Nixi AI Data Processing Agreement

Last Updated: October 7, 2025

This Data Processing Agreement ("DPA") is entered into between: (1) The Customer: The legal entity that has executed a Service Agreement for the use of Nixi AI's services ("Data Controller"); and (2) The Provider: Nixi AI, a partnership established under the laws of Germany, with its principal place of business at Adolfsallee 14, 65185 Wiesbaden, Germany ("Data Processor"); (each a "Party" and together the "Parties").

BACKGROUND

A. The Data Controller and the Data Processor have entered into an agreement for the provision of the Data Processor's services (the "Service Agreement"). This DPA forms an integral part of and is subject to the Service Agreement.

B. In the course of providing the services under the Service Agreement, the Data Processor will process certain personal data on behalf of the Data Controller. Consequently, the Data Controller acts as a controller and the Data Processor acts as a processor within the meaning of the GDPR.

C. This DPA sets out the terms and conditions that govern the Data Processor's Processing of Personal Data on behalf of the Data Controller.

D. The purpose of this DPA is to ensure that the processing of personal data complies with the requirements of Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR").

E. This DPA does not exempt the Data Processor from its own direct obligations under the GDPR or any other applicable data protection laws.

1. STRUCTURE OF THE AGREEMENT

1.1. This Data Processing Agreement ("DPA") consists of this main body and the following annexes, which form an integral part hereof:

  • Annex A: Details of Processing
  • Annex B: Technical and Organisational Measures
  • Annex C: Approved Sub-processors

1.2. In the event of any conflict between the terms of this DPA and the Service Agreement, the terms of this DPA shall prevail with regard to the subject matter of data processing.

1.3. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Service Agreement.

2. DEFINITIONS

2.1. Terms such as "Personal Data," "Processing," "Data Subject," "Personal Data Breach," and "Supervisory Authority" shall have the meanings ascribed to them in the GDPR.

2.2. In this DPA, the following terms shall have the following meanings:

| Term | Definition | Applicable Data Protection Law |
|---|---|---|
| Applicable Data Protection Law | All laws and regulations applicable to the Processing of Personal Data, including the GDPR and any relevant national implementing legislation. | Yes |
| Approved Purpose | The Data Processor's Processing of Personal Data as necessary to provide the Services under the Service Agreement and as further instructed in writing by the Data Controller in accordance with this DPA. | Yes |
| Services | The services to be provided by the Data Processor to the Data Controller as specified in the Service Agreement. | Yes |
| Standard Contractual Clauses (SCCs) | The standard contractual clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended, superseded, or replaced. | Yes |
| Sub-processor | Any third-party processor engaged by the Data Processor who Processes Personal Data in accordance with this DPA. Approved Sub-processors are listed in Annex C. | Yes |

3. OBLIGATIONS OF THE DATA PROCESSOR

The Data Processor undertakes to:

3.1. Purpose Limitation: Process Personal Data solely for the Approved Purposes and in accordance with the Data Controller's documented instructions as set out in Annex A. If the Data Processor considers an instruction to infringe Applicable Data Protection Law, it shall immediately inform the Data Controller.

3.2. Confidentiality: Ensure that all persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3. Security: Implement the appropriate technical and organisational measures specified in Annex B to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. The principles of data protection by design and by default shall be observed.

3.4. Sub-processing: Not engage any Sub-processor without the prior specific or general written authorisation of the Data Controller. The Data Processor shall ensure that any engaged Sub-processor is bound by data protection obligations that are at least as protective as those in this DPA. Approved Sub-processors are listed in Annex C.

3.5. Assistance with Data Subject Rights: Taking into account the nature of the Processing, assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligation to respond to requests for exercising the Data Subject's rights laid down in Chapter III of the GDPR.

3.6. Personal Data Breach Notification: Notify the Data Controller without undue delay after becoming aware of a Personal Data Breach, providing the Data Controller with sufficient information to allow them to meet their own notification obligations under the GDPR.

3.7. Assistance with Compliance: Assist the Data Controller in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR (Security of Processing, Breach Notification, and Data Protection Impact Assessments), taking into account the nature of the Processing and the information available to the Data Processor.

3.8. Data Deletion or Return: At the choice of the Data Controller, delete or return all Personal Data to the Data Controller after the end of the provision of services relating to Processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.

3.9. Audits and Inspections: Make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

3.10. Transfers to Public Authorities: Notify the Data Controller of any legally binding request for disclosure of the Personal Data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.

