This is an English translation provided for convenience. The legally binding version of this document is the German original (German original). In case of any discrepancy, the German version prevails.
Download PDF · Version 1.1 — Signature-ready PDF. Convenience translation; the German PDF is the legally binding version.
This agreement governs the processing of personal data by Lucid AI Labs (hereinafter "Processor") on behalf of the contracting clinic (hereinafter "Controller") within the scope of the voice agent service ("Voice Agent"). It forms the legal basis pursuant to Art. 28 para. 3 GDPR for any operational data processing within the scope of the main service.
In case of doubt, this DPA takes precedence over the main contract insofar as data protection is concerned.
The terms of the GDPR (Regulation (EU) 2016/679) apply, in particular Art. 4 No. 1 (personal data), No. 2 (processing), No. 7 (controller), No. 8 (processor), No. 12 (data breach) and No. 15 (health data in conjunction with Art. 9 para. 1).
Categories of data subjects:
Data categories (Art. 4 No. 1 GDPR):
Special categories of data (Art. 9 para. 1 GDPR): Health data to the extent that callers voluntarily disclose it in the conversation (e. g. "I have pain in my molar tooth"). Lawful basis: Art. 9 para. 2 lit. h GDPR (processing for healthcare provision within the scope of a treatment contract). The clinic, as a healthcare institution, is a professional secrecy holder within the meaning of § 203 StGB.
The Processor undertakes pursuant to Art. 28 para. 3 GDPR in particular the following (§§ 4.1–4.8 correspond to the minimum elements lit. a–h):
The Processor processes personal data exclusively on documented instruction of the Controller, including with regard to transfers to third countries (cf. § 9). If it is obliged to process by Union or Member State law, it informs the Controller of these legal requirements before the processing, unless the law in question prohibits such information on important grounds of public interest. Verbal instructions are confirmed in writing (including by email) without undue delay.
The Processor ensures that all persons authorised to process the personal data have committed themselves to confidentiality or are subject to a statutory obligation of secrecy. This applies in particular with regard to § 203 para. 4 StGB for assisting persons.
The Processor takes all necessary technical and organisational measures pursuant to Art. 32 GDPR. These are concretely set out in the Annex "Technical and Organisational Measures (TOM)" and cover at least: pseudonymisation and encryption (TLS 1.3 in transit, AES-256 at rest), availability and resilience (Hetzner hosting in Falkenstein/Nuremberg), procedures for regular review, access control (least privilege, audit logging).
The Controller grants the Processor general written authorisation pursuant to Art. 28 para. 2 sentence 2 GDPR for the engagement of the sub-processors listed in Annex A (List of Sub-Processors). The Annex A list in the version at the time of conclusion of the contract is separately approved by the clinic during onboarding (clickwrap confirmation with timestamp); the authorisation relates specifically to this snapshot version. The website version serves as an ongoing reference. In the case of engagement of further sub-processors or replacement of existing ones, the Processor informs the Controller at least 30 days in advance in text form and thereby gives it the opportunity to object to this change.
In the event of objection by the Controller, the parties negotiate in good faith on a solution. If no agreement can be reached within 14 days, either party may terminate the main contract without observing a notice period.
The Processor obligates every sub-processor to the same data protection obligations as in this DPA, in particular with regard to sufficient guarantees pursuant to Art. 32 GDPR.
The Processor supports the Controller, taking into account the nature of the processing, with appropriate technical and organisational measures in the fulfilment of the requests of data subjects pursuant to Chapter III GDPR (Art. 15 access, Art. 16 rectification, Art. 17 erasure, Art. 18 restriction, Art. 20 data portability, Art. 21 objection). Requests to the Processor are forwarded to the Controller within 5 working days.
The Processor supports the Controller, taking into account the nature of the processing and the information available to it, in the compliance with the obligations pursuant to Art. 32 to 36 GDPR, in particular with data protection impact assessments (Art. 35) and consultations with the supervisory authority (Art. 36).
After termination of the main contract, the Processor, at the choice of the Controller, deletes all personal data or returns it, insofar as no statutory retention obligations exist. The deletion is confirmed in text form on request. Standard deletion period after end of contract: 30 days for live data, 90 days for backup snapshots.
The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA. It enables and supports reviews by the Controller or an auditor mandated by the Controller (audits, inspections). The Controller may request one audit per calendar year with a notice period of 30 days; further audits in the case of substantiated suspicion (e. g. after a data breach) at any time without a notice period.
Should an instruction of the Controller in the opinion of the Processor infringe the GDPR or other data protection provisions, it informs the Controller without undue delay (Art. 28 para. 3 sentence 3 GDPR).
The Processor informs the Controller without undue delay, at the latest within 48 hours of becoming aware, of any breach of the protection of personal data (Art. 33 para. 2 GDPR). The notification contains at minimum: description of the nature of the breach, affected data categories and number of persons, likely consequences, measures taken or proposed.
