For personal data about an Organiser’s viewers and customers, the Organiser is the Controller and Zanzo is the Processor. Zanzo only processes that data on the Organiser’s documented instructions, which include the configuration choices made in the product.

Subject matter: provision of the streaming platform. Duration: for as long as the Organiser uses the Service (plus any limited wind-down). Nature & purpose: hosting, transcoding and streaming content; authenticating viewers; processing purchases; and producing analytics and billing for the Organiser.

• → Data subjects: the Organiser’s viewers, ticket/pass buyers, and invited admins.
• → Personal data: name, email, locale; authentication/session data; purchase, billing and tax-identifier data; viewing/usage data; and technical data such as IP address and device type.
• → We do not intentionally process special-category data; Organisers should not upload it as viewer data.

• → Process personal data only on the Controller’s documented instructions, including for transfers, unless required by law (in which case we’ll inform the Controller where permitted).
• → Ensure persons authorised to process the data are bound by confidentiality.
• → Implement appropriate technical and organisational security measures (Article 32).
• → Assist the Controller, taking into account the nature of processing, with data-subject requests and with security, breach, and DPIA obligations.
• → Make available information necessary to demonstrate compliance and allow for reasonable audits.

The Controller authorises Zanzo to engage the sub-processors below to deliver the Service. We impose data-protection terms on each that are no less protective than this DPA, and remain responsible for their performance. We’ll give notice of intended changes so the Controller can object.

• → Stripe — payment processing.
• → Cloudflare R2 — video & image storage.
• → Neon — EU-hosted PostgreSQL database.
• → Vercel — application hosting & delivery.
• → Resend — transactional email.
• → Google Analytics — usage analytics (only where the Organiser enables it and the viewer consents).
• → Számlázz.hu — invoice generation (where applicable).

We maintain measures appropriate to the risk, including encryption in transit, access controls and least-privilege, signed/expiring URLs for protected media, host-scoped session cookies, and EU-hosted infrastructure. Measures may evolve as the Service improves, without materially reducing protection.

We will, taking into account the nature of processing, assist the Controller in responding to requests to exercise data-subject rights. We will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller’s data, with the information reasonably available to us.

We aim to keep processing within the EU/EEA. Where a sub-processor transfers data outside the EEA, the transfer relies on an adequacy decision or the EU Standard Contractual Clauses.

On termination, we will, at the Controller’s choice, delete or return the personal data we process on their behalf, and delete existing copies, unless retention is required by law (e.g. accounting records).

To countersign this DPA or raise a data-protection question, contact privacy@conferencestreaming.eu. See also our Privacy Policy.