# Privacy FAQ

### AI Regulation (AI Act)

<details>

<summary>Is the AI Agent GDPR-compliant</summary>

Yes, all data is processed and hosted in the EU.

</details>

<details>

<summary>Which provisions of the EU AI Act apply to AI Agents, and into which risk category do they fall?</summary>

sipgate AI Agents generally fall under the category of “limited risk” pursuant to Art. 50 of the AI Regulation. For systems in this category, transparency obligations primarily apply. The AI Regulation classifies systems for direct interaction with natural persons (such as Voice Agents) as subject to transparency obligations, but not as high-risk systems.\
The AI Act has been in force since August 1, 2024; the transparency obligations under Art. 50 apply from August 2, 2026.

</details>

<details>

<summary>Does the AI Agent have to actively point out at the beginning of a conversation that it is an AI-supported dialogue, and in what form?</summary>

Yes, pursuant to Art. 50(1) of the AI Act, providers of AI systems intended for direct interaction with natural persons must design them so that people are informed that they are interacting with an AI system. The notice must be clear, unambiguous, and transparent, at the latest upon the first interaction. An exception exists only if this is obvious from the context. By default, sipgate ensures that the AI Agent issues a pre-formulated notice (greeting text) at the start of every conversation, which clearly discloses the AI-supported nature of the dialogue. This notice is technically fixed at the start of the conversation and cannot be skipped. The notice must be reproduced in the specified wording regardless of the language setting and meets accessibility requirements.

</details>

<details>

<summary>What fines are imposed for violations of the<br>transparency obligations of the AI Act?</summary>

Violations of the transparency obligations under Art. 50 of the AI Act can be punished in accordance with Art. 99(4) of the AI Act with fines of up to EUR 15 million or 3% of the company's worldwide annual turnover (whichever is higher). The fines are imposed by national supervisory authorities. It should be noted that responsibility for compliance with the transparency obligations lies with the operator of the AI system (the customer), while sipgate, as the provider of the AI system, provides the technical prerequisites.

</details>

### Data protection (GDPR)

<details>

<summary>What legal basis applies to the processing of conversation data by the AI Agent?</summary>

The processing of conversation data can be based, for example, on Art. 6(1)(a) GDPR (consent) or Art. 6(1)(b) GDPR (performance of a contract), depending on the specific use case. For inbound calls in customer service, processing may be necessary for the performance of a contract or for taking steps prior to entering into a contract.

</details>

<details>

<summary>Is the caller's voice a biometric datum within the meaning of Art. 9 GDPR, and does a company therefore need explicit consent?</summary>

The human voice can be classified as biometric data within the meaning of Art. 4 No. 14 and Art. 9 GDPR if it is processed using special technical procedures for the unique identification of a person. The decisive factor is the purpose of processing: if the voice is used solely for speech recognition and conversation handling (without biometric identification), Art. 9 GDPR does not apply. sipgate AI Agents use voice data exclusively for conversation processing, not for biometric identification. Explicit consent under Art. 9(2)(a) GDPR is therefore not strictly required.

</details>

### Data processing

<details>

<summary>Does sipgate use our data for training or machine learning?</summary>

No. sipgate does not use customer data for training AI models or machine learning. This is contractually excluded with all AI service providers (especially OpenAI). The data is used exclusively to provide the commissioned services and is deleted or anonymized after processing is completed. This regulation is part of the technical and organizational measures and is documented in the data processing agreement.

</details>

<details>

<summary>Can sipgate indemnify us against liability to third parties, especially in the event of violations of the AI Act and GDPR?</summary>

Indemnification by sipgate is not предусмотрено, since the customer, as the controller, is generally responsible for the legally compliant use of the AI Agent. This corresponds to the statutory allocation of roles under the GDPR and AI Act.\
sipgate does, however, undertake to provide the technical and organizational prerequisites for lawful use and to support the customer in fulfilling its obligations within the framework of the DPA provisions. The provided systems are generally designed so that they can be used in compliance with the GDPR:\
\
(1) Our data processing agreement (DPA) regulates the details of data processing. Corresponding agreements exist with our subcontractors and partners to ensure legally compliant data processing.\
\
(2) We also point out that the assistant clearly indicates, or can indicate, at the beginning of each conversation that it is an AI (further information can be found in our [Privacy Policy](https://firebasestorage.googleapis.com/v0/b/ai-frontdesk-web-static/o/datenschutzerklaerung.pdf?alt=media\&token=bf03f619-6dfa-402d-8396-2db340462f10) and in the [Data Processing Agreement](https://firebasestorage.googleapis.com/v0/b/ai-frontdesk-web-static/o/auftragsverarbeitungs-vertrag.pdf?alt=media\&token=1e567ab2-d173-4b8e-b557-68c85ea66416))\
\
For cases in which a breach is attributable to errors or breaches of duty by sipgate, sipgate is liable in accordance with the contractual liability provisions.

</details>

### Liability & responsibility

<details>

<summary>Who is liable if the AI Agent makes mistakes, provides incorrect information, or violates the AI Act or GDPR?</summary>

Liability is determined by the allocation of roles between controller and processor: the customer, as the operator of the AI Agent, is the controller within the meaning of the GDPR and the AI Act and is therefore generally responsible for its legally compliant use. This includes, in particular, compliance with the transparency obligations, lawful data processing, and ensuring that the AI Agent is configured appropriately for its intended purpose. sipgate is liable as a processor for breaches of duty within the scope of data processing on behalf of a controller (Art. 82 GDPR).

</details>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.sipgate.de/ai-agents/en/privacy-terms-and-conditions-and-data-processing-agreement/faq-datenschutz.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.