Banzai Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements and forms part of the written or electronic agreement(s) (individually and collectively the “Agreement”) between Banzai International, Inc. (“Banzai”) and customer (“Customer”) for the purchase, access to, and/or licensing of products, services and/or platforms (collectively the “Services”) from Banzai in the Agreement to reflect the parties’ agreement with regard to the Processing of Personal Data.  In the event of a conflict between the terms of the Agreement as it relates to the Processing of Personal Data and this DPA, the DPA shall prevail.  This DPA shall be effective for the duration of the Agreement (or longer to the extent required by applicable law).

In the course of providing the Services to Customer pursuant to the Agreement, Banzai may Process Personal Data on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

1. DEFINITIONS

Banzai Personal Data” means Personal Data provided by Banzai to Customer.

Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

Customer” means the entity that is a party to the Agreement, other than Banzai.

Customer Personal Data” means Personal Data provided by Customer to Banzai.

Data Protection Laws” means all data protection and data privacy laws and regulations applicable to the relevant party, including but not limited to the EU General Data Protection Regulation (GDPR), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and the California Consumer Privacy Act (CCPA).

Data Subject” means the identified or identifiable person or household to whom Personal Data relates.

Personal Data” shall have the meaning ascribed to “personally identifiable information,” “personal information,” “personal data” or equivalent terms as such terms are defined under Data Protection Laws.

Personal Data Incident” shall have the meaning assigned by Data Protection Laws to the terms “security incident,” “security breach” or “personal data breach” means the unauthorized or unlawful access, use, modification, theft, processing, disclosure, or destruction of Customer Personal Data.

Processing” means any operation or set of operations that is performed on Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor” means the entity that Processes Personal Data on behalf of the Controller.

Subprocessor” means a Processor engaged by a Processor to process Personal Data.

2. PERSONAL DATA PROCESSING

2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Controller and Banzai is the Processor.

2.2 Customer’s Instructions for the Processing of Customer Data. Customer’s instructions for the Processing of Customer Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data provided by the Customer to Banazi and the means by which Customer acquired Customer Personal Data.

2.3 Banzai’s Processing of Customer Personal Data. Banzai shall only Process Customer Personal Data on behalf of and in accordance with Customer’s instructions and for the following purposes: (i) Processing in accordance with the Agreement; and (ii) Processing to comply with other documented reasonable instructions provided by Customer where such instructions are consistent with the terms of the Agreement. Banzai shall inform Customer if, in Banzai’s opinion, an instruction is in violation of Data Protection Laws. For the avoidance of doubt, Banzai will not collect, retain, use, sell, or otherwise disclose Customer Personal Data for any purpose other than for the specific purpose of performing the Services. To the extent Banzai uses or otherwise processes Personal Data subject to the Data Protection Laws in connection with Banzai’s legitimate business operations, Banzai will be an independent data controller for such use and will be responsible for complying with all applicable laws and controller obligations. Banzai employs safeguards to protect Personal Data in processing, including those identified in this DPA and those contemplated in Article 6(4) of the GDPR.

2.4 Details of the Processing. The subject matter of Processing of Customer Personal Data by Banzai is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Customer Personal Data Processed and the categories of Data Subjects for whom Customer Personal Data is Processed are set forth in Schedule 1.

2.5 Confidentiality. Banzai shall ensure only authorized personnel who have undergone appropriate training in the protection and handling of Customer Personal Data and are bound to respect the confidentiality of Customer Personal Data have authorized access to the same.

2.6 Security Controls. Banzai shall implement appropriate technical and organizational measures to maintain the security, confidentiality and integrity of Customer Personal Data, including measures designed to protect against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data.

2.7 Data Subject Requests. Banzai shall, taking into account the nature of the Processing, assist the Customer, as Data Controller, by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Customer’s obligation to respond to requests from a Data Subject exercising that Data Subject’s rights under Data Protection Laws.

2.8 Data Protection Impact Assessment. Banzai shall, upon Customer’s written request and taking into account the nature of Processing and information available, provide reasonable assistance to Customer in connection with obligations under Articles 32 and 36 of the GDPR or equivalent provisions under Data Protection Laws.

2.9 Return or Deletion of Personal Data. Banzai shall, upon Customer’s written request, promptly destroy or return any Customer Personal Data after the end of the provision of Services, unless storage of the Customer Personal Data is required by applicable law.

