olano

Data processing addendum

Last updated June 1, 2026

This Data Processing Addendum (“DPA”) describes how Volano processes personal data on behalf of a customer organization (“Customer”) in connection with the Services. It supplements and is incorporated into the agreement between Customer and Volano governing the Services (the “Agreement”). Terms not defined here have the meaning given in the Agreement, our terms of use, and our privacy policy.

This is a stub. It outlines the structure of our DPA so you know what to expect. To execute a DPA for your organization, contact privacy@volano.app.

1. Roles of the parties

For personal data contained in Customer Content, Customer is the controller (or business) and Volano is the processor (or service provider), processing such data only on Customer’s documented instructions, including as set out in the Agreement and this DPA. For account, billing, and operational data, Volano acts as a controller as described in our privacy policy.

2. Scope and purpose of processing

  • Subject matter:Volano’s provision of the Services.
  • Duration: the term of the Agreement, plus any post-termination period needed to return or delete data.
  • Nature and purpose: hosting, storing, transmitting, and otherwise processing Customer Content to deliver and support the Services, including routing inputs to the AI models and tools Customer enables.
  • Types of data: the personal data Customer and its authorized users choose to submit, which Customer controls.
  • Categories of data subjects:Customer’s personnel and any individuals referenced in Customer Content.

3. Volano’s obligations

  • process personal data only on Customer’s documented instructions, and inform Customer if an instruction appears to violate applicable law;
  • ensure personnel authorized to process personal data are bound by confidentiality;
  • not sell or share personal data, and not retain, use, or disclose it for any purpose other than providing the Services or as permitted by applicable law;
  • implement and maintain the technical and organizational security measures described in Section 6; and
  • assist Customer, taking into account the nature of processing, with data-subject requests, security, breach notification, and impact assessments.

4. Subprocessors

Customer authorizes Volano to engage subprocessors to provide the Services, including infrastructure hosting, AI model access, payments, communications, analytics, and security. Volano will impose data protection obligations on each subprocessor no less protective than this DPA and remains responsible for their performance. Volano will maintain a current list of subprocessors and provide a mechanism to receive notice of changes, with a reasonable opportunity to object.

Subprocessor list

TODO(volano): publish and maintain the current subprocessor list (name, purpose, processing location) here or at a linked URL.

5. Data-subject requests and assistance

Volano will, to the extent legally permitted, promptly notify Customer if it receives a request from a data subject to exercise rights under applicable privacy law, and will not respond except on Customer’s instructions. Volano will provide reasonable assistance and the self-service tools needed for Customer to respond to such requests.

6. Security measures

Volano maintains administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit, encryption of stored credentials, access controls, logging, and tenant isolation between organizations. Volano regularly reviews and updates these measures and will not materially reduce their overall protection during the term.

7. Personal-data breach notification

Volano will notify Customer without undue delay after becoming aware of a personal-data breach affecting Customer Content, and will provide information reasonably available to help Customer meet its own notification obligations. Volano’s notification is not an acknowledgment of fault or liability.

8. International transfers

Volano is operated from the United States and may process personal data there and in other countries where its subprocessors operate. Where Customer’s use involves personal data subject to laws requiring a transfer mechanism (for example, EU/UK data), the parties will put in place an appropriate mechanism, such as the Standard Contractual Clauses, which would be incorporated by reference. TODO(volano): attach the SCCs / UK IDTA and a transfer-impact assessment if EU/UK personal data is in scope.

9. Audits

On reasonable request and no more than once per year (unless required by a supervisory authority or following a breach), Volano will make available information necessary to demonstrate compliance with this DPA, which may take the form of third-party audit reports or completed security questionnaires, subject to confidentiality.

10. Return and deletion of data

On termination or expiry of the Agreement, Volano will, at Customer’s choice, return or delete Customer Content, except where retention is required by law. Some residual copies may persist in backups for a limited period before being overwritten on the normal cycle.

11. Order of precedence and contact

In the event of a conflict between this DPA and the Agreement regarding the processing of personal data, this DPA controls. To request an executed copy, or with questions about this DPA, contact privacy@volano.app.