Privacy FAQ

AI Regulation (AI Act)

Is the AI Agent GDPR-compliant?

Yes, all data is processed and hosted in the EU.

Which provisions of the EU AI Act apply to AI Agents and which risk category do they fall into?

sipgate AI Agents generally fall under the category of "limited risk" pursuant to Article 50 of the AI Regulation. Systems in this category are subject primarily to transparency obligations. The AI Regulation classifies systems for direct interaction with natural persons (such as voice agents) as subject to transparency obligations, but not as high-risk systems. The AI Act has been in force since 1 August 2024; the transparency obligations under Article 50 apply from 2 August 2026.

Must the AI Agent actively point out at the beginning of a conversation that this is an AI-supported dialogue, and in what form?

Yes, under Article 50(1) of the AI Act, providers of AI systems intended for direct interaction with natural persons must design them so that people are informed that they are interacting with an AI system. The notice must be clear, unambiguous, and transparent, at the latest upon the first interaction. An exception exists only if this is obvious from the context. By default, sipgate ensures that the AI Agent outputs a pre-formulated notice (greeting text) at the start of every conversation, clearly disclosing the AI-supported nature of the dialogue. This notice is technically fixed at the start of the conversation and cannot be skipped. The notice must be reproduced in the specified wording regardless of the language setting and meets accessibility requirements.

What fines apply for violations of the transparency obligations of the AI Act?

Violations of the transparency obligations under Article 50 of the AI Act can be punished under Article 99(4) of the AI Act with fines of up to EUR 15 million or 3% of the company's worldwide annual turnover, whichever is higher. The fines are imposed by national supervisory authorities. Please note that responsibility for compliance with the transparency obligations lies with the operator of the AI system (customer), while sipgate, as the provider of the AI system, provides the technical prerequisites.

Data Protection (GDPR)

Is the caller's voice biometric data within the meaning of Art. 9 GDPR, and does a company therefore need explicit consent for this?

The human voice can be classified as biometric data within the meaning of Art. 4 No. 14 and Art. 9 GDPR if it is processed using special technical procedures for the unique identification of a person. What matters is the purpose of the processing: if the voice is used solely for speech recognition and conversation handling (without biometric identification), this does not fall under Art. 9 GDPR. sipgate AI Agents use voice data exclusively for conversation processing, not for biometric identification. Explicit consent under Art. 9(2)(a) GDPR is therefore not mandatory.

Data Processing

Does sipgate use our customers' data for training or machine learning?

No. sipgate does not use customer data for training AI models or machine learning. This is contractually excluded with all AI service providers (especially OpenAI). The data is used exclusively to provide the commissioned services and is deleted or anonymized after processing is completed. This provision is part of the technical and organizational measures and is documented in the Data Processing Agreement.

Can sipgate indemnify us against liability to third parties, especially in the event of violations of the AI Act and GDPR?

Indemnification by sipgate is not provided for, as the customer, as the controller, is generally responsible for the lawful use of the AI Agent. This corresponds to the statutory distribution of roles under the GDPR and the AI Act. sipgate does, however, undertake to provide the technical and organizational prerequisites for lawful use and to support the customer in complying with its obligations within the framework of the provisions of the DPA. The systems provided are generally designed so that they can be used in compliance with the GDPR: (1) Our data processing agreement (DPA) regulates the details of data processing. We have corresponding agreements in place with our subcontractors and partners to ensure lawful data processing. (2) We also point out that the assistant clearly indicates at the beginning of each conversation, or can indicate, that it is an AI (more information can be found in our privacy policy as well as in the Data Processing Agreement). For cases in which a violation is attributable to errors or breaches of duty by sipgate, sipgate is liable under the contractual liability provisions.

Liability & Responsibility

Who is liable if the AI Agent makes mistakes, provides false information, or violates the AI Regulation or GDPR?

Liability is determined by the division of roles between controller and processor: the customer, as the operator of the AI Agent, is the controller within the meaning of the GDPR and the AI Act and is therefore generally responsible for lawful use. This includes, in particular, compliance with transparency obligations, lawful data processing, and ensuring that the AI Agent is configured appropriately for its intended use. sipgate is liable as a processor for breaches of duty within the scope of data processing on behalf of the controller (Art. 82 GDPR).
