Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the agreement governing the use of the services provided by Virtuosis Artificial Intelligence SA and, where applicable, its affiliates identified in the applicable Order Form or agreement (“Virtuosis”,“we”, “us”, or “Processor”) to the customer identified in the applicable Order Form, online subscription, statement of work, or other agreement (“Customer”,“you”, or “Controller”).

This DPA applies where Virtuosis processes Personal Data on behalf of Customer in connection with the Virtuosis Service, including the Virtuosis Teams App, Virtuosis Web Application, Virtuosis API, or any other Virtuosis service described in the applicable agreement or order form (the “Service”).

This DPA is intended to satisfy the requirements of Article 28 of Regulation (EU) 2016/679 (“GDPR”), the Swiss Federal Act on Data Protection (“FADP”), and other applicable privacy and data protection laws.

If there is a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data, unless the Standard Contractual Clauses or other mandatory data transfer terms require a different result. If there is a conflict between this DPA and any applicable Standard Contractual Clauses, the Standard Contractual Clauses shall prevail for the relevant international data transfer.

1. Definitions

1.1 “Agreement” means the Terms of Service, the applicable Order Form, this DPA, the Privacy Policy, any applicable Standard Contractual Clauses, and any other written agreement governing Customer’s use of the Service.

1.2 “Applicable Data Protection Laws” means all privacy, data protection, and data security laws applicable to the processing of Personal Data under the Agreement, including, where applicable, the GDPR, the FADP, and any implementing or supplementary national laws.

1.3 “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Special Categories of Personal Data” have the meanings given to them under Applicable Data Protection Laws.

1.4 “Customer Personal Data” means Personal Data processed by Virtuosis on behalf of Customer in connection with the Service.

1.5 “Content” means audio recordings, audio streams, files, metadata, account information, questionnaire responses, clinical or wellbeing inputs, generated insights, outputs, reports, and any other data submitted to, generated through, or made accessible to Virtuosis by or on behalf of Customer or its Permitted Users through the Service.

1.6 “Permitted Users” means individuals authorized by Customer to access or use the Service, including Customer’s employees, contractors, clinicians, agents, patients, beneficiaries, end users, or other users, as applicable.

1.7 “Sub-processor” means any third party engaged by Virtuosis to process Customer Personal Data on behalf of Customer.

2. Parties and roles

2.1 For the purposes of this DPA, Customer is the Controller of Customer Personal Data and Virtuosis is the Processor of Customer Personal Data, except where the parties expressly agree otherwise in writing.

2.2 Where Customer acts as a processor on behalf of a third-party controller, Customer represents and warrants that it is authorized to instruct Virtuosis to process Customer Personal Data and that its instructions to Virtuosis are lawful and consistent with the instructions of the relevant controller.

2.3 Virtuosis may process certain Personal Data as an independent controller, including business contact data, billing data, website data, customer relationship data, security logs, and usage data processed for Virtuosis’ own legal, administrative, security, compliance, or commercial purposes. Such processing is governed by Virtuosis’ Privacy Policy and is not covered by this DPA, except to the extent required by Applicable Data Protection Laws.

3. Subject matter and duration of processing

3.1 The subject matter of the processing is Virtuosis’ provision of the Service to Customer under the Agreement.

3.2 The duration of processing is the term of the Agreement and any additional period during which Virtuosis processes Customer Personal Data for deletion, return, backup, legal compliance, dispute resolution, audit, or security purposes, in accordance with the Agreement and this DPA.

4. Nature and purpose of processing

4.1 Virtuosis processes Customer Personal Data to provide, operate, secure, maintain, support, and improve the Service in accordance with the Agreement and Customer’s documented instructions.

4.2 Depending on the Service configuration, the processing may include:

(a) collection, receipt, upload, transmission, or ingestion of audio recordings, audio streams, files, or associated metadata;

(b) conversion, standardization, segmentation, feature extraction, model inference, analysis, or other automated processing of audio or related inputs;

(c) generation of communication, wellbeing, screening, monitoring, clinical decision-support, or other health-related insights, scores, reports, outputs, or suggestions;

(d) hosting, storage, backup, retrieval, display, export, deletion, and support of Customer Personal Data;

(e) account administration, authentication, access control, logging, audit, troubleshooting, security monitoring, and incident response;

(f) service maintenance, performance monitoring, quality assurance, and error correction; and

(g) other processing described in the applicable Order Form, statement of work, product documentation, or written instructions from Customer.

