Banzai Data Processing Addendum

Revised and Effective as of January 31, 2022

This Data Processing Addendum (“DPA”) supplements and forms part of the written or electronic agreement(s) (individually and collectively the “Agreement”) between Banzai International, Inc. (“Banzai”) and the customer (“Company”) for the purchase, access to, and/or licensing of products, services and/or platforms (collectively the “Services”) from Banzai, including, but not limited to, the Demio webinar software, Banzai Reach and High Attendance, as specified in the Agreement and the applicable Schedule(s) 1 below. This DPA sets out the terms that apply to the Processing of Personal Data by Banzai, on behalf of Company, in the course of providing the Services to the Company under the Agreement. This DPA shall be effective on the effective date of the Agreement. All capitalized terms not defined below will have the meanings set forth in the Agreement.

1. DEFINITIONS

1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, or is a named client of Company. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity. 

1.2. “Authorized Affiliate means any of Company’s Affiliate(s) that use the Services pursuant to the Agreement.

1.3. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq. as may be amended from time to time.

1.4. “Controller means the entity which determines the purposes and means of the Processing of Personal Data.

1.5. “Company Data means the Personal Data Processed by Banzai on behalf of Company and/or its clients in connection with the provision of the Services.

1.6. “Data Protection Laws” means privacy and data protection laws and regulations throughout the world, including the CCPA, laws and regulations of the European Union, the European Economic Area, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement, including the GDPR and the UK GDPR.

1.7. “Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, by use of Personal Data alone or in combination with other Personal Data. 

1.8. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

1.9. “Personal Data” or “Personal Information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with a particular Data Subject, which is included in Company Data Processed by Banzai pursuant to the Agreement. 

1.10. “Personnel means persons, including employees and contractors, authorized by Banzai to Process Company Data. 

1.11. “Process”, “Processed” or “Processing” means any operation or set of operations which is performed on Personal Data, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction. 

1.12. “Processor” means the entity which processes Personal Data on behalf of the Controller.

1.13. “Security Incident” means an actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Data transmitted, stored or otherwise Processed by Banzai pursuant to the Agreement.

1.14. “Standard Contractual Clauses” refers to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), found on the following official URL: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en, and as per the applicable module(s) of the Standard Contractual Clauses as set forth in Schedule 2.

1.15. “Sub-processor” means any other processor  engaged by Banzai that Processes Company Data under the supervision of Banzai. 

1.6 “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).

2. INTERACTION WITH THE AGREEMENT

This DPA supplements the Agreement with respect to any Processing of Company Data by Banzai. In the event of any conflict between this DPA and the Agreement, the terms of this DPA shall prevail. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

3. DATA PROCESSING

3.1. Scope and Roles. This DPA applies when Company Data is Processed by Banzai on behalf of Company, as part of Banzai’s provision of the applicable Services, as specified in the Agreement. Pursuant to the GDPR or similar Data Protection Law, Company is the Controller and Banzai is the Processor. The Controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR, applicable data protection provisions and the Standard Contractual Clauses. For the purposes of the CCPA (to the extent applicable), Company is the “Business” (as defined in the CCPA) and Banzai is the “Service Provider” (as defined in the CCPA). 

3.2. Subject Matter, Duration, Nature and Purpose of Processing. Banzai Processes Company Data as part of providing Company with the Services, pursuant to the specifications and for the duration set forth in the Agreement, and as described in the applicable Schedule(s) 1 below.

3.3. Categories of Data Subjects and Personal Data. Banzai shall process Company Data as set forth in the applicable Schedule(s) 1 below. 

3.4. Instructions. Banzai will only Process Company Data on behalf of and in accordance with Company’s written instructions, including with regard to transfers of personal data to a third country. Banzai will promptly inform Company, if in Banzai’s opinion an instruction infringes any provision under Data Protection Laws. 

3.5. CCPA. Banzai shall not sell Company Data. Banzai shall not retain, use, or disclose Company Data for any purpose other than for the specific purpose of performing the Services.

4. ASSISTANCE

4.1. Rights Request. Banzai shall promptly notify Company in writing if Banzai receives a Data Subject rights request where the Data Subject seeks to exercise any of its rights under the Data Protection Laws (“Rights Request”). Taking into account the nature of the processing, Banzai will assist Company by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Company’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR.