4. OBLIGATIONS OF THE DATA CONTROLLER

4.1. Lawfulness of Processing: The Data Controller is solely responsible for the accuracy, quality, and legality of the Personal Data and the means by which it acquired the Personal Data. The Data Controller warrants that it has a valid legal basis for the Processing of all Personal Data as contemplated by the Service Agreement and this DPA.

4.2. Documented Instructions: The Data Controller shall provide all instructions to the Data Processor in writing (including by email) and ensure such instructions are in compliance with Applicable Data Protection Law.

4.3. Processor Compliance: The Data Controller is responsible for ensuring, throughout the duration of the Processing, that the Data Processor's activities align with its instructions and the agreed-upon terms of this DPA.

4.4. Supervision and Audits: The Data Controller has the right to supervise the Processing, which includes conducting audits and inspections of the Data Processor to verify compliance with this DPA.

  1. Audits shall be carried out at the Data Controller's exclusive expense.
  2. The Data Controller shall provide the Data Processor with at least thirty (30) working days' prior written notice of any audit or inspection.
  3. Audits shall be conducted during the Data Processor's normal business hours and shall not unreasonably disrupt the Data Processor's business activities.
  4. The Data Processor shall cooperate with the audit and provide access to the information and personnel reasonably necessary to demonstrate compliance.
  5. The Data Processor may object to an auditor appointed by the Data Controller if the auditor is, in the Data Processor's reasonable opinion, not suitably qualified or is a direct competitor of the Data Processor. In such an event, the Data Controller shall appoint another auditor.

5. DATA STORAGE AND INTERNATIONAL TRANSFERS

5.1. Data Segregation

The Data Processor utilizes a segregated infrastructure to distinguish between categories of Personal Data. The location of Processing is dependent on the data category as defined below.

5.2. Processing of Sensitive Data

All sensitive Personal Data, including any Protected Health Information (PHI), shall be stored and Processed exclusively within the European Union (EU). The primary storage location is Frankfurt, Germany. This data shall not be transferred outside the EU.

5.3. International Transfer of Non-Sensitive Application Data

Non-sensitive application data (as defined in Annex A) may be transferred to and processed in the United States by an approved Sub-processor. Such transfers are legitimized and protected by the execution of the Standard Contractual Clauses (SCCs) between the Data Processor and the relevant Sub-processor.

6. USE OF SUB-PROCESSORS

6.1. General Authorization. The Data Controller provides a general written authorization for the Data Processor to engage the Sub-processors listed in Annex C.

6.2. Sub-processor Obligations. The Data Processor shall enter into a written agreement with each Sub-processor that imposes data protection obligations that are at least as protective as those set out in this DPA. The Data Processor shall ensure that the Sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures in compliance with the GDPR.

6.3. Changes to Sub-processors. The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days in advance, thereby giving the Data Controller the opportunity to object to such changes. If the Data Controller objects, the Parties shall discuss in good faith a commercially reasonable resolution.

6.4. Onward Liability. The Data Processor shall remain fully liable to the Data Controller for the performance of a Sub-processor's data protection obligations.

7. RESTRICTED TRANSFERS OF PERSONAL DATA

General Principle

7.1. Personal Data shall only be processed within the European Economic Area (EEA) or a jurisdiction deemed adequate by the European Commission, except where a valid transfer mechanism is in place.

Transfer Mechanism

7.2. For any transfer of Personal Data from the Data Processor to an approved Sub-processor located in a third country not recognized as adequate (a "Restricted Transfer"), such transfer shall be governed by the Standard Contractual Clauses (SCCs).

Mandate to Execute SCCs

7.3. The Data Controller hereby grants the Data Processor a mandate to enter into the Standard Contractual Clauses, specifically Module Three (Processor to Sub-processor), with any approved Sub-processor on the Data Controller's behalf to legitimize a Restricted Transfer.

Continued Liability

7.4. The use of SCCs does not relieve the Data Processor of its obligations under this DPA. The Data Processor remains fully liable to the Data Controller for the performance of the Sub-processor's obligations as specified in Section 6.4.

8. DATA SUBJECT RIGHTS

8.1. Controller's Responsibility. The Data Controller is solely responsible for providing information to Data Subjects regarding the Processing of their Personal Data and for managing requests to exercise their rights.

8.2. Processor's Assistance. The Data Processor shall, taking into account the nature of the Processing, assist the Data Controller by appropriate technical and organisational measures with fulfilling its obligation to respond to requests from Data Subjects. If a Data Subject sends a request directly to the Data Processor, the Data Processor shall promptly forward the request to the Data Controller's designated contact person.

9. SECURITY OF PROCESSING

9.1. General Commitment. The Data Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures shall ensure a level of security appropriate to the risk.

9.2. Specific Measures. The Data Processor undertakes to implement, at a minimum, the technical and organisational measures set out in Annex B. The Data Processor reserves the right to update these measures, provided that such updates do not result in a material degradation of the overall security of the Services.

10. PERSONAL DATA BREACH MANAGEMENT

10.1. Notification. In the event of a Personal Data Breach, the Data Processor shall notify the Data Controller without undue delay, and in any event no later than forty-eight (48) hours after becoming aware of it. The notification shall be sent to the Data Controller's designated contact person.

10.2. Information Provided. The notification shall, as far as possible, include:

  • The nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned;
  • The likely consequences of the Personal Data Breach;
  • The measures taken or proposed to be taken by the Data Processor to address the breach and mitigate its possible adverse effects; and
  • The name and contact details of the Data Processor's point of contact for more information.

10.3. Cooperation. The Data Processor shall provide the Data Controller with reasonable cooperation and assistance required to fulfil the Data Controller's own data breach notification obligations under the GDPR.

11. GOVERNMENT REQUESTS AND LEGAL OBLIGATIONS

11.1. Requests for Disclosure. The Data Processor shall promptly notify the Data Controller of any legally binding request from a law enforcement or other governmental authority for the disclosure of Personal Data, unless prohibited by law. If legally permissible, this notification shall be provided to the Data Controller before the Data Processor discloses any Personal Data.

11.2. Legally Mandated Retention. If the Data Processor is required by applicable law to retain any Personal Data where it would otherwise be required to be deleted or returned under Section 3.8, it shall notify the Data Controller of this retention requirement. The obligations of confidentiality and security as set out in Section 9 shall continue to apply to such retained Personal Data.

12. LIABILITY

12.1. The liability of each Party under this DPA shall be subject to the limitations and exclusions of liability set out in the Service Agreement. For the avoidance of doubt, any reference to liability in the Service Agreement shall be interpreted to include liability under this DPA.

ANNEX A: DETAILS OF PROCESSING

This Annex forms part of the DPA and describes the details of the Processing of Personal Data by the Data Processor on behalf of the Data Controller.

Subject-Matter and Nature of the Processing

The Data Processor provides a software service that uses AI to transcribe medical consultations and generate structured medical documentation. Processing involves receiving transient audio/file data, generating text, storing the text securely for a limited period, and managing user accounts.

Purpose of the Processing

The sole purpose of the Processing is to provide the services subscribed to by the Data Controller under the Service Agreement, including transcription, document generation, secure storage, and user authentication.

Duration of the Processing

For the duration of the Service Agreement, unless otherwise specified below.

Details of Processing Activities

| Processing Activity | Purpose | Categories of Personal Data | Categories of Data Subjects | Storage / Retention Period |
|---|---|---|---|---|
| User Account & Service Management | To authenticate and secure user access; manage service settings and metadata. | Non-Sensitive Data: User's name, email address, non-sensitive settings. Pseudonymized identifiers for patients/encounters. | Medical Professionals (Users) | For the duration of the Service Agreement. |
| Audio Transcription | To convert the spoken medical consultation into a written digital transcript. | Sensitive Data (Transient): Audio stream of the medical consultation. May contain any category of Protected Health Information (PHI) discussed. | Patients, Medical Professionals | Transient Processing Only: The audio stream is processed in-memory and is deleted immediately after transcription. It is never stored. |
| Medical Document Generation | To use AI to analyze the transcript and generate structured medical notes, letters, or billing documents. | Sensitive Data (PHI): Transcript content, generated medical text, ICD-10 codes. | Patients, Medical Professionals | User-configurable from 1 to 30 days. Data is automatically and permanently deleted after the selected period. |
| File Content Extraction (OCR) | To extract text from user-uploaded files (e.g., PDFs, images) for inclusion in medical documents. | Sensitive Data (Transient): Content of uploaded files. May contain any category of PHI present in the file. | Patients, Medical Professionals | Transient Processing Only: Files are processed for text extraction and are deleted immediately. They are never stored. |
| Secure Storage of PHI | To provide the user with secure access to their generated transcripts and medical documents. | Sensitive Data (PHI): All generated transcripts and medical documents created within the service. | Patients, Medical Professionals | User-configurable from 1 to 30 days. Data is automatically and permanently deleted after the selected period. |

Additional Processing Notes:

  1. Data Retention: The retention period for all sensitive PHI (transcripts and generated documents) is explicitly controlled by the user and can be set from a minimum of one (1) day to a maximum of thirty (30) days. After this period expires, the data is automatically and permanently deleted from the Data Processor's systems.
  2. Service Improvement: The Data Processor may use fully anonymized and aggregated data for service analytics and product improvement. This data is stripped of all personal identifiers and cannot be reverse-engineered to identify any Data Subject.