4.3 Virtuosis shall not process Customer Personal Data for purposes outside the Agreement or Customer’s documented instructions, unless required by applicable law. If Virtuosis is required by law to process Customer Personal Data outside Customer’s instructions, Virtuosis shall inform Customer before such processing unless legally prohibited from doing so.

5. Categories of Data Subjects

Customer Personal Data may relate to the following categories of Data Subjects, depending on Customer’s use of the Service:

(a) Customer’s employees, contractors, consultants, representatives, clinicians, care teams, or other workforce members;

(b) Customer’s patients, beneficiaries, insured persons, students, members, users, applicants, or other end users;

(c) participants in research, clinical studies, pilots, evaluations, or validation projects;

(d) speakers or other individuals whose voice, audio, metadata, or related information is submitted to the Service;

(e) Customer’s administrators, technical users, support users, and other Permitted Users; and

(f) other individuals whose Personal Data is included in Content submitted by or on behalf of Customer.

6. Categories of Personal Data

Customer Personal Data may include the following categories, depending on Customer’s use of the Service:

(a) identification and account data, such as name, username, user ID, email address, organization, role, access rights, and authentication information;

(b) contact and professional data, such as business contact details, job title, department, organization, and professional role;

(c) audio data, such as voice recordings, audio streams, speech segments, extracted acoustic features, voice-derived metrics, and related technical representations;

(d) metadata, such as timestamps, recording duration, language or locale settings, device/browser information, IP address, session identifiers, file format, sampling rate, channel configuration, and processing status;

(e) health, wellbeing, clinical, or questionnaire data, such as responses to clinical or wellbeing scales, symptoms, disease-related information, risk indicators, screening outputs, monitoring outputs, clinician notes, or other health-related inputs or outputs submitted to or generated through the Service;

(f) generated outputs, such as personal or group insights, scores, dashboards, reports, alerts, recommendations, classifications, or other AI-generated outputs;

(g) support and communication data, such as support tickets, messages, logs, troubleshooting information, and customer communications; and

(h) any other Personal Data submitted to the Service by Customer or Permitted Users.

7. Special categories of Personal Data and voice data

7.1 Customer acknowledges that, depending on the use case, Customer Personal Data may include Special Categories of Personal Data, in particular health data, health-related inferences, clinical data, wellbeing data, and voice recordings or voice-derived information.

7.2 Voice recordings and voice-derived data may constitute Personal Data. They may also raise biometric-data issues where they are processed through specific technical means for the purpose of uniquely identifying or authenticating a natural person. Unless expressly agreed in writing, the Service is not intended to identify or authenticate individuals by voice.

7.3 Customer is responsible for identifying the appropriate legal basis and any applicable Article 9 GDPR exception, consent, ethics approval, clinical authorization, employee consultation, patient information notice, or other authorization required for its use of the Service and its submission of Customer Personal Data to Virtuosis.

7.4 Virtuosis shall process Special Categories of Personal Data only in accordance with the Agreement, this DPA, Customer’s documented instructions, and Applicable Data Protection Laws.

8. Customer instructions

8.1 Customer instructs Virtuosis to process Customer Personal Data for the purposes described in this DPA, the Agreement, the applicable Order Form, the product documentation, and any other written instructions agreed by the parties.

8.2 Customer is responsible for ensuring that its instructions are lawful and that it has provided all required notices and obtained all required rights, authorizations, legal bases, consents, or approvals necessary for Virtuosis to process Customer Personal Data.

8.3 Virtuosis shall promptly inform Customer if, in Virtuosis’ opinion, an instruction infringes Applicable Data Protection Laws, unless Virtuosis is legally prohibited from doing so.

9. Confidentiality

9.1 Virtuosis shall ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual, statutory, or professional.

9.2 Virtuosis shall limit access to Customer Personal Data to personnel and Sub-processors who need such access to provide, secure, support, or maintain the Service, or to comply with applicable law.

10. Security measures

10.1 Virtuosis shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

10.2 These measures shall take into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, and the risk to Data Subjects, including the heightened sensitivity of health-related and voice-related data.

10.3 The technical and organizational measures are described in Appendix B. Customer acknowledges that security measures may be updated from time to time, provided that such updates do not materially reduce the overall level of protection for Customer Personal Data.

11. Sub-processors

11.1 Customer authorizes Virtuosis to engage Sub-processors to process Customer Personal Data for the purpose of providing the Service, subject to this Section 11.

11.2 Virtuosis shall maintain an up-to-date list of Sub-processors in Appendix A or at another location notified to Customer. The Sub-processor list shall identify the Sub-processor, the processing activity, and the relevant location or hosting region where applicable.

