Voltra - Terms & Conditions

Voltra Data Processing Addendum

Last updated: January 10th, 2026

This Data Processing Addendum ("DPA") is incorporated into and made part of the Voltra Business Master Service Agreement, Cloud Services Master Service Agreement, or Platform Terms of Service (the "Agreement") between Customer and Voltra Energy Inc. or Voltra Energy U.S. Inc. (as applicable, "Voltra"). This DPA applies to the extent Customer is a business that provides Personal Data to Voltra through the Platform.

1. Definitions

"Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including:

In the United States: the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable state privacy laws
In Canada: the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation
In the European Economic Area: the General Data Protection Regulation (GDPR)
In the United Kingdom: the UK GDPR and Data Protection Act 2018

"Controller" means the entity that determines the purposes and means of Processing Personal Data.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"Personal Data" means any information relating to an identified or identifiable natural person that Customer provides to Voltra or that Voltra Processes on behalf of Customer in connection with the Services.

"Process" or "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

"Processor" means an entity that Processes Personal Data on behalf of a Controller.

"Security Incident" means any unauthorized access to, or acquisition, disclosure, or destruction of, Personal Data.

"Subprocessor" means a third party engaged by Voltra to Process Personal Data on behalf of Customer.

2. Roles and Responsibilities

2.1 Relationship of the Parties

The parties acknowledge that:

(a) Customer as Controller: With respect to End User Data and other Personal Data that Customer provides to Voltra or directs Voltra to Process, Customer is the Controller and Voltra is the Processor.

(b) Voltra as Controller: With respect to Personal Data that Voltra collects directly (such as Customer's account administrator information), Voltra is the Controller and will Process such data in accordance with the Voltra Privacy Policy.

(c) Independent Controllers: For certain Processing activities (such as aggregated analytics), the parties may act as independent Controllers, each responsible for their own compliance with Applicable Data Protection Law.

2.2 Customer Obligations

Customer shall:

(a) Ensure it has obtained all necessary consents, authorizations, and legal bases required under Applicable Data Protection Law to transfer Personal Data to Voltra and authorize the Processing described in this DPA.

(b) Ensure that its instructions to Voltra comply with Applicable Data Protection Law.

(d) Provide notice to Data Subjects regarding Voltra's Processing of their Personal Data as required by Applicable Data Protection Law.

2.3 Voltra Obligations

Voltra shall:

(a) Process Personal Data only on documented instructions from Customer, unless required by law.

(b) Ensure that persons authorized to Process Personal Data have committed to confidentiality.

(d) Assist Customer in responding to Data Subject requests, to the extent required by Applicable Data Protection Law.

(e) Delete or return Personal Data upon termination as specified in the Agreement.

3. Details of Processing

3.1 Subject Matter

Voltra will Process Personal Data as necessary to provide the Platform and Services under the Agreement.

3.2 Duration

Voltra will Process Personal Data for the duration of the Agreement, plus any retention period specified in the Agreement or required by law.

3.3 Nature and Purpose

Voltra Processes Personal Data to:

Provide the Platform and Services
Authenticate users and manage accounts
Process payments and transactions
Provide customer support
Generate aggregated and de-identified analytics
Comply with legal obligations

3.4 Types of Personal Data

Personal Data Processed may include:

Identifiers (name, email, phone number, user ID)
Account credentials (hashed passwords, authentication tokens)
Payment information (processed by third-party payment processors)
Usage data (session logs, device interactions)
Location data (with consent, where applicable)
Device identifiers and technical data

3.5 Categories of Data Subjects

Data Subjects may include:

Customer's employees and authorized users
End Users of Customer's services
Operators of Connected Equipment

4. Security

4.1 Security Measures

Voltra implements and maintains appropriate technical and organizational security measures, including:

(a) Encryption: Encryption of Personal Data in transit using TLS 1.2 or higher. Encryption of Personal Data at rest using industry-standard encryption.

(b) Access Controls: Role-based access controls limiting access to Personal Data to authorized personnel on a need-to-know basis.

(d) Monitoring: Logging and monitoring of access to systems containing Personal Data.

(e) Incident Response: Documented incident response procedures for Security Incidents.

