Overview
Advanced Data Protection Mode gives you control over where your AI conversations are processed and how long AI providers retain your data. When enabled, all conversations use EU-based AI processing with zero data retention. When disabled, conversations use US-based AI providers with 30-day data retention.
Who This Is For
This feature is for:
Organizations with strict EU data residency requirements
Compliance teams subject to GDPR or EU privacy regulations
Consultants handling highly sensitive client data
Users who want maximum privacy and zero AI provider data retention
Anyone concerned about data sovereignty and cross-border data transfers
How Advanced Data Protection Works
Two Processing Modes
Advanced Data Protection OFF (Default Mode)
AI Providers: xAI (Grok) and OpenAI models
Processing Location: United States
Data Retention by AI Providers: 30 days
Use Case: Standard compliance work where EU-only processing is not mandatory
Privacy Commitment: API data is NOT used for AI model training
Even in default mode, your conversation data stored in ISMS Copilot's database remains in the EU (Frankfurt, Germany) and follows your configured retention period. The 30-day retention applies only to the AI provider's temporary processing cache.
Advanced Data Protection ON (EU-Only Mode)
AI Provider: Mistral AI (EU-based)
Processing Location: European Union (100% EU processing)
Data Retention by AI Provider: Zero (no retention agreement)
Use Case: Maximum privacy, EU data sovereignty requirements, highly sensitive data
Privacy Guarantee: No data retention by AI provider; processed in real-time only
When Advanced Data Protection is enabled, your conversations are processed exclusively in the EU by Mistral AI with zero data retention. The AI provider does not store conversation data even temporarily—it's processed in real-time and immediately discarded.
What Changes Between Modes
Aspect | Default Mode (OFF) | Advanced Protection (ON) |
|---|---|---|
AI Provider | xAI/OpenAI (US-based) | Mistral AI (EU-based) |
Processing Location | United States | European Union |
AI Provider Data Retention | 30 days (temporary cache) | Zero (no retention) |
Your Database Storage | EU (Frankfurt) - user-controlled retention | EU (Frankfurt) - user-controlled retention |
AI Model Training | NOT used for training | NOT used for training |
Plan Availability | All users (Free + Premium) | All users (Free + Premium) |
Regardless of which mode you choose, ISMS Copilot NEVER uses your data to train AI models. Your conversations and uploaded documents remain confidential. The difference is where processing occurs (US vs EU) and how long the AI provider temporarily retains data (30 days vs zero).
How to Enable Advanced Data Protection
Prerequisites
Active ISMS Copilot account (Free or Premium)
No special permissions required—available to all users
Compatibility
Plans: All plans (Free, Individual, Team)
User Roles: All authenticated users
Feature Status: Production (January 2025)
Steps to Enable
Click the user icon (top-right corner of the screen)
Select Settings from the dropdown menu
In the left sidebar, click the Data Protection tab (shield icon)
Scroll to the Advanced Data Protection section
Toggle the switch to ON (enabled position)
You'll see confirmation text: "When mode is ON, AI processors don't retain any data."
Click the Save Settings button at the bottom of the dialog
Expected result: A success toast notification appears confirming "Settings updated successfully." All new conversations will now use Mistral AI with EU-only processing and zero data retention.
The toggle change takes effect immediately after saving. Your next message in any conversation will automatically route to Mistral AI instead of the default US-based models.
How to Disable (Return to Default Mode)
Click the user icon → Settings
Navigate to the Data Protection tab
Toggle the Advanced Data Protection switch to OFF
Confirmation text: "When mode is OFF, AI processors retain data for 30 days."
Click Save Settings
Expected result: New conversations will use xAI/OpenAI models with US processing and 30-day retention.
Verify Your Protection Mode
Check Current Setting
Open Settings → Data Protection tab
Look at the Advanced Data Protection toggle position:
ON (right position): EU-only processing (Mistral), zero retention
OFF (left position): US processing (xAI/OpenAI), 30-day retention
Review the descriptive text below the toggle to confirm the active mode
There is no visual indicator in the chat interface itself showing which mode is active. You must check the Settings dialog to verify your current protection mode.
Important Limitations
Not Retroactive
The setting only affects NEW messages:
Conversations sent before enabling Advanced Data Protection were already processed by the previous AI provider
Changing the setting does NOT retroactively change how past messages were processed
Only messages sent AFTER toggling the setting will use the new processing mode
If you have existing conversations with sensitive data and want to ensure EU-only processing going forward, enable Advanced Data Protection before continuing those conversations. Past messages in those threads were already processed according to your previous setting.
