Client Data Processing Addendum (DPA)
Effective date: April 21, 2026
This Data Processing Addendum, together with its applicable appendices (“DPA” or “Addendum”), forms part of the agreement between Customer and VoltPay AI, Inc., a Delaware corporation with its principal offices at 390 NE 191st St STE 8061, Miami, FL 33179, United States (“VoltPay”), and any of its Affiliates (each a “VoltPay Group Member” and collectively, “VoltPay Group”), and the user of the VoltPay Group Services (“Customer”), unless Customer has entered into a superseding written subscription agreement, in which case it forms part of such agreement (in either case, the “Agreement”).
VoltPay Group and Customer shall be individually referred to as a “Party” and collectively as the “Parties.” Upon acceptance of this DPA on the VoltPay Platform or upon first using the VoltPay Group Services, the Customer agrees to be bound by its terms.
This Addendum applies to the Processing of Personal Data by Customer and VoltPay Group subject to the Data Protection Laws in order to provide the Services.
1. Definitions
“Affiliates” means any entity which is: (a) directly or indirectly controlled by or under common control with VoltPay AI, Inc., (b) operates with VoltPay Group under a separate written agreement, or (c) incorporated by the Customer on the VoltPay Platform as a Customer Affiliate, upon approval by VoltPay Group.
“VoltPay Services” (or “Services”) means any services provided by VoltPay Group under the Agreement.
“VoltPay Platform” means the software-as-a-service solution available on our website and through our applications, through which VoltPay Services are provided.
“VoltPay Group Privacy Policy” means the VoltPay Group statement that describes how Personal Data is processed in connection with the provision of services. Available at: Privacy Policy.
“Authorized Personnel” means personnel certified by VoltPay Group that are acting under the direct authority of VoltPay Group to perform the services pursuant to the Agreement.
“Data Protection Laws” means all data protection laws and regulations applicable to a party’s processing of Customer’s Personal Data under the Agreement, including, where applicable, EU/UK Data Protection Laws, Non-EU Data Protection Laws, and any other applicable data protection laws.
“EU/UK Data Protection Laws” means: (i) Regulation 2016/679 (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under or in conjunction with any of the foregoing; in each case as may be amended or superseded.
“Non-EU Data Protection Laws” means any other laws applicable to the processing of Customer’s Personal Data, including applicable data protection laws described in Appendix 5 (Jurisdiction-Specific Terms).
“Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the EEA or Switzerland to a country without an adequacy determination; (ii) where the UK GDPR applies, a transfer from the UK to a country without an adequacy decision; and (iii) where other applicable laws apply, a cross-border transfer where the receiving jurisdiction does not provide adequate data protection.
“Standard Contractual Clauses” means standard contractual clauses approved by competent authorities for the transfer of personal data, including the EU SCCs (Commission Implementing Decision 2021/914). Incorporated by reference into this DPA.
“UK Addendum” means the addendum to the Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022). Incorporated by reference into this DPA.
Capitalized terms not defined herein shall have the meanings given under the EU/UK GDPR unless a different meaning is given under applicable Data Protection Laws.
2. Duration and Termination
- The duration of this DPA is coextensive with the term of the Agreement.
- Notwithstanding termination, the Parties may continue to process Personal Data as long as necessary to comply with legal or regulatory obligations.
- Either Party may terminate this Addendum early by written notice if the other Party commits a serious breach of data protection obligations.
- Termination does not exempt either Party from its obligations under applicable Data Protection Laws.
3. Relationship of the Parties
3.1. VoltPay Group will process Personal Data as Controller to the extent relevant to: (a) managing the relationship with Customer; (b) carrying out core business operations; (c) detecting, preventing, or investigating security incidents, fraud, and misuse; (d) performing identity verification; (e) complying with legal or regulatory obligations; and (f) as otherwise permitted under Data Protection Laws and in accordance with the VoltPay Group Privacy Policy.
3.2. The roles of VoltPay Group with respect to each Service are defined in Appendix 1. Where VoltPay Group acts as a Controller, the Customer operates as a separate Controller, and the Parties are not Joint Controllers. Where VoltPay Group acts as a Processor, the Customer acts as Controller, determining purpose and means of processing.
