Sub-processor List

Last updated: 26 April 2026 · Lantern by Augmt Pty Ltd

To receive advance notice of changes to this list (per § 5 of the DPA), email [email protected] with the subject "subscribe sub-processor changes". Notifications go out at least 30 days before any new Sub-processor is engaged.

Lantern engages the following Sub-processors to deliver the Service. Each is bound by data-protection obligations at least as protective as those in our Data Processing Addendum.

| Sub-processor | Purpose | Data processed | Location | Transfer mechanism |
| --- | --- | --- | --- | --- |
| Cloudflare, Inc. | CDN, DNS, edge compute (Workers, Pages), object storage (R2), KV cache, email routing, anti-abuse on login (Turnstile) | All Personal Data in transit; R2 object storage (screenshots, recordings, source maps); session cookies; cached state; on each password login attempt, Turnstile receives the visitor's IP and a browser fingerprint generated by its widget — Cloudflare's bot-management signal, not durable customer data | Global edge network (data resident in nearest region; primary: US, EU). Turnstile siteverify endpoint resolves to Cloudflare's nearest edge. | SCCs (Module 2) + Cloudflare DPA |
| Neon, Inc. | Managed Postgres database (primary data store) | All structured Personal Data — accounts, projects, pin reports, comments, error events, audit log | EU (Frankfurt) | EU storage; no transfer mechanism required for EU data |
| Resend, Inc. | Transactional email delivery (magic links, invites, bug-report notifications, password reset) | Recipient email address, recipient name, email subject, email metadata | US | SCCs (Module 2) |
| Stripe, Inc. | Payment processing and subscription billing | Billing contact name, email, address; payment method (held by Stripe, not Lantern); invoice history | US | SCCs (Module 2) + Stripe DPA |
| Anthropic, PBC | AI-assisted bug analysis (LanternIQ feature) | Bug report contents and (where the customer has connected their repo) excerpts of source code, sent to Claude API at request-time. Anthropic does not retain or train on API inputs/outputs by default; see Anthropic Privacy Policy. | US | SCCs (Module 2) + Anthropic DPA |
| BetterStack (Logtail) | Application log ingestion (request logs, error tracking on Lantern itself — not customer-captured errors) | API request paths, status codes, request IDs, IP addresses, user-agent strings. 30-day retention. | EU (Frankfurt) | EU storage; no transfer mechanism required for EU data |
| Atlassian (Jira) / Slack / Atlassian (Bitbucket) | Optional integrations — only activated if Customer connects them. When activated, Lantern transmits bug content to the connected workspace at Customer's instruction. | Bug content, attachments, environment metadata, source-code requests (Bitbucket only) | US (Atlassian / Slack global) | Each vendor's DPA + SCCs as needed |

Vendors out of scope

The following vendors handle Lantern's own data only (not Customer Personal Data) and are not Sub-processors under the DPA:

Change history

| Date | Change |
| --- | --- |
| 2026-04-26 | Initial list published |

Questions: [email protected]