11.3 Virtuosis shall impose data protection obligations on each Sub-processor that are substantially similar to those imposed on Virtuosis under this DPA, to the extent applicable to the nature of the services provided by the Sub-processor.

11.4 Virtuosis remains responsible to Customer for the performance of its Sub-processors’ data protection obligations, subject to the limitations of liability set out in the Agreement.

11.5 Virtuosis may add or replace Sub-processors. Virtuosis shall provide reasonable notice of any material new Sub-processor, for example by updating the Sub-processor list or notifying Customer by email or through the Service. Customer may object to a new Sub-processor on reasonable data protection grounds within thirty (30) days of notice. The parties shall work in good faith to resolve the objection. If the objection cannot be resolved, Customer may terminate the affected Service to the extent the new Sub-processor is necessary for that Service.

12. Microsoft Azure and Microsoft DPA

12.1 Virtuosis uses Microsoft Azure cloud services as infrastructure and platform services for the Service, unless otherwise specified in the applicable Order Form.

12.2 Microsoft acts as a Sub-processor of Virtuosis where Microsoft processes Customer Personal Data on behalf of Virtuosis in connection with Azure services used to provide the Service.

12.3 Microsoft’s processing as Virtuosis’ Sub-processor is governed by the Microsoft Products and Services Data Protection Addendum, available at https://aka.ms/dpa, as updated by Microsoft from time to time.

12.4 The Microsoft DPA does not replace this DPA between Customer and Virtuosis. It governs the relationship between Virtuosis and Microsoft for Microsoft’s processing of Customer Personal Data as Virtuosis’ Sub-processor.

12.5 Where Customer requires a particular Azure region, tenant configuration, dedicated environment, HDS-compatible hosting, or other specific hosting arrangement, such requirement must be specified in the applicable Order Form or statement of work.

13. International transfers

13.1 Customer Personal Data shall be hosted in the region specified in the applicable Order Form. If no region is specified, Virtuosis may host Customer Personal Data in Switzerland, the European Economic Area, or another region reasonably necessary to provide the Service, subject to Applicable Data Protection Laws.

13.2 Virtuosis shall not transfer Customer Personal Data to a country or recipient that does not provide an adequate level of protection under Applicable Data Protection Laws unless appropriate safeguards are in place.

13.3 Where required, the parties shall enter into the applicable Standard Contractual Clauses, the Swiss addendum or adaptations required by the FDPIC, or another lawful transfer mechanism.

13.4 For transfers involving Microsoft Azure or other Sub-processors, Virtuosis may rely on the transfer safeguards implemented by the relevant Sub-processor, provided that they comply with Applicable Data Protection Laws.

14. Personal Data Breach

14.1 Virtuosis shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.

14.2 The notification shall include, to the extent known and legally permissible: the nature of the Personal Data Breach, the categories and approximate number of affected Data Subjects and records, the likely consequences, the measures taken or proposed to address the breach, and a contact point for further information.

14.3 Virtuosis shall take reasonable steps to mitigate the effects of the Personal Data Breach and shall provide reasonable assistance to Customer in meeting Customer’s breach notification obligations under Applicable Data Protection Laws.

14.4 Virtuosis’ notification of a Personal Data Breach shall not be construed as an admission of fault or liability.

15. Assistance to Customer

15.1 Taking into account the nature of the processing and the information available to Virtuosis, Virtuosis shall provide reasonable assistance to Customer in fulfilling Customer’s obligations under Applicable Data Protection Laws, including obligations relating to:

(a) Data Subject rights requests;

(b) security of processing;

(c) Personal Data Breach notifications;

(d) data protection impact assessments;

(e) prior consultation with supervisory authorities where required; and

(f) audits, inspections, and regulatory inquiries.

15.2 Customer shall be responsible for responding to Data Subject requests. If Virtuosis receives a request directly from a Data Subject relating to Customer Personal Data, Virtuosis shall, where legally permissible, either inform the Data Subject to contact Customer or forward the request to Customer.

15.3 Virtuosis may charge reasonable fees for assistance that exceeds standard support, unless the assistance is required because of Virtuosis’ breach of this DPA.

16. Return and deletion of Customer Personal Data

16.1 Upon termination or expiry of the Agreement, Virtuosis shall, at Customer’s written request, make Customer Personal Data and generated outputs available through the Service for export or download for a period of thirty (30) days, unless otherwise specified in the applicable Order Form.

16.2 After the applicable export period, Virtuosis may delete or anonymize Customer Personal Data in accordance with the Agreement, its retention practices, and Applicable Data Protection Laws.

