This Data Processing Agreement ("DPA") is entered into between: (1) The Customer: The legal entity that has executed a
Service Agreement for the use of Nixi AI's services ("Data Controller"); and (2) The Provider: Nixi AI, a partnership
established under the laws of Germany, with its principal place of business at Adolfsallee 14, 65185 Wiesbaden,
Germany ("Data Processor"); (each a "Party" and together the "Parties").
BACKGROUND
A. The Data Controller and the Data Processor have entered into an agreement for the provision of the Data Processor's services (the "Service Agreement"). This DPA forms an integral part of and is subject to the Service Agreement.
B. In the course of providing the services under the Service Agreement, the Data Processor will process certain personal data on behalf of the Data Controller. Consequently, the Data Controller acts as a controller and the Data Processor acts as a processor within the meaning of the GDPR.
C. This DPA sets out the terms and conditions that govern the Data Processor's Processing of Personal Data on behalf of the Data Controller.
D. The purpose of this DPA is to ensure that the processing of personal data complies with the requirements of Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR").
E. This DPA does not exempt the Data Processor from its own direct obligations under the GDPR or any other applicable data protection laws.
1. STRUCTURE OF THE AGREEMENT
1.1. This Data Processing Agreement ("DPA") consists of this main body and the following annexes, which form an integral part hereof:
- Annex A: Details of Processing
- Annex B: Technical and Organisational Measures
- Annex C: Approved Sub-processors
1.2. In the event of any conflict between the terms of this DPA and the Service Agreement, the terms of this DPA shall prevail with regard to the subject matter of data processing.
1.3. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Service Agreement.
2. DEFINITIONS
2.1. Terms such as "Personal Data," "Processing," "Data Subject," "Personal Data Breach," and "Supervisory Authority" shall have the meanings ascribed to them in the GDPR.
2.2. In this DPA, the following terms shall have the following meanings:
Definitions Table
| Term |
Definition |
Applicable Data Protection Law |
| Applicable Data Protection Law |
All laws and regulations applicable to the Processing of Personal Data, including the GDPR and any relevant national implementing legislation. |
Yes |
| Approved Purpose |
The Data Processor's Processing of Personal Data as necessary to provide the Services under the Service Agreement and as further instructed in writing by the Data Controller in accordance with this DPA. |
Yes |
| Services |
The services to be provided by the Data Processor to the Data Controller as specified in the Service Agreement. |
Yes |
| Standard Contractual Clauses (SCCs) |
The standard contractual clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended, superseded, or replaced. |
Yes |
| Sub-processor |
Any third-party processor engaged by the Data Processor who Processes Personal Data in accordance with this DPA. Approved Sub-processors are listed in Annex C. |
Yes |
3. OBLIGATIONS OF THE DATA PROCESSOR
The Data Processor undertakes to:
3.1. Purpose Limitation: Process Personal Data solely for the Approved Purposes and in accordance with the Data Controller's documented instructions as set out in Annex A. If the Data Processor considers an instruction to infringe Applicable Data Protection Law, it shall immediately inform the Data Controller.
3.2. Confidentiality: Ensure that all persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3. Security: Implement the appropriate technical and organisational measures specified in Annex B to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. The principles of data protection by design and by default shall be observed.
3.4. Sub-processing: Not engage any Sub-processor without the prior specific or general written authorisation of the Data Controller. The Data Processor shall ensure that any engaged Sub-processor is bound by data protection obligations that are at least as protective as those in this DPA. Approved Sub-processors are listed in Annex C.
3.5. Assistance with Data Subject Rights: Taking into account the nature of the Processing, assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfillment of the Data Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR.
3.6. Personal Data Breach Notification: Notify the Data Controller without undue delay after becoming aware of a Personal Data Breach, providing the Data Controller with sufficient information to allow them to meet their own notification obligations under the GDPR.
3.7. Assistance with Compliance: Assist the Data Controller in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR (Security of Processing, Breach Notification, and Data Protection Impact Assessments), taking into account the nature of the Processing and the information available to the Data Processor.
3.8. Data Deletion or Return: At the choice of the Data Controller, delete or return all Personal Data to the Data Controller after the end of the provision of services relating to Processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
3.9. Audits and Inspections: Make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
3.10. Transfers to Public Authorities: Notify the Data Controller of any legally binding request for disclosure of the Personal Data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.
3.11 Anonymisation and de-identification: Any anonymisation or de-identification of Personal Data is performed solely as part of the Services and on the documented instruction of the Data Controller. Until data is rendered anonymous in accordance with Recital 26 GDPR, it is treated as Personal Data and protected under this DPA.