3.3. Customer acknowledges that they are the data controller and are solely responsible for any processing of personal data carried out by the Contractor in the course of performing duties under the applicable Statement of Work.
3.4. For Integrations, VoltPay Group acts as a Processor and may, on Customer instructions, transfer Personal Data to third parties. Customer is responsible for entering into separate contractual arrangements with such third parties. Such third parties are not sub-processors of VoltPay Group.
4. Controller-to-Controller Clauses
The following provisions apply where both Parties are separate Controllers pursuant to Appendix 1.
Each Party will:
(a) Ensure Authorized Personnel are bound by appropriate confidentiality obligations;
(b) Comply promptly with lawful requests from the other Party for access to, copies of, or amendment, transfer, or deletion of Personal Data;
(c) Notify the other Party without undue delay of any complaint from data subjects, supervisory authorities, or others relating to Personal Data processing;
(d) Notify the other Party immediately of any breach of this clause;
(e) Provide reasonable assistance in fulfilling data protection obligations;
(f) Both parties may engage third parties in connection with the Services and agree to comply with applicable requirements under Data Protection Laws.
5. Controller-to-Processor Clauses
The following provisions apply where VoltPay Group is a Processor pursuant to Appendix 1.
VoltPay Group will:
(a) Process Personal Data only on Customer’s written instructions, unless required by law;
(b) Process Personal Data only to the extent necessary for the purposes of the Agreement, including processing anonymized and aggregated data for analytics and development;
(c) Ensure Authorized Personnel are bound by confidentiality obligations and have undergone privacy and security training;
(d) Keep accurate records of processing;
(e) Comply promptly with lawful requests for access, amendment, transfer, or deletion of Personal Data;
(f) Notify Customer promptly of any complaint, notice, or communication relating to data processing;
(g) Inform Customer without undue delay (within 48 hours) of any Personal Data Breach;
(h) Promptly provide Customer with full cooperation and information regarding any Personal Data Breach, including:
- Possible cause and consequences
- Categories and approximate number of data subjects involved
- Measures taken to mitigate damage
(i) Inform Customer promptly of data subject rights requests and provide reasonable cooperation;
(j) Not disclose Personal Data to any third party except at Customer’s request or as required by the Agreement;
(k) Provide reasonable assistance with security, breach notifications, data protection impact assessments, and consultations with authorities;
(l) Provide Customer with information necessary to monitor compliance. VoltPay Group may satisfy audit requirements by providing an independent audit report no older than 18 months. VoltPay Group may refuse audit requests from competitors;
(m) Delete or return Personal Data at the end of the processing duration. If return or destruction is impracticable, VoltPay Group shall block such data from further processing and continue to protect it;
(n) Customer authorizes VoltPay Group to engage Affiliates and Sub-Processors as necessary. Customer provides general written authorization to engage Sub-Processors;
(o) A list of current Sub-Processors is available on the VoltPay Platform. VoltPay Group will provide a notification mechanism for new Sub-Processors and will endeavor to give 30 days’ notice prior to changes. Customer may object within 15 days of notice, provided the objection is in writing and based on reasonable data protection grounds;
(p) If Customer reasonably objects and VoltPay Group cannot provide a commercially reasonable alternative, Customer may discontinue the affected Service;
(q) If Customer does not object within 15 days, the Sub-Processor is deemed approved;
(r) VoltPay Group will enter into written agreements with Sub-Processors imposing comparable data protection obligations. VoltPay Group remains liable for Sub-Processor performance.
6. Technical and Organizational Measures
VoltPay Group shall take suitable technical and organizational measures appropriate to the risk to ensure the security, confidentiality, and integrity of Personal Data. These measures are subject to the current state of technology. VoltPay Group may implement adequate alternative measures, provided they do not provide a lower level of security.
Measures include but are not limited to:
- Encryption of Personal Data in transit and at rest
- Access controls and authentication mechanisms
- Regular security assessments and penetration testing
- Incident response and breach notification procedures
- Employee training on data protection and security
- Physical security measures for data processing facilities
- Backup and disaster recovery procedures
7. Cross-Border Data Transfers
7.1. The Parties agree that Restricted Transfers shall be subject to the appropriate Standard Contractual Clauses or the UK Addendum.
