EU hosting in Germany — and that applies to every bot.
Platform infrastructure runs at Hetzner in Germany. Joint controllership under Art. 26 GDPR, data processing agreement under Art. 28 GDPR on request. Subprocessor list with locations and safeguards publicly available. No marketing tracking for anonymous bot visitors.


Three points bot providers should answer honestly.
- Where is the infrastructure? Platform hosting at Hetzner in Germany (ISO 27001). Cloudflare sits in front as the edge (USA, EU-US DPF + standard contractual clauses). Subprocessors are listed with location and data categories in our subprocessor list.
- How are the roles defined? The primary model is joint controllership (Art. 26 GDPR); we provide a data processing agreement under Art. 28 GDPR on request as a separate document. Written DPAs are in place with every active subprocessor (Hetzner, Cloudflare, IONOS, Stripe, LLM providers).
- Which LLM providers are used? Currently in production: Cerebras (USA), Google (Ireland), Anthropic (USA), Groq (USA). For US providers the EU-US DPF and/or SCCs apply; inputs are contractually not used for model training.
Joint controllership — DPA under Art. 28 on request.
The primary model is joint controllership under Art. 26 GDPR (details at /legal/joint-controllership). To the extent that we process personal data solely on your instructions, we provide you on request with a data processing agreement under Art. 28 GDPR as a separate document. The master terms at /terms are authoritative.
Master terms, privacy policy, subprocessor list — all three public.
The three documents that hold the agreements:
- Master terms with the data protection roles (joint controllership, DPA under Art. 28 GDPR on request) — /terms.
- Privacy policy with processing steps, legal bases and retention periods — /privacy.
- Subprocessor list with location, purpose, data categories and third-country safeguards (EU-US DPF / SCCs) — /subprocessors.
We announce changes to subprocessors in advance in the list.
Which GDPR obligations are already covered.
Six points that are contractually and technically handled at Zeptix — each with a reference to the verifiable sources (master terms, privacy policy, subprocessor list).
GDPR Art. 6 + 28
You are the controller for your data, Zeptix is the processor. Governed by the master terms and the privacy policy.
Subprocessors transparent
The full list of subprocessors (hosting, CDN, email, payment processing, AI inference) including location, data categories and third-country safeguards is publicly available at /subprocessors.
TOMs contractually agreed
Technical and organizational measures are contractually defined with Hetzner as the hosting provider (ISO 27001) and with Cloudflare (EU-US DPF + standard contractual clauses).
Right to erasure
Account deletion via the dashboard. After the contract ends, the bot is deactivated and the knowledge base is retained for up to 60 days for export or reactivation, then deleted — subject to statutory retention obligations.
Server log files kept briefly
Technical server logs are processed to secure operations (Art. 6(1)(f) GDPR) and automatically deleted or anonymized after 14 days.
Cookie-free for anonymous users
Anonymous bot visitors get no tracking cookies and no marketing pixels — only strictly necessary cookies.
Four building blocks that carry the security promise.
Hetzner data center (Germany)
Platform infrastructure runs at Hetzner in Germany. Hetzner is ISO 27001 certified. Databases, caches and object storage are located there as well.
Cloudflare as the edge
Cloudflare (USA) provides DDoS protection, CDN and Cloudflare Turnstile for bot defense. Cloudflare is certified under the EU-US Data Privacy Framework; a DPA including standard contractual clauses is in place.
Data protection roles under GDPR
The primary model is joint controllership under Art. 26 GDPR; we provide a data processing agreement under Art. 28 GDPR to customers on request as a separate document. Written DPAs are in place with all active subprocessors (Hetzner, Cloudflare, IONOS, Stripe, LLM providers).
AI inference only with DPA providers
Currently in production: Cerebras (USA), Google (Ireland), Anthropic (USA), Groq (USA). DPAs are in place with all providers; inputs are contractually not used for model training. Locations and safeguards are listed at /subprocessors.
FAQ on security & GDPR.
Which LLM providers does Zeptix use in production?
Currently in production: Cerebras (USA), Google (Ireland), Anthropic (USA) and Groq (USA). DPAs under Art. 28 GDPR are in place with all of them; for US providers the EU-US DPF or standard contractual clauses apply. New or additional LLM providers are announced in advance in the subprocessor list. Full details at /subprocessors.
Where exactly are the servers located?
The platform infrastructure (app servers, databases, caches, object storage) runs at Hetzner in Germany. Cloudflare sits in front as a CDN/DDoS edge (USA, EU-US DPF + SCCs). Detailed locations of all subprocessors are listed at /subprocessors.
Which certifications are in place?
Hetzner as the hosting provider is ISO 27001 certified. Cloudflare is certified under the EU-US Data Privacy Framework. Zeptix itself as a platform is currently not externally certified.
Is my data used to train models?
No. Inputs are not used to train models — all AI providers we use exclude the use of API inputs for training in their data policies.
How long are logs and data retained?
Server log files: 14 days, then automatic deletion or anonymization. Account and contract data: for the contract term plus statutory retention periods (e.g. 10 years under § 147 AO for invoice-relevant data, otherwise 30 days after account deletion). Knowledge base after the contract ends: up to 60 days for export or reactivation, then deletion. Details in the privacy policy.
Can I initiate authority requests or audits with Zeptix?
Yes. The DPA includes the obligation to cooperate with audits. Please submit audit requests in writing to [email protected] — response time max. 14 days, the audit itself by arrangement.
Hosting in Germany, DPA in the master agreement.
Platform at Hetzner in Germany. Subprocessors transparent. Privacy policy and master terms publicly available.