Overview
This Data Processing Agreement ("DPA") forms part of the terms of service between you (the "Customer" or "Data Controller") and ISMS Copilot (the "Processor" or "Data Processor") for the use of the ISMS Copilot AI compliance platform. This DPA complies with Article 28 of the General Data Protection Regulation (GDPR) and governs the processing of personal data on behalf of the Customer.
Effective Date: November 2025. This DPA automatically applies to all ISMS Copilot customers processing personal data through the platform. No separate signature is required - your use of the service constitutes acceptance.
Who This Is For
This Data Processing Agreement is for:
Organizations using ISMS Copilot to process personal data
Compliance consultants handling client data through the platform
Data Protection Officers conducting vendor assessments
Legal and procurement teams evaluating data processing arrangements
Auditors reviewing GDPR Article 28 compliance
Definitions
Key Terms
"Customer" or "Data Controller": The organization or individual subscribing to ISMS Copilot services and determining the purposes and means of processing personal data.
"Processor" or "Data Processor": ISMS Copilot, processing personal data on behalf of the Customer.
"Customer Personal Data": Any personal data processed by ISMS Copilot on behalf of the Customer, including conversation content, uploaded documents, and associated metadata.
"Sub-processor": Any third-party processor engaged by ISMS Copilot to process Customer Personal Data.
"Data Subject": The identified or identifiable natural person to whom Customer Personal Data relates.
"Processing": Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
"Personal Data Breach": A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
1. Scope and Applicability
1.1 Application of DPA
This DPA applies to all processing of Customer Personal Data by ISMS Copilot in the course of providing the platform services described in the Terms of Service.
1.2 Subject Matter of Processing
ISMS Copilot processes Customer Personal Data to provide AI-powered compliance assistance, including:
Processing user queries and generating AI responses
Storing conversation history and context
Analyzing uploaded compliance documents
Maintaining workspace configurations and custom instructions
1.3 Duration of Processing
Processing continues for the duration of the Customer's active subscription and according to the Customer's configured data retention period (1 day to 7 years, or "keep forever"). Upon termination, all Customer Personal Data is deleted within 30 days unless longer retention is required by law.
1.4 Nature and Purpose of Processing
Nature: Automated processing using AI models, database storage, and file processing
Purpose: Provide compliance guidance, document analysis, policy generation, and knowledge management as instructed by the Customer
1.5 Categories of Data Subjects
Customer's employees and authorized users
Customer's clients and end-users (when mentioned in uploaded documents or queries)
Individuals referenced in compliance documentation
Security incident subjects
1.6 Categories of Personal Data
User account information (email addresses, authentication credentials)
Conversation content and AI interactions
Uploaded document content (policies, procedures, audit reports)
Workspace configurations and custom instructions
Usage metadata and timestamps
Potentially special category data (Article 9 GDPR) if uploaded by Customer
Customer is responsible for ensuring appropriate legal basis and safeguards exist before uploading special category data (Article 9 GDPR) such as security incident reports containing health data, employee information, or other sensitive categories.
2. Processor's Obligations (Article 28(3) GDPR)
2.1 Processing Instructions
ISMS Copilot shall process Customer Personal Data only on documented instructions from the Customer, including:
Instructions provided through the platform interface (queries, document uploads, workspace configurations)
Data retention settings configured by the Customer
Advanced Data Protection Mode selection (EU-only vs. default AI processing)
Deletion requests submitted through the platform or support
If ISMS Copilot believes an instruction violates GDPR or other data protection laws, ISMS Copilot will immediately inform the Customer and reserves the right to suspend processing until the instruction is confirmed or modified.