(f) Business Continuity: Regular backups and disaster recovery procedures.

(g) Personnel Security: Background checks and confidentiality agreements for personnel with access to Personal Data.

4.2 Security Certifications

Upon request, and subject to Customer's service tier and execution of Voltra's standard confidentiality agreement, Voltra will make available its SOC 2 Type II report or equivalent third-party audit report. On-site audit rights are available only to Enterprise customers under separate agreement.

5. Subprocessors

5.1 Authorization

Customer authorizes Voltra to engage Subprocessors to Process Personal Data. A current list of Subprocessors is available at Voltra's Trust Center: https://trust.voltra.com.

5.2 Subprocessor Requirements

Voltra shall:

(a) Enter into written agreements with Subprocessors imposing data protection obligations substantially similar to those in this DPA.

(b) Remain liable for Subprocessors' compliance with this DPA.

6. Data Subject Rights

6.1 Assistance with Requests

Voltra will assist Customer in responding to Data Subject requests to exercise rights under Applicable Data Protection Law (access, deletion, correction, portability, etc.) by:

(a) Providing self-service tools where available to enable Customer to respond to requests directly.

(b) Promptly forwarding to Customer any requests received directly from Data Subjects.

6.2 Response Time

Voltra will respond to Customer's requests for assistance regarding data subject rights within ten (10) business days.

7. Security Incidents

7.1 Notification

Voltra will notify Customer of any Security Incident without undue delay and in any event within seventy-two (72) hours of becoming aware of the incident.

7.2 Content of Notice

The notification will include, to the extent known:

Description of the nature of the Security Incident
Categories and approximate number of Data Subjects affected
Categories and approximate number of Personal Data records affected
Contact point for further information
Likely consequences of the Security Incident
Measures taken or proposed to address the Security Incident

7.3 Cooperation

Voltra will cooperate with Customer in investigating the Security Incident and will provide reasonable assistance to Customer in meeting its own notification obligations under Applicable Data Protection Law.

7.4 Customer Responsibility

Customer is solely responsible for notifying Data Subjects and regulatory authorities of Security Incidents as required by Applicable Data Protection Law.

8. Data Transfers

8.1 Transfer Locations

Customer acknowledges that Personal Data may be transferred to and Processed in the United States and Canada.

8.2 Transfer Mechanisms

For transfers of Personal Data from jurisdictions requiring specific transfer mechanisms (such as the EEA or UK), Voltra relies on:

(a) Standard Contractual Clauses: The European Commission's Standard Contractual Clauses for Controller-to-Processor transfers (Module Two), which are incorporated by reference into this DPA.

(b) Supplementary Measures: Additional technical and organizational measures as necessary to ensure an adequate level of protection.

8.3 Customer Assistance

Customer will provide reasonable assistance to Voltra in complying with transfer requirements, including executing necessary documentation.

9. Audits

9.1 Audit Rights

Upon Customer's written request and subject to Customer's service tier and execution of Voltra's standard confidentiality agreement, and no more than once per year (unless required by regulatory investigation), Voltra will:

(a) Provide Customer with Voltra's then-current SOC 2 Type II report or equivalent third-party audit report.

(b) Respond to reasonable security questionnaires.

9.2 On-Site Audits

On-site audits may be conducted:

(a) Upon at least sixty (60) days advance written notice.

(b) During normal business hours.

(d) At Customer's expense, unless the audit reveals a material breach of this DPA.

10. Deletion and Return of Data

10.1 Upon Termination

Upon termination of the Agreement:

(a) Customer may export Personal Data for sixty (60) days using the Platform's export functionality.

(b) Voltra will delete Personal Data within ninety (90) days of termination, except as required by law or permitted under the Agreement for Aggregated Data.

10.2 Certification

Upon Customer's request, Voltra will provide written certification of deletion.

11. Liability

11. Indemnification

11.1 Liability Cap

Voltra's liability under this DPA is subject to the limitations set forth in the Agreement.

11.2 Exclusions

Each party's liability for data protection violations caused by the other party's failure to comply with its obligations under this DPA shall be excluded from the liability limitations to the extent required by Applicable Data Protection Law.

12. Governing Law