
Breeze RMM — Data Processing Addendum

Effective Date: April 8, 2026
Last Updated: April 8, 2026

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Breeze RMM Hosted Terms of Service (“Agreement”) between Lantern Ops, LLC, a Colorado limited liability company doing business as Breeze RMM (“Breeze,” “Processor,” “we,” “us,” or “our”) and the Customer identified in the Agreement (“Customer,” “Controller,” “you,” or “your”).

This DPA sets forth the parties’ obligations with respect to the processing of personal data in connection with the Platform and Agent Software, as those terms are defined in the Agreement.

In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of personal data, consistent with the order of precedence in Section 2.2 of the Agreement.


1. Definitions

“Applicable Data Protection Law” means all laws and regulations relating to the processing of personal data that apply to the processing activities under this DPA, including (a) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); (b) the UK General Data Protection Regulation as retained under the Data Protection Act 2018 (“UK GDPR”); (c) the Swiss Federal Act on Data Protection (“FADP”); (d) the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”); and (e) any other applicable U.S. state privacy laws.

“Controller” means the entity that determines the purposes and means of the processing of personal data. Under this DPA, the Customer is the Controller.

“Data Subject” means an identified or identifiable natural person whose personal data is processed under this DPA.

“EU SCCs” means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by the European Commission pursuant to Implementing Decision (EU) 2021/914.

“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Breeze on behalf of the Customer in connection with the Platform, as further described in Annex I.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Breeze.

“Processor” means the entity that processes personal data on behalf of the Controller. Under this DPA, Breeze is the Processor.

“Processing” means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

“Sub-Processor” means any third party engaged by Breeze to process Personal Data on behalf of the Customer.

“Supervisory Authority” means an independent public authority responsible for monitoring the application of data protection law.


2. Scope and Roles

2.1 Roles of the Parties

The Customer is the Controller and Breeze is the Processor with respect to the Personal Data processed under this DPA.

2.2 Subject Matter and Purpose

Breeze processes Personal Data solely to provide the Platform and related services described in the Agreement, including device monitoring and management, remote access, security scanning, patch management, script execution, network discovery, AI-powered assistance, and automation.

2.3 Nature and Duration of Processing

Processing continues for the duration of the Agreement and, following termination, for the limited period described in Section 12 of this DPA.

2.4 Categories of Data Subjects and Personal Data

The categories of Data Subjects and types of Personal Data processed under this DPA are described in Annex I.


3. Customer Obligations

3.1 Lawfulness of Processing

The Customer is responsible for ensuring that its collection and use of Personal Data through the Platform complies with Applicable Data Protection Law, including:

  1. Establishing a valid legal basis for the processing of Personal Data;
  2. Providing all required notices to Data Subjects regarding the processing of their Personal Data;
  3. Obtaining any consents required under Applicable Data Protection Law;
  4. Ensuring that the Customer’s instructions to Breeze comply with Applicable Data Protection Law; and
  5. Entering into appropriate data processing agreements with its own clients where the Customer acts as an MSP.

3.2 Data Accuracy

The Customer is responsible for ensuring the accuracy and quality of Personal Data provided to or collected through the Platform.


4. Processing Instructions

4.1 Documented Instructions

Breeze shall process Personal Data only on the Customer’s documented instructions, unless required to do so by applicable law. In such a case, Breeze shall inform the Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.

4.2 Scope of Instructions

The Customer’s documented instructions are set forth in this DPA, the Agreement, and any written instructions communicated by the Customer to Breeze during the term. The Customer’s use of the Platform’s features and configuration of data collection settings constitute documented instructions.

4.3 Prohibited Processing

Breeze shall not:

  1. Process Personal Data for any purpose other than as necessary to provide the Platform;
  2. Sell, share, or disclose Personal Data to third parties for advertising, marketing, or any commercial purpose unrelated to providing the Platform;
  3. Combine Personal Data received from the Customer with personal data received from other sources, except as necessary to provide the Platform; or
  4. Use Personal Data to train machine learning or artificial intelligence models, whether proprietary or third-party.

5. Personnel

5.1 Confidentiality

Breeze shall ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.2 Training

Breeze shall ensure that all personnel with access to Personal Data receive appropriate data protection awareness training.