2.2 Confidentiality of Processing
ISMS Copilot ensures that all persons authorized to process Customer Personal Data:
Are subject to confidentiality obligations (contractual or statutory)
Receive appropriate training on data protection
Access data only on a need-to-know basis
Follow documented data handling procedures
2.3 Technical and Organizational Measures (Article 32 GDPR)
ISMS Copilot implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Access Control Measures:
Row-level security in database preventing cross-user data access
User authentication required for all protected resources
Workspace isolation preventing cross-contamination of client data
Multi-factor authentication (MFA) support
Automatic session timeout controls
Encryption Measures:
TLS 1.3 encryption for data in transit
Database encryption at rest
Password hashing using industry-standard algorithms (irreversible)
Encrypted file storage in Supabase
Data Minimization Measures:
Only essential data collected (email, messages, files)
No unnecessary demographic or contact information collected
Analytics configured with sendDefaultPii: false
Customer-controlled retention periods with automated deletion
Availability and Resilience:
Automated database backups
Disaster recovery procedures
24/7 monitoring and alerting via Sentry
Public status page for transparency (isms-copilot.instatus.com)
Testing and Evaluation:
Regular security assessments
Continuous error monitoring and logging
Automated data deletion testing
Access control verification procedures
For detailed technical and organizational measures, refer to our Register of Processing Activities (RopA) or visit the Trust Center.
2.4 Sub-processor Engagement
General Authorization: Customer provides general authorization for ISMS Copilot to engage sub-processors for the processing of Customer Personal Data, subject to the conditions in this section.
Current Sub-processors: The complete list of sub-processors is maintained in our Register of Processing Activities and includes:
| Sub-Processor | Purpose | Location | DPA Status |
|---|---|---|---|
| Supabase (PostgreSQL + Storage) | Database and file storage | EU (Frankfurt) | ✓ GDPR-compliant |
| xAI (Grok) + OpenAI * | AI processing (Default Mode) | United States | ✓ No training on data |
| Mistral AI * | AI processing (Advanced Data Protection) | European Union | ✓ GDPR-compliant |
| Stripe | Payment processing | Global (EU DPA) | ✓ GDPR-compliant |
| ConvertAPI | Document conversion | EU endpoint | ✓ GDPR-compliant |
| PostHog | Product analytics | EU (Frankfurt) | ✓ GDPR-compliant |
| Sentry | Error monitoring | Germany | ✓ GDPR-compliant |
| Vercel | Frontend hosting | Global CDN | ✓ GDPR-compliant |
| Fly.io | Backend API hosting | EU deployment | ✓ GDPR-compliant |
| SendGrid (Twilio) | Email communications | US (SCC) | ✓ GDPR + SCC |
| Kit (ConvertKit) | Email communications | US (SCC) | ✓ GDPR + SCC |
* User-Configurable: Only ONE AI processor is active at any time, depending on the Customer's Advanced Data Protection Mode setting.
Sub-processor Requirements: ISMS Copilot ensures all sub-processors:
Provide sufficient guarantees of GDPR compliance
Agree to data processing terms substantially equivalent to this DPA
Implement appropriate technical and organizational measures
Remain subject to ISMS Copilot's supervision and audit rights
Changes to Sub-processors:
ISMS Copilot will notify Customers at least 30 days before adding or replacing sub-processors
Notifications will be sent via email and in-app announcement
Customers may object to new sub-processors within 30 days
If Customer objects, ISMS Copilot will either not use the new sub-processor or allow Customer to terminate the service without penalty
Subscribe to sub-processor change notifications by reviewing your email preferences in Settings. Updated sub-processor lists are always available in the Register of Processing Activities.
2.5 Data Subject Rights Assistance
ISMS Copilot will assist the Customer in fulfilling data subject rights requests, including:
Right of Access (Article 15):
Self-service access to all conversations and files through the platform
Complete data export in JSON format available upon request to support (within 72 hours)
Right to Rectification (Article 16):
Self-service updates to account settings
Support-assisted email address changes (within 30 days)
Right to Erasure (Article 17):
Account deletion requests processed through support
Complete data deletion within 30 days
Confirmation provided to Customer upon completion
Right to Data Portability (Article 20):
Machine-readable JSON export including all Customer Personal Data
Delivered within 72 hours (up to 5 days for large accounts)
Right to Restrict Processing (Article 18) and Right to Object (Article 21):
Processed through support on a case-by-case basis
Response within 30 days
Customer is responsible for verifying data subject identity before requesting data access or export. ISMS Copilot provides the tools and processes, but Customer maintains primary responsibility for responding to data subject requests.