4. OBLIGATIONS OF THE DATA CONTROLLER
4.1. Lawfulness of Processing: The Data Controller is solely responsible for the accuracy, quality, and legality of the Personal Data and the means by which it acquired the Personal Data. The Data Controller warrants that it has a valid legal basis for the Processing of all Personal Data as contemplated by the Service Agreement and this DPA.
4.2. Documented Instructions: The Data Controller shall provide all instructions to the Data Processor in writing (including by email) and ensure such instructions are in compliance with Applicable Data Protection Law.
4.3. Processor Compliance: The Data Controller is responsible for ensuring, throughout the duration of the Processing, that the Data Processor's activities align with its instructions and the agreed-upon terms of this DPA.
4.4. Supervision and Audits: The Data Controller has the right to supervise the Processing, which includes conducting audits and inspections of the Data Processor to verify compliance with this DPA.
- Audits shall be carried out at the Data Controller's exclusive expense
- The Data Controller shall provide the Data Processor with at least thirty (30) working days' prior written notice of any audit or inspection.
- Audits shall be conducted during the Data Processor's normal business hours and shall not unreasonably disrupt the Data Processor's business activities.
- The Data Processor shall cooperate with the audit and provide access to the information and personnel reasonably necessary to demonstrate compliance. Audits are subject to appropriate confidentiality obligations.
- The Data Processor may object to an auditor appointed by the Data Controller if the auditor is, in the Data Processor's reasonable opinion, not suitably qualified or is a direct competitor of the Data Processor. In such an event, the Data Controller shall appoint another auditor.
5. DATA STORAGE AND INTERNATIONAL TRANSFERS
Data Processing Sections
5.1. Data Segregation
The Data Processor operates a segregated infrastructure that clearly distinguishes between non-sensitive
application data and sensitive Personal Data. Processing locations and security measures depend on the
data category, as defined in Annex A of the Data Processing Agreement.
5.2. Processing and Storage of Personal Data concerning health
All Personal Data concerning health (Article 9 GDPR) and other medical content (including transcripts and
generated medical documentation) is processed exclusively within the European Union (EU) and stored
exclusively in Germany. The primary processing and storage location is Frankfurt, Germany.
Such medical content is never transferred outside the EU.
5.3. International Transfer of Non-Sensitive Application Data
Non-sensitive application data (such as name, email address, non-medical settings, and pseudonymized
technical identifiers) may be transferred to and processed outside the EU/EEA by approved Sub-processors
for operational purposes. Such transfers are protected by the execution of the EU Standard Contractual
Clauses (SCCs) and, where required, additional supplementary technical and organizational measures in
accordance with applicable data protection law.
Medical content, transcripts, audio streams, and any Personal Data concerning health are excluded from such transfers.
6. USE OF SUB-PROCESSORS
6.1. General Authorization. The Data Controller provides a general written authorization for the Data Processor to engage the Sub-processors listed in Annex C.
6.2. Sub-processor Obligations. The Data Processor shall enter into a written agreement with each Sub-processor that imposes data protection obligations that are at least as protective as those set out in this DPA. The Data Processor shall ensure that the Sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures in compliance with the GDPR.
6.3. Changes to Sub-processors. The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days in advance, thereby giving the Data Controller the opportunity to object to such changes. If the Data Controller objects, the Parties shall discuss in good faith a commercially reasonable resolution.
6.4. Onward Liability. The Data Processor shall remain fully liable to the Data Controller for the performance of a Sub-processor's data protection obligations.
7. RESTRICTED TRANSFERS OF PERSONAL DATA
General Principle
7.1. Personal Data shall only be processed within the European Economic Area (EEA) or a jurisdiction deemed adequate by the European Commission, except where a valid transfer mechanism is in place.
Transfer Mechanism
7.2. For any transfer of Personal Data from the Data Processor to an approved Sub-processor located in a third country not recognized as adequate (a "Restricted Transfer"), such transfer shall be governed by the Standard Contractual Clauses (SCCs).
Mandate to Execute SCCs
7.3. The Data Controller hereby authorized the Data Processor to enter into the Standard Contractual Clauses, specifically Module Three (Processor to Sub-processor), with any approved Sub-processor on the Data Controller's behalf to legitimize a Restricted Transfer.
Continued Liability
7.4. The use of SCCs does not relieve the Data Processor of its obligations under this DPA. The Data Processor remains fully liable to the Data Controller for the performance of the Sub-processor's obligations as specified in Section 6.4.
8. DATA SUBJECT RIGHTS
8.1. Controller's Responsibility. The Data Controller is solely responsible for providing information to Data Subjects regarding the Processing of their Personal Data and for managing requests to exercise their rights.
