Data Processing Addendum

Lightr.ai — Version 1.0 · Effective Date: March 12, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement for the provision of Lightr.ai services (the “Agreement”) between:

(1) The entity that has executed the Agreement with Lightr.ai and is identified as the customer in the Agreement (the “Controller” or “Customer”); and

(2) Lightr.ai, Inc., a Delaware corporation (the “Processor” or “Lightr.ai”).

This DPA applies to the extent that Lightr.ai processes Personal Data on behalf of the Customer in the course of providing the Service. This DPA is incorporated into and subject to the terms of the Agreement. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

1. Definitions

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined herein have the meanings given to them in the Agreement or in applicable Data Protection Laws.

  • “Agreement” means the Lightr.ai Terms of Service, together with any applicable Order Form executed between the Customer and Lightr.ai.
  • “Data Protection Laws” means the GDPR (Regulation (EU) 2016/679), the UK GDPR, the CCPA/CPRA (California Civil Code §1798.100 et seq.), and any other applicable data protection or privacy legislation.
  • “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Lightr.ai on behalf of the Customer under the Agreement.
  • “Processing” means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
  • “Sub-processor” means any third party engaged by Lightr.ai to process Personal Data on behalf of the Customer.
  • “SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries, as adopted by the European Commission under Decision 2021/914.
  • “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Scope and Roles

The Customer is the Controller of Personal Data processed through the Service. Lightr.ai is the Processor, acting solely on the documented instructions of the Customer.

The details of Processing are described in Annex 1 to this DPA, including the subject matter, duration, nature and purpose of Processing, the types of Personal Data, and the categories of Data Subjects.

3. Customer Obligations

The Customer shall:

  • Ensure that it has a valid legal basis for the collection and transfer of Personal Data to Lightr.ai, including obtaining all necessary consents and providing all required notices to Data Subjects.
  • Provide documented processing instructions to Lightr.ai that comply with applicable Data Protection Laws.
  • Be responsible for the accuracy, quality, and legality of the Personal Data provided to Lightr.ai.
  • Comply with all applicable Data Protection Laws in its use of the Service, including ensuring that any automated messaging or outreach conducted through the Service complies with applicable anti-spam and electronic communications laws.

4. Processor Obligations

Lightr.ai shall:

  • Process Personal Data only on the documented instructions of the Customer, unless required to do so by applicable law, in which case Lightr.ai shall inform the Customer of that legal requirement before Processing (unless prohibited by law from doing so).
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement and maintain appropriate technical and organizational security measures as described in Annex 2 to this DPA.
  • Not engage any Sub-processor without complying with the requirements set out in Section 6 of this DPA.
  • Taking into account the nature of the Processing, assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations to respond to Data Subject requests.
  • Assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 of the GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of Processing and the information available to Lightr.ai.
  • At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of the Service, and delete existing copies unless applicable law requires storage of the Personal Data.
  • Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to the terms of Section 8.

5. Data Subject Requests

Lightr.ai shall promptly notify the Customer if it receives a request from a Data Subject to exercise their rights under applicable Data Protection Laws (including access, rectification, erasure, restriction, portability, or objection). Lightr.ai shall not respond to such a request directly except on the documented instructions of the Customer or as required by applicable law.

Lightr.ai shall provide reasonable assistance to the Customer in responding to Data Subject requests, taking into account the nature of the Processing.

6. Sub-Processors

6.1 General Authorization

The Customer provides a general written authorization to Lightr.ai to engage Sub-processors to process Personal Data on the Customer’s behalf, subject to the requirements of this Section 6.

6.2 Current Sub-processors

The list of Sub-processors currently engaged by Lightr.ai is set out in Annex 3 to this DPA. This list is consistent with the sub-processor disclosures in the Lightr.ai Privacy Policy.

6.3 Notification of Changes

Lightr.ai shall notify the Customer by email at least 30 days before engaging any new Sub-processor or replacing an existing Sub-processor. The notification shall include the name, location, and processing activities of the proposed Sub-processor.

6.4 Objection Right

If the Customer objects to a new Sub-processor on reasonable data protection grounds, the Customer shall notify Lightr.ai in writing within 15 days of receiving the notification. The parties shall discuss the objection in good faith. If the parties are unable to reach a resolution within 30 days, the Customer may terminate the affected portion of the Service without penalty by providing written notice to Lightr.ai.

