# Privacy FAQ

### AI Regulation (AI Act)

<details>

<summary>Is the AI Agent GDPR-compliant?</summary>

Yes, all data is processed and hosted in the EU.

</details>

<details>

<summary>Which regulations of the EU AI Act apply to AI Agents and what risk category do they fall into?</summary>

sipgate AI Agents generally fall under the category of "limited risk" according to Art. 50 of the AI Regulation. For systems in this category, transparency obligations primarily apply. The AI Regulation classifies systems for direct interaction with natural persons (such as voice agents) as subject to transparency obligations, but not as high-risk systems.\
The AI Act has been in force since 1 August 2024, and the transparency obligations under Art. 50 apply from 2 August 2026.

</details>

<details>

<summary>Does the AI Agent have to actively point out at the beginning of a conversation that it is an AI-supported dialogue, and in what form?</summary>

Yes, under Art. 50 para. 1 of the AI Act, providers of AI systems intended for direct interaction with natural persons must design them so that people are informed that they are interacting with an AI system. The notice must be clear, unambiguous, and transparent, and must be given at the latest at the first interaction. An exception applies only if this is obvious from the context. By default, sipgate ensures that the AI Agent issues a pre-formulated notice (greeting text) at the beginning of each conversation, which clearly discloses the AI-supported nature of the dialogue. This notice is technically fixed at the start of the conversation and cannot be skipped. The notice must be reproduced in the specified wording regardless of the language setting and meets accessibility requirements.

</details>

<details>

<summary>What fines can be imposed for violations of the AI Act transparency obligations?</summary>

Violations of the transparency obligations under Art. 50 of the AI Act may be punished in accordance with Art. 99 para. 4 of the AI Act with fines of up to 15 million euros or 3% of the company's worldwide annual turnover (whichever is higher). The fines are imposed by national supervisory authorities. It should be noted that responsibility for compliance with the transparency obligations lies with the operator of the AI system (customer), while sipgate as the provider of the AI system provides the technical requirements.

</details>

### Data protection (GDPR)

<details>

<summary>What legal basis applies to the processing of conversation data by the AI Agent?</summary>

The processing of conversation data can be based, for example, on Art. 6 para. 1 lit. a GDPR (consent) or Art. 6 para. 1 lit. b GDPR (performance of a contract), depending on the specific use case. For inbound calls in customer service, processing may be necessary for the performance of a contract or for the implementation of pre-contractual measures.

</details>

<details>

<summary>Is the caller's voice biometric data within the meaning of Art. 9 GDPR and does a company need explicit consent for this?</summary>

The human voice can be classified as biometric data within the meaning of Art. 4 No. 14 and Art. 9 GDPR if it is processed using special technical procedures for the unique identification of a person. The purpose of the processing is decisive: if the voice is used only for speech recognition and conversation management (without biometric identification), Art. 9 GDPR does not apply. sipgate AI Agents use voice data exclusively for conversation processing, not for biometric identification. Explicit consent under Art. 9 para. 2 lit. a GDPR is therefore not absolutely required.

</details>

### Data processing

<details>

<summary>Does sipgate use our customers' data for training or machine learning?</summary>

No. sipgate does not use customer data for training AI models or machine learning. This is contractually excluded with all AI service providers (especially OpenAI). The data is used exclusively to provide the commissioned services and is deleted or anonymized after processing is completed. This regulation is part of the technical and organizational measures and is documented in the data processing agreement.

</details>

<details>

<summary>Can sipgate indemnify us against liability to third parties, especially in the event of violations of the AI Act and GDPR?</summary>

Indemnification by sipgate is not provided for, as the customer, as the controller, is generally responsible for the lawful use of the AI Agent. This corresponds to the statutory allocation of roles under the GDPR and AI Act.\
sipgate does, however, undertake to provide the technical and organizational prerequisites for lawful use and to support the customer in complying with its obligations within the framework of the provisions of the data processing agreement. The systems provided are generally designed so that they can be used in a GDPR-compliant manner:\
\
(1) Our data processing agreement (DPA) regulates the details of data processing. Corresponding agreements are in place with our suppliers and partners to ensure lawful data processing.\
\
(2) We also point out that the assistant clearly indicates, or can indicate, at the beginning of each conversation that it is an AI (further information can be found in our [privacy policy](https://firebasestorage.googleapis.com/v0/b/ai-frontdesk-web-static/o/datenschutzerklaerung.pdf?alt=media\&token=bf03f619-6dfa-402d-8396-2db340462f10) as well as in the [Data Processing Agreement](https://firebasestorage.googleapis.com/v0/b/ai-frontdesk-web-static/o/auftragsverarbeitungs-vertrag.pdf?alt=media\&token=1e567ab2-d173-4b8e-b557-68c85ea66416)).\
\
In cases where a breach is attributable to errors or breaches of duty by sipgate, sipgate is liable under the contractual liability provisions.

</details>

### Liability & Responsibility

<details>

<summary>Who is liable if the AI Agent makes mistakes, provides incorrect information, or violates the AI Regulation or GDPR?</summary>

Liability is determined by the allocation of roles between controller and processor: The customer as the operator of the AI Agent is the controller within the meaning of the GDPR and the AI Act and is therefore generally responsible for lawful use. This includes, in particular, compliance with the transparency obligations, lawful data processing, and ensuring that the AI Agent is configured appropriately for its intended use. sipgate is liable as a processor for breaches of duty in the context of data processing (Art. 82 GDPR).

</details>