ANNEX B: TECHNICAL AND ORGANISATIONAL MEASURES (Revised)

Pursuant to Article 32 of the GDPR, the Data Processor shall implement and maintain the following technical and organisational measures to ensure a level of security appropriate to the risk of the Processing.

Security Principle (GDPR Article 32) / Implemented Measures

Pseudonymisation and Encryption of Personal Data
  • All data is encrypted in-transit between the user, Nixi AI services, and sub-processors using industry-standard TLS protocols (HTTPS).
  • All databases and storage are encrypted at-rest.
  • Data Segregation: Sensitive Protected Health Information (PHI) is stored in a physically and logically separate infrastructure from non-sensitive application data.
  • Transient Data Handling: Audio streams and user-uploaded files are processed in-memory and are immediately and permanently deleted after processing. They are never stored at rest.
The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • Strict Access Control: The platform operates on a "zero-trust" model. A user can only access data that they have explicitly created, which is enforced programmatically on every data request via a secure authentication system.
  • Private Networking: All backend services that handle sensitive data (API and database) are isolated from the public internet and communicate exclusively over a secure Google Cloud private network (VPC).
  • Data Residency: All sensitive PHI is stored and processed exclusively within Google Cloud's europe-west3 region (Frankfurt, Germany) to ensure data sovereignty.
  • Personnel Access: Access to production environments by authorized Nixi AI personnel is strictly limited on a need-to-know basis, logged, and requires multi-factor authentication (MFA).
The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
  • The services are built on a resilient, high-availability cloud infrastructure (Google Cloud Platform).
  • Secure, automated, and tested backups of databases containing Personal Data are performed regularly to ensure data integrity and the ability to restore the service in a timely manner.
A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
  • Backend Security: The backend infrastructure is built on Google Cloud Platform (GCP), leveraging Google's robust, enterprise-grade security model, which is subject to regular independent audits against international security standards.
  • Frontend & Application Security: The frontend web application, hosted by Bubble Group, Inc., is subject to their regular third-party penetration testing. Additionally, Nixi AI engages Flusk.eu to perform continuous automated security monitoring of the application, including weekly and monthly vulnerability checks with 24/7 alerting for potential security issues.
  • Secure Development: Security is integrated into the software development lifecycle, including mandatory code reviews and vulnerability scanning before deployment.

ANNEX C: APPROVED SUB-PROCESSORS

The Data Controller provides general authorization for the Data Processor to engage the sub-processors listed below, in accordance with the terms of the DPA.

1. List of Approved Sub-processors

| Company Name | Registered Address |
|---|---|
| Bubble Group, Inc. | 22 W 21st Street, 2nd Floor, New York, NY 10010 |
| Google Cloud EMEA Ltd. | 70 Sir John Rogerson's Quay, Dublin 2, Ireland |
| Microsoft Ireland Operations Ltd. | One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland |



2. Details of Sub-processor Processing Activities

| APPROVED SUB-PROCESSOR | SCOPE AND PURPOSE OF PROCESSING | CATEGORIES OF PERSONAL DATA | PROCESSING AND STORAGE LOCATIONS | LEGAL BASIS FOR TRANSFER OF PERSONAL DATA OUTSIDE THE EU/EEA |
|---|---|---|---|---|
| Bubble Group, Inc. | Hosts the application frontend and stores all non-sensitive, non-medical application data. | Non-Sensitive Data: User's name, non-sensitive settings, pseudonymized identifiers. | United States (on AWS infrastructure) | The Standard Contractual Clauses (SCCs) |
| Google Cloud EMEA Ltd. | Provides the secure, private backend infrastructure, including application hosting (Cloud Run) and the private database (Cloud SQL) for all sensitive data. | Sensitive Data (PHI): User's email address, transcripts, generated medical documents, ICD-10 codes. | Germany (Frankfurt, europe-west3 region) | Not Applicable. All data is processed and stored exclusively within the European Union. |
| Microsoft Ireland Operations Ltd. | Provides AI services for transient processing of sensitive data, including Speech-to-Text (Azure STT) and medical note generation (Azure OpenAI). | Sensitive Data (PHI): Audio stream (transient), transcript text (transient). | European Union (Speech-to-Text: West Europe; Generative AI: Germany West Central) | Not Applicable. All data is processed and stored exclusively within the European Union. |