4.2. Cooperation. Banzai shall assist Company  in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, like personal data breach notifications and Data Protection Impact Assessments, taking into account the nature of processing and the information available to Banzai.

5. VENDOR PERSONNEL

5.1. Limitation of Access. Banzai will ensure that Banzai’s access to Personal Data is limited to those Personnel who require such access to perform the Agreement. 

5.2. Confidentiality. Banzai will impose appropriate contractual obligations upon its Personnel engaged in the Processing of Company Data, including relevant obligations regarding confidentiality, data protection, and data security. Banzai will ensure that its Personnel engaged in the Processing of Company Data are informed of the confidential nature of the Company Data and have received appropriate training in their responsibilities.

6. SUB-PROCESSORS

6.1. Banzai may engage Sub-processors to Process Company Data on behalf of Company. Company hereby provides Banzai with a general written authorization to engage all Sub-processors under contract by Banzai as of the effective date of this DPA. All Sub-processors have entered into written agreements with Banzai that bind them by data protection obligations substantially similar to those under this DPA. Banzai will remain fully liable to Company for the performance of that Sub-processor’s obligations.

6.2. Banzai may engage with new Sub-processors (“New Sub-processors”) to Process Company Data on Company’s behalf. Banzai shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Company Data in connection with the provision of the Service. Company may object to the Processing of Company Data by the New Sub-processor, by providing a written objection (email sufficient) on reasonable grounds to Banzai within fifteen (15) business days following Banzai’s written notice to Company of the intended engagement with the New Sub-processor. The parties will make a good-faith effort to resolve Company’s objection. In the absence of a resolution, Banzai will make commercially reasonable efforts to provide Company with the same level of Service, without using the New Sub-processor to Process Company Data. If Company’s concerns with such New Sub-processor are not resolved by Banzai, Company may terminate the Agreement.   

7. CROSS-BORDER DATA TRANSFERS

If the Processing of Company Data by Banzai includes transfers (either directly or via onward transfer) from the European Economic Area, Switzerland (collectively “EEA Transfer”) and/or the UK (“UK Transfer”) to other countries which have not been subject to a relevant adequacy decision by the data protection authorities, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Banzai for the lawful transfer of Personal Data outside the EEA, Switzerland or the UK, as applicable, then (i) the terms set forth in Part 1 of Schedule 2 (EEA Cross Border Transfers) shall apply to any such EEA Transfer; (ii) the terms set forth in Part 2 of Schedule 2 (UK Cross Border Transfers) shall apply to any such UK Transfer; and (iii) the terms set forth in Part 3 of Schedule 2 (Additional Safeguards) shall apply to such an EEA Transfer and UK Transfer.

8. SECURITY

Banzai will implement and maintain administrative, physical and technical safeguards to protect the security, confidentiality and integrity of Company Data. Banzai shall adhere to the data security measures set forth in Schedule 3 (Security Addendum).

9. SECURITY INCIDENT MANAGEMENT AND NOTIFICATION

In the event of any Security Incident the Banzai shall:

9.1. Promptly notify Company in writing, and no later than forty-eight (48) hours after discovery of the Security Incident, providing: (i) all information known about the Security Incident; (ii) relevant and knowledgeable points of contact for ongoing communication with Company, and (iii) such additional details of the circumstances as pertinent to legal obligations (including the category and approximate number of records of any Personal Data affected), to the extent known; and

9.2. Provide such information and assistance as Company may require in order for Company to make any notification or announcement as referred to above.

10. AUDIT AND DEMONSTRATION OF COMPLIANCE

Banzai will make available to Company all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by a third party auditor agreed to by the parties. Audits by Company are subject to the following terms: (i) the audit will be pre-scheduled in writing with Banzai, at least thirty (30) days in advance and will be performed not more than once a year; and (ii) the auditor will execute a non-disclosure agreement with Banzai. Company shall bear the cost of any such audit. Banzai shall promptly remediate any deficiencies discovered in the course of such audit. 

11. RETURN OR DELETION OF PERSONAL DATA

On termination or expiration of the Agreement, unless otherwise required by applicable law, Banzai shall (at Company’s election) promptly, and in any event within thirty (30) days, of Company’s request, return or delete all Company Data.