Account-Wide Setting
Scope: The setting applies to ALL your conversations across all workspaces
No per-workspace control: You cannot use EU processing for some workspaces and US processing for others
No per-message control: Every new message uses the currently active mode
Settings Must Be Saved
Toggling the switch alone does NOT activate the change
You MUST click "Save Settings" to apply the new mode
If you close the Settings dialog without saving, your toggle change will be lost
No confirmation prompt when closing unsaved settings
Always click "Save Settings" after changing Advanced Data Protection mode. Closing the dialog without saving will discard your changes and keep the previous setting active.
When to Use Each Mode
Use Advanced Data Protection ON (EU-Only) When:
EU data residency is mandatory: Your organization or client requires all data processing to occur within the EU
Handling highly sensitive data: Compliance audits, security incidents, confidential client information
GDPR strict interpretation: You want to minimize cross-border data transfers
Zero retention requirement: Your policies prohibit ANY data retention by third-party AI providers
Public sector or regulated industries: Government, healthcare, financial services with strict data sovereignty rules
Client contracts require it: Specific contractual obligations for EU-only processing
EU-only mode is ideal for consultants working with European clients who have strict GDPR compliance requirements or data sovereignty mandates. It provides the strongest privacy guarantees available.
Use Default Mode OFF (US Processing) When:
EU-only processing is not required: Your work doesn't have specific geographic processing restrictions
General compliance work: Standard policy drafting, risk assessments, documentation
30-day retention is acceptable: Temporary AI provider retention doesn't conflict with your policies
Performance considerations: You prefer the default AI models for specific use cases
Data Retention Clarification
Two Separate Retention Concepts
1. ISMS Copilot Database Retention (User-Controlled)
What it is: Your conversation history stored in ISMS Copilot's EU database
Location: Frankfurt, Germany (AWS EU-Central-1)
Control: YOU control this via Settings → Data Retention Period (1 day to 7 years or forever)
Applies to both modes: This setting works the same regardless of Advanced Data Protection mode
2. AI Provider Retention (What Advanced Data Protection Controls)
What it is: How long the AI service (xAI/OpenAI/Mistral) keeps a copy of your messages during processing
Default Mode (OFF): xAI/OpenAI retain data for 30 days in their processing cache
Advanced Protection (ON): Mistral has ZERO retention—data is processed in real-time and immediately discarded
Purpose: AI providers use temporary retention for abuse monitoring and service improvement (NOT training)
Think of it this way: Your ISMS Copilot retention setting controls your permanent conversation history in the EU database. Advanced Data Protection controls whether the AI provider temporarily keeps a copy during processing (30 days vs zero).
Combined Retention Example
Scenario: Consultant with 90-day ISMS Copilot retention + Advanced Data Protection ON
Storage Location | Retention Period | Purpose |
|---|---|---|
ISMS Copilot Database (EU) | 90 days | Your conversation history for reference |
Mistral AI Provider (EU) | Zero (no retention) | Real-time processing only |
Result: Your conversation is available in ISMS Copilot for 90 days (your setting), but Mistral AI never retains a copy—it's processed once and discarded immediately.
GDPR and Privacy Implications
Advanced Data Protection and GDPR Compliance
Data Controller Responsibilities
You (the user) remain the data controller for any personal data you input into ISMS Copilot
ISMS Copilot and the AI provider act as data processors
You must have legal basis to process personal data before uploading it
Advanced Data Protection helps you meet GDPR data residency and minimization principles
Advanced Data Protection mode helps you comply with EU data residency requirements, but it does NOT replace your obligation to have a legal basis for processing personal data. Always ensure you have appropriate consent or legal grounds before uploading sensitive information.
Data Processing Agreement (DPA) Implications
Default Mode (OFF):
Data processors include: ISMS Copilot (EU), xAI (US), OpenAI (US)
Cross-border data transfer: YES (EU to US for AI processing)
Standard Contractual Clauses may apply for EU-US transfers
AI provider 30-day retention must be documented in your RopA
Advanced Protection (ON):
Data processors include: ISMS Copilot (EU), Mistral AI (EU)
Cross-border data transfer: NO (100% EU processing)
No US data transfer mechanisms needed
Simpler GDPR compliance documentation
Zero AI provider retention strengthens data minimization compliance
Update Your Register of Processing Activities (RopA)
If you enable Advanced Data Protection, update your RopA to reflect:
Sub-processor change: Mistral AI (EU) instead of xAI/OpenAI (US)
Data location: 100% EU processing (no US transfer)
Retention period: Zero retention by AI provider
Transfer mechanisms: None required (EU-only processing)
See our Register of Processing Activities article for guidance on documenting AI provider changes.
Best Practices
For Compliance Consultants
Enable by default for EU clients: Turn on Advanced Data Protection when working with European organizations
Disclose in client contracts: Inform clients that you use EU-based AI with zero retention
Document in DPAs: Include Mistral AI as a sub-processor in your data processing agreements
Client-specific toggling: Switch modes based on each client's data residency requirements
Verify before sensitive work: Always check your current setting before handling highly confidential data
Create a checklist for new client onboarding that includes verifying Advanced Data Protection mode is correctly configured based on the client's data residency requirements.