(a) EU GDPR Transfers. For Personal Data protected by the EU GDPR:
- Module One (Controller to Controller) applies where both Parties are Controllers
- Module Two (Controller to Processor) applies where Customer is Controller and VoltPay Group is Processor
- Clause 7: optional docking clause applies
- Clause 9: Option 2 applies for sub-processors
- Clause 11: optional language does not apply
- Clause 13(a): Option 1 applies
- Clause 17: Option 1, governed by the law of the Republic of Ireland
- Clause 18(b): disputes resolved before the courts of the Republic of Ireland
(b) UK GDPR Transfers. For Personal Data protected by the UK GDPR, the UK Addendum applies with the same underlying SCCs.
(c) Swiss FADP Transfers. For Personal Data protected by the Swiss FADP, the EU SCCs apply with appropriate Swiss-specific modifications, including references to Swiss law and the Swiss Federal Data Protection and Information Commissioner.
7.2. If any provision of this Addendum contradicts the Standard Contractual Clauses or UK Addendum, the Standard Contractual Clauses and UK Addendum shall prevail.
7.3. If Standard Contractual Clauses are deemed invalid by a governmental entity, the Parties agree to work in good faith to find a compliant alternative.
8. Final Provisions
- If individual provisions become ineffective, the Parties shall replace them with legally valid provisions closest to the original purpose.
- In the event of contradictions between this Addendum and other agreements, this Addendum shall take precedence with respect to data protection matters.
Appendix 1: Description of Processing
A. List of Parties
Data Exporter (Customer/Controller):
- Name: As specified in the Agreement or Order Form
- Activities: Uses VoltPay Services to manage contractor relationships, payroll, and payouts
Data Importer (VoltPay Group):
- Name: VoltPay AI, Inc.
- Address: 390 NE 191st St STE 8061, Miami, FL 33179, United States
- Activities: Provides the VoltPay platform and related contractor payroll and payout services
B. Description of Processing
| Element | Details |
|---|---|
| Data Subjects | Client employees and administrators; Contractors; Client beneficial owners and representatives; End users of the VoltPay platform |
| Categories of Personal Data | Contact information (name, email, phone, address); Identification data (government ID, tax ID, passport, date of birth, selfie/biometric for KYC); Financial data (bank account details, payment method details, cryptocurrency wallet addresses); Transactional data (payment amounts, dates, currencies, payout methods); Contractual data (contract terms, statements of work, deliverables); Professional data (job title, qualifications, work history); Technical and usage data (IP address, browser data, platform activity logs); Communications data (support messages, in-platform communications) |
| Special Categories of Data | Biometric data for identity verification (facial recognition via Persona/Bridge.xyz); Race, ethnicity, or religion only where inadvertently present on government identification documents |
| Processing Operations | Account creation and management; Identity verification (KYC/KYB) via Persona through Bridge.xyz; Contractor onboarding and compliance checks; Contract generation and management; Payment processing and cross-border payouts; Invoice generation and tax form preparation; AI-powered conversational workflows and agent operations; Customer support and communications; Fraud detection and prevention; Analytics and platform improvement (anonymized/aggregated only) |
| Frequency of Processing | Continuous, for the duration of the Agreement |
| Retention Period | As described in the Privacy Policy; generally for the duration of the contractual relationship plus any period required by applicable law for tax, regulatory, or compliance purposes |
C. Controller/Processor Roles by Service
| VoltPay Service | VoltPay Role | Basis |
|---|---|---|
| Platform account management | Controller | Managing relationship with Customer, identity verification, fraud prevention, legal compliance |
| Contractor onboarding and KYC/KYB | Controller | Regulatory obligation for identity verification and anti-money laundering compliance |
| Contract and document management | Processor | Processing on Customer’s instructions to generate and manage contracts |