12. AUTHORIZED AFFILIATES

The parties acknowledge and agree that, by executing the DPA, the Company enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, in which case each Authorized Affiliate agrees to be bound by the Company’s obligations under this DPA.

AGREED AND ACCEPTED

[COMPANY]


____________________________

Name: 

Title: 

Date:

Banzai International, Inc.


____________________________

Name: Joe Davy

Title: CEO

Date:

Schedule 1a – Data Processing for Demio

Subject-matter of the Processing

Demio is a no download webinar software/platform (SaaS) most commonly used for one-to-many online meetings/workshops, but can also be used for one-to-one meetings. Users can set up one-off or recurring, live or automated events, enable chat functionality, share audio, video, presentations, images, links, survey attendees (polls) and more. Users get insights into their webinars, like who and how many attended, session duration, average time attended, average time focused - all over time (to see trends).

Categories of Data Subjects

Company potential and existing customers (webinar attendees) and  Company employees/personnel.

Categories of Personal Data Transferred

Categories of personal data transferred may differ depending on the data exporter's use of the Demio software. For webinar attendees, personal data typically includes name, email address and any other personal data submitted through the registration form, IP address, geographical location, device information, browser type and version, operating system, as well as timing, frequency and pattern of their use of our Services.

Sensitive Data Transferred

Not applicable.

Frequency of Transfer

Continuous while Services are being used, until the Agreement is terminated.

Nature of the Processing

To facilitate online webinars, including host/store webinar attendee lists, webinar content (including recordings, chat transcript etc.), and webinar analytics.

Purpose of the Processing

To provide the Services as described in the Agreement. 

Period Personal Data Will Be Retained

For the Term of the Agreement. We process personal data on behalf of the data exporter for as long as they are a Customer. If the data exporter terminates the Agreement (their use of Demio), we will delete Customer Data within 30 days of account termination (unless they opt for pausing their account, which effectively means they continue to be a Customer).

Subject-matter, nature and duration of processing for transfers to (sub-)processors

The subject matter pertains mainly to infrastructure cloud hosting and services. The nature of the processing relates to facilitating online webinars, including recording, hosting webinar material (recordings, presentation, images etc.), in-webinar chat functionality, and webinar analytics. We also use Sub-processors for content distribution, logging and similar operations that are strictly necessary for delivering our services. The duration of processing is for as long as the data exporter remains a Customer.


Schedule 1b – Data Processing for Reach and similar Banzai Services

Subject-matter of the Processing

Depends on the Services as specified in the Agreement, but could include: Event marketing automation and lead generation services for virtual, in-person and hybrid events. Multi-channel outreach where Customer can upload their own contact lists, target, contact, and register potential event attendees etc. All-in-one virtual event/meeting platform for Customer to plan and execute virtual, in-person, and hybrid events.

Categories of Data Subjects

Company potential and existing customers (e.g., Customer event attendees), and Company employees/personnel.

Categories of Personal Data Transferred

Categories of personal data transferred may differ depending on the data exporter's use of the Services. For event attendees, personal data typically includes name, contact information (e.g., email address, address, phone number), any personal data related to the event(s) they attend and, if applicable, any event recordings they have access to, as well as IP address, geographical location, device information, browser type and version, and operating system.

Sensitive Data Transferred

Not applicable.

Frequency of Transfer

Continuous while Services are being used, until the Agreement is terminated.

Nature of the Processing

To facilitate in-person, hybrid or/and virtual events, which could, depending on the Services covered by the Agreement, include research and store potential attendees lists, verify email addresses, send emails, conduct calls, facilitate online event registration, and, if applicable, record webinars, host webinar content (including recordings, chat transcript etc.), and webinar analytics.

Purpose of the Processing

To provide the Services as described in the Agreement.

Period Personal Data Will Be Retained

For the Term of the Agreement. We process personal data on behalf of the data exporter for as long as they are a Customer. If the data exporter terminates the Agreement, we will delete Customer Data within 30 days of account termination (unless they also use our webinar Services (Demio) and opt for pausing their account, which effectively means they continue to be a Customer).

Subject-matter, nature and duration of processing for transfers to (Sub-)processors

The subject matter pertains mainly to infrastructure cloud hosting and services, email validation services, email services, call center services, event marketing automation and lead generation. The nature of the processing relates to facilitating event invitations and registrations, including communication and registration and, if applicable, or online webinars: recording, hosting webinar material (presentation, images etc.), in-webinar chat functionality, and webinar analytics. We also use Sub-processors for content distribution, logging and similar operations that are strictly necessary for delivering our services. The duration of processing is for as long as the data exporter remains a Customer.