The 72-hour notification obligation to the supervisory authority (Art. 33 para. 1 GDPR) remains an obligation of the Controller.
The TOM applicable at the time of signing the contract are listed separately in Annex A (encryption, physical access / system access / data access control, separability, availability, resilience, processing control, pseudonymisation). The Processor is entitled to further develop the TOM, provided that the protection level is not undershot. Material changes are communicated to the Controller.
Primary data storage (transcripts, metadata, application database) takes place in the European Union on servers of Hetzner Online GmbH (Falkenstein and Nuremberg, Germany). Certain sub-processors (speech synthesis, speech-to-text, telephony, LLM) process data in the USA or other third countries; see § 9 and Annex "Sub-Processors".
Insofar as processing takes place in third countries, the Processor ensures an adequate level of protection pursuant to Chapter V GDPR (Art. 44–49):
The Processor plays at the beginning of every call a clear, distinctly intelligible notice that the caller is interacting with an AI system (example: "You are speaking with the AI telephone assistant of the practice Dr. X. If you would prefer to speak with a human, simply say 'human'"). This obligation arises from Art. 50 AI Regulation (EU) 2024/1689; the applicability is dated to 2 August 2026. Lucid AI Labs fulfils this obligation ahead of schedule from the start of the contract.
By signing this DPA, the Controller expressly authorises the Processor as well as all sub-processors named in the Annex as "assisting persons" pursuant to § 203 para. 3 and 4 StGB. The assisting persons are obligated to secrecy by this DPA and by their own confidentiality obligations. The Processor only deploys persons who are obligated to confidentiality or are subject to a statutory obligation of secrecy.
Duty of cooperation of the Controller (patient information): The authorisation as "assisting persons" pursuant to § 203 para. 3 StGB does not replace the separate data protection information of patients pursuant to Art. 13/14 GDPR about the integration of the voice agent service (incl. the sub-processors with US relation listed in the Annex). The Controller ensures that patients, before making use of the practice telephony, are informed about (i) the use of an AI-supported reception service, (ii) the data flows including third-country transfer on the basis of SCC + DPF, and (iii) their data subject rights (Art. 15–22 GDPR). The Processor provides templates for this (practice notice, privacy policy snippet, telephone announcement).
Default: No permanent audio recording takes place. Voice data is processed transiently (streaming) and deleted within 60 seconds after generation of the transcript. Transcripts are stored.
Optional recording: Insofar as the Controller explicitly commissions an additional audio recording in the main contract (e. g. for quality assurance), an additional notice is played at the beginning of every call ("This call is recorded for quality assurance. If you do not agree with this, please say 'no recording'"). In the event of objection, the recording is immediately and verifiably deactivated. A recording without notice and possibility of consent does not take place under any circumstances, as this would constitute a violation of § 201 StGB.
Consent documentation (verifiability): If the recording is activated, the Processor documents per call: (a) call ID, (b) timestamp of the playing of the notice, (c) caller reaction (silence / explicit consent / objection) with timestamp, (d) recording status (started / prevented). Upon the objection word ("no", "do not record", "no recording") or upon detection of an objection by the soft classifier, the recording is stopped within 1 second and the previous audio buffer is irretrievably deleted. The consent logs are retained for the duration of the recording storage period (see § 11) and are to be presented to the Controller on request.
The Voice Agent provides no diagnosis, performs no triage and gives no medical assessments. For any substantive medical concern, an escalation to a human takes place. This functional limitation avoids a classification as a high-risk AI system pursuant to Annex III of the AI Regulation.
The functional limitation is implemented technically through the following safeguards:
docs/voice-agent-notruf-spec.md).The Processor ensures that an escalation to a human is possible at any time and that this takes place at the latest when (a) the caller expressly requests this, (b) the confidence level of the model falls below the agreed threshold (default: 75 %), or (c) a substantive medical concern is detected.
The liability of the parties follows the main contract and, additionally, Art. 82 GDPR. In the case of breaches of duty that are attributable exclusively to fault of the Controller (e. g. insufficient own privacy policy), the liability of the Processor lapses. A professional liability insurance exists (Hiscox IT, 500,000 € insured sum).
This DPA ends with the main contract. A separate termination is not required. § 4.7 (return / deletion) applies independently of the reason for termination.
Complete current list: /sub-processors. Excerpt as of 12 May 2026:
Upon clicking "I accept the DPA" in the onboarding portal or by conclusive conduct (commencement of use of the voice agent service), this agreement enters into force. The acceptance record (user ID, timestamp, IP address, DPA version) is stored in the table avv_acceptances (Art. 28 para. 9 GDPR fulfilled, electronic form). The signature-ready PDF is available via the download button at the top; for a clinic-specific filled-in variant (Annex A snapshot, agreed TOM adjustments), write to [email protected].