Security
Security is foundational to Volari, not an afterthought. Your calendar, goals, and execution data are protected with the same standards trusted by Fortune 500 companies.
AES-256 encryption at rest. TLS 1.2+ for all data in transit. Sensitive credentials encrypted with unique IVs and GCM authentication tags.
You choose which calendars, integrations, and data sources Volari can access. Revoke any connection at any time from Settings.
Request full account deletion at any time. Data purged within 30 days. Inactive accounts anonymized after 90 days. Payment records retained 7 years per tax law.
Your calendar events, goals, and conversations are never used to train AI models. We use Anthropic Claude with zero-retention data processing agreements.
Our AI providers (Anthropic, OpenAI Whisper) do not store your data after processing. Prompts and responses are ephemeral.
All user inputs are sanitized before reaching AI models. Structured tool execution prevents unauthorized actions. Calendar writes are rate-limited and audited.
Five-tier RBAC (Owner, Admin, Manager, Member, Viewer) with row-level security. Team members only see what they need to see.
Sign in with Google or Microsoft. JWT-validated sessions with automatic token refresh. No passwords stored by Volari.
Sensitive operations (account changes, OAuth revocations, subscription modifications) are logged with IP address, timestamp, and context.
Hosted on Vercel (AWS-backed) with automatic failover, edge caching, and DDoS protection. Database on Supabase (AWS) with point-in-time recovery.
Tiered rate limiting across all endpoints. Calendar write operations capped at 20/hour per user. Webhook signatures verified with HMAC-SHA256.
All payment processing handled by Stripe (PCI DSS Level 1). Volari never sees or stores card numbers. Webhook payloads cryptographically verified.
Full compliance with EU General Data Protection Regulation. Data processing agreements available.
California Consumer Privacy Act compliance. Opt-out and deletion rights fully supported.
Audit underway. Automated evidence collection via compliance platform. Target completion Q3 2026.
Business Associate Agreements available for healthcare organizations upon request.
We maintain a transparent list of all third-party services that process your data. We provide 30 days' advance notice before adding new subprocessors.
We're happy to walk through our security posture, complete vendor questionnaires, or set up a call with our team.