1. Purpose and Scope
This Data Protection Policy sets out the technical and organisational measures that VoltaServices Ltd ("the Company") implements to protect personal data processed through the VoltaAI platform. It applies to all personal data processed by the Company, whether in electronic or physical form, and covers all systems, processes, and personnel involved in data processing activities.
This policy is maintained in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003. It should be read alongside our Privacy Policy and GDPR Policy.
- Company: VoltaServices Ltd
- Company Number: 16178827 (England and Wales)
- ICO Registration: ZB874097
- Data Protection Officer: Mr Emre Dalar (emre.dalar@voltaservices.uk)
2. Data Protection Principles
In accordance with Article 5 of the UK GDPR, all processing of personal data by VoltaServices Ltd adheres to the following principles:
- Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and in a transparent manner. We provide clear information about how data is collected, used, and shared through our Privacy Policy and GDPR Policy.
- Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes.
- Data Minimisation: Personal data collected is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. We do not collect data that is not required for the operation of our services.
- Accuracy: Personal data is kept accurate and up to date. Users can update their account information directly through profile settings, and inaccurate data is rectified or erased without delay upon request.
- Storage Limitation: Personal data is retained only for as long as necessary for the purposes for which it was collected, or as required by law. Defined retention periods are enforced and documented in our GDPR Policy.
- Integrity and Confidentiality: Personal data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical and organisational measures.
- Accountability: VoltaServices Ltd is responsible for, and able to demonstrate compliance with, all of the above principles. We maintain records, conduct audits, and implement policies to evidence our compliance.
3. Roles and Responsibilities
The following roles carry specific data protection responsibilities within VoltaServices Ltd:
- Data Protection Officer (DPO): Mr Emre Dalar is responsible for overseeing the Company's data protection strategy and its implementation, monitoring compliance with the UK GDPR and the Data Protection Act 2018, advising on Data Protection Impact Assessments, acting as the point of contact for the ICO and data subjects, maintaining the Record of Processing Activities, and managing data breach response procedures.
- System Administrators: Responsible for implementing and maintaining technical security measures, managing access controls and user permissions, applying security patches and updates, monitoring system logs for security incidents, and managing encryption keys and certificates.
- All Personnel: All individuals with access to personal data are responsible for processing data only in accordance with this policy and applicable law, reporting any suspected data breaches to the DPO immediately, maintaining the confidentiality of authentication credentials and access keys, and completing any required data protection training.
4. Data Classification
VoltaServices Ltd classifies data into the following categories to determine the appropriate level of protection:
- Public Data: Information that is freely available and intended for public access. Examples include published pricing information, model availability, and service status. No special protection is required beyond integrity controls.
- Internal Data: Information used for internal operations that is not intended for public disclosure. Examples include anonymised usage analytics, aggregated statistics, and internal configuration settings. Protected by standard access controls.
- Confidential Data: Personal data and sensitive business information that requires strong protection. Examples include user account details (name, email), conversation content, API usage logs, support ticket content, and uploaded knowledge base documents. Protected by encryption, access controls, and audit logging.
- Restricted Data: Highly sensitive data requiring the strongest level of protection. Examples include password hashes, API key hashes, OAuth tokens, TOTP secrets, payment provider identifiers, and phone numbers. Protected by encryption at rest, strict access controls, and enhanced monitoring.
5. Technical Security Measures
The following technical measures are implemented to protect personal data in accordance with Article 32 of the UK GDPR:
- Encryption in Transit: All communications between clients and VoltaAI servers are encrypted using TLS 1.2 or higher. This applies to web interface access, API requests, webhook callbacks, and connections to third-party services. Unencrypted HTTP connections are redirected to HTTPS.
- Encryption at Rest: Sensitive data stored in the database is encrypted at rest. Passwords are hashed using PBKDF2-SHA256 with a unique salt per user, or bcrypt for migrated accounts. API keys are stored as irreversible cryptographic hashes; full keys are displayed only once at creation and are never stored or recoverable. Microsoft OAuth tokens and TOTP secrets are encrypted before storage.
