Legal
Data Processing Agreement
Volta Connect Studio
Last updated: 9 March 2026 — Standard form
When does this apply? This Data Processing Agreement ("DPA") applies where
you use Volta Connect Studio to collect or process personal data from third parties (such as
your audience members). In that context, you are a data controller and Volta XR Ltd
is a data processor acting on your behalf. UK GDPR Article 28 requires a written
agreement governing such processing.
If you are using the Platform solely to manage your own account and experiences, and no audience member personal data is processed, this DPA may not apply to you. If you are unsure, contact privacy@volta-xr.com.
If you are using the Platform solely to manage your own account and experiences, and no audience member personal data is processed, this DPA may not apply to you. If you are unsure, contact privacy@volta-xr.com.
1. Parties
This DPA is between:
- Controller: you, the registered user of Volta Connect Studio ("Controller"), and
- Processor: Volta XR Ltd, a company registered in England and Wales ("Volta", "Processor").
This DPA forms part of and is subject to the End User Licence Agreement between you and Volta.
2. Details of Processing
| Subject matter | Processing of personal data submitted by audience members participating in interactive live experiences created by the Controller using the Volta Connect Studio Platform. |
| Duration | For the duration of the Controller's use of the Platform and for the retention periods set out in the Privacy Policy. |
| Nature of processing | Collection, storage, transmission, automated moderation screening, and deletion of audience-submitted content and associated session metadata. |
| Purpose | Enabling the Controller to run interactive real-time audience experiences at live events, as directed by the Controller through the Platform. |
| Categories of data subjects | Audience members who voluntarily interact with experiences created by the Controller. |
| Types of personal data | Text submissions; images uploaded by audience members; device sensor data (e.g. accelerometer readings) where used; session identifiers; IP addresses (retained transiently in server logs). |
3. Processor Obligations
Volta agrees to:
- Process personal data only on the documented instructions of the Controller, which for the purposes of this DPA are the Controller's use of the Platform features as described in the EULA. Volta will inform the Controller if it believes any instruction infringes applicable data protection law;
- Ensure that all persons authorised to process the personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement the technical and organisational security measures described in Annex A;
- Not engage any sub-processor without prior written authorisation from the Controller (general authorisation is granted by the Controller's acceptance of this DPA for the sub-processors listed in Annex B). Volta will notify the Controller of any intended changes to sub-processors and give the Controller an opportunity to object;
- Ensure that where sub-processors are engaged, they are bound by data protection obligations equivalent to those in this DPA;
- Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures (insofar as possible) to fulfil the Controller's obligation to respond to data subject rights requests;
- Assist the Controller in ensuring compliance with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of the processing and the information available to Volta;
- At the choice of the Controller, delete or return all personal data after the end of the provision of the services, and delete existing copies unless applicable law requires retention. Account deletion requests can be sent to privacy@volta-xr.com;
- Make available all information necessary to demonstrate compliance with this DPA and contribute to audits conducted by the Controller or a third-party auditor on reasonable prior written notice (no less than 30 days) and at the Controller's cost, no more than once per year unless required by a supervisory authority;
- Notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach affecting personal data processed under this DPA.
4. Controller Obligations
The Controller agrees to:
- ensure it has a lawful basis under UK GDPR for all personal data processed under this DPA, including obtaining any necessary consents from audience members;
- provide audience members with a privacy notice explaining how their data is processed, including disclosure that a third-party platform (Volta) processes it on the Controller's behalf;
- ensure that any instructions given to Volta comply with applicable data protection law;
- not instruct Volta to process personal data in a way that would breach applicable law.
5. International Transfers
Some sub-processors listed in Annex B are located outside the UK. Transfers to those sub-processors are made under appropriate transfer mechanisms (IDTA or Standard Contractual Clauses). Details are set out in Annex B. Volta will not transfer personal data to any country or recipient not covered by an adequate safeguard without the Controller's prior written consent.
6. Governing Law
This DPA is governed by the law of England and Wales and subject to the jurisdiction of the courts of England and Wales.
Annex A — Technical and Organisational Measures
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ enforced on all API and WebSocket connections |
| Encryption at rest | DynamoDB and S3 encrypted at rest using AWS-managed keys (SSE) |
| Access control | JWT-based authentication; IAM role-based access within AWS; least-privilege principle applied to Lambda execution roles |
| Infrastructure security | Serverless architecture on AWS (eu-west-2); no persistent servers; auto-scaling reduces attack surface |
| Pseudonymisation | Audience submissions are associated with session tokens, not named user accounts |
| Data minimisation | Only data required to operate the Platform is collected; IP addresses retained in logs for 90 days only |
| Breach detection and response | AWS CloudWatch monitoring; incident response process in place; Controller notified within 72 hours of becoming aware of a breach |
| Availability and resilience | Serverless architecture on AWS provides automatic failover; DynamoDB is multi-AZ by default |
Annex B — Approved Sub-processors
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | Infrastructure (compute, database, storage) | UK (eu-west-2) | UK data; AWS DPA |
| Resend | Transactional email | US | IDTA / SCCs |
| Stream (GetStream.io) | Automated content moderation (text and image) | US | IDTA / SCCs |
| Cloudinary | Image upload, processing, storage and delivery | US | IDTA / SCCs |
Volta will notify Controllers of any intended changes to this list (additions or replacements) giving at least 14 days' notice. Controllers may object to changes by contacting privacy@volta-xr.com.