Joint Controllership Agreement
Pursuant to Art. 26 GDPR · v2026-04-17
This is a non-binding English translation. The German version is legally binding.
1. Parties
This agreement is concluded between
- Zeptix (Alexander Sadomsky, c/o IP-Management #42121, Ludwig-Erhard-Str. 18, 20459 Hamburg, Germany) — hereinafter "Zeptix" —
- and the chatbot operator operating a chatbot via the platform — hereinafter "Operator" —
jointly: "Parties".
2. Subject matter
This agreement governs the joint controllership of the Parties pursuant to Art. 26 GDPR for the processing of personal data of end users (visitors of the chatbot) arising from the use of the chatbot operated by the Operator on the Zeptix platform.
3. Allocation of responsibilities
The Parties define the following areas of responsibility pursuant to Art. 26 (1) GDPR:
3.1 Chatbot operator responsibility.
- Content design of the chatbot (system prompt, personality, knowledge-base documents and content entered via the training AI)
- Informing the end users (own privacy notice, where required, and notice on the AI nature of the bot)
- Defining the purpose of processing within its own business activity
- Primary point of contact for data subject requests (access, deletion, rectification, etc.)
- Lawfulness of content processed by the bot (e.g. no sensitive data, no copyrighted material without authorisation)
- If a paywall with Stripe integration is enabled: own Stripe data protection obligations
3.2 Zeptix responsibility.
- Provision and operation of the technical platform
- Selection and contractual binding of the subprocessors used (see zeptix.io/subprocessors)
- Technical and organisational measures pursuant to Art. 32 GDPR (encryption, access control, logging)
- Transmission of chat content to LLM providers for response generation
- Provision of the general privacy information for the platform at zeptix.io/privacy
- Supporting the chatbot operator on data subject requests where only Zeptix has the technical means
4. Exercise of data subject rights (Art. 26 (3) GDPR)
End users may exercise their data subject rights vis-à-vis either Party. The Parties agree on the following points of contact:
- Primary contact: the respective chatbot operator (content responsibility, knowledge of the processing context)
- Subsidiary contact: Zeptix at [email protected] — we forward requests without delay to the responsible chatbot operator and provide technical support.
Notwithstanding this internal allocation, data subjects remain free to assert their rights vis-à-vis either Party (Art. 26 (3) sentence 2 GDPR).
5. Information of end users (Art. 13/14 GDPR)
The chatbot operator is obliged to transparently inform the end users of the bot, in its own or a Zeptix-provided privacy notice, about:
- Identity and contact details of the chatbot operator
- Purpose of processing and legal basis
- Notice that Zeptix as platform operator is jointly responsible (with reference to this agreement and to zeptix.io/privacy)
- AI notice (the bot is an AI; responses may be incorrect)
6. Data breaches (Art. 33/34 GDPR)
If a Party becomes aware of a data breach affecting personal data of end users, it shall inform the other Party without undue delay, at the latest within 24 hours, in writing (e-mail suffices).
Notification to the supervisory authority pursuant to Art. 33 GDPR is in principle made by the Party in whose area of responsibility the breach occurred. For platform-side incidents Zeptix takes over; for content-side incidents (e.g. unauthorised disclosure of knowledge-base data) the chatbot operator. Both Parties coordinate.
7. Subprocessors
The subprocessors used by Zeptix (hosting, LLM providers, payment service providers, e-mail dispatch) are listed at zeptix.io/subprocessors. Data processing agreements pursuant to Art. 28 GDPR are in place with all subprocessors.
The chatbot operator may use its own subprocessors (e.g. its own Stripe account if the paywall is enabled); the operator is solely responsible for these.
8. Third-country transfer
To the extent that data is transmitted to subprocessors in third countries (in particular USA), this is done on the basis of the EU-US Data Privacy Framework and/or standard contractual clauses (Decision 2021/914). Details: zeptix.io/subprocessors.
9. Liability
Externally, the Parties are jointly and severally liable to data subjects pursuant to Art. 82 GDPR. Internally, each Party bears responsibility for the areas defined in Section 3.
10. Term, termination, changes
This agreement applies for the duration of the chatbot operator's contractual relationship with Zeptix. Material changes are communicated to the operator by e-mail before they take effect. After the contract ends, data is deleted in accordance with the storage periods set out in the privacy policy.
11. Essential content (Art. 26 (2) sentence 2 GDPR)
The essential content of this agreement is made available to data subjects via the chatbot operator's privacy notice as well as via zeptix.io/privacy.
Current version: 2026-04-17