Products
FeaturesPricing
Company
Sign In
Get Started For Free
Products
FeaturesPricing
Company
Sign In
Get Started For Free
Data Processing Addendum
Data Processing Addendum ("DPA")
Terms of ServicePrivacy PolicyAcceptable Use PolicyData Processing AddendumCookie PolicyRestricted Businesses PolicySub-processorsDMCALaw EnforcementReport Policy Violation
This document was last updated 15 May 2025
Effective date: 15 May 2025

This Data Processing Addendum ("DPA") forms part of the Lana Commerce, Inc. Terms of Service or other written or electronic agreement ("Agreement") between Lana Commerce, Inc. ("Lana," "Lana Commerce," or "Processor") and the Merchant using Lana's Services ("Merchant" or "Controller").

This DPA reflects the parties’ agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws and Regulations.

1. Definitions

Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. In this DPA, the following terms shall have the meanings set out below:

  • "Agreement" means the Lana Commerce, Inc. Terms of Service agreed between Lana and the Merchant.
  • "Controller" means the entity which determines the purposes and means of the Processing of Personal Data (the Merchant).
  • "Data Protection Laws and Regulations" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law, UK Data Protection Law, the CCPA, and other relevant data privacy laws.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "EU Data Protection Law" means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"), and laws implementing or supplementing the GDPR.
  • "Merchant Personal Data" means any Personal Data Processed by Processor on behalf of Merchant pursuant to or in connection with the Agreement.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
  • "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • "Processor" means the entity which Processes Personal Data on behalf of the Controller (Lana).
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as may be amended, superseded or replaced from time to time.
  • "Sub-processor" means any third-party processor engaged by Lana to Process Merchant Personal Data.
  • "Supervisory Authority" means an independent public authority which is established by an EU Member State pursuant to the GDPR, or other relevant authority under Data Protection Laws and Regulations.
  • "UK Data Protection Law" means the Data Protection Act 2018 and the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"), and laws implementing or supplementing the UK GDPR.
  • "UK SCC Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A(1) of the Data Protection Act 2018.

2. Processing of Merchant Personal Data

2.1 Roles of the Parties.

The parties acknowledge and agree that with regard to the Processing of Merchant Personal Data, Merchant is the Controller and Lana is the Processor.

2.2 Merchant’s Processing of Personal Data.

Merchant shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. Merchant shall have sole responsibility for the accuracy, quality, and legality of Merchant Personal Data and the means by which Merchant acquired Merchant Personal Data. Merchant specifically represents and warrants that it has provided all necessary notices and obtained all necessary consents, authorizations, or approvals from Data Subjects required under applicable Data Protection Laws and Regulations for Lana to Process Merchant Personal Data as contemplated by the Agreement and this DPA.

2.3 Lana’s Processing of Personal Data.

Lana shall treat Merchant Personal Data as Confidential Information and shall only Process Merchant Personal Data on behalf of and in accordance with Merchant’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Merchant (e.g., via email) where such instructions are consistent with the terms of the Agreement. The subject matter, duration, nature, and purpose of the Processing, as well as the types of Personal Data and categories of Data Subjects, are further specified in Annex 1 (Details of Processing) to this DPA.

2.4 Details of Processing.

The details of the Processing operations, including the subject matter, duration, nature, and purpose of the Processing, the types of Personal Data Processed, and the categories of Data Subjects, are described in Annex 1.

3. Processor Personnel

Lana shall ensure that its personnel engaged in the Processing of Merchant Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Lana shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

4. Security Measures

4.1 Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Lana shall implement and maintain appropriate technical and organizational measures ("TOMs") for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Merchant Personal Data), confidentiality and integrity of Merchant Personal Data.

4.2 Details of Security Measures. The specific technical and organizational measures implemented by Lana are described in Annex 2. Lana may update or modify these measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Merchant.

5. Sub-processing

5.1 Authorization. Merchant provides a general authorization to Lana to engage Sub-processors for the Processing of Merchant Personal Data. Lana shall maintain a list of its current Sub-processors as set forth in Annex 3. Lana shall inform Merchant of any intended changes concerning the addition or replacement of Sub-processors, thereby giving Merchant the opportunity to object to such changes.

5.2 Objections. Merchant may reasonably object to Lana’s use of a new Sub-processor by notifying Lana in writing within ten (10) business days after receipt of Lana’s notice. If Merchant objects to a new Sub-processor, and Lana cannot reasonably accommodate the objection, Merchant may terminate the applicable Order Form(s) or the Agreement with respect to those Services which cannot be provided by Lana without the use of the objected-to Sub-processor by providing written notice to Lana. Lana will refund Merchant any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services.

5.3 Sub-processor Obligations. Lana shall ensure that any Sub-processor it engages is subject to data protection obligations compatible with those imposed on Lana under this DPA, including implementing appropriate technical and organizational measures. Lana shall remain fully liable to Merchant for the performance of the Sub-processor's obligations.

6. Data Subject Rights

Taking into account the nature of the Processing, Lana shall assist Merchant by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Merchant’s obligations, as reasonably understood by Merchant, to respond to requests to exercise Data Subject rights under the Data Protection Laws and Regulations (such as rights of access, rectification, erasure, restriction of processing, data portability, and objection). Lana shall, to the extent legally permitted, promptly notify Merchant if it receives a request from a Data Subject. Merchant shall be responsible for responding to such requests.

7. Data Protection Impact Assessment and Prior Consultation

Lana shall provide reasonable assistance to Merchant with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Merchant reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of other Data Protection Laws and Regulations, in each case solely in relation to Processing of Merchant Personal Data by, and taking into account the nature of the Processing and information available to, the Processor.

8. Personal Data Breach

Lana shall notify Merchant without undue delay upon Lana becoming aware of a Personal Data Breach affecting Merchant Personal Data, providing Merchant with sufficient information to allow the Merchant to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws and Regulations. Lana shall co-operate with Merchant and take reasonable commercial steps as are directed by Merchant to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

9. Deletion or Return of Merchant Personal Data

Upon termination of the Agreement, Lana shall, at the choice of the Merchant, delete or return all Merchant Personal Data to the Merchant, and delete existing copies unless applicable law requires storage of the Personal Data. The specifics regarding data deletion timelines are further outlined in the Agreement (e.g., Section 10.5 specifies a 90-day retention period post-termination).

10. Audit Rights

Lana shall make available to Merchant on request all information reasonably necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by Merchant or an auditor mandated by Merchant in relation to the Processing of the Merchant Personal Data by the Processor. Any such audit shall be subject to reasonable prior notice, conducted during normal business hours, and shall not unreasonably interfere with Lana's business activities. Merchant shall bear the costs of any such audit.

11. International Transfers

11.1 Processing Locations. Merchant acknowledges and agrees that Lana may Process Merchant Personal Data in and transfer Merchant Personal Data to countries outside the Merchant's country of residence, including the United States and locations within the European Economic Area (EEA), as necessary to provide the Services and fulfill its obligations under the Agreement.

11.2 Transfer Mechanism. To the extent that the Processing of Merchant Personal Data involves a transfer of Personal Data outside the EEA, Switzerland, or the UK to a country not recognized by the European Commission, Swiss Federal Data Protection and Information Commissioner (FDPIC), or UK Information Commissioner's Office (ICO) as providing an adequate level of data protection, the parties agree that the Standard Contractual Clauses (SCCs) shall apply. a. For transfers subject to EU Data Protection Law, the SCCs will apply, completed as follows: Module Two (Controller to Processor) will apply where Merchant is a Controller and Lana is a Processor. The optional Clause 7 docking clause will not apply. Clause 9(a) Option 2 (General Written Authorisation) will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 5.1 of this DPA. Clause 11(a) redress option will not apply. For Clause 17 (Governing Law), Option 1 will apply, and the Member State law shall be the law of Ireland. For Clause 18 (Choice of forum and jurisdiction), the courts of Ireland shall apply. Annex I and II of the SCCs shall be deemed completed with the information set out in Annex 1 and 2 of this DPA respectively. b. For transfers subject to UK Data Protection Law, the SCCs shall apply as completed in accordance with paragraph (a) above, and the UK SCC Addendum will be deemed executed between the parties and incorporated into this DPA. Part 1 of the UK SCC Addendum shall be deemed completed with the information set out in Annex 1 and 2 of this DPA.

12. General Terms

12.1 Governing Law. This DPA shall be governed by and construed in accordance with the governing law specified in the Agreement, unless required otherwise by Data Protection Laws and Regulations. 12.2 Conflict. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail with regard to the subject matter of data protection. 12.3 Order of Precedence. This DPA is incorporated into and forms part of the Agreement.

List of Annexes:

Annex 1: Details of Processing Annex 2: Technical and Organizational Security Measures Annex 3: List of Sub-processors

Annex 1: Details of Processing

(A) List of Parties

Data exporter(s) / Controller(s):

  • Name: The Merchant, as defined in the Lana Agreement.
  • Address: The Merchant's address as provided during account registration.
  • Contact person’s name, position, and contact details: As provided by the Merchant in the Account.
  • Activities relevant to the data transferred under these Clauses: Obtaining Lana's Services as described in the Agreement.
  • Role (controller/processor): Controller

Data importer(s) / Processor(s):

  • Name: Lana Commerce, Inc.
  • Address: 548 Market St, Suite #35443, San Francisco, California 94104, US
  • Contact person’s name, position, and contact details: hello@lana.dev
  • Activities relevant to the data transferred under these Clauses: Providing the Services as described in the Agreement.
  • Role (controller/processor): Processor *