8.2. Processor's Assistance. The Data Processor shall, taking into account the nature of the Processing, assist the Data Controller by appropriate technical and organisational measures with fulfilling its obligation to respond to requests from Data Subjects. If a Data Subject sends a request directly to the Data Processor, the Data Processor shall promptly forward the request to the Data Controller's designated contact person.
9. SECURITY OF PROCESSING
9.1. General Commitment. The Data Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures shall ensure a level of security appropriate to the risk.
9.2. Specific Measures. The Data Processor undertakes to implement, at a minimum, the technical and organisational measures set out in Annex B. The Data Processor reserves the right to update these measures, provided that such updates do not result in a material degradation of the overall security of the Services.
10. PERSONAL DATA BREACH MANAGEMENT
10.1. Notification. In the event of a Personal Data Breach, the Data Processor shall notify the Data Controller without undue delay, and in any event no later than forty-eight (48) hours after becoming aware of it. The notification shall be sent to the Data Controller's designated contact person.
10.2. Information Provided. The notification shall, as far as possible, include: The nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned; The likely consequences of the Personal Data Breach; The measures taken or proposed to be taken by the Data Processor to address the breach and mitigate its possible adverse effects; and The name and contact details of the Data Processor's point of contact for more information.
10.3. Cooperation. The Data Processor shall provide the Data Controller with reasonable cooperation and assistance required to fulfil the Data Controller's own data breach notification obligations under the GDPR.
11. GOVERNMENT REQUESTS AND LEGAL OBLIGATIONS
11.1. Requests for Disclosure. The Data Processor shall promptly notify the Data Controller of any legally binding request from a law enforcement or other governmental authority for the disclosure of Personal Data, unless prohibited by law. If legally permissible, this notification shall be provided to the Data Controller before the Data Processor discloses any Personal Data.
11.2. Legally Mandated Retention. If the Data Processor is required by applicable law to retain any Personal Data where it would otherwise be required to be deleted or returned under Section 3.8, it shall notify the Data Controller of this retention requirement. The obligations of confidentiality and security as set out in Section 9 shall continue to apply to such retained Personal Data.
12. LIABILITY
12.1. The liability of each Party under this DPA shall be subject to the limitations and exclusions of liability set out in the Service Agreement. For the avoidance of doubt, any reference to liability in the Service Agreement shall be interpreted to include liability under this DPA.
ANNEX A: DETAILS OF PROCESSING
This Annex forms part of the DPA and describes the details of the Processing of Personal Data by the Data Processor on behalf of the Data Controller.
Annex A – Details of Processing
Annex A – Details of Processing
The Processing activities described in this Annex A are carried out solely on the documented instructions of the Data Controller
in accordance with Article 28(3) GDPR.
A.1 User Account & Service Management
Purpose: Authentication, access control, and management of user accounts and application settings.
Categories of data: Non-sensitive personal data (name, email address, account settings, pseudonymised technical identifiers).
Data subjects: Medical professionals (users).
Processing & storage: Processed for account and service administration on secure infrastructure.
Where processed outside the EU/EEA by approved sub-processors, appropriate safeguards (including SCCs and supplementary measures where required) apply.
No medical content or Personal Data concerning health (Art. 9 GDPR) is processed in this activity.
A.2 Audio Transcription (Transient Processing)
Purpose: Conversion of spoken medical consultations into text transcripts for documentation purposes.
Categories of data: Personal Data concerning health (Art. 9 GDPR), including spoken medical information.
Data subjects: Patients and medical professionals.
Processing & retention: Audio streams are processed transiently in-memory within the European Union (EU) and are
deleted immediately after transcription. Audio recordings are never stored.
A.3 Medical Document Generation & Secure Storage
Purpose: Generation of structured medical documentation (e.g., clinical notes, letters, billing documents)
from transcripts and/or user-provided text and files.
Categories of data: Personal Data concerning health (Art. 9 GDPR), including transcripts, generated medical text,
and classification codes (e.g., ICD-10).
Data subjects: Patients and medical professionals.
Processing & storage: Processing occurs exclusively within the EU. Storage of medical content occurs exclusively in
Germany (Frankfurt). Retention is user-configurable from 1 to 30 days and content can be deleted manually at any time.
A.4 File Content Extraction (OCR – Transient)
Purpose: Extraction of text from user-uploaded files (e.g., PDFs or images) for inclusion in medical documentation.
Categories of data: Personal Data concerning health (Art. 9 GDPR), depending on file content.