2.10 Data Processor Point of Contact. If Customer has any questions regarding Processing of Personal Data by Banzai, Customer may send such questions to the following email: legal@getbanzai.com.

2.11 Banzai Personal Data.  Each party to this DPA: (a) is an independent controller of Banzai Personal Data under the Data Protection Laws; (b) will individually determine the purposes and means of its processing of Banzai Personal Data; and (c) will comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of the Banzai Personal Data.  If Banzai Personal Data is transferred from the European Economic Area or the UK to the United States, Customer agrees either (i) to maintain its Privacy Shield certification throughout the term of the Agreement and to promptly notify Customer in writing if Banzai ceases to maintain, or anticipates the revocation or withdrawal, or is otherwise challenged by any regulatory authority as to the status of, or makes a determination itself that it can no longer meet its obligations under, the Privacy Shield, or (ii) to abide by the principles of the Privacy Shield throughout the term of the Agreement as though it were certified.

3. SUBPROCESSORS

3.1 Appointment of Subprocessors. Customer acknowledges and agrees that Banzai may engage Subprocessors in connection with provision of the Services. Banzai shall enter into a written agreement with any engaged Subprocessor that contains data protection obligations no less protective than those contained in this DPA.

3.2 List of Current Subprocessors. Banzai shall make available to Customer the current list of Subprocessors for the Services on request.

3.3 Notification of New Subprocessors. Banzai will notify Customer in writing of any changes to this list of Subprocessors.

3.4 Objection to New Subprocessors. Customer may object to Banzai’s use of a new Subprocessor by notifying Banzai in writing within ten (10) business days after receipt of Banzai’s communication advising of the new Subprocessor. In the event Customer reasonably objects to the use of a new Subprocessor, Banzai will use reasonable efforts to address Customer’s objections. If Banzai is unable to make available such change within a reasonable period, which shall not exceed ninety (90) days, Customer may terminate the applicable Agreement with respect only to those Services which cannot be provided by Banzai without the use of the objected-to new Subprocessor by providing written notice to Banzai.

3.5 Liability. Banzai shall be liable for the acts and omissions of its Subprocessors to the same extent Banzai would be liable if performing the services of each Subprocessor directly under the terms of this Data Processing Agreement, except as otherwise set forth in the Agreement.

4. PERSONAL DATA INCIDENTS

4.1 Banzai shall notify Customer without undue delay (and in any event within forty-eight (48) hours) after becoming aware of a Personal Data Incident. Banzai shall identify the cause of such Personal Data Incident and take those steps necessary in order to remediate the cause of such a Personal Data Incident.

5. INTERNATIONAL DATA TRANFERS

5.1 Personal Data Transfers. Customer agrees to allow transfer of Customer Personal Data outside the country from which it was originally collected provided that such transfer is required in connection with the provision of Services under the Agreement and such transfers take place in accordance with Banzai’s EU-US and Swiss-US Privacy Shield certification.

5.2 Privacy Shield Certification. Banzai agrees to maintain its Privacy Shield certification throughout the term of the Agreement. Banzai shall promptly notify Customer in writing if Banzai ceases to maintain, or anticipates the revocation or withdrawal, or is otherwise challenged by any regulatory authority as to the status of, or makes a determination itself that it can no longer meet its obligations under, the Privacy Shield.

6. AUDITS

6.1 On no more than an annual basis and upon thirty (30) days’ notice in writing, Banzai, to the extent that it is acting as a Data Processor to Customer, shall make available to Customer information necessary to demonstrate compliance with the obligations set forth under Data Protection Laws, provided that Banzai shall have no obligation to provide confidential information. On no more than an annual basis and upon thirty (30) days’ notice in writing, Banzai shall, to the extent that it is acting as a Data Processor to Customer, following a request by Customer and at Customer’s expense, further allow for and contribute to audits and inspections by a mutually agreed third party auditor. The scope, timing, and duration of any such audits, including conditions of confidentiality, shall be mutually agreed upon by Banzai and Customer prior to initiation.  Customer shall promptly notify Banzai with information regarding non-compliance discovered during the course of an audit, and Banzai shall use commercially reasonable efforts to address any confirmed non-compliance.  Customer will reimburse Banzai for its reasonable costs associated with any such audit.