2.6 Data Breach Notification
In the event of a Personal Data Breach affecting Customer Personal Data, ISMS Copilot will:
Detection and Assessment:
Continuously monitor for security incidents via Sentry and automated alerting
Conduct security incident review within 24 hours of detection
Assess risk and potential impact on Customer Personal Data
Notification to Customer:
Notify Customer without undue delay (target: within 48 hours of becoming aware)
Provide description of the breach, including categories and approximate numbers of affected data subjects
Describe likely consequences of the breach
Outline measures taken or proposed to address the breach and mitigate its effects
Provide contact point for further information
Cooperation:
Cooperate with Customer's investigation and remediation efforts
Provide reasonable assistance for Customer's notification to supervisory authorities and data subjects
Document all breaches and remediation measures
Customer remains responsible for determining whether notification to supervisory authorities (within 72 hours per Article 33) and data subjects (Article 34) is required. ISMS Copilot provides information to support Customer's decision and obligations.
2.7 Data Protection Impact Assessment (DPIA) Support
ISMS Copilot will provide reasonable assistance when Customer conducts a Data Protection Impact Assessment or prior consultation with a supervisory authority, including:
Providing the Register of Processing Activities for reference
Describing technical and organizational measures implemented
Clarifying data flows and sub-processor arrangements
Answering specific questions about processing operations
2.8 Deletion and Return of Data
Upon termination of services or Customer request, ISMS Copilot will:
Standard Deletion (Default):
Delete all Customer Personal Data within 30 days of termination
Overwrite backup data within 90 days
Provide written confirmation of deletion upon request
Data Export Before Deletion:
Customer may request complete data export before termination
Export provided in JSON format within 72 hours
Deletion proceeds after export delivery confirmation
Legal Retention Exceptions:
Anonymized billing records retained for 7 years (tax and accounting compliance)
Anonymized analytics data may be retained
Data required to be retained by applicable law will be isolated and protected until the legal retention period expires
2.9 Audit Rights
Customer has the right to audit ISMS Copilot's compliance with this DPA, subject to reasonable limitations:
Documentation Review:
Customer may review publicly available compliance documentation at the Trust Center
Request additional documentation through support (e.g., sub-processor agreements, security policies)
Review the Register of Processing Activities at any time
On-Site Audits:
Customer may conduct on-site audits with 60 days advance written notice
Maximum of one audit per year unless necessitated by a data breach
Audits must be conducted during business hours and not interfere with operations
Customer is responsible for audit costs unless the audit reveals material non-compliance
Results remain confidential and may not be shared except as required by law
Third-Party Certifications:
ISMS Copilot will obtain and maintain relevant security certifications (ISO 27001 in progress)
Certification reports may be shared upon request subject to NDA
Customers may rely on third-party certifications in lieu of conducting their own audits
3. International Data Transfers
3.1 Data Transfer Mechanisms
ISMS Copilot processes Customer Personal Data in accordance with Chapter V of the GDPR:
Primary Storage (Always EU):
All database storage occurs in Frankfurt, Germany (AWS EU-Central-1)
Conversation history, uploaded files, and account data remain in the EU
No adequacy decision required for primary storage
AI Processing (Customer-Configurable):
When Advanced Data Protection Mode is ON: AI processing occurs within the EU via Mistral AI with zero data retention. No international data transfer occurs for AI processing.
When Advanced Data Protection is OFF (default): Conversation content is transferred to the United States for AI processing via xAI/OpenAI with 30-day retention. Standard Contractual Clauses apply to these transfers.