Data subjects: Patients and medical professionals.
Processing & retention: Files are processed transiently in-memory within the EU and deleted immediately
after text extraction. Uploaded files are never stored.
A.5 Service Analytics & Product Improvement
Purpose: Service analytics and product improvement.
Scope & conditions: The Data Processor may process aggregated and anonymised data (where feasible) or otherwise de-identified data
for service analytics and product improvement only on the documented instruction of the Data Controller and, where required,
with valid patient consent.
Pseudonymised data remains Personal Data and is protected under this DPA. Anonymous information, as defined in Recital 26 GDPR,
is not treated as Personal Data.
Restriction: Personal Data processed for the provision of the Services is not used to train general-purpose or foundation AI models.
Annex A – Details of Processing
Annex A – Details of Processing
The Processing activities described in this Annex A are carried out solely on the documented instructions of the Data Controller
in accordance with Article 28(3) GDPR.
A.1 User Account & Service Management
Purpose: Authentication, access control, and management of user accounts and application settings.
Categories of data: Non-sensitive personal data (name, email address, account settings, pseudonymised technical identifiers).
Data subjects: Medical professionals (users).
Processing & storage: Processed for account and service administration on secure infrastructure.
Where processed outside the EU/EEA by approved sub-processors, appropriate safeguards (including SCCs and supplementary measures where required) apply.
No medical content or Personal Data concerning health (Art. 9 GDPR) is processed in this activity.
A.2 Audio Transcription (Transient Processing)
Purpose: Conversion of spoken medical consultations into text transcripts for documentation purposes.
Categories of data: Personal Data concerning health (Art. 9 GDPR), including spoken medical information.
Data subjects: Patients and medical professionals.
Processing & retention: Audio streams are processed transiently in-memory within the European Union (EU) and are
deleted immediately after transcription. Audio recordings are never stored.
A.3 Medical Document Generation & Secure Storage
Purpose: Generation of structured medical documentation (e.g., clinical notes, letters, billing documents)
from transcripts and/or user-provided text and files.
Categories of data: Personal Data concerning health (Art. 9 GDPR), including transcripts, generated medical text,
and classification codes (e.g., ICD-10).
Data subjects: Patients and medical professionals.
Processing & storage: Processing occurs exclusively within the EU. Storage of medical content occurs exclusively in
Germany (Frankfurt). Retention is user-configurable from 1 to 30 days and content can be deleted manually at any time.
A.4 File Content Extraction (OCR – Transient)
Purpose: Extraction of text from user-uploaded files (e.g., PDFs or images) for inclusion in medical documentation.
Categories of data: Personal Data concerning health (Art. 9 GDPR), depending on file content.
Data subjects: Patients and medical professionals.
Processing & retention: Files are processed transiently in-memory within the EU and deleted immediately
after text extraction. Uploaded files are never stored.
A.5 Service Analytics & Product Improvement
Purpose: Service analytics and product improvement.
Scope & conditions: The Data Processor may process aggregated and anonymised data (where feasible) or otherwise de-identified data
for service analytics and product improvement only on the documented instruction of the Data Controller and, where required,
with valid patient consent.
Pseudonymised data remains Personal Data and is protected under this DPA. Anonymous information, as defined in Recital 26 GDPR,
is not treated as Personal Data.
Restriction: Personal Data processed for the provision of the Services is not used to train general-purpose or foundation AI models.
ANNEX B: TECHNICAL AND ORGANISATIONAL MEASURES (Revised)
Pursuant to Article 32 of the GDPR, the Data Processor shall implement and maintain the following technical and organisational measures to ensure a level of security appropriate to the risk of the Processing.
Security Measures Table
| Security Principle (GDPR Article 32) |
Implemented Measures |
| Pseudonymisation and Encryption of Personal Data |
- All data is encrypted in-transit between the user, Nixi AI services, and sub-processors using industry-standard TLS protocols (HTTPS).
- All databases and storage are encrypted at-rest.
- Data Segregation: Sensitive Protected Health Information (PHI) is stored in a physically and logically separate infrastructure from non-sensitive application data.
- Transient Data Handling: Audio streams and user-uploaded files are processed in-memory and are immediately and permanently deleted after processing. They are never stored at rest.
|
| The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services |
- Strict Access Control: The platform operates on a "zero-trust" model. A user can only access data that they have explicitly created, which is enforced programmatically on every data request via a secure authentication system.
- Private Networking: All backend services that handle sensitive data (API and database) are isolated from the public internet and communicate exclusively over a secure Google Cloud private network (VPC).
