This Data Processing Addendum ("DPA") forms part of the Voltr Terms of Service between Voltr, Inc. ("Voltr," "we," "us," or "our") and the customer that uses the Subscription Services ("Customer"). This DPA applies when Voltr processes personal data on behalf of Customer in connection with the Subscription Services. Capitalized terms not defined in this DPA have the meanings given in the Terms of Service.
For Customer Personal Data processed on Customer's behalf, Customer is the controller, business, or equivalent entity under applicable privacy law, and Voltr is the processor, service provider, contractor, or equivalent entity. Customer Personal Data may include Customer Content, Platform Data, creator data, Shopify or other e-commerce end-customer data, campaign data, outreach data, and other personal data processed at Customer's direction.
Voltr may process personal data as an independent controller/business for account administration, billing, security, fraud prevention, abuse prevention, legal compliance, website analytics, service improvement, business communications, and other business purposes described in the Privacy Policy.
The subject matter of processing is Voltr's provision, support, security, improvement, and operation of the Subscription Services. The duration of processing is the term of Customer's account and any post-termination retention period described in the Terms of Service, Privacy Policy, Data Deletion Instructions, or applicable law. Data subjects may include Customer personnel, Authorized Users, creators, affiliates, prospective creators, merchant end customers, support contacts, and other individuals whose personal data is processed through the Subscription Services.
Voltr will process Customer Personal Data only to provide, secure, maintain, troubleshoot, and support the Subscription Services; to comply with Customer's documented instructions; to comply with applicable law; and as otherwise permitted by the Terms of Service, this DPA, and applicable platform terms. The Terms of Service, Customer's use of the Subscription Services, Customer's configuration of integrations, and Customer's use of administrative controls are Customer's documented instructions to Voltr.
Customer is responsible for providing all notices, obtaining all consents, and having all rights and legal bases necessary for Voltr to process Customer Personal Data as instructed by Customer. Customer will not instruct Voltr to process Customer Personal Data in violation of applicable law, platform terms, or this DPA. If Voltr reasonably believes an instruction violates applicable law, Voltr may suspend the affected processing and notify Customer where legally permitted.
Voltr will not sell Customer Personal Data. Voltr will not retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer or for any purpose other than the purposes described in this DPA, the Terms of Service, the Privacy Policy, and Customer's documented instructions, except as permitted by applicable law.
Voltr will not combine Customer Personal Data with personal data received from another customer or collected from Voltr's own interaction with an individual except as permitted by applicable law, such as for security, fraud prevention, abuse prevention, debugging, analytics in aggregated or de-identified form, or providing the Subscription Services.
To the extent the GDPR, UK GDPR, Swiss data protection law, the California Consumer Privacy Act as amended by the California Privacy Rights Act, or similar laws apply, Voltr will process Customer Personal Data as a processor, service provider, contractor, or equivalent role and will provide the commitments required for that role under applicable law.
Voltr will ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations. Voltr will maintain administrative, technical, and organizational safeguards designed to protect Customer Personal Data against unauthorized access, destruction, loss, alteration, or disclosure.
These safeguards include encryption in transit, encryption at rest for primary database storage, access controls, least-privilege production access, credential and token protection, audit logging, rate limiting, vulnerability management, backup controls, incident response procedures, and vendor security review appropriate to the nature of the Customer Personal Data and the Subscription Services.
Customer is responsible for securely configuring its account, managing Authorized Users, protecting credentials, reviewing Customer Content and outreach instructions, and using the Subscription Services in accordance with Customer's own legal and security obligations.
Customer authorizes Voltr to use sub-processors to provide the Subscription Services. Voltr's current sub-processors include Supabase for database, authentication, and file storage; Vercel for application hosting and edge delivery; Resend for transactional and lifecycle email; Anthropic for AI-enabled features; OpenAI for audio transcription and related AI-enabled features; Sentry for error monitoring and diagnostics; and Stripe for payment processing.
Voltr will require sub-processors to protect Customer Personal Data under written obligations that are no less protective in substance than this DPA. Voltr remains responsible for its sub-processors' processing of Customer Personal Data to the extent required by applicable law.
Voltr may add or replace sub-processors from time to time. Voltr will provide notice of material sub-processor changes by updating the Privacy Policy, this DPA, a public sub-processor list, or by another reasonable method. Customer may object to a new sub-processor on reasonable data protection grounds within ten (10) days after notice. If the parties cannot resolve the objection, Customer may stop using the affected feature or terminate the affected Subscription Services as Customer's exclusive remedy.
Voltr will notify Customer without undue delay after becoming aware of a security incident involving unauthorized access to, acquisition of, disclosure of, or loss of Customer Personal Data. Voltr will provide information reasonably available to Voltr to help Customer meet its legal obligations, taking into account the nature of the incident and the information available to Voltr. Notification is not an admission of fault or liability.
Voltr will provide reasonable assistance to Customer in responding to requests from individuals to exercise privacy rights, taking into account the nature of the processing and the information available to Voltr. If Voltr receives a request directly from an individual relating to Customer Personal Data, Voltr may respond directly where legally required or permitted and may direct the requester to Customer where Customer is the appropriate responding party.
Voltr will record verified deletion, redaction, access, deauthorization, and platform privacy requests in an internal privacy request queue and will process Shopify privacy webhooks and other platform deletion or redaction requests as described in the Privacy Policy and Data Deletion Instructions. Some requests may require verification, retention review, or Customer assistance before destructive action is taken.
Upon termination of the Subscription Services or upon Customer's written request, Voltr will delete, de-identify, or return Customer Personal Data in accordance with the Terms of Service, Privacy Policy, and Data Deletion Instructions, unless retention is required or permitted by applicable law, platform policy, security, fraud prevention, accounting, tax, dispute resolution, or backup integrity needs.
Deleted Customer Personal Data may remain in encrypted backups until those backups are overwritten or expire in the ordinary course. Backup data is isolated from active systems and is not restored except for disaster recovery, security, legal, or compliance purposes.
If Customer Personal Data is transferred from the European Economic Area, United Kingdom, Switzerland, or another jurisdiction that requires a transfer mechanism, the parties will rely on the European Commission's Standard Contractual Clauses ("SCCs"), the UK International Data Transfer Addendum, the UK International Data Transfer Agreement, the Swiss addendum or adaptations, or another lawful transfer mechanism as applicable.
For transfers from the EEA where Customer is a controller and Voltr is a processor, the parties incorporate Module Two of the SCCs. For transfers where Customer is a processor and Voltr is a sub-processor, the parties incorporate Module Three of the SCCs. For Clause 17 and Clause 18 of the SCCs, the governing law and forum will be Ireland unless another jurisdiction is required by applicable law. Annex I is completed by the descriptions in Sections 1, 2, and 7 of this DPA. Annex II is completed by the security measures in Section 4. Annex III is completed by the sub-processor information in Section 5.
Upon reasonable written request, Voltr will make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and operational limits. Customer may not conduct testing that disrupts the Subscription Services or compromises Voltr's systems, other customers, or third-party platforms.
Any audit must be limited to information reasonably necessary to verify Voltr's compliance with this DPA, occur no more than once per calendar year unless required by law or following a confirmed Security Incident, and be conducted in a manner that protects Voltr's confidential information, security controls, and other customers' data.
If there is a conflict between this DPA and the Terms of Service with respect to the processing of Customer Personal Data, this DPA controls to the extent of the conflict. The Terms of Service otherwise remain in effect.
For DPA questions, privacy questions, or security issues, contact contact@getvoltr.com.