- Database Security: The MySQL 8.0 database is configured with authentication requirements for all connections, encrypted connections between the application and database server, regular automated backups with encryption, and restricted network access limited to application servers only.
- Redis Security: The Redis 7 cache (used for rate limiting and vector search) is configured with authentication, bound to internal network interfaces, and does not persist sensitive personal data beyond its operational purpose.
- Network Security: Production servers are protected by firewalls restricting access to necessary ports only. SSH access requires key-based authentication. Administrative interfaces are not exposed to the public internet. Intrusion detection systems monitor for suspicious network activity.
- Application Security: The VoltaAI application implements input validation and sanitisation on all user inputs, parameterised database queries to prevent SQL injection, output encoding to prevent cross-site scripting (XSS), CSRF protection through session management, rate limiting to prevent brute-force attacks, and session-based authentication with secure cookie attributes.
- Dependency Management: Third-party dependencies are regularly reviewed and updated. Known vulnerabilities in dependencies are assessed and patched promptly.
6. Organisational Security Measures
The following organisational measures complement our technical controls:
- Access Control Policy: Access to personal data is granted on a need-to-know basis. Administrative access to production systems requires multi-factor authentication. All access to systems containing personal data is logged and auditable. Access permissions are reviewed periodically and revoked when no longer required.
- Change Management: Changes to production systems that affect personal data processing are reviewed before deployment. Database schema changes are managed through a controlled migration process. Configuration changes are version-controlled and auditable.
- Secure Development: The VoltaAI platform is developed following secure coding practices. Code changes are reviewed before deployment. Sensitive configuration (API keys, database credentials, encryption keys) is stored in environment variables, never in source code.
- Supplier Management: Third-party service providers that process personal data on our behalf are subject to due diligence assessment before engagement, data processing agreements in accordance with Article 28 of the UK GDPR, periodic review of their data protection practices, and contractual obligations regarding data security and breach notification.
7. Data Processing Agreements
In accordance with Article 28 of the UK GDPR, VoltaServices Ltd maintains Data Processing Agreements (DPAs) with all third-party processors that handle personal data on our behalf. These agreements specify:
- The subject matter, duration, nature, and purpose of the processing.
- The types of personal data processed and the categories of data subjects.
- The obligations and rights of the controller.
- Requirements for the processor to process data only on documented instructions from the controller.
- Confidentiality obligations on all personnel with access to the data.
- Requirements to implement appropriate technical and organisational security measures.
- Conditions for engaging sub-processors, including prior authorisation and equivalent contractual obligations.
- Obligations to assist the controller in responding to data subject requests.
- Requirements to delete or return all personal data upon termination of the agreement.
- Obligations to make available all information necessary to demonstrate compliance and to allow for audits.
Our current data processors and the personal data they process are documented in our GDPR Policy (Section 6).
8. Data Breach Response Procedure
VoltaServices Ltd maintains a structured procedure for responding to personal data breaches in accordance with Articles 33 and 34 of the UK GDPR:
- Detection and Reporting: All personnel are required to report any suspected or confirmed personal data breach to the Data Protection Officer immediately upon discovery. Reports should include the date and time of discovery, a description of the breach, the types of data and data subjects affected (if known), and the immediate actions taken to contain the breach.
- Assessment: Upon receiving a breach report, the DPO will assess the nature and scope of the breach, identify the categories and approximate number of data subjects affected, determine the categories and approximate volume of personal data records involved, evaluate the likely consequences for affected data subjects, and assess whether the breach is likely to result in a risk to individuals' rights and freedoms.
- Containment and Recovery: Immediate steps will be taken to contain the breach and minimise its impact. This may include isolating affected systems, revoking compromised credentials, patching exploited vulnerabilities, and restoring data from backups where necessary.