6.5 Sub-processor Obligations

Lightr.ai shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. Lightr.ai shall remain fully liable to the Customer for the performance of each Sub-processor’s obligations.

7. Security Incidents

Lightr.ai shall notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Security Incident affecting Personal Data processed under this DPA.

The notification shall include, to the extent available:

  • A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected.
  • The name and contact details of the point of contact at Lightr.ai from whom further information may be obtained.
  • A description of the likely consequences of the Security Incident.
  • A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects.

Lightr.ai shall cooperate with the Customer and take reasonable commercial steps to assist the Customer in investigating, mitigating, and remediating the Security Incident. Lightr.ai’s notification of a Security Incident shall not be construed as an acknowledgement of fault or liability.

8. Audits

Lightr.ai shall make available to the Customer, upon reasonable request and no more than once per calendar year (unless a Security Incident has occurred), information reasonably necessary to demonstrate compliance with this DPA.

If the Customer requires an on-site audit, the following conditions apply:

  • The Customer shall provide at least 30 days’ prior written notice.
  • The audit shall be conducted during normal business hours and shall not unreasonably disrupt Lightr.ai’s operations.
  • The Customer shall bear its own costs of the audit. If the audit requires significant Lightr.ai resources, the Customer shall reimburse Lightr.ai’s reasonable costs at rates agreed in advance.
  • The auditor shall execute a confidentiality agreement acceptable to Lightr.ai before the audit commences.
  • Audit findings and reports shall be treated as Confidential Information of Lightr.ai.

Where Lightr.ai holds a current SOC 2 Type II report or equivalent third-party certification, Lightr.ai may provide this report to the Customer in lieu of an on-site audit, unless the Customer can demonstrate that the report does not address the Customer’s specific concerns.

9. International Data Transfers

To the extent that Personal Data originating from the EEA, UK, or Switzerland is transferred to countries not recognized as providing an adequate level of data protection, the parties agree that such transfers shall be governed by the SCCs, which are incorporated into this DPA by reference and attached as Annex 4.

For the purposes of the SCCs:

  • Module Two (Controller to Processor) shall apply.
  • The Customer is the “data exporter” and Lightr.ai is the “data importer.”
  • The details required by Annex I of the SCCs are set out in Annex 1 of this DPA.
  • The technical and organizational measures required by Annex II of the SCCs are set out in Annex 2 of this DPA.
  • The list of Sub-processors required by Annex III of the SCCs is set out in Annex 3 of this DPA.

Where the EU-US Data Privacy Framework applies and Lightr.ai or a Sub-processor is a certified participant, such certification may serve as the transfer mechanism in lieu of the SCCs for transfers to that entity.

10. Term and Termination

This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiration of the Agreement.

Upon termination, Lightr.ai shall, at the Customer’s election and written request made within 30 days of termination:

  • Return all Personal Data to the Customer in a commonly used, machine-readable format; or
  • Delete all Personal Data and certify such deletion in writing.

If the Customer does not provide written instructions within 30 days of termination, Lightr.ai shall delete all Personal Data within 60 days of termination, unless retention is required by applicable law.

11. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA shall limit either party’s liability to Data Subjects under applicable Data Protection Laws.

12. Governing Law

This DPA shall be governed by and construed in accordance with the law that governs the Agreement, unless applicable Data Protection Laws require otherwise. For the purposes of the SCCs, the governing law shall be the law of the EU Member State in which the data exporter is established, or, if the data exporter is not established in an EU Member State, the law of France (as the location of Lightr.ai’s EU representative).

13. How This DPA Applies

This DPA is incorporated into and forms part of the Lightr.ai Terms of Service. By creating an account, accepting the Terms of Service, or using the Service, the Customer agrees to be bound by this DPA. No separate signature is required.

This DPA is publicly available at lightr.ai/legal/dpa. The Customer is encouraged to review this DPA and the Lightr.ai Privacy Policy before using the Service.

For enterprise customers requiring a separately executed version of this DPA (including any negotiated amendments), please contact privacy@lightr.ai.