5.3 Access Limitations

Breeze limits access to Personal Data to those personnel who require access to perform their duties, consistent with the principle of least privilege.


6. Security Measures

6.1 Technical and Organizational Measures

Breeze implements and maintains appropriate technical and organizational security measures to protect Personal Data, as described in Annex II. These measures include, at a minimum:

  1. Encryption in Transit: TLS 1.2 or higher for all data in transit; DTLS/SRTP via WebRTC for remote desktop sessions;
  2. Encryption at Rest: AES-256 encryption for Personal Data stored in databases;
  3. Authentication and Access Control: Multi-factor authentication; SHA-256 hashed agent tokens with optional mutual TLS (mTLS); role-based access control with granular permissions and least-privilege enforcement;
  4. Multi-Tenant Isolation: Organization-scoped access controls and row-level security (RLS) policies;
  5. Rate Limiting: Redis-backed sliding window rate limiting;
  6. Audit Logging: Comprehensive, tamper-resistant audit logs;
  7. Network Security: Firewall rules, intrusion detection, and DDoS mitigation;
  8. Organizational Controls: Background checks, security awareness training, incident response plan, and business continuity procedures; and
  9. Compliance Verification: Breeze is working toward SOC 2 Type II certification and will undergo annual independent audits and third-party penetration testing once the Platform reaches the required operational maturity.

6.2 Ongoing Assessment

Breeze regularly evaluates and, where necessary, updates its security measures. Any changes shall not materially reduce the overall level of protection afforded to Personal Data.


7. Sub-Processors

7.1 General Authorization

The Customer provides general written authorization for Breeze to engage Sub-Processors, subject to the requirements of this Section 7.

7.2 Current Sub-Processors

A current list of Breeze’s Sub-Processors is maintained at breezermm.com/legal/sub-processors.

7.3 Notification of New Sub-Processors

Breeze shall notify the Customer at least thirty (30) days before engaging a new Sub-Processor or replacing an existing Sub-Processor.

7.4 Objection Right

If the Customer has a reasonable, data-protection-related objection to a new Sub-Processor, the Customer shall notify Breeze in writing within thirty (30) days. The parties shall negotiate in good faith to resolve the concern. If no resolution is reached within thirty (30) days, the Customer may terminate the affected services without penalty.

7.5 Sub-Processor Obligations

Breeze shall enter into a written agreement with each Sub-Processor that imposes data protection obligations no less protective than those set forth in this DPA, and remains fully liable for the acts and omissions of its Sub-Processors.


8. International Data Transfers

8.1 Transfer Mechanisms

For transfers of Personal Data from the EEA, the United Kingdom, or Switzerland to countries that have not received an adequacy decision, Breeze relies on the Standard Contractual Clauses (SCCs) adopted by the European Commission (Implementing Decision (EU) 2021/914), incorporated into this DPA by reference, with Module Two (Controller to Processor) and Module Three (Processor to Processor) applying.

8.2 SCC Configuration

For the purposes of the EU SCCs:

  1. Clause 7 (Docking Clause): The optional docking clause applies;
  2. Clause 9(a): Option 2 (general written authorization) applies, with a thirty (30) day notification period;
  3. Clause 11: The optional language regarding independent dispute resolution is not included;
  4. Clause 13(a): The competent supervisory authority is determined by the Customer’s establishment;
  5. Clause 17: Governed by the law of the Customer’s EU Member State, or Ireland if that law does not allow third-party beneficiary rights; and
  6. Clause 18(b): Disputes are resolved before the courts of the Customer’s EU Member State, or Dublin, Ireland.

8.3 Transfer Impact Assessment

Breeze has conducted a transfer impact assessment and has determined that, together with the supplementary measures described in Annex II, the transfer mechanisms provide an adequate level of protection.

8.4 Alternative Transfer Mechanisms

If the applicable transfer mechanism is invalidated, the parties shall cooperate to implement an alternative lawful mechanism within ninety (90) days. If no alternative is established, the Customer may terminate the affected services without penalty.

