Data Processing Addendum

Last updated: January 19, 2026

This Data Processing Addendum ("DPA") supplements the Terms of Service or other agreement (the "Agreement") entered into by and between Customer (as defined in the Agreement) and Lantern Software, Inc., a Virginia corporation ("Lantern"). By executing the Agreement, Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws (defined below), in the name and on behalf of its Affiliates, if any.

This DPA incorporates the terms of the Agreement, and any terms not defined in this DPA shall have the meaning set forth in the Agreement.

1. Definitions

1.1 "Affiliate" means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed an Affiliate so long as such ownership exists.

1.2 "Authorized Sub-Processor" means a third party who has a need to know or otherwise access Customer's Personal Data to enable Lantern to perform its obligations under this DPA or the Agreement.

1.3 "Customer Account Data" means Personal Data that relates to Customer's relationship with Lantern, including names and contact information of individuals authorized by Customer to access Customer's account, and billing and payment-related information associated with the account, as well as data Lantern needs to manage its relationship with Customer, verify identity, or comply with applicable law.

1.4 "Customer Usage Data" means Service usage data collected and processed by Lantern in connection with the provision of the Services, including data used to identify the source and destination of a communication, activity logs, device and browser metadata, and data used to optimize, secure, and maintain performance of the Services, and to investigate, detect, and prevent abuse.

1.5 "Customer Content" means data, recordings, videos, screenshots, text, instructions, metadata, and other information submitted to or processed through the Services by or on behalf of Customer and its Authorized Users.

1.6 "Data Exporter" means Customer.

1.7 "Data Importer" means Lantern.

1.8 "Data Protection Laws" means any applicable laws and regulations relating to the processing of Personal Data, including: (i) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); (ii) the UK GDPR and UK Data Protection Act 2018; (iii) the Swiss Federal Act on Data Protection; and (iv) the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"); in each case as updated, amended, or replaced from time to time.

1.9 "EU SCCs" means the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021 (as amended and updated from time to time).

1.10 "ex-EEA Transfer" means the transfer of Personal Data processed subject to the GDPR from the Data Exporter to the Data Importer outside the EEA where the transfer is not governed by an adequacy decision.

1.11 "ex-UK Transfer" means the transfer of Personal Data processed subject to the UK GDPR from the Data Exporter to the Data Importer outside the UK where the transfer is not governed by an adequacy decision.

1.12 "Services" has the meaning set forth in the Agreement.

2. Relationship of the Parties; Processing of Data

2.1 Roles. The parties acknowledge and agree that with regard to the processing of Personal Data: (a) Customer may act as a controller or processor; and (b) except as expressly set forth in this DPA, Lantern acts as a processor when processing Personal Data on behalf of Customer.

2.2 Customer responsibilities. Customer shall ensure that: (i) it has all necessary rights, permissions, and legal bases to provide Personal Data to Lantern and instruct Lantern to process Personal Data; and (ii) its instructions comply with applicable Data Protection Laws. Customer is solely responsible for the accuracy, quality, and legality of Personal Data provided to Lantern and the means by which Customer acquired such Personal Data.

2.3 Lantern processing instructions. Lantern shall not process Personal Data: (i) for purposes other than providing the Services and as described in this DPA and the Agreement; (ii) in a manner inconsistent with Customer's documented instructions; or (iii) in violation of Data Protection Laws. Customer hereby instructs Lantern to process Personal Data in accordance with the Agreement and this DPA.

2.4 Details of processing. The subject matter, nature, purpose, and duration of processing, as well as categories of data and Data Subjects, are described in Exhibit A.

2.5 Return or deletion. Following termination or expiration of the Services, Customer may request that Lantern delete or return Customer's Personal Data, unless retention is required by applicable law. Where deletion is impracticable or prohibited, Lantern will block further processing (except as legally required) and continue to protect the data.

2.6 CCPA/CPRA. To the extent the CCPA/CPRA applies, and except with respect to Customer Account Data and Customer Usage Data, Lantern processes Personal Data as a service provider/processor and will not "sell" or "share" such Personal Data as those terms are defined under CCPA/CPRA. Lantern will not retain, use, or disclose such Personal Data outside the direct business relationship with Customer except as necessary to provide the Services, or as otherwise permitted by CCPA/CPRA.

3. Authorized Sub-Processors

3.1 Authorization. Customer provides general written authorization for Lantern to engage sub-processors as necessary to provide the Services, including Lantern's Affiliates.

3.2 Sub-processor list and notice. Lantern will make available a current list of Authorized Sub-Processors upon request. Lantern will provide notice at least fifteen (15) days before adding a new sub-processor that will have access to Customer's Personal Data.

3.3 Objection. Customer may object in writing to a new sub-processor on reasonable data protection grounds within thirty (30) days of notice. If Lantern cannot provide a commercially reasonable alternative, Customer may discontinue the affected Service by written notice.

3.4 Flow-down terms. Lantern will enter into a written agreement with each Authorized Sub-Processor imposing data protection obligations comparable to those in this DPA.

3.5 Liability. Lantern remains liable to Customer for the performance of Authorized Sub-Processors' obligations to the extent required under Data Protection Laws.

4. Security of Personal Data

Taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of processing, Lantern shall implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Additional information about Lantern's security measures is described in Exhibit C.