Annex 1: Details of Processing

Element Description
Subject Matter Processing of Personal Data in connection with the provision of Lightr.ai’s marketing automation platform, including social media management, messaging automation, and AI-powered suggested replies.
Duration For the term of the Agreement, plus the post-termination retention period described in Section 10 of this DPA.
Nature and Purpose Lightr.ai processes Personal Data to: (a) connect to and retrieve data from third-party social media platforms on the Customer’s behalf; (b) analyze message content to generate AI-powered suggested replies; (c) execute marketing automation workflows; (d) provide campaign analytics and performance reporting.
Types of Personal Data Account identifiers (names, email addresses, usernames); social media profile information; connection/follower metadata; message content (where platform access is enabled); engagement metrics; IP addresses and device data.
Categories of Data Subjects The Customer’s employees and authorized users; the Customer’s leads, contacts, and prospects; individuals who interact with the Customer’s social media accounts or messaging channels.
Special Categories Lightr.ai does not intentionally process special categories of data (Article 9 GDPR). If the Customer’s use of the Service results in special category data being processed, the Customer is responsible for ensuring a valid legal basis.

Annex 2: Technical and Organizational Measures

Lightr.ai implements and maintains the following technical and organizational security measures, consistent with the security commitments in the Lightr.ai Privacy Policy:

Encryption

  • Data in transit: TLS 1.2 or higher for all communications.
  • Data at rest: AES-256 encryption or equivalent for databases and backups.

Access Controls

  • Role-based access control (RBAC) with the principle of least privilege.
  • Multi-factor authentication (MFA) required for all internal administrative access.
  • Unique user credentials for all personnel; no shared accounts.

Infrastructure Security

  • Cloud hosting and AI/ML infrastructure with enterprise-grade providers (AWS, Supabase, Vercel, Google Cloud Platform, Anthropic, OpenAI), as listed in Annex 3.
  • Network segmentation and firewall protections.
  • Automated vulnerability scanning and regular penetration testing.

Data Minimization and Retention

  • Message content retained for a maximum of 7 days for AI-suggested reply processing, then permanently deleted.
  • Third-party platform metadata purged within 30 days of platform disconnection.
  • Account data deleted or anonymized within 60 days of account termination.

Incident Response

  • Documented incident response plan with defined escalation procedures.
  • Security Incident notification to affected Customers within 48 hours.
  • Notification to supervisory authorities within 72 hours where required by GDPR Article 33.

Personnel

  • Confidentiality obligations in all employment and contractor agreements.
  • Regular data protection and security awareness training.

Business Continuity

  • Regular automated backups with tested restoration procedures.
  • Disaster recovery plan with defined recovery time objectives.

Annex 3: Authorized Sub-Processors

The following Sub-processors are authorized as of the effective date of this DPA. This list is consistent with the sub-processor disclosures in the Lightr.ai Privacy Policy.

Sub-Processor Purpose Location
Amazon Web Services (AWS) Cloud hosting and infrastructure EU (eu-west region) / US
Stripe Payment processing US (PCI-DSS compliant)
Supabase Database and authentication EU / US
Vercel Frontend hosting Global CDN
Google Cloud Platform AI/ML services, API integrations US / Global
Anthropic AI/ML services (language model API for suggested replies) US
OpenAI AI/ML services (language model API for suggested replies) US

Changes to this list are subject to the notification and objection procedure described in Section 6 of this DPA.

Annex 4: Standard Contractual Clauses

The Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated into this DPA by reference.

Module Two (Controller to Processor) applies.

The parties agree to the following selections within the SCCs:

  • Clause 7 (Docking Clause): Included. Third parties may accede to the SCCs with the consent of both the data exporter and Lightr.ai.
  • Clause 9(a) (Sub-processor Authorization): Option 2 (General written authorization) applies, consistent with Section 6 of this DPA.
  • Clause 11 (Redress): The optional language is not included.
  • Clause 13 (Supervision): The supervisory authority of the EU Member State in which the data exporter is established shall act as the competent supervisory authority. Where the data exporter is not established in the EU, the Commission Nationale de l’Informatique et des Libertés (CNIL, France) shall act as the competent supervisory authority.
  • Clause 17 (Governing Law): The law of the EU Member State in which the data exporter is established. Where the data exporter is not established in the EU, the law of France.
  • Clause 18 (Choice of Forum): The courts of the EU Member State in which the data exporter is established. Where the data exporter is not established in the EU, the courts of France.

The Annexes to the SCCs are completed as follows: Annex I corresponds to Annex 1 of this DPA; Annex II corresponds to Annex 2 of this DPA; Annex III corresponds to Annex 3 of this DPA.

The full text of the SCCs is publicly available in the Official Journal of the European Union (L 199/1, 7.6.2021) and may be obtained at: eur-lex.europa.eu.