8.5 Regional Hosting and EU Data Residency

Breeze operates two independent regional tenants of the Platform:

  • US Region (us.2breeze.app) — primary Customer Data is stored and processed in DigitalOcean datacenters located in the United States.
  • EU Region (eu.2breeze.app) — primary Customer Data is stored and processed in DigitalOcean’s Frankfurt, Germany datacenter (FRA1).

Customers may select the EU Region at account creation to keep their primary Customer Data resident in Germany. For EU Region customers:

  1. All platform databases (PostgreSQL), caching layers (Redis), object storage, and application servers handling Customer Data are hosted in DigitalOcean’s Frankfurt (FRA1) datacenter;
  2. Customer Data is not replicated to the US Region, and the two tenants are fully isolated at the infrastructure and data layers;
  3. The international transfer mechanisms in Sections 8.1–8.3 apply only to the limited categories of data processed by sub-processors that operate exclusively or primarily from the United States, as described below; and
  4. EU Region customers may continue to rely on the Standard Contractual Clauses as supplementary safeguards for any residual cross-border processing.

The following sub-processors process limited categories of Customer Data outside the EU even for EU Region customers, subject to the transfer mechanisms in this Section 8:

  • Anthropic, PBC (United States) — Only when Authorized Users invoke AI-powered features. The prompts, device metadata, and diagnostic data submitted to the AI Agent are processed in the United States. Customers may disable AI features to prevent any transfer of data to Anthropic.
  • Stripe, Inc. (United States) — Billing contact and payment method metadata for subscription processing. Stripe does not process Customer Data collected from Managed Devices.
  • Cloudflare, Inc. (global edge network) — Network traffic metadata and connection data transit Cloudflare’s global edge, including EU points of presence where available. Cloudflare’s EU edge locations handle the majority of EU Region traffic.
  • GitHub, Inc. (United States) — Deployment infrastructure only. GitHub does not process Customer Data.

The choice of region does not affect the security, functional, or contractual commitments of the Platform. Customers that have selected the US Region and later require EU data residency may contact [email protected] to discuss migration options.


9. Data Subject Rights

9.1 Assistance with Data Subject Requests

Breeze shall assist the Customer in fulfilling its obligations to respond to Data Subject requests, including access, rectification, erasure, restriction, data portability, and objection.

9.2 Notification of Requests

If Breeze receives a request from a Data Subject directly, Breeze shall promptly redirect the request to the Customer.

9.3 Technical Measures

Breeze provides API access, platform features for searching and deleting data by Data Subject identifiers, configurable data retention periods, and documented data schemas to assist with Data Subject requests.

9.4 Costs

Where assistance requires effort beyond what is reasonably necessary using the Platform’s standard features, Breeze may charge a reasonable fee based on administrative costs.


10. Data Protection Impact Assessments

Upon the Customer’s reasonable request, Breeze shall provide information necessary to conduct DPIAs under GDPR Article 35 and shall assist with prior consultations with Supervisory Authorities under GDPR Article 36 where required.


11. Security Incident Notification

11.1 Notification Obligation

In the event of a Personal Data Breach, Breeze shall notify the Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach.

11.2 Content of Notification

The notification shall include the nature of the breach, categories and approximate numbers of Data Subjects and records affected, the likely consequences, and measures taken or proposed to address the breach.

11.3 Ongoing Updates

Where it is not possible to provide all information at the time of initial notification, Breeze shall provide the information in phases as it becomes available.

11.4 Assistance with Customer Obligations

Breeze shall assist the Customer in fulfilling its own notification obligations to Supervisory Authorities under GDPR Article 33 and to affected Data Subjects under GDPR Article 34.

11.5 Post-Incident Report

Breeze shall provide a post-incident report with root cause analysis and preventive measures within thirty (30) days of incident resolution.


12. Data Deletion and Return

12.1 Data Retrieval Period

Following termination of the Agreement, the Customer may retrieve its Personal Data for a period of thirty (30) days. Breeze shall provide data in a standard, machine-readable format (JSON or CSV).

12.2 Deletion from Active Systems

After the Data Retrieval Period, Breeze shall permanently delete all Personal Data from active systems within thirty (30) days.

12.3 Backup Purge

Personal Data may persist in encrypted backups for up to ninety (90) days following deletion from active systems, after which it shall be purged.