5. Transfers of Personal Data

5.1 International transfers. Customer acknowledges that Lantern may process and store Personal Data in the United States and other locations where Lantern or its Authorized Sub-Processors operate, as necessary to provide the Services.

5.2 EU SCCs (ex-EEA Transfers). Where required, ex-EEA Transfers are made pursuant to the EU SCCs, which are incorporated by reference. The applicable module will depend on Customer's role (controller/processor) and Lantern's role (processor/sub-processor).

5.3 UK transfers (ex-UK Transfers). Where required, ex-UK Transfers will be governed by appropriate UK transfer mechanisms, including the UK Addendum to the EU SCCs or other legally recognized transfer tool.

5.4 Supplementary measures. Lantern will maintain reasonable supplementary measures appropriate to risk, including encryption in transit and at rest where applicable, access controls, and policies to respond to lawful government requests.

6. Rights of Data Subjects

6.1 Data Subject requests. To the extent permitted by law, Lantern will notify Customer if Lantern receives a request from a Data Subject to exercise their rights (each a "Data Subject Request"). Lantern will direct the Data Subject to submit their request to Customer.

6.2 Assistance. Upon Customer's request, Lantern will provide reasonable assistance to help Customer respond to Data Subject Requests, taking into account the nature of the processing and the information available to Lantern. Customer may be responsible for reasonable costs where legally permitted.

7. Audits; Compliance; Breach Notification

7.1 Compliance support. Lantern will provide reasonable information and assistance to enable Customer to meet obligations such as DPIAs and supervisory authority consultations, where Customer does not otherwise have access to relevant information.

7.2 Audit rights. Upon Customer's written request at reasonable intervals, and subject to confidentiality obligations, Lantern will either: (i) provide relevant summaries, certifications, or reports (if available) demonstrating security compliance; or (ii) if required by law, allow a limited audit by an independent third party under mutually agreed scope, timing, and confidentiality terms. Audits may occur no more than once per year and must not unreasonably disrupt Lantern's business.

7.3 Instruction conflict. Lantern will notify Customer if, in Lantern's reasonable opinion, Customer's instructions infringe Data Protection Laws.

7.4 Personal Data Breach. Lantern will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's Personal Data and will provide reasonable information and cooperation to support Customer's breach notification obligations.

8. Lantern's Role as a Controller

The parties acknowledge and agree that Lantern is an independent controller (not a joint controller) for Customer Account Data and certain Customer Usage Data processed for: account administration, billing, identity verification, fraud prevention, security, compliance, internal analytics, and improving the Services, as permitted by Data Protection Laws.

Lantern may de-identify or anonymize data for analytics and product improvement where permitted by law.

9. Conflict

In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) applicable SCCs and/or transfer addenda; (2) this DPA; (3) the Agreement; and (4) any other written agreement between the parties.

Exhibit A — Details of Processing

Nature and Purpose of Processing

Lantern processes Customer's Personal Data as necessary to provide the Services, including:

  • Ingesting screen recordings and/or uploaded videos
  • Capturing or generating screenshots and media clips
  • Extracting interaction signals and workflow metadata
  • Generating step-by-step text guides and structured metadata
  • Hosting and publishing Customer documentation sites (as configured by Customer)
  • Enabling integrations (e.g., exporting/syncing guides to third-party knowledge bases)
  • Providing analytics and usage insights (if enabled)

Duration of Processing

During the term of the Agreement and as needed to provide the Services, unless earlier deleted upon Customer request or required to be retained by law.

Categories of Data Subjects

  • Customer employees, contractors, and other Authorized Users
  • Customer end users or customers whose information may appear in recordings or Content (as controlled by Customer)

Categories of Personal Data

Depending on Customer's use, Personal Data may include:

  • Names, emails, and account identifiers
  • User-generated Content and documentation text
  • Audio/video and images from recordings or uploads
  • Interaction and event data (clicks, navigation, timestamps)
  • Technical metadata (device, browser, IP address)

Sensitive Data

Sensitive or special category data is not intended to be processed. Customer should avoid recording or uploading sensitive data. If sensitive data is included in unstructured recordings, it may be processed as part of providing the Services.

Exhibit B — Transfer Details (SCC Annex Information)

1. The Parties

Data Exporter(s): Customer, as identified in the applicable Order Form or Agreement.

Data Importer: Lantern Software, Inc.

Role(s): Customer is controller or processor (depending on context). Lantern is processor for Customer Content and related Personal Data, and controller for Customer Account Data and certain Customer Usage Data.

2. Description of the Transfer

  • Subject matter: Provision of documentation generation and hosting services.
  • Frequency: Continuous/periodic during the term, as initiated by Customer use.
  • Recipients: Lantern personnel with a need-to-know basis and Authorized Sub-Processors.

3. Competent Supervisory Authority

Where GDPR applies, the competent supervisory authority is determined under GDPR based on Customer's establishment.

Exhibit C — Technical and Organizational Measures (High-Level)

Lantern maintains technical and organizational measures designed to protect Customer Personal Data, including:

  • Encryption in transit (TLS/HTTPS)
  • Encryption at rest where supported by storage providers
  • Role-based access control and least-privilege access
  • Logging and monitoring for security events
  • Secure development practices and vulnerability management
  • Backups and disaster recovery procedures
  • Sub-processor security diligence

Additional details may be made available under confidentiality upon request.

Ship documentation faster than you ever thought possible.

Get started for freeTalk to sales