Email Communications (US-Based):
Email addresses transferred to SendGrid and Kit (United States)
Protected by Standard Contractual Clauses approved by the European Commission
Customers can minimize transfers by unsubscribing from non-essential emails
3.2 Standard Contractual Clauses (SCCs)
For transfers to the United States, ISMS Copilot relies on Standard Contractual Clauses:
SCCs are incorporated into sub-processor agreements with xAI, OpenAI, SendGrid, and Kit
Module Two (Controller to Processor) or Module Three (Processor to Processor) apply as appropriate
EU supervisory authority: Commission Nationale de l'Informatique et des Libertés (CNIL), France
Copies of SCCs available upon request through support
3.3 Supplementary Measures
ISMS Copilot implements supplementary measures to protect data transferred outside the EU:
End-to-end encryption (TLS 1.3) for all data in transit
Contractual prohibition on AI training using Customer data
Limited retention by AI providers (30 days for xAI/OpenAI, zero for Mistral AI)
Customer ability to control transfer destination via Advanced Data Protection Mode
Continuous monitoring of legal developments regarding international transfers
3.4 Transfer Impact Assessment
ISMS Copilot has conducted a Transfer Impact Assessment (TIA) for US-based sub-processors and determined that:
Standard Contractual Clauses provide appropriate safeguards
Supplementary technical measures (encryption, limited retention) enhance protection
Customers have the option to avoid US transfers entirely by enabling Advanced Data Protection Mode
No evidence exists that sub-processors have received government access requests for Customer data
Organizations with strict EU data residency requirements should enable Advanced Data Protection Mode and unsubscribe from non-essential email communications to minimize or eliminate US-based data transfers.
4. Customer Obligations as Data Controller
4.1 Lawfulness of Processing Instructions
Customer warrants that:
All processing instructions comply with GDPR and applicable data protection laws
Customer has a lawful basis for processing all personal data uploaded to the platform
Customer has informed data subjects about the processing and their rights
Customer maintains appropriate records of processing activities (Article 30 GDPR)
4.2 Special Category Data
If Customer uploads special category data (Article 9 GDPR), Customer confirms that:
Appropriate Article 9 conditions are met (e.g., explicit consent, legal claims, substantial public interest)
Additional safeguards are in place as required by law
Customer has conducted a Data Protection Impact Assessment if required
4.3 Data Subject Rights Management
Customer is responsible for:
Receiving and responding to data subject rights requests
Verifying data subject identity before requesting data from ISMS Copilot
Determining whether to notify supervisory authorities and data subjects in case of breaches
Ensuring data subjects are informed about ISMS Copilot's role as processor
4.4 Data Retention Configuration
Customer must:
Configure appropriate data retention periods matching their data protection policies
Review retention settings periodically to ensure compliance
Request deletion when data is no longer necessary for the original purpose
4.5 Workspace Isolation
Customer should:
Create separate workspaces for different clients or data categories
Avoid mixing personal data from different data subjects in single workspaces
Delete workspaces when projects are completed and data is no longer needed
5. Liability and Indemnification
5.1 Allocation of Liability
Under Article 82 GDPR:
Customer and ISMS Copilot are each liable for damages caused by their own GDPR violations
ISMS Copilot is exempt from liability if it proves it was not responsible for the event giving rise to the damage
ISMS Copilot is not liable for damages resulting from Customer's unlawful processing instructions
5.2 Indemnification
Customer will indemnify ISMS Copilot against any claims, fines, or damages arising from:
Customer's violation of GDPR or other data protection laws
Customer's unlawful processing instructions
Customer's failure to obtain necessary consents or legal basis for processing
Customer's upload of special category data without appropriate safeguards
6. Term and Termination
6.1 Term
This DPA takes effect on the date Customer first uses ISMS Copilot services and continues for as long as ISMS Copilot processes Customer Personal Data.