16.3 Virtuosis may retain Customer Personal Data where required by applicable law, for legitimate legal or audit purposes, or in backups for a limited period, provided that such retained data remains protected in accordance with this DPA and is not processed for any other purpose.

16.4 Unless otherwise agreed in writing, raw audio recordings are deleted after processing or after the retention period configured for the applicable Service, except where Customer has instructed Virtuosis to retain them, where retention is necessary to provide the Service, or where retention is required by law or the Agreement.

17. Anonymized and aggregated data

17.1 Virtuosis may generate aggregated or anonymized data derived from the use of the Service, including metadata, performance statistics, model performance indicators, usage metrics, and service improvement data, provided that such data does not identify Customer, Permitted Users, Data Subjects, or any other natural person and is not reasonably capable of being re-identified.

17.2 Aggregated or anonymized data is not Customer Personal Data where it no longer relates to an identified or identifiable natural person under Applicable Data Protection Laws.

17.3 Virtuosis may use aggregated or anonymized data to operate, maintain, analyze, improve, and develop the Service, to conduct research and validation, to monitor quality and performance, and to create statistical or benchmarking information, provided that such use complies with Applicable Data Protection Laws and the Agreement.

17.4 For clarity, pseudonymized data remains Personal Data and shall be processed in accordance with this DPA.

18. Service improvement and model development

18.1 Virtuosis shall not use identifiable Customer Personal Data to train, improve, or develop models for purposes outside the provision of the Service unless permitted by the Agreement, documented in the applicable Order Form, or otherwise authorized by Customer in writing and supported by an appropriate legal basis.

18.2 Where Customer authorizes the use of Customer Personal Data for research, validation, model improvement, clinical study, regulatory, or product development purposes, the parties shall document the scope, categories of data, purposes, retention period, safeguards, and legal basis in the applicable Order Form, research agreement, informed consent form, ethics protocol, or other written instruction.

18.3 Nothing in this DPA prevents Virtuosis from using anonymized data in accordance with Section 17.

19. Audit and information rights

19.1 Virtuosis shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR, subject to confidentiality, security, and commercial sensitivity restrictions.

19.2 Where available, Virtuosis may satisfy audit requests by providing summaries, security documentation, third-party certifications, penetration test summaries, data protection documentation, or other relevant materials.

19.3 Customer may request an audit no more than once per calendar year, unless required by a competent supervisory authority or following a confirmed Personal Data Breach affecting Customer Personal Data.

19.4 Audits must be conducted during normal business hours, with reasonable prior notice, in a manner that does not disrupt Virtuosis’ business operations, compromise security, or expose data of other customers.

19.5 Customer shall bear its own audit costs and shall reimburse Virtuosis for reasonable costs incurred in supporting an audit, unless the audit reveals a material breach of this DPA by Virtuosis.

20. Compliance with laws

20.1 Customer shall comply with Applicable Data Protection Laws in its use of the Service and in its collection, submission, and processing of Customer Personal Data.

20.2 Customer is responsible for determining whether the Service is appropriate for its intended use, including in regulated healthcare, insurance, employment, education, research, or clinical contexts.

20.3 Customer is responsible for configuring the Service, obtaining consent or another valid legal basis, providing notices, managing user permissions, defining retention settings where available, and ensuring that its use of outputs complies with applicable medical, employment, insurance, research, consumer protection, and AI-related laws.

20.4 Virtuosis shall comply with Applicable Data Protection Laws that apply directly to Virtuosis in its role as Processor.

21. Government access and legal requests

21.1 If Virtuosis receives a legally binding request from a public authority for access to Customer Personal Data, Virtuosis shall, unless legally prohibited, promptly notify Customer.

21.2 Virtuosis shall review such requests and, where appropriate, challenge or limit requests that are unlawful, excessive, or inconsistent with Applicable Data Protection Laws.

21.3 Virtuosis shall disclose only the minimum amount of Customer Personal Data required to comply with a valid legal obligation.

22. Liability

The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set out in the Agreement, unless prohibited by Applicable Data Protection Laws or the applicable Standard Contractual Clauses.

23. Governing law and jurisdiction

Unless Applicable Data Protection Laws or the Standard Contractual Clauses require otherwise, this DPA shall be governed by Swiss substantive law, and the courts of Lausanne, Switzerland shall have exclusive jurisdiction.

Appendix A - Sub-processors

The following Sub-processors are authorized as of the effective date of this DPA. Virtuosis may update this list in accordance with Section 11, and Customers may request it from privacy@virtuosis.ch.