| Payment processing and payouts | Controller (payment operations) / Processor (payment instructions) | Controller for regulatory payment obligations; Processor for executing Customer’s payment instructions |
| Tax form generation (W-9, W-8BEN, etc.) | Processor | Processing on Customer’s instructions to generate tax documentation |
| AI Products and Services | Processor | Processing Customer inputs and generating outputs on Customer’s instructions |
| Analytics and reporting | Processor (Customer-specific reports) / Controller (aggregated/anonymized analytics) | Processor for Customer dashboards; Controller for platform-wide anonymized analytics |
| Customer support | Controller | Managing support relationship and service quality |
| Marketing and communications | Controller | Consent-based or legitimate interest marketing |
| Integrations with Third-Party Products | Processor | Transferring data to third parties on Customer’s instructions |
Appendix 2: Technical and Organizational Measures
VoltPay Group implements the following technical and organizational measures to protect Personal Data:
Access Control
- Role-based access control (RBAC) enforced across all platform systems
- Multi-factor authentication (MFA) required for all internal personnel accessing Personal Data
- Principle of least privilege applied to all system access
- Unique user credentials for all personnel; no shared accounts
- Access reviews conducted quarterly; access revoked promptly upon role change or termination
- Customer data logically segregated per account
Encryption
- All Personal Data encrypted in transit using TLS 1.2 or higher
- All Personal Data encrypted at rest using AES-256 or equivalent
- Encryption keys managed through dedicated key management services with regular rotation
- Database-level encryption for all production data stores
Network Security
- Network segmentation between production, staging, and development environments
- Web application firewall (WAF) protecting all public-facing endpoints
- Intrusion detection and prevention systems (IDS/IPS) monitoring network traffic
- DDoS protection on all public-facing infrastructure
- VPN or equivalent secure access required for internal administrative access
Application Security
- Secure software development lifecycle (SDLC) with security reviews at each stage
- Regular vulnerability scanning and penetration testing (at least annually by an independent third party)
- Dependency scanning for known vulnerabilities in third-party libraries
- Input validation and output encoding to prevent injection attacks
- Session management with secure token handling and automatic timeout
Data Integrity and Availability
- Automated daily backups with encryption; tested restoration procedures
- Redundant infrastructure across multiple availability zones
- Disaster recovery plan with defined recovery time objective (RTO) and recovery point objective (RPO)
- Monitoring and alerting for system health, performance, and security events
- Incident response plan with defined roles, escalation procedures, and communication protocols
Personnel Security
- Background checks for all personnel with access to Personal Data
- Mandatory data protection and security awareness training upon hire and annually thereafter
- Confidentiality agreements (NDA or equivalent) for all personnel and contractors
- Disciplinary procedures for data protection policy violations
Physical Security
- Production infrastructure hosted in SOC 2 Type II and/or ISO 27001 certified cloud data centers
- Physical access to data center facilities controlled by the cloud service provider with multi-layer physical security
Incident Response
- Documented incident response plan covering detection, containment, eradication, recovery, and post-incident review
- Personal Data Breach notification to Customer within 48 hours of becoming aware
- Post-incident root cause analysis and remediation tracking
Vendor Management
- Due diligence assessment of all sub-processors prior to engagement
- Data processing agreements with all sub-processors imposing equivalent protections
- Periodic review of sub-processor compliance
Appendix 3: Transfer Impact Assessment and Supervisory Authority
A. List of Parties
As set forth in Appendix 1, Section A.