- ICO Notification: Where the breach is likely to result in a risk to individuals' rights and freedoms, the DPO will notify the ICO within 72 hours of becoming aware of the breach using the ICO's online breach reporting tool. Where notification cannot be made within 72 hours, reasons for the delay will be provided.
- Data Subject Notification: Where the breach is likely to result in a high risk to individuals' rights and freedoms, the DPO will communicate the breach to affected data subjects without undue delay. Notifications will describe the nature of the breach in clear and plain language, provide the name and contact details of the DPO, describe the likely consequences of the breach, and describe the measures taken or proposed to address the breach and mitigate its effects.
- Documentation: All breaches are recorded in the Company's breach register, including the facts of the breach, its effects, the remedial action taken, and the reasoning behind decisions regarding ICO and data subject notification.
- Post-Incident Review: Following each breach, a review is conducted to identify the root cause, evaluate the effectiveness of the response, and implement measures to prevent recurrence.
9. Data Protection Impact Assessments
In accordance with Article 35 of the UK GDPR, VoltaServices Ltd conducts Data Protection Impact Assessments (DPIAs) before implementing any new processing activity that is likely to result in a high risk to the rights and freedoms of individuals.
- When a DPIA is Required: A DPIA is mandatory before introducing systematic and extensive profiling or automated decision-making that produces significant effects, processing special category data or criminal offence data on a large scale, systematic monitoring of individuals on a large scale, processing that involves new technologies or novel application of existing technologies, and any processing that appears on the ICO's published list of processing operations requiring a DPIA.
- DPIA Process: Each DPIA includes a systematic description of the proposed processing operations and their purposes, an assessment of the necessity and proportionality of the processing, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address those risks and demonstrate compliance, and, where applicable, the views of data subjects or their representatives.
- DPIAs Conducted: VoltaServices Ltd has conducted DPIAs for the AI Email Management feature (automated classification of personal email data using AI models), the Semantic Search and RAG Memory feature (vector embeddings of conversation content for retrieval-augmented generation), and the Knowledge Base feature (processing and storing uploaded PDF content with vector embeddings).
- Prior Consultation: Where a DPIA indicates that the proposed processing would result in a high risk that cannot be mitigated, VoltaServices Ltd will consult the ICO prior to proceeding with the processing, in accordance with Article 36.
10. Data Retention and Disposal
VoltaServices Ltd operates a defined data retention schedule to ensure personal data is not held for longer than necessary:
- Retention Schedule: Specific retention periods for each category of personal data are documented in our GDPR Policy (Section 11). The DPO is responsible for ensuring adherence to the retention schedule.
- Secure Disposal: When personal data reaches the end of its retention period or is subject to an erasure request, it is securely disposed of. Electronic data is permanently deleted from all systems, including backups, within the timescales specified in the retention schedule. Database records are deleted using secure deletion methods. Cached data in Redis is purged. Vector embeddings and associated metadata are removed from vector stores.
- Account Deletion: When a user account is deleted, all associated personal data is removed within 30 days, including account details, conversations, messages, images, knowledge base documents, API keys, usage logs (subject to the 12-month retention period), and email classification data. Financial transaction records are retained for the statutory 6-year period as required by law, but are disassociated from identifying information where possible.
11. Privacy by Design and Default
In accordance with Article 25 of the UK GDPR, VoltaServices Ltd implements data protection by design and by default throughout the development and operation of the VoltaAI platform:
- Privacy by Design: Data protection considerations are integrated into the design of all new features and processing activities from the earliest stage. This includes minimising the collection of personal data, pseudonymising or anonymising data where possible, implementing security controls appropriate to the data being processed, and conducting DPIAs for high-risk processing.
- Privacy by Default: Default settings are configured to provide the highest level of privacy. No optional data collection occurs without explicit user action. The platform does not use tracking cookies, advertising pixels, or third-party analytics. Email account connection requires explicit OAuth authorisation. MFA is available but not forced; users choose their preferred security level.