12.4 Certification of Deletion

Upon written request, Breeze shall certify in writing that all Personal Data has been deleted in accordance with this Section 12.

12.5 Legal Retention

Breeze may retain Personal Data to the extent required by applicable law, subject to continued security measures and limited to the minimum data and duration required.


13. Audits and Compliance

13.1 Audit Information

Breeze shall make available, to the extent currently maintained, documentation of security measures, records of Sub-Processor due diligence, and current compliance status. Once achieved, SOC 2 Type II audit reports and annual penetration test summaries will also be made available upon written request.

13.2 Customer Audits

Breeze shall allow for and contribute to audits conducted by the Customer or a qualified third-party auditor, subject to thirty (30) days’ prior written notice, normal business hours, confidentiality obligations, and a limit of one audit per twelve (12) month period unless a Personal Data Breach has occurred.

13.3 Supervisory Authority Audits

Breeze shall cooperate with any audit or investigation by a competent Supervisory Authority to the extent required by Applicable Data Protection Law.


14. CCPA and U.S. State Privacy Law Provisions

14.1 Service Provider Status

For the purposes of the CCPA/CPRA, Breeze is a “Service Provider” as defined in Cal. Civ. Code section 1798.140(ag).

14.2 Restrictions on Use

Breeze shall not sell or share Personal Information; retain, use, or disclose it for any purpose other than the business purposes specified in the Agreement; retain, use, or disclose it outside of the direct business relationship; or combine it with personal information from other sources, except as permitted by the CCPA/CPRA.

14.3 CCPA Compliance Certification

Breeze certifies that it understands the restrictions in Section 14.2 and will comply with them.

14.4 Right to Audit

The Customer has the right to take reasonable steps to ensure Breeze’s compliance with the CCPA/CPRA, including through the audit rights in Section 13.

14.5 Notification of Inability to Comply

Breeze shall promptly notify the Customer if it determines that it can no longer meet its obligations under the CCPA/CPRA.

14.6 Other U.S. State Privacy Laws

To the extent that Personal Data is subject to other U.S. state privacy laws (including the Colorado Privacy Act, Virginia CDPA, Connecticut DPA, and similar laws), Breeze shall process such data in accordance with the applicable requirements, which are substantially addressed by this DPA.


15. UK and Swiss Addendum

15.1 UK International Data Transfer Addendum

For transfers of Personal Data from the United Kingdom, the International Data Transfer Addendum to the EU SCCs (“UK IDTA”) is incorporated into this DPA by reference. The UK IDTA tables reference the parties, SCCs, and annexes set forth in this DPA.

15.2 UK-Specific References

For processing subject to the UK GDPR: references to “GDPR” shall be read as references to the UK GDPR; “Supervisory Authority” includes the ICO; the governing law is England and Wales; and disputes shall be resolved before the courts of London.

15.3 Swiss Addendum

For transfers from Switzerland, the EU SCCs apply with modifications required by the Swiss FDPIC, including that the competent authority is the FDPIC, the governing law is Swiss law, disputes are resolved in Zurich, and the term “data subject” includes legal entities to the extent required by the FADP.


16. General Provisions

16.1 Term

This DPA takes effect on the Effective Date and remains in effect for the duration of the Agreement.

16.2 Order of Precedence

In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data.

16.3 Amendments

This DPA may be amended only in writing signed by both parties, except that Breeze may update Annex I and Annex II to reflect changes in processing activities, provided that any such update does not materially reduce the protections afforded to Personal Data.

16.4 Governing Law

This DPA is governed by the same law that governs the Agreement, except to the extent that the EU SCCs, UK IDTA, or Swiss Addendum specify different governing law.

16.5 Data Protection Officer

Breeze’s Data Protection Officer can be contacted at [email protected].


Annex I — Description of Processing Activities

A. List of Parties

Data Exporter (Controller): The Customer identified in the Agreement.

Data Importer (Processor): Lantern Ops, LLC (d/b/a Breeze RMM), PO Box 83, Berthoud, CO 80513. Contact: [email protected].

