Data Processing Agreement

Important: This document is a starting template, not legal advice. Have qualified counsel review and adapt it for your legal entity, role as controller or processor, jurisdictions, subprocessors, hosting locations, and contract stack (including Standard Contractual Clauses) before signing or relying on it with customers or regulators.

Effective date: The date this Data Processing Agreement is published at this URL (the “Effective Date”).

This Data Processing Agreement (“DPA”) forms part of the agreement between you (the Customer) and the operator of Latern (the Processor, “we,” “us”) governing Processor’s processing of Personal Data on behalf of Customer when Customer uses Latern websites, dashboards, APIs, and related services (collectively, the “Service”). It supplements the Latern Terms of Service and Privacy Policy (together, the “Agreement”). If you use the Service only as an individual and not on behalf of a business, this DPA may not apply; where Customer is a legal entity, an authorized representative accepts this DPA by using the Service on Customer’s behalf or as otherwise agreed in writing.

Capitalized terms used but not defined here have the meanings in the Agreement or applicable data protection law.

1. Roles and scope

1.1 Roles. Customer is a controller (or, where Customer processes Personal Data only as a processor for its own customers, a processor acting on documented instructions from its controller) with respect to Personal Data described in Section 3. Processor is a processor (or sub-processor, if Customer is itself a processor) and will process such Personal Data only on Customer’s documented instructions as described in this DPA and the Agreement, unless applicable law requires otherwise (in which case Processor shall inform Customer of that legal requirement before processing, unless the law prohibits such notice on important grounds of public interest).

1.2 Details of processing. The subject matter, nature, purpose, duration, types of Personal Data, and categories of data subjects are described in Section 3 and Annex A (Processing details).

1.3 No sale. Processor does not sell Personal Data and does not use Personal Data for cross-context behavioral advertising as those terms are commonly understood in U.S. state privacy laws, except as permitted or required by law.

2. Definitions

• “Applicable Privacy Laws” means, to the extent they apply to the processing described in this DPA, the EU General Data Protection Regulation (“GDPR”) and its implementing laws; the UK GDPR and Data Protection Act 2018; the Swiss Federal Act on Data Protection; and U.S. state comprehensive privacy laws (including the California Consumer Privacy Act as amended by the CPRA), in each case as updated or replaced.
• “Personal Data” means any information relating to an identified or identifiable natural person that Processor processes on behalf of Customer through the Service, excluding information that is aggregated, de-identified, or otherwise outside the scope of Applicable Privacy Laws in a given context.
• “Processing,” “processor,” “controller,” and “data subject” have the meanings given in Applicable Privacy Laws.
• “Security Incident” means accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Processor attributable to a breach of Processor’s security obligations under Section 7.
• “Subprocessor” means a third party engaged by Processor to process Personal Data on Customer’s behalf.

3. Categories of Personal Data and data subjects

Customer determines the content of notification payloads, subscriber registrations, and workspace configuration. Depending on how Customer configures and uses the Service, processing may include:

3.1 Data subjects: Customer’s employees, contractors, and other authorized users of the Service; recipients of notifications or visitors to Customer-controlled surfaces that integrate with the Service; and other individuals about whom Customer submits Personal Data through the Service.

3.2 Categories of Personal Data (illustrative):

• Account and access: name, email address, authentication identifiers, roles, organization membership, and similar account data.
• Workspace metadata: organization, project, and topic names and identifiers; configuration and security settings (including hashed or secret forms of keys or tokens where the product is designed to store them).
• Customer content: titles, bodies, custom fields, and technical subscriber data (such as web push subscription endpoints and related parameters) that may identify a browser, device, or individual when combined with other data Customer holds.

Customer is responsible for the accuracy, minimization, and lawfulness of the Personal Data it instructs Processor to process.

4. Customer instructions

4.1 Instructions. Customer instructs Processor to process Personal Data to provide, maintain, secure, and improve the Service; carry out Customer’s configuration and API calls; provide support when requested; comply with law; and as otherwise described in the Agreement and this DPA. Additional instructions outside this scope require Processor’s prior written agreement (email from an authorized Customer contact sufficing unless a separate enterprise agreement specifies otherwise).

4.2 Lawful use. Customer will (a) have and maintain a lawful basis (or documented instructions from its controller) for processing; (b) honor data subject rights and notices applicable to Customer’s relationship with data subjects; and (c) not instruct Processor to process Personal Data in violation of law.

5. Processor obligations

Processor will:

• Process Personal Data only on documented instructions under Section 4, unless required by law as described in Section 1.1.
• Ensure that persons authorized to process Personal Data are bound by confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organizational measures as described in Section 7, taking into account the state of the art, cost of implementation, and risks to data subjects.
• Respect the restrictions in Applicable Privacy Laws on engaging Subprocessors as described in Section 8.
• Assist Customer, taking into account the nature of processing, with appropriate technical and organizational measures for fulfillment of Customer’s obligation to respond to requests to exercise data subject rights under Applicable Privacy Laws, where such rights apply and to the extent Processor is able to assist.
• Assist Customer with Customer’s obligations under Articles 32–36 GDPR (or equivalent provisions) regarding security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and information available to Processor.
• At Customer’s choice, delete or return Personal Data after the end of provision of the services relating to processing, except where Processor is required by law to retain copies, and delete existing copies unless storage is required by law.
• Make available to Customer information reasonably necessary to demonstrate compliance with Article 28 GDPR (or equivalent) and allow for and contribute to audits as described in Section 10.