12. Training and Awareness
VoltaServices Ltd ensures that all personnel with access to personal data are aware of their data protection responsibilities:
- All personnel receive data protection awareness briefings relevant to their role.
- Personnel with access to production systems or personal data receive additional training on secure data handling, breach identification and reporting, and access control procedures.
- Training is refreshed periodically and updated when significant changes are made to data protection legislation or Company processing activities.
- Awareness of this policy and related policies is maintained through internal communications.
13. Subject Access Requests
VoltaServices Ltd has established procedures for handling data subject access requests (SARs) and other rights requests efficiently and within statutory timescales:
- Receipt: Requests may be submitted by email to the DPO or to privacy@voltaservices.co.uk, or by post. Requests do not need to reference specific legislation or use specific terminology to be valid.
- Verification: Before processing a request, we verify the identity of the requester to prevent unauthorised disclosure of personal data. Verification is typically performed by confirming the email address associated with the account.
- Response: Valid requests are acknowledged within 5 working days and fulfilled within one calendar month. Where a request is complex or voluminous, the response period may be extended by up to two further months, with the requester informed of the extension and the reasons within the first month.
- Format: Data provided in response to access requests is supplied in a structured, commonly used, and machine-readable format (JSON) where applicable, or in a clear and intelligible written format.
- Exemptions: Certain exemptions under Schedule 2 of the Data Protection Act 2018 may apply, including exemptions for legal professional privilege, management forecasting, and negotiations. Where an exemption is applied, the requester is informed of the reasons.
- Fees: Subject access requests are fulfilled free of charge. A reasonable fee may be charged for manifestly unfounded or excessive requests, or for requests for further copies of the same information.
14. Record Keeping
In accordance with Article 30 of the UK GDPR, VoltaServices Ltd maintains the following records:
- Record of Processing Activities (ROPA): A comprehensive record of all processing activities carried out under the Company's responsibility, including the purposes of processing, categories of data subjects and personal data, categories of recipients, details of international transfers, retention periods, and a description of technical and organisational security measures.
- Breach Register: A record of all personal data breaches, whether or not they required notification to the ICO, including the facts, effects, and remedial actions for each breach.
- DPIA Register: Records of all Data Protection Impact Assessments conducted, including the outcomes, identified risks, and mitigating measures implemented.
- Data Processing Agreements: Copies of all data processing agreements with third-party processors.
- Subject Access Request Log: A record of all data subject requests received, the actions taken, and the timescales for response.
- Consent Records: Records demonstrating that valid consent was obtained where consent is relied upon as the lawful basis for processing, including what the individual consented to, when and how consent was given, and any withdrawal of consent.
15. Review and Audit
This Data Protection Policy is subject to regular review and audit to ensure its continued effectiveness and compliance with applicable legislation:
- Annual Review: This policy is reviewed at least annually by the Data Protection Officer, or more frequently where significant changes to processing activities, legislation, or regulatory guidance occur.
- Compliance Audits: The DPO conducts periodic audits of data processing activities to verify compliance with this policy, the UK GDPR, and the Data Protection Act 2018.
- Incident-Driven Review: This policy is reviewed following any personal data breach or near-miss to incorporate lessons learned and improve controls.
- Version Control: All revisions to this policy are version-controlled, with the date of the most recent revision displayed at the top of this page.
16. Related Policies
This Data Protection Policy should be read in conjunction with the following:
- Privacy Policy — How we collect, use, and protect your personal information.
- GDPR Policy — Our compliance with the UK GDPR, including lawful bases, data subject rights, and international transfers.
- Terms of Service — The terms governing your use of the VoltaAI platform.
- Refund Policy — Our refund and cancellation terms.
17. Contact
For any questions about this Data Protection Policy or how we protect your personal data, please contact: