Data Processing Agreement
This Data Processing Agreement ("DPA") is entered into between the entity agreeing to Lorrano's Terms of Service ("Customer," "you," or "Controller") and Lorrano, Inc. ("Lorrano," "we," or "Processor"), and supplements the Terms of Service and Privacy Policy.
This DPA applies when Lorrano processes personal data on behalf of Customer in the course of providing the Service.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection law (including GDPR Article 4(1) and CCPA section 1798.140(v)).
"Processing" means any operation performed on Personal Data, including collection, storage, use, transfer, and deletion.
"Controller" means the entity that determines the purposes and means of Processing Personal Data. In this DPA, that is the Customer.
"Processor" means the entity that Processes Personal Data on behalf of the Controller. In this DPA, that is Lorrano.
"Sub-processor" means a third party engaged by Lorrano to Process Personal Data on behalf of the Customer.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including the GDPR (EU Regulation 2016/679), UK GDPR, CCPA/CPRA, and any successor legislation.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as approved by the European Commission in Implementing Decision (EU) 2021/914.
2. Scope and Roles
2.1 Customer as Controller
Customer determines the purposes and means of Processing Personal Data through its use of the Service. Customer decides what inventory feeds to connect, what branding to upload, what social accounts to link, and what videos to generate and post.
2.2 Lorrano as Processor
Lorrano Processes Personal Data solely on behalf of and under the documented instructions of Customer, as described in this DPA and the Terms of Service. Lorrano does not determine the purposes of Processing and does not use Customer Personal Data for its own purposes.
2.3 Categories of Data Processed
| Data Category | Examples | Purpose |
|---|---|---|
| Account holder data | Name, email, phone, job title | Account management, billing, support |
| Dealership business data | Business name, address, tax ID | Invoicing, compliance |
| Inventory data | VIN, year, make, model, price, photos | Video generation |
| Social account tokens | OAuth tokens for Meta, TikTok, Google | Automated posting |
| Usage data | Dashboard interactions, feature usage | Service improvement |
2.4 Data Subjects
Data Subjects under this DPA are limited to:
- Customer's employees and authorized users who access the dashboard
- Customer's business contacts provided during account setup
The Service does not Process personal data of Customer's end consumers (car buyers, leads, or website visitors).
3. Customer Obligations
Customer shall:
- Ensure it has a lawful basis for Processing Personal Data and for instructing Lorrano to Process it.
- Provide all required notices to Data Subjects regarding the Processing.
- Ensure that its instructions to Lorrano comply with Applicable Data Protection Law.
- Not provide Lorrano with any sensitive or special category data (racial or ethnic origin, political opinions, religious beliefs, health data, biometric data) unless explicitly agreed in writing.
4. Lorrano's Obligations
4.1 Processing Instructions
Lorrano shall Process Personal Data only on documented instructions from Customer, which are set forth in this DPA, the Terms of Service, and any written instructions provided by Customer. If Lorrano believes an instruction violates Applicable Data Protection Law, it will promptly notify Customer.
4.2 Confidentiality
Lorrano shall ensure that all personnel authorized to Process Personal Data are bound by obligations of confidentiality, whether contractual or statutory.
4.3 Security
Lorrano shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage. These measures include:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Access controls with role-based permissions and SSH key authentication
- Network security via Cloudflare WAF, DDoS protection, and firewall rules
- Regular vulnerability scanning and patch management
- Encrypted storage of credentials and OAuth tokens
- Automated backup with point-in-time recovery
- Incident detection and monitoring
For details, see our Security page.
4.4 Data Subject Requests
Lorrano shall promptly notify Customer if it receives a request from a Data Subject to exercise their rights under Applicable Data Protection Law (access, rectification, erasure, portability, restriction, or objection). Lorrano shall not respond to such requests directly unless authorized by Customer or required by law.
Lorrano shall provide reasonable assistance to Customer in fulfilling Data Subject requests, taking into account the nature of the Processing.
4.5 Data Breach Notification
Lorrano shall notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification shall include:
- A description of the nature of the breach
- The categories and approximate number of Data Subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
Lorrano shall cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
4.6 Data Protection Impact Assessments
Lorrano shall provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, where required by Applicable Data Protection Law, taking into account the nature of the Processing and the information available to Lorrano.
4.7 Audits
Customer has the right to audit Lorrano's compliance with this DPA. Lorrano shall make available all information necessary to demonstrate compliance and allow for audits conducted by Customer or a third-party auditor appointed by Customer. Audits shall be:
- Conducted with at least 30 days' written notice
- Limited to once per year (unless a data breach has occurred)
- Conducted during normal business hours
- Subject to reasonable confidentiality obligations
Lorrano may satisfy audit requests by providing relevant SOC 2 reports, penetration test summaries, or equivalent third-party certifications.
5. Sub-processors
5.1 Authorization
Customer authorizes Lorrano to engage Sub-processors to Process Personal Data on Customer's behalf, subject to the conditions in this section.
5.2 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| DigitalOcean, LLC | Cloud infrastructure, data hosting | United States |
| Cloudflare, Inc. | CDN, security, DNS | United States (global edge) |
| Stripe, Inc. | Payment processing | United States |
| Meta Platforms, Inc. | Social media posting (when connected) | United States |
| TikTok (ByteDance) | Social media posting (when connected) | United States / Singapore |
| Google LLC | Social media posting (when connected) | United States |
5.3 Changes to Sub-processors
Lorrano shall notify Customer at least 14 days before engaging a new Sub-processor or replacing an existing one. Notification will be sent to the email address on the Customer's account.
Customer may object to a new Sub-processor by notifying Lorrano within 14 days of receiving notice. If Customer objects, Lorrano will make reasonable efforts to provide an alternative or allow Customer to terminate the affected portion of the Service without penalty.
5.4 Sub-processor Obligations
Lorrano shall enter into written agreements with each Sub-processor imposing data protection obligations no less protective than those in this DPA. Lorrano remains liable for the acts and omissions of its Sub-processors.
6. International Data Transfers
6.1 Transfer Mechanisms
If Personal Data is transferred from the European Economic Area (EEA), United Kingdom, or Switzerland to a country without an adequacy decision, Lorrano relies on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914).
By entering into this DPA, Customer and Lorrano are deemed to have executed the SCCs with the following module selections:
- Module 2 (Controller to Processor) for transfers from Customer to Lorrano
- Module 3 (Processor to Processor) for onward transfers from Lorrano to its Sub-processors
6.2 Supplementary Measures
Lorrano implements the following supplementary measures to protect transferred data:
- All data is encrypted in transit and at rest
- Access to data is limited to authorized personnel based in the United States
- Lorrano has not received any government access requests to date and will notify Customer if it receives one (unless legally prohibited)
- Lorrano does not participate in any mass surveillance programs
7. Data Retention and Deletion
7.1 During the Term
Lorrano retains Personal Data only as long as necessary to provide the Service and as described in the Privacy Policy.
7.2 Upon Termination
Upon termination of the Service or at Customer's written request, Lorrano shall:
- Delete all Personal Data within 30 days, unless retention is required by law
- Provide Customer with the opportunity to export data before deletion
- Confirm deletion in writing upon request
7.3 Exceptions
Lorrano may retain Personal Data after termination only where required by Applicable Data Protection Law (for example, tax records and legal hold obligations). Such retained data will continue to be protected under this DPA.
8. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service.
9. Term
This DPA is effective as of the Effective Date and continues for as long as Lorrano Processes Personal Data on behalf of Customer. The obligations in this DPA survive termination to the extent Lorrano retains any Personal Data.
10. Conflict
In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
11. Contact
For questions about this DPA:
Data Protection Contact: [email protected]
Legal: [email protected]