B. Competent Supervisory Authority
| Scenario | Competent Supervisory Authority |
|---|---|
| Customer established in the EEA | The supervisory authority of the EEA Member State in which the Customer is established |
| Customer established in the UK | The UK Information Commissioner’s Office (ICO) |
| Customer not established in the EEA or UK but EU/UK GDPR applies | The Irish Data Protection Commission (DPC) |
C. Transfer Impact Assessment
VoltPay Group has assessed the legal framework of the countries to which Personal Data may be transferred and has determined that the following safeguards are in place:
- Standard Contractual Clauses (EU SCCs) and/or UK Addendum are executed for all Restricted Transfers
- Supplementary measures include encryption in transit and at rest, access controls, and pseudonymization where feasible
- VoltPay Group will promptly notify the Customer if it becomes aware of any government access request for Customer Personal Data, to the extent permitted by law
- VoltPay Group has not received any national security orders or government surveillance requests for Customer Personal Data as of the effective date of this DPA
Appendix 4: Sub-Processors
Current Sub-Processors
VoltPay Group uses the following sub-processors to provide the Services:
| Sub-Processor | Purpose | Location of Processing |
|---|---|---|
| Bridge.xyz | Cross-border payment processing, cryptocurrency offramp services, KYB/KYC identity verification (via Persona) | United States |
| Persona (via Bridge.xyz) | Identity verification (KYC/KYB), document verification, facial recognition | United States |
| Stripe, Inc. | Subscription billing, payment card processing | United States |
| Payoneer, Inc. | Contractor payout method | United States / Israel |
| PayPal Holdings, Inc. | Contractor payout method | United States |
| Microsoft Azure (Azure AI Foundry) | Cloud infrastructure, AI model inference, data storage | United States / EU (configurable) |
| Checkr, Inc. | Background checks and contractor verification | United States |
| Microsoft Azure | Platform hosting, data storage, compute infrastructure | United States / EU (configurable) |
| Cloudflare, Inc. | CDN, DNS, DDoS protection, email routing | United States |
| Resend, Inc. | Transactional email delivery | United States |
Subscribing to Sub-Processor Change Notifications
To receive notifications of changes to VoltPay’s sub-processor list:
- Log in to your VoltPay account
- Navigate to Settings > Privacy & Compliance > Sub-Processor Notifications
- Enable email notifications
Alternatively, send a request to dpo@voltpay.ai with the subject line “Sub-Processor Change Notifications” and we will add you to the notification list.
VoltPay will provide at least 30 days’ prior written notice before engaging a new sub-processor, in accordance with Section 5 of this DPA.
Appendix 5: Jurisdiction-Specific Terms
The following additional terms apply where the specified Data Protection Laws govern the processing of Personal Data under this DPA.
United States — California (CCPA/CPRA)
Where the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA”), applies:
- For purposes of the CCPA, VoltPay is a “Service Provider” when processing Personal Information on behalf of Customer as a Processor under this DPA.
- VoltPay shall not sell or share (as defined under the CCPA) any Personal Information received from Customer.
- VoltPay shall not retain, use, or disclose Personal Information for any purpose other than providing the Services, as permitted under the CCPA.
- VoltPay shall not combine Personal Information received from Customer with Personal Information received from other sources, except as permitted by the CCPA.
- VoltPay grants Customer the right to take reasonable and appropriate steps to help ensure VoltPay uses Personal Information in a manner consistent with Customer’s obligations under the CCPA.
- VoltPay shall notify Customer if it determines that it can no longer meet its obligations under the CCPA.
European Economic Area and Switzerland (EU GDPR)
Where the EU GDPR applies, the Standard Contractual Clauses as referenced in Section 7 of this DPA shall govern Restricted Transfers. The specific modules, clauses, and options selected are set forth in Section 7.1(a).
United Kingdom (UK GDPR)
Where the UK GDPR applies, the UK Addendum as referenced in Section 7.1(b) of this DPA shall govern Restricted Transfers from the United Kingdom.
Brazil (LGPD)
Where the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, “LGPD”) applies:
- VoltPay shall process Personal Data in accordance with the LGPD and the instructions of the Customer.
- VoltPay shall appoint a Data Protection Officer (Encarregado) and make their contact information available upon request.
- VoltPay shall assist Customer in responding to data subject rights requests under the LGPD, including rights of confirmation, access, correction, anonymization, portability, deletion, and information about sharing.
- VoltPay shall implement security measures in accordance with Article 46 of the LGPD.
Colombia (Law 1581 of 2012)
Where Colombian data protection law (Law 1581 of 2012 and Decree 1377 of 2013) applies:
- VoltPay shall process Personal Data in accordance with the purposes authorized by the data subject and the instructions of the Customer.
- VoltPay shall implement appropriate technical, human, and administrative measures to protect Personal Data against unauthorized access, loss, alteration, or destruction.
- VoltPay shall assist Customer in responding to data subject rights of access, correction, and deletion (habeas data).
- VoltPay shall maintain a record of processing activities in accordance with applicable requirements.
Other Jurisdictions
For Personal Data subject to data protection laws of other jurisdictions not specifically addressed above, VoltPay shall process such data in accordance with the general terms of this DPA and shall comply with any additional requirements of such laws to the extent applicable. Customer may contact dpo@voltpay.ai for jurisdiction-specific inquiries.
Contact
For questions regarding this Data Processing Addendum, contact: dpo@voltpay.ai