B. Description of Transfer

Categories of Data Subjects:

  • End Users of Managed Devices (employees, contractors, and other personnel of the Customer’s clients)
  • Authorized Users of the Platform (the Customer’s employees and contractors)
  • Individuals whose personal data is incidentally captured in device logs or monitoring data

Categories of Personal Data:

Category | Examples
Device Identifiers | Hostname, serial number, OS version, agent version
Network Configuration | IP addresses, MAC addresses, DNS servers, gateway, network interfaces
User Session Data | Logged-in usernames, session types, idle time
Event Logs | Windows Event Log entries, system logs, application logs
Remote Session Metadata | Session start/end timestamps, initiating Authorized User, target device
Script Execution Data | Command output (stdout/stderr)
AI Interaction Data | Prompts, responses, tool executions, and screenshots (when explicitly captured)
Network Discovery Data | Discovered devices including IP addresses, MAC addresses, hostnames, and open ports
Security Status | AV provider, firewall state, encryption status, patch level, threat detections
Software Inventory | Installed applications, versions, publishers, install dates
Configuration State | Registry values, configuration file contents

Sensitive Data: Breeze does not intentionally process special categories of personal data (Article 9 GDPR). However, event logs, script outputs, or other Customer-controlled data may incidentally contain sensitive information.

Frequency of Transfer: Continuous during the term, with varying frequency by data type (heartbeat every 60–300 seconds; inventory on change detection; event logs approximately every 60 seconds; remote session and AI data only during active sessions).

Purpose of Processing: To provide the Platform and related services, including device monitoring and management, remote access, security scanning, patch management, script execution, network discovery, AI-powered assistance, automation, and reporting.


Annex II — Technical and Organizational Security Measures

1. Encryption

Measure | Implementation
Encryption in Transit | TLS 1.2 or higher for all API, WebSocket, and agent communications; DTLS/SRTP via WebRTC for remote desktop sessions
Encryption at Rest | AES-256 encryption for data stored in databases
Agent Authentication | SHA-256 hashed tokens; optional mutual TLS (mTLS) with Cloudflare-issued client certificates

2. Access Control

Measure | Implementation
User Authentication | Email/password with multi-factor authentication (TOTP); JWT-based session management
Role-Based Access Control | Granular permissions with principle of least privilege; partner, organization, site, and device-level scoping
Agent Authentication | Per-device cryptographic tokens (brz_ prefix) hashed with SHA-256; optional mTLS
Internal Access | Least-privilege access with regular access reviews; background checks for personnel with access to Personal Data

3. Multi-Tenant Isolation

Measure | Implementation
Logical Isolation | Organization-scoped access controls on all data queries
Row-Level Security | PostgreSQL RLS policies enforcing tenant boundaries at the database level
API Enforcement | Middleware validates organization scope on every authenticated request

4. Monitoring and Logging

Measure | Implementation
Audit Logging | Comprehensive, tamper-resistant audit logs of all administrative actions, API calls, remote access sessions, and AI interactions
Abuse Monitoring | Anomalous usage pattern detection consistent with CISA guidance
Rate Limiting | Redis-backed sliding window rate limiting on authentication endpoints and API calls

5. Network Security

Measure | Implementation
Firewall | Firewall rules restricting access to production systems
DDoS Mitigation | DDoS mitigation through infrastructure provider
Intrusion Detection | Network intrusion detection and monitoring

6. Organizational Measures

Measure | Implementation
Personnel Security | Background checks for personnel with access to Personal Data
Training | Security awareness training for all employees
Incident Response | Documented incident response plan with regular testing
Business Continuity | Business continuity and disaster recovery procedures
Compliance Audits | Planned: SOC 2 Type II certification and annual third-party penetration testing (in progress as the Platform matures)

7. Data Minimization and Storage Limitation

Measure | Implementation
Data Minimization | Platform collects only data necessary for monitoring, management, security, and automation features; customers may configure collection scope
Retention Controls | Configurable retention periods per data category; automated data purge at retention expiry
Post-Termination | 30-day data retrieval period; deletion from active systems within 30 days thereafter; backup purge within 90 days

Lantern Ops, LLC | PO Box 83, Berthoud, CO 80513 | breezermm.com | [email protected] | [email protected]