Security
Security is foundational to Volari, not an afterthought. Your calendar, goals, and execution data are protected with the same standards trusted by Fortune 500 companies.
AES-256 encryption at rest. TLS 1.2+ for all data in transit. Sensitive credentials encrypted with unique IVs and GCM authentication tags.
You choose which calendars, integrations, and data sources Volari can access. Revoke any connection at any time from Settings.
Request full account deletion at any time. Data purged within 30 days. Inactive accounts anonymized after 90 days. Payment records retained 7 years per tax law.
Your calendar events, goals, and conversations are never used to train AI models. We use Anthropic Claude with zero-retention data processing agreements.
Our AI providers (Anthropic, OpenAI Whisper) do not store your data after processing. Prompts and responses are ephemeral.
All user inputs are sanitized before reaching AI models. Structured tool execution prevents unauthorized actions. Calendar writes are rate-limited and audited.
Five-tier RBAC (Owner, Admin, Manager, Member, Viewer) with row-level security. Team members only see what they need to see.
Sign in with Google or Microsoft. JWT-validated sessions with automatic token refresh. No passwords stored by Volari.
Sensitive operations (account changes, OAuth revocations, subscription modifications) are logged with IP address, timestamp, and context.
Hosted on Vercel (AWS-backed) with automatic failover, edge caching, and DDoS protection. Database on Supabase (AWS) with point-in-time recovery.
Tiered rate limiting across all endpoints. Calendar write operations capped at 20/hour per user. Webhook signatures verified with HMAC-SHA256.
All payment processing handled by Stripe (PCI DSS Level 1). Volari never sees or stores card numbers. Webhook payloads cryptographically verified.
Full compliance with the EU General Data Protection Regulation (GDPR). Data processing agreements available.
California Consumer Privacy Act compliance. Opt-out and deletion rights fully supported.
Audit underway. Automated evidence collection via compliance platform. Target completion Q3 2026.
HIPAA-ready with signed BAAs for all healthcare customers. Documented breach response plan, data retention policy, and technical safeguards.
Volari is built to serve healthcare practices. We sign Business Associate Agreements with every healthcare customer and maintain the technical, administrative, and physical safeguards required by HIPAA.
BAA included with every healthcare contract. Covers permitted uses, prohibited disclosures, breach notification commitments, and data return obligations.
AES-256 encryption at rest. TLS 1.2+ in transit. Role-based access control with 124+ row-level security policies. MFA available. Automatic session termination.
Documented incident response plan with 30-day notification commitment. Detection, containment, notification, and remediation procedures defined and tested.
All data access logged with agent, action, target, and timestamp. Audit logs retained for 6 years per HIPAA requirement (45 CFR § 164.530(j)).
Documented retention schedule for all data types. PHI returned or destroyed within 30 days of service termination, with written certification.
Supabase (SOC 2 Type II) and Vercel (SOC 2 Type II) infrastructure. US-based data residency (AWS us-east-1). Daily automated backups with point-in-time recovery.
Request a BAA: Contact us at security@volari.ai to request a Business Associate Agreement for your practice. BAAs are included at no additional cost.
We maintain a transparent list of all third-party services that process your data. We provide 30 days advance notice before adding new subprocessors.
View full subprocessor list →
We're happy to walk through our security posture, complete vendor questionnaires, or set up a call with our team.