Joint Controller Agreement — Citt.ai
Version: 1.1
Last updated: 2026-04-22
This Agreement is entered into between Citt.ai and the Controller (the licensed therapist or clinic account holder identified in the Citt.ai platform). Together with the Citt.ai Terms of Service for therapists, the privacy notices published at citt.ai/privacy and citt.ai/privacy/therapist, and the Residual Data Processing Agreement where it applies, it governs how the parties allocate responsibilities under Article 26 GDPR for the joint processing described below.
Electronic acceptance in the product (including version, document hash, timestamp, and technical connection details captured at acceptance) records the Controller’s agreement.
1. Parties
- Citt.ai — 90 Clapham Common North Side, London, UK, SW49SG. Privacy contact: Declan Ahern, declan@citt.ai.
- Controller — you, the therapist or clinic responsible for the Citt.ai account through which this Agreement is accepted.
Each party is an independent controller in general and a joint controller with the other for the processing scoped in clause 2.
2. Subject matter and scope
The parties act as joint controllers for the following processing carried out through the Citt.ai platform:
- Managed patient records and the patient claim flow — practice records created for patients before they activate patient-facing features, and the secure flow by which a patient attaches their own account to an existing record.
- Patient AI messaging and support — in-app chat and, where enabled, messaging channels such as WhatsApp Business, including safety screening applied platform-side.
- Assessments, check-ins, and progress tracking — structured measures and metrics configured or offered in the product.
- Session recording, transcription, and AI-assisted session notes — where you choose to use these features and any associated AI drafting.
For processing outside this scope, the roles described in the published privacy notices apply (including areas where Citt.ai acts as sole controller for its own platform, billing, and security operations).
Where a future narrow technical engagement qualifies as processor-only processing under applicable law, the Residual Data Processing Agreement applies instead of this Agreement for that engagement.
3. Allocation of responsibilities (Article 26)
The following allocation describes who leads in practice on key GDPR obligations for the joint scope. It is an allocation of responsibility, not a delegation; each controller remains accountable to data subjects and regulators for its own compliance.
3.1 Transparency (Articles 12–14)
Joint. Citt.ai maintains the patient-facing privacy notice at citt.ai/privacy, including a plain-language summary of this joint arrangement. You maintain your own notice for your clinical relationship with patients and reference the Citt.ai notice for the platform layer where appropriate.
3.2 Data subject rights (Articles 15–22)
Joint, with practical routing as in clause 4. Either party may be the first point of contact. Each party assists the other within reasonable timeframes so the data subject receives a co-ordinated response within applicable statutory deadlines.
3.3 Data protection by design and default (Article 25)
Citt.ai leads on platform architecture, secure defaults, retention defaults built into the product, and automated safety screening. You configure the Service within available controls and must not disable or circumvent protections without a documented lawful basis and risk assessment appropriate to your role.
3.4 Sub-processors (Article 28)
Citt.ai selects, contracts with, and oversees platform sub-processors. The current summary of key providers is published in the Trust Center. Citt.ai notifies you of material changes to sub-processors for the joint scope in line with the commitments in the Trust Center and product notifications. You may use your own processors for activities outside the platform; those are solely your responsibility.
3.5 Security of processing (Article 32)
Citt.ai implements platform security (encryption, access control, logging, incident response). You are responsible for securing your devices, credentials, and any systems outside Citt.ai that you connect to your workflow.
3.6 Breach notification (Articles 33–34)
Each party must meet its own legal duties toward supervisory authorities and, where required, data subjects. Where a breach affects joint-scope data, the parties co-operate in good faith and share information needed for timely notification.
3.7 Data protection impact assessments (Article 35)
Citt.ai maintains an assessment of platform-level risks and mitigations. You maintain any care-specific assessments required for your practice and deployment choices.
3.8 Records of processing (Article 30)
Each party maintains its own record of processing activities for the processing under its responsibility.
4. Single point of contact and practical routing
Either party may act as the single point of contact for a data subject. Default routing:
- Clinical content (messages, transcripts, assessment results, care plans, clinical notes) — you lead fulfilment; Citt.ai provides reasonable platform assistance (export, redaction support, deletion tooling).
- Platform-side data (authentication, account identifiers, security logs, vendor processing that does not alter clinical meaning) — Citt.ai leads fulfilment; you are informed where the response has clinical implications.
- Erasure requests — handled through co-ordinated platform and practice workflows, subject to lawful retention that overrides erasure (for example clinical records, invoicing, or security logs as described in the published retention disclosures).
Where a request crosses both areas, the party that receives it acknowledges promptly, involves the other party without undue delay, and the parties work toward one clear answer to the data subject within GDPR timelines (including any lawful extensions).
5. Information made available to data subjects (Article 26(2))
The essence of this arrangement is made available through the patient privacy notice at citt.ai/privacy, the therapist-facing summary at citt.ai/privacy/therapist, and your own professional transparency materials.
6. Sub-processors
Authorised sub-processors for the joint scope are those described in the Trust Center and updated through the notice mechanism described there. By accepting this Agreement, you authorise the listed sub-processors for the joint scope, subject to material-change notice.
7. International transfers
Where data is transferred outside the UK, EEA, or other relevant jurisdiction, the parties rely on lawful mechanisms (including adequacy decisions, standard contractual clauses, UK addenda, or other approved tools) as described at a high level in the published privacy notices and Trust Center.
8. Liability
Each party remains liable under applicable law for its own processing and for breaches of this Agreement caused by its acts or omissions. Nothing in this Agreement excludes or limits liability that cannot lawfully be excluded or limited. Subject to the foregoing, neither party shall be liable to the other for indirect or consequential loss arising from this Agreement. Each party shall use reasonable efforts to mitigate loss.
9. Term, termination, and deletion
This Agreement remains in effect while you use the Service for joint-scope processing and for any period afterwards that either party continues to process personal data within that scope.
On termination of the Service or your account:
- you may export clinical data through in-product export tools within any period stated in the Terms of Service;
- Citt.ai applies retention and deletion practices described in the published privacy notices, subject to lawful retention;
- the parties complete any in-flight data subject requests.
10. Acceptance and updates
Acceptance is recorded electronically when you agree in the product. If this Agreement changes materially, Citt.ai may require a new acceptance before you continue sensitive operations; version and hash are compared server-side to the current legal pack.
11. Order of precedence
If documents conflict, the order of precedence for the joint scope is:
- this Joint Controller Agreement;
- the Residual Data Processing Agreement, only for processor-only processing outside the joint scope;
- the Citt.ai Terms of Service for therapists;
- any separate enterprise order form, subject to mandatory law.
© Citt.ai. All rights reserved.