6.2 Termination
This DPA terminates automatically upon:
Termination of the Terms of Service
Completion of all processing activities and deletion of Customer Personal Data
6.3 Effect of Termination
Upon termination:
ISMS Copilot will delete or return all Customer Personal Data as described in Section 2.8
Obligations regarding confidentiality, data security, and legal retention survive termination
Customer's right to audit survives for 12 months after termination
7. Amendments and Updates
7.1 DPA Updates
ISMS Copilot may update this DPA to reflect:
Changes in data protection laws or regulatory guidance
Changes to processing operations or sub-processors
Improvements to security measures or data protection practices
7.2 Notification of Changes
Material changes will be notified at least 30 days in advance via email and in-app notification
Updated DPA will be posted at this URL with a new "Effective Date"
Continued use of services after the effective date constitutes acceptance of the updated DPA
7.3 Objection Rights
Customer may object to material changes within 30 days of notification
If Customer objects, Customer may terminate the service without penalty
8. Governing Law and Jurisdiction
8.1 Governing Law
This DPA is governed by:
The General Data Protection Regulation (EU) 2016/679
French data protection law (Data Protection Act 78-17 of 6 January 1978)
The laws of France for contractual interpretation
8.2 Jurisdiction
Any disputes arising from this DPA will be subject to the jurisdiction of French courts, with the supervisory authority being the Commission Nationale de l'Informatique et des Libertés (CNIL).
9. Contact Information
9.1 Data Protection Contacts
For DPA-related questions or requests:
Contact support through the Help Center (accessible via user menu)
Email from your registered account email address
Include "DPA Request" or "Data Processing Agreement" in the subject line
9.2 Data Protection Officer
Organizations requiring DPO contact information should submit a request through the Help Center. Contact details will be provided upon verification.
9.3 Supervisory Authority
Commission Nationale de l'Informatique et des Libertés (CNIL)
Website: https://www.cnil.fr/en
Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Phone: +33 1 53 73 22 22
10. Additional Resources
Supporting Documentation
Register of Processing Activities (RopA) - Detailed processing operations and sub-processors
Privacy Policy - Consumer-facing privacy notice
Data Privacy & GDPR Compliance - User rights and GDPR implementation guide
Trust Center - Comprehensive security and compliance documentation
Status Page - System availability and incident notifications
Configuration Guides
Advanced Data Protection Mode - Enable EU-only AI processing
Workspace Setup Guide - Isolate client data properly
Account Security Guide - Implement strong authentication
Appendix A: Processing Details Summary
Subject Matter
Provision of AI-powered compliance assistance platform including conversation processing, document analysis, and knowledge management.
Duration
For the term of the Customer's active subscription plus retention period configured by Customer (1 day to 7 years), followed by 30-day deletion window.
Nature and Purpose
Nature: Automated AI processing, database storage, file conversion and analysis
Purpose: Enable compliance professionals to receive AI guidance, analyze documents, generate policies, and manage compliance knowledge
Categories of Data Subjects
Customer employees and authorized platform users
Customer clients (when referenced in documents or queries)
Individuals mentioned in compliance documentation
Security incident subjects
Categories of Personal Data
Contact information (email addresses)
Authentication credentials (hashed passwords)
Conversation content and AI interactions
Uploaded compliance documents
Usage metadata and timestamps
Potentially special category data (Article 9) if uploaded by Customer
Appendix B: Sub-processor Change Log
This appendix tracks all sub-processor additions, removals, and changes since the DPA effective date. Customers are notified 30 days before changes take effect.
Current as of November 2025
Initial sub-processor list established. See Section 2.4 and the Register of Processing Activities for complete current list.
Future Changes
All sub-processor changes will be documented here with:
Effective date of change
Sub-processor name and location
Nature of change (addition, removal, replacement)
Processing purpose
Customer notification date
Getting Help
For questions about this Data Processing Agreement:
Review the Register of Processing Activities for technical processing details
Contact support through the Help Center for clarification
Request additional documentation (e.g., SCCs, security policies) through support
Visit the Trust Center for comprehensive compliance resources
Include "DPA Request" in your subject line for priority handling