6. Records

Processor will maintain records of processing activities as required by Applicable Privacy Laws.

7. Security measures

Processor implements a written information security program appropriate to the Service, which may include, depending on deployment and configuration:

• Encryption of Personal Data in transit using industry-standard protocols (such as TLS) where supported by the Service.
• Logical access controls, authentication, and authorization for production systems and administrative access.
• Logging, monitoring, and vulnerability management practices designed to detect and respond to threats.
• Processes for personnel with access to Personal Data, including confidentiality expectations and access on a need-to-know basis where practicable.
• Business continuity and backup practices consistent with the Service’s architecture.

Customer is responsible for configuring the Service securely (including credentials, organization keys, and integration choices) and for the security of its own systems and networks.

8. Subprocessors

8.1 Authorized Subprocessors. Customer generally authorizes Processor to engage Subprocessors to perform services such as:

• Infrastructure and hosting (for example, cloud servers, databases, object storage, and content delivery) in regions Processor or its vendors operate.
• Payment processing (for example, Stripe) for subscriptions and billing.
• Email and transactional messaging via Customer’s or Processor’s configured mail providers.
• Error, performance, or security monitoring (for example, Sentry or similar when enabled in deployment).
• Push and notification delivery infrastructure (for example, browser vendors’ web push services, Apple push services, Google Firebase or similar) as required to deliver notifications Customer sends.

Processor will impose data protection terms on Subprocessors that require them to protect Personal Data in a manner substantially similar to this DPA, to the extent applicable to the services they provide.

8.2 Changes. Processor may replace or appoint additional Subprocessors. Processor will give Customer reasonable prior notice of material changes (for example, by updating a subprocessors page, email to organization administrators, or in-product notice), and Customer may object on reasonable data-protection grounds. If the parties cannot resolve an objection within a reasonable time, either party may terminate the affected portion of the Service or the Agreement as its sole remedy (without prejudice to fees owed for services already rendered).

9. International transfers

Where Personal Data originating in the EEA, UK, or Switzerland is transferred to a country not recognized as providing an adequate level of protection, Processor will implement appropriate safeguards required by Applicable Privacy Laws (for example, the EU Commission Standard Contractual Clauses, the UK International Data Transfer Addendum, or Swiss revisions as applicable), unless another lawful transfer mechanism applies. Processor may make available further detail about transfer mechanisms on request for enterprise customers.

10. Audit and demonstration of compliance

10.1 Information. Upon Customer’s written request and subject to confidentiality, Processor will provide information reasonably necessary to demonstrate compliance with this DPA (for example, summaries of security practices or certifications where available).

10.2 Audits. Where Article 28(3)(h) GDPR (or equivalent) requires an audit right, Customer may mandate an independent auditor subject to reasonable confidentiality and security requirements, once per twelve (12) months (or more frequently if required by a competent supervisory authority or following a Security Incident), during business hours and on thirty (30) days’ prior written notice. Audits must not unreasonably disrupt Processor’s operations. If Customer uses a third-party auditor, Processor may require the auditor to execute a reasonable non-disclosure agreement. As an alternative, Processor may satisfy the audit requirement by providing a current third-party report (such as SOC 2) where available, in lieu of an on-site audit.

11. Security incidents

Processor will notify Customer without undue delay after becoming aware of a Security Incident affecting Personal Data processed on Customer’s behalf, and will provide information reasonably necessary for Customer to meet any obligations to report or inform data subjects, consistent with Applicable Privacy Laws and Processor’s investigation. Notifications are not an acknowledgment of fault. Customer is solely responsible for its regulatory filings and communications to data subjects.

12. Return and deletion

Upon termination or expiry of the Agreement (or earlier upon Customer’s written request where the product supports deletion), Processor will delete or return Personal Data in accordance with the Service’s documented functionality and retention practices, except where Processor must retain data to comply with law. Backups may persist for a reasonable period in accordance with Processor’s backup rotation before automatic overwrite.

13. Conflict and order of precedence

If there is a conflict between this DPA and the Agreement regarding protection of Personal Data, this DPA prevails to the extent of the conflict. If Customer and Processor execute a separate written data processing agreement or order form that expressly amends or replaces this DPA, the signed document controls over this online DPA to the extent stated there.

14. Changes to this DPA

Processor may update this DPA to reflect changes in law, the Service, or subprocessors. Processor will post the updated DPA at this URL and, where changes are material, provide reasonable notice (for example, by email or in-product notice). Continued use of the Service after the effective date of an update constitutes acceptance of the revised DPA where permitted by law; where required, Processor will seek separate acceptance.

15. Limitation of liability

The limitation of liability and related terms in the Agreement apply to this DPA. Nothing in this DPA is intended to limit any data subject’s rights under Applicable Privacy Laws.

16. Annex A — Processing details (summary)

Enterprise counterpart. Enterprise customers may request a signed PDF or order-form version of this DPA. Until executed, this online DPA applies together with the Agreement.