Is Nixi AI secure enough for my practice?
Compliance posture.
The legal frameworks and infrastructure standards Nixi AI adheres to. Where we stand. With data, not marketing claims.
Legal & regulatory compliance
GDPR
Data processor under Art. 28. DPA is part of every contract.
✓ Full
§203 StGB
Nixi AI is integrated as an 'auxiliary person' (§203 para. 3 StGB, 2017 reform) into medical confidentiality.
✓ Integrated
§393 SGB V
Mandatory since July 2025. Nixi AI satisfies the requirement via attested infrastructure.
✓ Fulfilled
EU AI Act
Full applicability for high-risk AI expected August 2026. Nixi AI actively tracks the timeline.
◐ In Progress
Infrastructure compliance
BSI C5
Nixi AI runs on BSI C5-certified cloud infrastructure. Nixi AI itself does not hold a C5 attestation.¹
✓ Infrastructure
¹ The C5 certification refers to the cloud infrastructure provider, not to Nixi AI itself.
Hosting and Data Architecture.
All patient data is processed in the EU and stored in Frankfurt, Germany. Encrypted in transit (TLS 1.3) and at rest (AES-256). Cloud infrastructure carries BSI C5 attestation; data never leaves the EU.
| Item | Detail |
|---|---|
| Location | Frankfurt am Main, Germany |
| Jurisdiction | German law (StGB, TMG, GDPR) |
| Encryption at rest | AES-256 |
| Encryption in transit | TLS 1.3 |
| US data transfer | No. Excluded |
| CLOUD Act risk | None. Nixi AI is a German company subject exclusively to German/EU law |
| On-premise option | On request, Enterprise tier |
Data Flow
Consultation
The doctor speaks with the patient. Nixi AI listens via microphone.
No permanent audio storage on the device
Encrypted Transfer
Audio is transmitted over TLS 1.3 to the Nixi AI server in Frankfurt.
Processing
Audio is transcribed and a structured clinical note draft is generated on EU infrastructure in Frankfurt.
Result
The finished draft is sent back encrypted. The doctor reviews, corrects, and approves.
Audio Deletion
Audio is deleted after processing. No permanent storage, no backup, no archive.
For enterprise customers with strict internal IT policies, we offer on-premise installation on request. All data stays entirely within your own infrastructure.
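As an added illustration (example code, not Nixi AI's implementation), the following Python sketch implements the two guarantees in the data flow above: a server-side TLS context that completes a handshake only over TLS 1.3, and a per-request scratch directory that is wiped in a `finally` block so audio cannot outlive the request, even when the model crashes halfway through. The transcriber, the receipt type, the scratch paths and the sample recording are constructed stand-ins.

```python
"""Added illustration of the data-flow guarantees described above (TLS 1.3-only
transport, audio that lives only for the duration of one request). This is
example code, not Nixi AI's implementation; the transcriber is a constructed
stand-in and the paths are hypothetical."""
import hashlib
import ssl
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Optional, Tuple


def build_server_tls_context() -> ssl.SSLContext:
    """Server-side context that completes a handshake only over TLS 1.3.

    Pinning both bounds means a peer offering only TLS 1.2 is rejected instead
    of silently negotiating down, which is what 'TLS 1.3 in transit' should mean.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def transport_is_tls13_only(ctx: ssl.SSLContext) -> bool:
    """Check a practice's IT team could apply to any context they are handed."""
    return (ctx.minimum_version == ssl.TLSVersion.TLSv1_3
            and ctx.maximum_version == ssl.TLSVersion.TLSv1_3)


@dataclass(frozen=True)
class ProcessingReceipt:
    """Returned to the client: the draft plus evidence that the audio is gone."""
    draft: str
    audio_sha256: str        # identifies what was processed, without keeping it
    scratch_files_left: int  # must be 0 once the request has completed


def transcribe_stub(audio: bytes) -> str:
    """Constructed stand-in for the speech-to-text step (hypothetical)."""
    return f"[transcript of {len(audio)} audio bytes]"


def count_scratch_files(scratch_root: Path) -> int:
    """Audit helper: number of files anywhere under the scratch root."""
    return sum(1 for p in scratch_root.rglob("*") if p.is_file())


def process_consultation(audio: bytes, scratch_root: Path,
                         transcribe: Callable[[bytes], str] = transcribe_stub) -> ProcessingReceipt:
    """Transcribe one recording in a per-request scratch directory, then delete it.

    Deletion sits in a finally block so the audio does not survive the request
    even when the model raises halfway through.
    """
    digest = hashlib.sha256(audio).hexdigest()
    scratch = Path(tempfile.mkdtemp(dir=scratch_root))
    try:
        audio_path = scratch / "consultation.raw"
        audio_path.write_bytes(audio)
        transcript = transcribe(audio_path.read_bytes())
        draft = f"Clinical note draft (for physician review):\n{transcript}"
    finally:
        # Best-effort overwrite before unlinking (no guarantee on SSDs or
        # copy-on-write file systems), then drop the whole request directory.
        for f in scratch.iterdir():
            with open(f, "r+b") as fh:
                fh.write(b"\x00" * f.stat().st_size)
            f.unlink()
        scratch.rmdir()
    return ProcessingReceipt(draft, digest, count_scratch_files(scratch_root))


def run_demo(fail: bool = False) -> Tuple[Optional[ProcessingReceipt], int]:
    """Run one constructed recording through the pipeline in a fresh scratch root.

    Returns the receipt (None if the model crashed) and the number of files left
    under the root afterwards, which should be 0 on both paths.
    """
    root = Path(tempfile.mkdtemp(prefix="consultation-scratch-"))
    audio = bytes(range(256)) * 4  # constructed 1024-byte "recording"

    def broken_model(_: bytes) -> str:
        raise RuntimeError("model crashed mid-request")

    try:
        receipt = process_consultation(audio, root, broken_model if fail else transcribe_stub)
    except RuntimeError:
        receipt = None
    return receipt, count_scratch_files(root)


if __name__ == "__main__":
    receipt, left = run_demo()
    print(receipt.draft)
    print("audio sha256:", receipt.audio_sha256, "| scratch files left:", left)
    print("TLS 1.3 only:", transport_is_tls13_only(build_server_tls_context()))
```

`transport_is_tls13_only` is the shape of check a practice's IT department can apply to any `SSLContext` it controls when a vendor claims a minimum protocol version; `count_scratch_files` is the kind of evidence a deletion guarantee should be able to produce on demand, and running it on the crash path is the test that matters, because a deletion step that only runs on success is not a guarantee.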
What Nixi AI deliberately does not do.
Five things we contractually exclude. Spelled out in the DPA.
No permanent audio storage.
Audio is used exclusively for processing and then deleted. No archive, no backup, no 'stored for quality purposes.'
No data transfer to the US.
Nixi AI GmbH is based in Wiesbaden, Germany. All data stays in Germany. No CLOUD Act, no Schrems II risk.
No sharing with third parties.
Patient data is not shared with advertising partners, data brokers, research institutions or other third parties.
No autonomous clinical decisions.
Nixi AI creates a documentation draft. The doctor reviews, corrects, and approves. Nixi AI makes no diagnostic or therapeutic decisions.
Compliance Documents: Everything in one place.
All documents your data protection officer, IT department or audit requires.
Enterprise RFI Pack
Pre-assembled procurement pack for hospitals + MVZ networks: architecture diagram, BSI C5 attestation reference, sample DPA, Art. 30 record, TOM summary, and model-card document for Dedicated / On-Premise deployments.
Data Processing Agreement (DPA)
Individually signed under Art. 28 GDPR. Covers processing purpose, deletion periods, sub-processors, AI training exclusion and audit rights.
Terms of Service
Complete terms of use for Nixi AI.
Privacy Policy (Product)
How Nixi AI processes data in the product. Separate from the website privacy policy.
Patient Consent Template
Template notice for your practice. Short, clear, ready to use.
DPIA Guidance
Template for Data Protection Impact Assessment under Art. 35 GDPR when introducing AI documentation.
Sub-processor List
Transparent list of all sub-processors with location and purpose.
Technical and Organizational Measures (TOM)
Summary of technical and organizational security measures under Art. 32 GDPR.
These documents do not constitute legal advice. Coordinate implementation with your data protection officer.
Sub-processors.
The service providers Nixi AI uses to operate the product. Each processes data on our behalf under contract per Art. 28 GDPR. Matches the list in the Privacy Policy.
| Sub-processor | Purpose | Location | Patient data |
|---|---|---|---|
| Microsoft Azure | AI processing (AI services) | EU (Frankfurt) | |
| Google Cloud (Vertex AI) | AI model (AI services) | EU | |
| Stripe | Payments (payment processing) | EU + US (SCC/DPF) | No PHI |
| Sentry | Error monitoring | EU | No PHI |
| Mailgun (Sinch) | Transactional email | EU | No PHI |
Marketing-site processors (analytics, demo scheduler) are listed in the Website Privacy Policy.
Frequently Asked Questions about Security and Compliance
Where is my patient data stored?
All patient data is processed in the EU and stored in Frankfurt, Germany. Data does not leave the EU at any point. Encrypted in transit (TLS 1.3) and at rest (AES-256).
Does Nixi AI have a BSI C5 certificate?
Nixi AI runs on BSI C5-certified cloud infrastructure. The C5 certification refers to the infrastructure provider, not Nixi AI itself. We deliberately disclose this distinction.
Is my patient data used to improve the service?
Audio is not stored. De-identified data may be used to improve the model under the terms of the DPA. Patient data is never sold or shared with third parties. See the Privacy Policy for the full mechanism.
How is medical confidentiality under §203 StGB maintained?
Nixi AI is integrated as an 'auxiliary person' under §203 para. 3 StGB (2017 reform) into medical confidentiality. The DPA contains the obligation to data secrecy. This is the same mechanism used by EMR providers and billing services.
Can I audit Nixi AI?
Yes. The DPA grants an audit right under Art. 28(3)(h) GDPR. You can verify compliance at any time, through your own review, through your DPO, or through an external auditor.
What happens to audio after documentation?
Audio is deleted after processing. No permanent storage, no backup, no archive, no 'stored for quality purposes.' This deletion is contractually guaranteed in the DPA.
Updates.
Recent changes to Nixi AI's security and privacy posture. Newest first.
DPA request flow consolidated
The dedicated /legal/request-dpa page was retired. Visitors now request the DPA (and every other compliance document) from this page's modal-driven document checklist.