Data Processing Agreement

Pursuant to Swiss FADP and EU GDPR Article 28

Article 1 - Definitions

In this Agreement, the following definitions apply:

1. "Personal Data" means any information relating to an identified or identifiable natural person.
2. "Processing" means any operation performed on Personal Data.
3. "Sub-processor" means any third party engaged by the Processor.

Article 2 - Subject Matter and Duration

2.1 This Agreement governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the AIAgens AI assistant services.

2.2 This Agreement shall come into force on the date of last signature and shall remain in effect for the duration of the main service agreement.

Article 3 - Scope of Processing

The Processor shall process the following categories of Personal Data:

• Contact information (name, phone number, email)
• Appointment details (date, time, appointment type)
• Communication metadata (call duration, timestamps)

Important Note: By default, AIAgens does not retain voice audio and conversation text beyond the duration of the interaction. AIAgens operates with zero retention — all voice and conversation data is processed in real-time and never stored. Call recording and transcription are disabled by default. Long-term retention of triage outcomes in the patient's medical record is the sole responsibility of the controller (healthcare provider) in accordance with applicable professional retention obligations.

Article 4 - Obligations of the Processor

The Processor shall:

1. Process Personal Data only on documented instructions from the Controller;
2. Ensure that persons authorized to process Personal Data are committed to confidentiality;
3. Implement appropriate technical and organizational measures;
4. Comply with the conditions for sub-processors under Article 5;
5. Assist the Controller in fulfilling its obligations.

Article 5 - Sub-processing

5.1 The Controller hereby grants general authorization for the engagement of sub-processors.

5.2 The Processor shall inform the Controller of any changes to sub-processors and give the Controller the opportunity to object.

5.3 Current sub-processors are listed at /sub-processors.

Article 6 - Data Subject Rights

The Processor shall assist the Controller in responding to data subject requests regarding:

• Right of access
• Right to rectification
• Right to erasure
• Right to data portability

Response time for requests is 72 hours.

Article 7 - Security Measures

The Processor implements and maintains the following security measures:

• TLS 1.3 encryption for all data transmissions
• AES-256 encryption for data at rest
• Infrastructure hosted on SOC 2 Type II certified providers
• Regular security audits and penetration testing
• Access controls and audit logging

Article 8 - Breach Notification

8.1 The Processor shall notify the Controller without undue delay after becoming aware of a confirmed personal data breach, in accordance with Art. 33 GDPR.

8.2 Notification shall include all relevant information per Art. 33 GDPR / Art. 24 FADP.

Article 9 - Audit Rights

9.1 The Processor shall make available upon request current SOC 2 Type II reports.

9.2 On-site audits may be conducted with reasonable notice (30 days) and at the Controller's expense.

Article 10 - Termination

10.1 Upon termination, the Processor shall delete all Personal Data within 30 days unless longer retention is required by law.

10.2 Upon request, the Processor shall provide a certificate of deletion.

Article 11 - Governing Law

This Agreement shall be governed by Swiss law. The place of jurisdiction is Lugano, Switzerland.