SCHEDULE 2– CROSS BORDER TRANSFERS

Module 2: Controller-to-Processor

PART 1 – EEA Transfers

  1. The parties agree that the terms of the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), as per the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, found on the following official URL: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX%3A32021D0914&locale=en, are hereby incorporated by reference and shall apply to any EEA Transfer.
  2. Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Company as the Controller of the Company Data and Banzai as the Processor of the Company Data.
  3. Clause 7 of the Standard Contractual Clauses (Docking Clause) shall not apply.
  4. The General Written Authorization in Clause 9 of the Standard Contractual Clauses shall apply, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in Section 6 of the DPA.
  5. In Clause 11 of the Standard Contractual Clauses, the optional language will not apply.
  6. In Clause 13 of the Standard Contractual Clauses, the second paragraph shall apply.
  7. In Clause 17 of the Standard Contractual Clauses, Option 1 shall apply, and the Parties agree that the Standard Contractual Clauses shall be governed by the laws of Ireland.
  8. In Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts located in Dublin, Ireland.
  9. Annex I.A of the Standard Contractual Clauses shall be completed as follows:

Data Exporter: The Customer, as specified in the Agreement.

Contact details: As detailed in the Agreement.

Data Exporter Role: Module Two: Controller

Signature and Date: By entering into the Agreement and DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the effective date of the Agreement.

Data Importer: Banzai International, Inc.

Contact details: As detailed in the Agreement.

Data Importer Role: Module Two: Processor.

Signature and Date: By entering into the Agreement and DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the effective date of the Agreement.

  1. Annex I.B of the Standard Contractual Clauses, including in relation to transfers to Sub-processors, shall be completed as set forth in the applicable Schedule(s) 1 of the DPA. 
  2. Annex I.C of the Standard Contractual Clauses shall be completed as follows: 

The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section ‎7 above.

  1. The Security Addendum referred to in Schedule 3 serves as Annex II of the Standard Contractual Clauses.

PART 2 – UK Transfers

1. With respect to any transfers of Company Data falling within the scope of the UK GDPR from the Company (as data exporter) to Banzai (as data importer):

a.) neither the Standard Contractual Clauses nor the DPA shall be interpreted in a way that conflicts with rights and obligations provided for in any laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR;

b.) the Standard Contractual Clauses are deemed to be amended to the extent necessary so they operate:

  1. for transfers made by the Company to Banzai, to the extent that UK GDPR applies to the Company’s processing when making that transfer;
  2. to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR.

c.) the amendments referred to in Section 1(b) include (without limitation) the following:

  1. references to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK GDPR” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article of the UK GDPR;
  2. references to Regulation (EU) 2018/1725 are removed;
  3. references to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”;
  4. the “competent supervisory authority” shall be the UK Information Commissioner;
  5. clause 17 of the Standard Contractual Clauses is replaced with the following: “These Clauses are governed by the laws of England and Wales”;
  6. clause 18 of the Standard Contractual Clauses is replaced with the following: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts”;
  7. any footnotes to the Standard Contractual Clauses are deleted in their entirety.

PART 3 – Additional Safeguards 

1. In the event of an EEA Transfer or a UK Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate: 

a.) Banzai will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Company Personal Data protected under GDPR or the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”).

b.) If Banzai becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Company Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:

  1. Banzai shall inform the relevant government authority that the Banzai is a processor of the Personal Data and that the Company has not authorized Banzai to disclose the Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon the Company in writing;
  2. Banzai will use commercially reasonable legal mechanisms to challenge any such demand for access to Company Data which is under the Banzai’s control. Notwithstanding the above, (a) the Company acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Company Data, Banzai has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection shall not apply. In such event, Banzai shall notify the Company, as soon as possible, following the access by the government authority, and provide the Company with relevant details of the same, unless and to the extent legally prohibited to do so.

2. Once in every 12-month period, Banzai will inform the Company at the Company’s written request, to the extent permitted by applicable law, of the types of binding legal demands for Company Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.

