Data Processing Agreement (Lantern AI)
This DPA forms part of the Services Agreement between the parties.
This Data Processing Agreement ("DPA") is entered into between the Customer as the data Controller and Lantern AI as the data Processor. It governs Lantern AI's processing of personal data on behalf of the Customer in connection with Lantern AI's voice-based AI interview recruiting services. This DPA ensures compliance with applicable data protection laws, including the EU/UK GDPR, Hong Kong's Personal Data (Privacy) Ordinance (PDPO), and the PRC Personal Information Protection Law (PIPL). Terms not defined here have the meanings in the Services Agreement or applicable law.
1. Scope and Purpose of Processing
Subject Matter:
Lantern AI provides a voice-based AI interview recruiting service. Under this DPA, Lantern AI processes personal data solely to provide AI analysis of candidate interviews and to automate first‑round screening on behalf of the Customer.
Duration:
Lantern AI will process personal data for the term of the Services Agreement and retain it only as necessary for service provision, or as otherwise required by law.
Nature of Processing:
Collection of interview data from candidates; storage of audio/video recordings and transcripts; automated analysis of responses; and delivery of insights to the Customer.
Purpose of Processing:
- Provide AI analysis of candidate interviews;
- Automate initial screening and provide evaluation results;
- Improve Lantern AI's algorithms using anonymized/aggregated data (see Section 4.9).
Categories of Data Subjects:
Job applicants/candidates and, where applicable, Customer users (e.g., recruiters).
Types of Personal Data:
- Contact Information: name, email address, phone number, and similar contact details;
- Professional Background: resume/CV information, employment history, education, skills;
- Interview Data: audio/video recordings, interview transcripts, responses to questions, derived evaluations or notes;
- Usage Data: IP address, browser type and version, pages visited, timestamps, and duration of visits.
Special Categories:
Lantern AI does not intentionally collect special categories of personal data. If such data may be incidentally disclosed by candidates, the Customer confirms it has a lawful basis and provides any required notices/consents.
2. Roles and Compliance with Laws
The Customer acts as the data Controller (data user under PDPO; personal information handler under PIPL). Lantern AI acts as the data Processor (entrusted person under PIPL) and will only process personal data on documented instructions of the Customer and as permitted by this DPA.
Each party will comply with all applicable data protection laws, including GDPR, PDPO, and PIPL. The Customer warrants it has provided legally adequate notices and obtained any required consents (including separate consent under PIPL for cross‑border transfers or sensitive processing where applicable).
3. Obligations of the Customer (Controller)
- Provide lawful, documented instructions and remain responsible for the lawfulness of processing;
- Provide required privacy notices and obtain any required consents from data subjects;
- Respond to data subject requests and inform Lantern AI where assistance is needed;
- Ensure data minimization and accuracy; disclose only data necessary for the purposes;
- Use Lantern AI's security features appropriately and promptly inform Lantern AI of issues;
- Remain accountable for Controller obligations and compliance under applicable laws.
4. Obligations of Lantern AI (Processor)
4.1 Processing on Documented Instructions:
Lantern AI will process personal data only on documented instructions from the Customer and for the purposes authorized by this DPA, unless required by law.
4.2 Confidentiality:
Lantern AI ensures all personnel and sub‑contractors with access to personal data are bound by confidentiality obligations and trained on privacy and security.
4.3 Security Measures:
Lantern AI maintains appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. See Annex A for details.
4.4 Sub‑Processors:
Customer provides general authorization for Lantern AI to engage sub‑processors listed in Annex B. Lantern AI will notify Customer of changes, flow down equivalent obligations, and remain liable for sub‑processor performance.
4.5 Assistance with Data Subject Rights:
Taking into account the nature of processing, Lantern AI will assist the Customer in responding to data subject requests, and will not respond directly to data subjects without the Customer's instruction unless legally required.
4.6 Breach Notification:
Lantern AI will notify the Customer without undue delay upon becoming aware of a personal data breach affecting Customer data and will provide information and assistance reasonably required for Customer's compliance obligations.
4.7 DPIA & Cooperation:
Lantern AI will provide reasonable assistance with data protection impact assessments and consultations with supervisory authorities related to the Services.
4.8 International Data Transfers:
Lantern AI will implement appropriate cross‑border transfer mechanisms (e.g., SCCs for GDPR; CAC Standard Contract/certification/security assessment and separate consent under PIPL as applicable). For Hong Kong data, Lantern AI will apply PCPD‑recommended transfer safeguards on a best‑practice basis.
4.9 Anonymization & Service Improvement:
With Customer permission, Lantern AI may anonymize or aggregate data so it can no longer identify an individual and use such de‑identified data to improve services. Anonymized data may be retained post‑termination. Lantern AI will not use personal data for model training in a way that identifies individuals or exceeds Customer's instructions.
4.10 Records & Audit:
Lantern AI maintains records of processing and will make available information to demonstrate compliance. Customer may audit annually (or as required by law or following a material breach). Audits may rely on third‑party certifications or, if needed, on‑site inspections under confidentiality, with reasonable notice.
4.11 Compliance and Accountability:
Lantern AI will promptly inform the Customer if an instruction infringes applicable law or if Lantern AI can no longer meet its obligations under this DPA.
5. Security of Processing
- Security Standards: Encryption in transit and at rest, access controls, network security, monitoring, and regular testing in line with industry best practices;
- Incident Response: Documented incident response plan to investigate, mitigate, and prevent recurrence; Customer informed throughout;
- Government/Authority Requests: Lantern AI will notify Customer (unless prohibited) and limit disclosure to what is legally required.
6. Return or Deletion of Data
Upon termination or upon Customer request, Lantern AI will return or securely delete all personal data (including copies) without undue delay, unless retention is required by law. By default, deletion or anonymization occurs within an agreed period following service end. Backups are securely overwritten according to policy.
7. General Provisions
- Governing Law: As set out in the Services Agreement;
- Order of Precedence: This DPA prevails in case of conflict on data protection matters;
- Changes: Parties will cooperate in good faith to update this DPA as laws evolve;
- Severability: Invalid terms are replaced with valid terms of similar intent;
- Entire Agreement: This DPA and the Services Agreement constitute the entire agreement on processing;
- Signatures: This DPA may be executed electronically or in counterparts.
8. Contact Us
If you have any questions, please contact us at support@ourlanterns.com.