> For the complete documentation index, see [llms.txt](https://help.sipgate.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://help.sipgate.com/documentation/en/privacy-terms-and-conditions-and-dpa/faq-datenschutz.md).
# Privacy FAQ
### AI Regulation (AI Act)
Is the AI Agent GDPR-compliant
Yes, all data is processed and hosted in the EU.
Which provisions of the EU AI Act apply to AI Agents, and what risk category do they fall into?
sipgate AI Agents generally fall under the category of "limited risk" pursuant to Article 50 of the AI Act. For systems in this category, transparency obligations apply primarily. The AI Act classifies systems for direct interaction with natural persons (such as voice agents) as subject to transparency obligations, but not as high-risk systems.\
The AI Act has been in force since 1 August 2024; the transparency obligations under Art. 50 apply from 2 August 2026.
Does the AI Agent have to actively indicate at the start of a conversation that it is an AI-assisted dialogue, and in what form?
Yes, under Art. 50(1) of the AI Act, providers of AI systems intended for direct interaction with natural persons must design them so that persons are informed that they are interacting with an AI system. The notice must be clear, unambiguous, and transparent, at the latest during the first interaction. An exception applies only if this is obvious from the context. sipgate ensures by default that the AI Agent outputs a pre-formulated notice (greeting text) at the start of each conversation, which clearly discloses the AI-assisted nature of the dialogue. This notice is technically fixed at the start of the conversation and cannot be skipped. The notice must be reproduced in the specified wording regardless of the language setting and meets accessibility requirements.
What fines apply for violations of the AI Act transparency obligations?
Violations of the transparency obligations under Art. 50 of the AI Act can, pursuant to Art. 99(4) of the AI Act, be punished with fines of up to EUR 15 million or 3% of the company's worldwide annual turnover (whichever is higher). The fines are imposed by national supervisory authorities. Please note that responsibility for complying with the transparency obligations lies with the operator of the AI system (the customer), while sipgate as the provider of the AI system supplies the technical prerequisites.
### Data Protection (GDPR)
What legal basis applies to the processing of conversation data by the AI Agent?
Processing of conversation data can take place on the basis of Art. 6(1)(a) GDPR (consent) or Art. 6(1)(b) GDPR (performance of a contract), depending on the specific use case. Inbound calls in customer service may require processing for the performance of a contract or for taking pre-contractual measures.
Is the caller's voice biometric data within the meaning of Art. 9 GDPR and does a company need explicit consent for this?
The human voice can be classified as biometric data within the meaning of Art. 4 No. 14 and Art. 9 GDPR if it is processed using special technical procedures for the unique identification of a person. The decisive factor is the purpose of the processing: if the voice is used solely for speech recognition and conversation handling (without biometric identification), Art. 9 GDPR does not apply. sipgate AI Agents use voice data exclusively for conversation processing, not for biometric identification. Explicit consent under Art. 9(2)(a) GDPR is therefore not strictly required.
### Data Processing
Does sipgate use our customers' data for training or machine learning?
No. sipgate does not use customer data for the training of AI models or machine learning. This is contractually excluded with all AI service providers (in particular OpenAI). The data is used exclusively to provide the commissioned services and is deleted or anonymized after processing is completed. This regulation is part of the technical and organizational measures and documented in the DPA.
Can sipgate indemnify us against liability towards third parties, especially in the event of violations of the AI Act and GDPR?
An indemnification by sipgate is not provided for, since the customer as controller is generally responsible for the lawful use of the AI Agent. This corresponds to the statutory allocation of roles under the GDPR and AI Act.\
sipgate does, however, undertake to provide the technical and organizational prerequisites for lawful use and to support the customer in complying with its obligations under the provisions of the DPA. The systems provided are generally designed so that they can be used in compliance with the GDPR:\
\
(1) Our data processing agreement (DPA) regulates the details of data processing. Corresponding agreements are in place with our sub-processors and partners to ensure lawful data processing.\
\
(2) We also point out that the assistant clearly indicates, or can indicate, at the start of each conversation that it is an AI (Further information can be found in our [privacy policy](https://firebasestorage.googleapis.com/v0/b/ai-frontdesk-web-static/o/datenschutzerklaerung.pdf?alt=media\&token=bf03f619-6dfa-402d-8396-2db340462f10) and in the [data processing agreement](https://firebasestorage.googleapis.com/v0/b/ai-frontdesk-web-static/o/auftragsverarbeitungs-vertrag.pdf?alt=media\&token=1e567ab2-d173-4b8e-b557-68c85ea66416))\
\
In cases where a violation is attributable to errors or breaches of duty by sipgate, sipgate is liable under the contractual liability rules.
### Liability & Responsibility
Who is liable if the AI Agent makes mistakes, provides false information, or violates the AI Regulation or GDPR?
Liability is determined by the allocation of roles between controller and processor: The customer as operator of the AI Agent is the controller within the meaning of the GDPR and the AI Act and is therefore generally responsible for lawful use. This includes in particular compliance with transparency obligations, lawful data processing, and ensuring that the AI Agent is configured appropriately for its intended purpose. sipgate is liable as processor for breaches of duty within the framework of data processing (Art. 82 GDPR).
---
# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.
## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:
```
GET https://help.sipgate.com/documentation/en/privacy-terms-and-conditions-and-dpa/faq-datenschutz.md?ask=&goal=
```
`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.