
- Implement the technical and organizational measures in Annex II (see Section 7);
- Assist the Controller with data subject requests and regulatory inquiries, at cost;
- Notify the Controller of a Personal Data breach without undue delay and in any event within 48 hours of becoming aware;
- On termination, return or delete Personal Data in accordance with the Privacy Policy's retention table, unless retention is required by law.
4. Sub-processors
The Controller authorizes us to engage the sub-processors listed at /sub-processors. We will give the Controller at least 30 days' notice (by email and site update) of any intended change, and the Controller may object for legitimate reason; if we cannot reasonably accommodate the objection, either party may terminate the affected portion of the Service with a pro-rata refund.
5. International transfers
Where we transfer Personal Data outside the EEA/UK/Switzerland to a country without an adequacy decision, the transfer is governed by the EU Standard Contractual Clauses (Decision 2021/914/EU), with the relevant module selected based on the role of each party, and by the UK International Data Transfer Addendum where applicable. Those instruments are incorporated into this DPA by reference.
6. Audits
On reasonable written request, no more than once per year (unless required by a supervisory authority), we will make available the information necessary to demonstrate compliance with this DPA, including our most recent security-review summary. In-person audits are available to enterprise customers subject to a mutually agreed scope and NDA.
7. Annex II — Technical and organizational measures
- TLS 1.3 for all transport; HSTS on all public hostnames;
- Argon2id for password hashing; HMAC-SHA256 for API key storage; encrypted backups at rest;
- Principle of least privilege; mandatory 2FA for all staff;
- Separate production / staging networks; no shared secrets across environments;
- Quarterly security review, annual third-party penetration test (from 2026 Q4 onward);
- Incident response plan with a 48-hour breach notification commitment;
- Data minimization: we do not log request Authorization headers; we do not persist plaintext upstream keys.
8. Conflict and contact
In case of conflict between this DPA and the Terms, this DPA controls with respect to the processing of Personal Data. For DPA execution (enterprise) or questions: privacy@voltai.one.