
How We Keep ISMS Copilot Safe & Accurate

ISMS Copilot helps compliance professionals draft policies, analyze audit requirements, and navigate complex frameworks like ISO 27001 and SOC 2. We built safeguards into every layer of the platform to protect your sensitive data and ensure our AI delivers reliable, audit-ready outputs — not generic advice that could derail your certification.

Our approach combines technical protections, accuracy controls, and operational safeguards across the entire lifecycle of your data.

Data protection by design

Compliance work involves sensitive organizational data. We protect it through:

  • End-to-end encryption: TLS 1.3 in transit, AES-256 at rest. Your data is encrypted before it reaches our servers and while stored.

  • EU hosting & GDPR compliance: All infrastructure runs in Frankfurt (AWS EU-Central-1). We act as your GDPR processor with full Article 28 obligations, Standard Contractual Clauses, and a Data Processing Agreement.

  • Workspace isolation: Row-level security ensures clients and projects never mix. Each workspace is a separate environment.

  • Zero training on your data: We contractually prohibit AI providers (Mistral AI, OpenAI, xAI) from using your inputs or outputs for model training. Your compliance data stays yours.

  • User-controlled retention: Configure retention from 1 day to 7 years or delete data immediately. Auto-deletion runs daily. Account deletion wipes all data within 30 days.

For maximum privacy, enable Advanced Data Protection Mode to route all queries through EU-only Mistral AI with zero data retention.

Preventing hallucinations & inaccurate advice

Generic AI tools like ChatGPT can confidently fabricate control requirements or misinterpret standards. We prevent this through:

  • Dynamic Framework Knowledge Injection: When you mention a framework (ISO 27001, SOC 2, GDPR, etc.), our system automatically injects verified knowledge from our proprietary database before the AI responds. This eliminates hallucinations on controls and requirements.

  • Proprietary knowledge base: Built from hundreds of real consulting projects — not scraped web content. We maintain accuracy through version control and regular updates as standards evolve.

  • Uncertainty disclaimers: When the AI is unsure, it says so and prompts you to verify against the official standard. We scope responses strictly to compliance — no off-topic generation.

ISMS Copilot accelerates compliance workflows but doesn't replace professional judgment. Always verify critical outputs against official framework documentation and consult qualified auditors for certification decisions.

Authentication & access controls

We enforce secure access through:

  • Mandatory email verification: All accounts require verified email before access.

  • OAuth with MFA support: Sign in via Google or Microsoft with multi-factor authentication. We recommend enabling MFA on your identity provider.

  • Password hashing: Passwords are hashed with bcrypt. We never store plaintext credentials.

  • Session management: Session JWTs expire automatically to limit the window for unauthorized access.

Abuse prevention & monitoring

We monitor for misuse while preserving privacy:

  • Automated content moderation: AI provider APIs screen all messages for prohibited content. Flagged content is retained for 1 year for admin review; non-flagged metadata is deleted after 30 days.

  • Rate limiting: Free tier users are limited to 10 messages per 4 hours to prevent abuse. Paid plans have higher quotas.

  • Error monitoring: Sentry tracks technical errors using anonymized UUIDs — no message content is logged.

  • Privacy-preserving analytics: Cookieless PostHog with no personally identifiable information.
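The rate limit above (10 messages per 4 hours on the free tier) is a policy statement; the following is an added illustration, not ISMS Copilot's own code, of how such a quota is typically enforced with a sliding window so that a user cannot send two full bursts back to back around a fixed reset boundary. The class name, the per-key in-memory store and the injectable clock are assumptions made for the example; a production deployment would keep the timestamps in a shared store such as Redis.

```python
from collections import deque
from time import monotonic


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_seconds` for each key.

    A sliding window keeps the timestamps of recent events and drops the ones
    older than the window, so the quota is enforced continuously rather than
    resetting at a fixed clock boundary (which would allow 2x bursts).
    """

    def __init__(self, limit, window_seconds, clock=monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock          # injectable for deterministic tests
        self._events = {}           # key -> deque of event timestamps

    def _prune(self, q, now):
        # Discard timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def allow(self, key):
        """Record an event for `key` and return True if it is within quota."""
        now = self.clock()
        q = self._events.setdefault(key, deque())
        self._prune(q, now)
        if len(q) >= self.limit:
            return False            # over quota: do not record the attempt
        q.append(now)
        return True

    def retry_after(self, key):
        """Seconds until the next event for `key` would be accepted (0 if now)."""
        now = self.clock()
        q = self._events.get(key)
        if not q:
            return 0.0
        self._prune(q, now)
        if len(q) < self.limit:
            return 0.0
        return self.window - (now - q[0])


def simulate_free_tier():
    """Constructed scenario: 11 messages at once, then one after 4 hours."""
    fake_now = [0.0]
    limiter = SlidingWindowLimiter(limit=10, window_seconds=4 * 3600,
                                   clock=lambda: fake_now[0])
    burst = [limiter.allow("free-user") for _ in range(11)]
    wait = limiter.retry_after("free-user")
    fake_now[0] = 4 * 3600          # exactly one window later
    later = limiter.allow("free-user")
    return burst, wait, later


if __name__ == "__main__":
    burst, wait, later = simulate_free_tier()
    print(burst.count(True), "accepted,", burst.count(False), "rejected")
    print("retry after", wait, "seconds; accepted after window:", later)
```

Returning the `retry_after` value lets the API answer a rejected request with a `Retry-After` header instead of a bare error, which is friendlier to legitimate users and makes automated abuse no more effective.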

Sensitive data redaction

Enable PII Reduction Mode to automatically redact names, email addresses, and phone numbers before sending data to AI providers. This adds an extra layer of protection when uploading documents or discussing personnel matters.
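To make the redaction step concrete, here is an added example (not ISMS Copilot's implementation, whose internals the page does not describe) of replacing email addresses, phone numbers and known names with numbered placeholders before text leaves the organisation. The mapping from placeholder to original value stays on the caller's side, so a response that refers to `[NAME_1]` can be re-hydrated locally without the provider ever seeing the value. Emails are redacted before phone numbers so digits inside an address are not mis-detected, and names are matched from a caller-supplied list because reliable name detection needs an NER model, which is outside this example. The regexes, the sample text and the placeholder format are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed patterns for the example; a production filter would be broader.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Digits with optional +, spaces, dots, dashes or brackets; at least 9 chars,
# and not glued to other word characters (so "[EMAIL_1]" is never a phone).
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d .()-]{7,}\d(?!\w)")


@dataclass
class Redaction:
    text: str                                   # safe to send to the provider
    mapping: dict = field(default_factory=dict)  # placeholder -> original, kept local


def redact(text, known_names=()):
    """Replace emails, phone numbers and known names with stable placeholders."""
    mapping = {}
    counters = {"EMAIL": 0, "PHONE": 0, "NAME": 0}

    def placeholder(kind, original):
        # Reuse the placeholder for a repeated value so references stay consistent.
        for ph, orig in mapping.items():
            if orig == original and ph.startswith(f"[{kind}_"):
                return ph
        counters[kind] += 1
        ph = f"[{kind}_{counters[kind]}]"
        mapping[ph] = original
        return ph

    text = EMAIL_RE.sub(lambda m: placeholder("EMAIL", m.group(0)), text)
    text = PHONE_RE.sub(lambda m: placeholder("PHONE", m.group(0)), text)
    # Longest names first so "Jane Doe" is not partially replaced via "Jane".
    for name in sorted(known_names, key=len, reverse=True):
        pattern = re.compile(r"\b" + re.escape(name) + r"\b")
        text = pattern.sub(lambda m, n=name: placeholder("NAME", n), text)
    return Redaction(text, mapping)


def restore(text, mapping):
    """Put the original values back into a provider response (done locally)."""
    for ph, original in mapping.items():
        text = text.replace(ph, original)
    return text


# Constructed sample input resembling an HR-related prompt.
SAMPLE = ("Contact Jane Doe (jane.doe@example.com, +49 30 1234567) about the "
          "HR policy. Jane Doe approved it.")


def demo():
    r = redact(SAMPLE, known_names=("Jane Doe",))
    return r.text, r.mapping, restore(r.text, r.mapping)


if __name__ == "__main__":
    redacted, mapping, round_trip = demo()
    print(redacted)
    print(mapping)
    print("round trip ok:", round_trip == SAMPLE)
```

The placeholders are deliberately opaque and numbered rather than hashed: a hash of a short value such as a phone number can be reversed by brute force, while a counter carries no information at all outside the local mapping.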

Incident response

If a security issue arises, our incident response process ensures:

  • Assessment within 24 hours

  • Communication to affected users within 72 hours for data breaches (GDPR Article 33)

  • Remediation tracking and post-incident review

Report security concerns to [email protected].

What makes us different

Unlike general AI tools, ISMS Copilot is purpose-built for compliance:

  • No hallucinations on controls: Framework injection ensures accuracy on ISO 27001, SOC 2, and other standards.

  • EU-hosted with zero training: Your data never leaves the EU (with Advanced Mode) and is never used to train models.

  • Audit-ready outputs*: Structured policies and gap analyses — not conversational responses you need to reformat. *Always review anyway, it's just the right thing to do.

  • Workspace organization: Multi-client and project separation built in.

For detailed information on data processing, see our Privacy Policy and Data Processing Agreement.