SCHEDULE 3

SECURITY ADDENDUM

Banzai leverages Whistic which facilitates zero-touch assessments via the Whistic Trust Catalog which contains security information for more than 35,000 businesses. We regularly update our audit reports for each software system we support. 

These reports for Banzai and its products can be accessed on demand via https://whistic.banzai.io and https://demio.banzai.io or by emailing privacy@banzai.io.

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Measures of pseudonymisation and encryption of personal data

Banzai’s databases that store Customer Personal Data are encrypted using the Advanced Encryption Standard (AES). Customer data is encrypted in transit between the Customer’s software application and Banzai using TLS v1.2.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Banzai uses a variety of tools and mechanisms to achieve high availability and resiliency. Banzai’s infrastructure spans multiple fault-independent availability zones in geographic regions physically separated from one another using Amazon Web Services (AWS). We employ orchestration tooling that has the ability to regenerate hosts, building them from the latest backup.

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Banzai leverages specialized tools that monitor server performance, data, and traffic load capacity within each data center and all subsequent development and production environments. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, these tools increase the capacity or shift traffic to relieve any suboptimal server performance or capacity overload. Banzai is also immediately notified in the event of any suboptimal server performance or overloaded capacity. We can restore any system and service within a short window using our incremental backup systems.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Banzai has developed and implemented a security control environment designed to protect the confidentiality, integrity, and availability of customers’ systems. Our Privacy Policy and Acceptable Use Policy governs the requirements for use of customer data in accordance with several industry standards. 

Banzai conducts a variety of regular internal and external audits that are inclusive of security operations. 

Measures for user identification and authorisation

We leverage a Zero Trust policy for all access controls that access Banzai’s computing  assets be granted based on business justification. These policies are based on limits based on "need to-know" and "least-privilege" principles. In addition, the policy also addresses requirements for access management lifecycle including access provisioning, authentication, access authorization, removal of access rights and periodic access reviews. Documentation of these requirements is recorded and provided to external auditors for security certification testing.

Measures for the protection of data during transmission
Measures for the protection of data during storage

Banzai's databases that store Customer Personal Data are encrypted using the Advanced Encryption Standard (AES). Customer data stored by Banzai's is encrypted in transit between the Customer’s software application and Banzai using TLS v1.2.

Measures for ensuring physical security of locations at which personal data are processed

Amazon provides physical data center access only to approved employees and Banzai has no access to these locations. Amazon employees who need data center access must first apply for access and provide a valid business justification. These requests are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access, and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions.

Measures for ensuring events logging

Banzai measures and logs all access to services and applications for all it’s development and production systems. Logging of services, user and security events (application access, web server logs, monitoring, FTP server logs, etc.) is enabled and retained centrally. Banzai restricts access to audit logs to authorized personnel based on job responsibilities.

Audit logging procedures are reviewed as part of external audits for security standards.

Measures for ensuring system configuration, including default configuration

Measures for internal IT and IT security governance and management

Banzai has developed and implemented a security control environment designed to protect the confidentiality, integrity, and availability of Customers’ systems. Banzai performs an annual internal review of all security management policies and procedures and we perform audits before and after employee changes. These regular internal and external audits that are inclusive of security operations and are managed by the IT Department. 

Measures for certification/assurance of processes and products

Measures for ensuring data minimisation

Measures for ensuring data quality

Measures for ensuring limited data retention

Measures for ensuring accountability

Measures for allowing data portability and ensuring erasure

Information about how Banzai processes personal data is set forth in the Privacy Policy available at https://www.banzai.io/legal/privacy-policy. 

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

When Banzai engages a Sub-processor, Banzai and the Sub-processor enter into an agreement that bind them by data protection obligations substantially similar to those under this DPA. Each Sub-processor agreement must ensure that Banzai is able to meet its obligations to our customers. In addition to implementing technical and organizational measures to protect personal data, Sub-processors must (a) notify Banzai in the event of a Security Incident so Banzai may notify it's customers; and (b) delete personal data when instructed by Banzai in accordance with Customer’s instructions to Banzai.

ANNEX III – LIST OF SUB-PROCESSORS

The Customer has authorised the use of the following Sub-processors, as found on the data importer's websites here: https://www.banzai.io/subprocessors and https://www.demio.com/subprocessors. 

Use of Sub-processors, including any addition or replacement of Sub-processors, will be in accordance with Clause 9.