For Organizations
Establish company policy: Decide whether to mandate Advanced Data Protection for all users
Train your team: Ensure all users understand the difference and know how to toggle the setting
Update compliance documentation: Reflect the chosen mode in your ISMS, privacy policies, and RopA
Regular audits: Periodically verify users are using the correct mode for your compliance requirements
For Highly Sensitive Data
Always enable Advanced Data Protection when working with:
Security incident investigations
Personal data of EU residents
Confidential audit findings
Proprietary business information
Healthcare or financial data
Consider anonymization: Even with zero retention, anonymize sensitive identifiers before uploading
Combine with short retention: Use Advanced Data Protection + short ISMS Copilot retention (e.g., 30 days) for maximum privacy
Troubleshooting
Settings Not Saving
Symptom: Toggle switch reverts to previous position after closing Settings dialog
Likely cause: You didn't click "Save Settings" button
Resolution:
Open Settings → Data Protection tab
Toggle Advanced Data Protection to desired position
Click "Save Settings" at the bottom of the dialog
Wait for "Settings updated successfully" toast notification
Close the dialog
Unsure Which Mode Is Active
Symptom: You don't know whether Advanced Data Protection is currently enabled
Resolution:
Click user icon → Settings
Navigate to Data Protection tab
Check the toggle position and descriptive text
ON = EU-only (Mistral), zero retention
OFF = US (xAI/OpenAI), 30-day retention
Past Conversations Still Showing
Symptom: After enabling Advanced Data Protection, you're concerned about conversations sent before the change
Explanation: This is expected behavior—Advanced Data Protection is NOT retroactive
What happened:
Conversations sent before enabling were already processed by xAI/OpenAI (US, 30-day retention)
Those messages remain in the AI provider's 30-day retention window
Only NEW messages after enabling use Mistral (EU, zero retention)
If this is a concern:
Wait 30 days after enabling—past messages will be purged from xAI/OpenAI cache
For immediate privacy: Delete old conversations in ISMS Copilot to remove them from your own database
Start fresh conversations in new workspaces for maximum privacy assurance
Save Failed Error
Symptom: Error toast: "Failed to update settings"
Likely causes:
Network connectivity issue
Temporary server problem
Session expired
Resolution:
Check your internet connection
Refresh the page and log in again if prompted
Try toggling and saving again
If problem persists, contact support through Help Center
Frequently Asked Questions
Does Advanced Data Protection affect my existing conversations?
No. The setting only affects NEW messages sent after you enable it. Past conversations were already processed according to your previous setting and cannot be retroactively changed.
Can I use different modes for different workspaces?
No. Advanced Data Protection is an account-wide setting. When enabled, ALL new messages across ALL workspaces use EU-only processing. You cannot selectively apply it to specific workspaces.
Is there a performance difference between the two modes?
Both modes deliver high-quality AI responses. Specific performance characteristics may vary slightly between AI models (xAI/OpenAI vs Mistral), but both are optimized for compliance work. The choice should be driven by privacy and data residency requirements, not performance.
Does this setting affect my ISMS Copilot data retention period?
No. Your ISMS Copilot data retention setting (configured separately in Settings → Data Protection → Data Retention Period) continues to work the same way regardless of Advanced Data Protection mode. That setting controls how long YOUR conversation history is stored in the EU database.
Will I be notified if the AI provider changes?
ISMS Copilot will notify users at least 30 days before making material changes to AI providers or data processing arrangements. Check your email and in-app notifications for updates.
Does Advanced Data Protection cost extra?
No. Advanced Data Protection is available to all users at no additional cost, regardless of whether you're on a Free or Premium plan.
If I toggle this frequently, does it cause problems?
You can toggle Advanced Data Protection as often as needed without causing issues. Each new message will use whichever mode was active when you clicked "Save Settings" before sending that message. However, frequent switching makes it harder to track which messages were processed by which provider.
What happens to uploaded files?
Uploaded files (PDF, DOCX, XLSX) are stored in ISMS Copilot's EU-based storage regardless of Advanced Data Protection mode. The AI provider processes file content according to the active mode (US with 30-day retention vs EU with zero retention), but the original files remain in EU storage.
What's Next
Learn about Data Privacy & GDPR Compliance in ISMS Copilot
Review Security & Data Protection Overview for comprehensive security details
Update your Register of Processing Activities to reflect your chosen mode
Read How to Use ISMS Copilot Responsibly for data handling best practices
Configure your data retention period for conversation history
Getting Help
For questions about Advanced Data Protection:
Review the Trust Center for detailed privacy and security documentation
Contact support through the Help Center menu for assistance with settings
Check the Status Page if you experience issues saving settings
Include "Advanced Data Protection" in your support request for priority routing