Appendix B - Technical and organizational measures

Virtuosis maintains technical and organizational measures designed to protect Customer Personal Data, including the following, as applicable to the Service and deployment configuration.

1. Access control

(a) Role-based access controls and least-privilege access principles.

(b) Access limited to authorized personnel with a legitimate business need.

(c) Authentication controls, including strong passwords and multi-factor authentication where appropriate.

(d) Periodic review and revocation of access rights.

(e) Separation of customer environments or logical segregation of customer data where applicable.

2. Encryption and transmission security

(a) Encryption of data in transit using industry-standard protocols such as TLS.

(b) Encryption of data at rest using cloud-provider encryption mechanisms or equivalent safeguards.

(c) Secure management of credentials, secrets, API keys, and access tokens.

(d) Secure configuration of storage, databases, and network services.

3. Audio and health-data safeguards

(a) Processing of audio recordings and health-related data only as necessary to provide the Service or as otherwise instructed by Customer.

(b) Deletion or retention of raw audio according to the applicable Service configuration, Order Form, or written Customer instruction.

(c) Use of pseudonymization, separation of identifiers, or minimization measures where appropriate and feasible.

(d) Restricted access to health-related outputs and voice-derived data.

4. Logging and monitoring

(a) Logging of relevant access, processing, and security events where appropriate.

(b) Monitoring for unauthorized access, misuse, errors, and security incidents.

(c) Maintenance of audit trails appropriate to the Service and deployment model.

(d) Protection of logs against unauthorized access or alteration.

5. Availability, backup, and resilience

(a) Use of cloud infrastructure designed to support availability and resilience.

(b) Backup, recovery, or replication measures appropriate to the applicable Service configuration.

(c) Business continuity and incident response procedures.

(d) Maintenance and update processes designed to reduce service interruptions.

6. Secure development and vulnerability management

(a) Secure software development practices appropriate to the Service.

(b) Code review, testing, and deployment controls.

(c) Vulnerability monitoring and remediation processes.

(d) Security patching and dependency management.

7. Personnel and confidentiality

(a) Confidentiality obligations for personnel with access to Customer Personal Data.

(b) Security and privacy awareness measures for relevant personnel.

(c) Access limited according to job responsibilities.

(d) Offboarding procedures to revoke access when personnel no longer require it.

8. Sub-processor management

(a) Due diligence before engaging Sub-processors that process Customer Personal Data.

(b) Written agreements imposing data protection obligations on Sub-processors.

(c) Maintenance of a Sub-processor list.

(d) Review of Sub-processor security and compliance commitments.

9. Data minimization and retention

(a) Processing limited to data necessary for the agreed purposes.

(b) Retention periods configured according to the Agreement, Order Form, Service settings, or Customer instructions.

(c) Deletion, anonymization, or return of Customer Personal Data following termination, subject to legal retention requirements and backup cycles.

(d) Distinction between anonymized data and pseudonymized Personal Data.

10. Incident response

(a) Procedures for identifying, escalating, investigating, and responding to security incidents.

(b) Notification to Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.

(c) Mitigation and remediation measures appropriate to the nature of the incident.

(d) Documentation of incidents and response actions.

Appendix C - Details of processing

Subject matter: Provision of the Virtuosis Service, including voice/audio processing, wellbeing or health insights, communication insights, screening, monitoring, clinical decision support, dashboards, API access, and related support.

Duration: Term of the Agreement plus any period necessary for deletion, return, backups, legal compliance, audit, security, or dispute resolution.

Nature of processing: Collection, receipt, hosting, storage, transmission, conversion, standardization, analysis, inference, feature extraction, generation of outputs, display, export, deletion, support, logging, monitoring, and security operations.

Purpose of processing: To provide, operate, secure, maintain, support, and improve the Service in accordance with the Agreement and Customer’s documented instructions.

Categories of Data Subjects: Customer personnel, clinicians, patients, beneficiaries, insured persons, students, research participants, end users, speakers, administrators, technical users, and other individuals whose Personal Data is included in Content.

Categories of Personal Data: Account data, contact data, audio data, voice-derived data, metadata, questionnaire data, health/wellbeing/clinical data, generated insights, outputs, logs, support data, and other data submitted by Customer or Permitted Users.

Special categories: Health data, health-related inferences, wellbeing data, clinical data, voice recordings, and voice-derived data.

Hosting: Microsoft Azure, in the region specified in the Order Form or Azure configuration.

Retention: As specified in the Order Form, Service configuration, Agreement, or Customer instructions. Raw audio is deleted after processing unless otherwise configured or agreed.

Last updated: 14 May 2026