(B) Description of Transfer

  • Categories of data subjects whose personal data is transferred:
  • Customers, end-users, and visitors of the Merchant's online store(s) and related services.
  • Merchant's employees, representatives, and staff users authorized to access the Services.
  • Categories of personal data transferred:
  • Merchant's Customer Data: Name, email address, phone number, shipping/billing address, IP address, order details (products purchased, amounts, payment status - excluding full payment card details which are typically handled directly by payment gateways), device information, browser information, customer account information (if applicable), communication records (if using platform features for this).
  • Merchant User Data: Name, email address, job title/role, contact details, account login credentials (hashed), usage data within the Services.
  • Sensitive data transferred (if applicable) and applied restrictions or safeguards: None anticipated under standard use.
  • The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis): Continuous basis for the duration of the Agreement.
  • Nature of the processing: Collection, storage, hosting, retrieval, use, organization, analysis (for providing analytics features to the Merchant), disclosure (to authorized sub-processors or as instructed by Merchant), combination, restriction, erasure, and destruction of Personal Data as necessary to provide the Services under the Agreement.
  • Purpose(s) of the data transfer and further processing: To enable Lana to provide, maintain, support, secure, and improve the headless commerce platform Services to the Merchant as detailed in the Agreement.
  • The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for the duration of the Agreement, plus a period of 90 days post-termination for deletion, unless otherwise required by applicable law or specified in the Agreement.
  • For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As specified for Lana above, delegated to Sub-processors listed in Annex 3 solely for the purpose of assisting in providing the Services. Duration is tied to the engagement with the Sub-processor.

(C) Competent Supervisory Authority

The competent supervisory authority is determined in accordance with Clause 13 of the Standard Contractual Clauses (SCCs) and the UK SCC Addendum, as applicable:

  • For data transfers subject to the EU GDPR where the Merchant (Data Exporter) is established in an EU Member State, the competent supervisory authority is the data protection authority of that EU Member State.
  • For data transfers subject to the EU GDPR where the Merchant (Data Exporter) is not established in an EU Member State but the transfer is otherwise subject to the GDPR, and given that this DPA specifies Irish law to govern the SCCs, the competent supervisory authority for the purpose of the SCCs is the Data Protection Commission of Ireland.
  • For data transfers subject to the UK GDPR, the competent supervisory authority is the UK Information Commissioner's Office (ICO).
  • For Merchants established in other jurisdictions (e.g., Australia) and processing personal data subject to their local privacy laws (e.g., the Australian Privacy Act), the relevant national or regional data protection authority (e.g., the Office of the Australian Information Commissioner - OAIC) will have jurisdiction over the Merchant's compliance as a data controller. The SCCs primarily address EU/UK data protection requirements for international transfers.

Annex 2: Technical and Organizational Security Measures

Lana shall implement and maintain the following technical and organizational security measures to protect Merchant Personal Data:

  1. Physical Access Control: Measures to prevent unauthorized persons from gaining access to data processing systems (e.g., security personnel, access control systems, secure data center facilities).
  2. System Access Control: Measures to prevent data processing systems from being used without authorization (e.g., authentication mechanisms, password policies, role-based access controls, logging).
  3. Data Access Control: Measures to ensure that persons entitled to use a data processing system gain access only to such data as they are authorized to access in accordance with their access rights, and that Personal Data cannot be read, copied, modified or deleted without authorization during Processing (e.g., access permissions, segregation of duties, encryption of data at rest and in transit).
  4. Transmission Control: Measures to ensure that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission or transport (e.g., encryption (TLS/SSL), secure file transfer protocols).
  5. Input Control: Measures to ensure that it is possible to check and establish whether and by whom Personal Data have been entered, modified or deleted from data processing systems (e.g., logging, audit trails).
  6. Availability Control: Measures to ensure that Personal Data are protected against accidental destruction or loss (e.g., backup and recovery procedures, redundancy, disaster recovery plans).
  7. Separation Control: Measures to ensure that Personal Data collected for different purposes can be processed separately (e.g., logical separation of data, separate databases or schemas).
  8. Security Testing & Vulnerability Management: Regular security testing, vulnerability scanning, and patch management processes.
  9. Incident Response: Procedures for detecting, responding to, and reporting security incidents and Personal Data Breaches.
  10. Personnel Security: Security awareness training for personnel with access to Personal Data, background checks where appropriate.

Annex 3: List of Sub-processors

Merchant provides general authorization for Lana to engage the following categories of Sub-processors:

  • Cloud Infrastructure Providers: [e.g., AWS, Google Cloud, Azure] - For hosting the platform and data storage.
  • Content Delivery Networks (CDNs): [e.g., Cloudflare, Fastly] - For performance and security.
  • Customer Support & Communication Tools: [e.g., Zendesk, Intercom, SendGrid] - For providing support and sending transactional emails/notifications.
  • Analytics & Monitoring Services: [e.g., Datadog, Sentry] - For service monitoring, logging, and performance analysis.
  • Payment Processors (for Lana's own billing, not Merchant sales): [e.g., Stripe] - For processing fees owed by Merchant to Lana.
  • Internal Collaboration & Productivity Tools: [e.g., Slack, Google Workspace] - For internal team communication and operations (with appropriate safeguards).

A specific, up-to-date list of Sub-processors can be found at: Sub-processors. Lana will provide notice of changes to this list as described in Section 5.1 of the DPA.

Get started for free
Get Started
© Lana
Products
Storefront API Commerce API
Using Lana
Features Pricing Documentation
Company
About Careers Security
Resources
User Guide Terms & Privacy Status Cookie Preferences