- Data Residency: All sensitive PHI is stored and processed exclusively within Google Cloud's europe-west3 region (Frankfurt, Germany) to ensure data sovereignty.
- Personnel Access: Access to production environments by authorized Nixi AI personnel is strictly limited on a need-to-know basis, logged, and requires multi-factor authentication (MFA).
|
| The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident |
- The services are built on a resilient, high-availability cloud infrastructure (Google Cloud Platform).
- Secure, automated, and tested backups of databases containing Personal Data are performed regularly to ensure data integrity and the ability to restore the service in a timely manner.
|
| A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing |
- Backend Security: The backend infrastructure is built on Google Cloud Platform (GCP), leveraging Google's robust, enterprise-grade security model, which is subject to regular independent audits against international security standards.
- Frontend & Application Security: The frontend web application, hosted by Bubble Group, Inc., is subject to their regular third-party penetration testing. Additionally, Nixi AI engages Flusk.eu to perform continuous automated security monitoring of the application, including weekly and monthly vulnerability checks with 24/7 alerting for potential security issues.
- Secure Development: Security is integrated into the software development lifecycle, including mandatory code reviews and vulnerability scanning before deployment.
|
ANNEX C: APPROVED SUB-PROCESSORS
The Data Controller provides general authorization for the Data Processor to engage the sub-processors listed below, in accordance with the terms of the DPA.
1. List of Approved Sub-processors
Company Information Table
| Company Name |
Registered Address |
| Bubble Group, Inc. |
22 W 21st Street, 2nd Floor, New York, NY 10010 |
| Google Cloud EMEA Ltd. |
70 Sir John Rogerson's Quay, Dublin 2, Ireland |
| Microsoft Ireland Operations Ltd. |
One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland |
2. Details of Sub-processor Processing Activities
Approved Sub-Processors Table
| APPROVED SUB-PROCESSOR |
SCOPE AND PURPOSE OF PROCESSING |
CATEGORIES OF PERSONAL DATA |
PROCESSING AND STORAGE LOCATIONS |
LEGAL BASIS FOR TRANSFER OF PERSONAL DATA OUTSIDE THE EU/EEA |
| Bubble Group, Inc. |
Hosts the application frontend and manages user accounts and application settings.
Explicit exclusion: No patient records, transcripts, audio, medical documents,
or other Personal Data concerning health are processed or stored by this sub-processor.
|
Non-sensitive application account data only:
- Name
- Email address
- Account and application settings
- Pseudonymised technical identifiers (e.g., user/session IDs, security logs)
Explicitly excluded: Any medical content, transcripts, audio streams, files, diagnoses, ICD codes, or other Personal Data concerning health.
|
United States (AWS infrastructure) |
Standard Contractual Clauses (SCCs) pursuant to EU Commission Implementing Decision (EU) 2021/914,
supplemented by additional technical and organisational measures where required.
|
| Google Cloud EMEA Ltd. |
Provides the secure backend infrastructure for the Services, including application hosting and private databases.
Medical content is stored for a maximum of 30 days. The retention period is configurable
by the customer and can be reduced at any time. Data can also be deleted manually by the customer at any time.
|
Personal Data concerning health (medical content), including transcripts and generated medical documentation;
and related identifiers required to provide secure access (e.g., pseudonymised encounter/session IDs).
|
Processing: European Union (EU).
Storage (medical content): Germany (Frankfurt, europe-west3).
|
Not applicable. Processing and storage for medical content occur exclusively within the EU, with storage in Germany.
|
| Microsoft Ireland Operations Ltd. |
Provides AI services for transient processing of medical content, including Speech-to-Text
(Azure STT) and medical note generation (Azure OpenAI).
|
Personal Data concerning health (transient): audio stream and transcript text processed for the purpose of generating documentation.
No audio recordings are stored.
|
European Union (EU): Speech-to-Text (West Europe); Generative AI (Germany West Central).
Storage of medical content remains in Germany (Frankfurt).
|
Not applicable. Processing occurs exclusively within the EU.
|
Additional Data Protection Provisions:
• The Data Processor may process aggregated and anonymised data (where feasible) or otherwise de-identified or
pseudonymised data for service analytics and product improvement only on the documented instruction of the
Data Controller and, where required, with valid patient consent.
• Where data is pseudonymised, it remains Personal Data and is protected under the DPA. Anonymous information,
as defined in Recital 26 GDPR, is not treated as Personal Data.
• Personal Data processed for the provision of the Services is not used to train general-purpose or foundation AI models.
• Encrypted backups containing Personal Data are retained on a rolling basis for up to 30 days
and are automatically overwritten thereafter, unless a longer retention period is required by applicable law.