Overview
This Register of Processing Activities (RopA) documents all personal data processing activities carried out by the ISMS Copilot platform in compliance with Article 30 of the General Data Protection Regulation (GDPR). This register serves as a comprehensive record of how personal data is collected, processed, stored, and protected within the platform.
This RopA is maintained by ISMS Copilot and updated regularly to reflect changes in data processing activities. Last updated: Nov 2025.
Who This Is For
This document is intended for:
Data Protection Officers (DPOs) evaluating ISMS Copilot
Compliance teams conducting vendor risk assessments
Organizations requiring sub-processor documentation
Legal and security teams performing due diligence
Auditors assessing GDPR compliance
GDPR Compliance Overview
ISMS Copilot 2.0 is designed as a B2B SaaS tool for compliance professionals. We process data primarily in the EU using Supabase (EU region) for storage and authentication. We minimize data collection, ensure user control, and avoid using your data for AI training. As a small company, we focus on pragmatic, high-impact controls while pursuing formal certifications like ISO 27001 and implementing AI security controls.
Data Controller Information
Controller Details
Name: ISMS Copilot
Jurisdiction: France (European Union)
Primary Data Location: Frankfurt, Germany (AWS EU-Central-1)
GDPR Representative: French Data Protection Authority (CNIL)
Primary data processing occurs within the European Union (Frankfurt, Germany). Some limited data transfers to the United States occur for AI processing (configurable via Advanced Data Protection Mode) and email communications (SendGrid, Kit), with appropriate safeguards including Standard Contractual Clauses.
Processing Activity #1: User Authentication & Account Management
Purpose of Processing
To provide secure user authentication, session management, and account access control for the ISMS Copilot platform.
Legal Basis
Primary: Contract Performance (Article 6(1)(b) GDPR) - necessary to provide the service
Secondary: Legitimate Interest (Article 6(1)(f) GDPR) - security and fraud prevention
Categories of Data Subjects
Platform users (compliance professionals, consultants, security teams)
Trial users and prospective customers
Workspace members and collaborators
Categories of Personal Data
Email addresses
Password hashes (one-way, not reversible)
Authentication tokens and session identifiers
User unique identifiers (UUIDs)
Password reset tokens (temporary)
Account creation timestamps
Last login timestamps
Data Processors
Supabase Auth (PostgreSQL-based authentication)
Location: EU (Frankfurt, Germany)
Processing: User authentication, session management
DPA Status: GDPR-compliant Data Processing Agreement in place
Retention Period
Active accounts: Retained while account is active
After account deletion: Permanently deleted within 30 days
Session tokens: Expire automatically after an inactivity period
Password reset tokens: Expire after 24 hours or first use
Security Measures
Password hashing using industry-standard algorithms
Encrypted data transmission (TLS 1.3)
Row-level security in database
Mandatory multi-factor authentication (MFA) option
Session timeout controls
Processing Activity #2: AI Chat Processing & Conversation Management
Purpose of Processing
To provide AI-powered compliance assistance, generate responses to user queries, and maintain conversation context for improved user experience.
Legal Basis
Primary: Contract Performance (Article 6(1)(b) GDPR) - core service functionality
Categories of Data Subjects
Authenticated platform users
Temporary/anonymous chat users
Individuals mentioned in user queries (indirect data subjects)
Categories of Personal Data
User messages and queries
AI-generated responses
Conversation thread metadata (titles, timestamps, status)
User workspace configurations
Custom instructions and personas
Potentially sensitive compliance data (policies, procedures, audit information)
Users may input special category data (Article 9 GDPR) such as information about security incidents or compliance violations. Users are responsible for ensuring they have a legal basis to process such data before inputting it into the platform.
Data Processors
Database Storage (Always Active)
Supabase PostgreSQL Database
Location: EU (Frankfurt, Germany)
Processing: Message storage, retrieval, conversation management
DPA Status: GDPR-compliant
AI Processing (User-Configurable via Advanced Data Protection Mode)
Users can choose between two AI processing modes. The active mode determines which sub-processor is used:
Default Mode (Advanced Data Protection OFF):
xAI (Grok) and OpenAI
Location: United States
Processing: AI response generation
Retention: 30 days (temporary processing cache)
Data Usage: API data is NOT used for model training
DPA Status: Standard API Terms (no training on customer data)
Advanced Data Protection Mode (ON):
Mistral AI
Location: European Union
Processing: AI response generation
Retention: Zero (no data retention)
Data Usage: NOT used for model training
DPA Status: EU-based processor with zero retention guarantee
Organizations with EU data residency requirements should document the use of Advanced Data Protection Mode in their own Register of Processing Activities. When enabled, this eliminates US-based AI processing and ensures zero retention by AI providers.
Backend Infrastructure (Always Active)
Fly.io - Chat API Service
Location: EU-based deployment
Processing: Chat orchestration, streaming responses, message routing
DPA Status: GDPR-compliant hosting agreement
Retention Period
User-configurable retention: 1 day to 7 years ("Keep Forever" corresponds to the 7-year maximum)
Default retention: As configured by user in account settings
Automated deletion: Daily automated process deletes messages older than user-specified retention period
Temporary chats: Automatically deleted after 30 days
After account deletion: All conversations permanently deleted within 30 days
Users control their data retention period through Settings. Configure retention to match your organization's data protection policies and legal requirements.
Security Measures
End-to-end TLS encryption for data in transit
Row-level security ensures users can only access their own conversations
Workspace isolation prevents cross-contamination of client data
User authentication required for persistent conversations
Automated deletion of expired data
Processing Activity #3: File Upload & Document Processing
Purpose of Processing
To enable users to upload compliance documents for AI analysis, gap assessment, and document generation.
Legal Basis
Primary: Contract Performance (Article 6(1)(b) GDPR) - service feature
Categories of Data Subjects
Platform users uploading documents
Individuals mentioned in uploaded documents (employees, customers, third parties)
Categories of Personal Data
Uploaded files (PDF, DOCX, XLSX)
Extracted document content and metadata
File names, sizes, upload timestamps
Document processing status
Potentially sensitive organizational data (policies, audit reports, risk assessments)
Uploaded documents may contain special category data or confidential business information. Users must ensure they have appropriate legal authority to upload and process such documents.
Data Processors
Supabase Storage
Location: EU (Frankfurt, Germany)
Processing: Secure file storage in "uploads" bucket
DPA Status: GDPR-compliant
ConvertAPI
Endpoint: EU (convertapi.com)
Processing: Document format conversion (PDF/DOCX/XLSX to HTML and vice versa)
DPA Status: EU-based processor with GDPR compliance
Fly.io
Processing: Document conversion orchestration
DPA Status: GDPR-compliant
Retention Period
Active files: Retained according to user's data retention settings (linked to conversation retention)
Orphaned files: Automatically deleted via background cleanup process
After account deletion: All uploaded files permanently deleted within 30 days
ConvertAPI processing: Files processed in memory, not stored permanently by processor
Security Measures
User-scoped file access (files linked to user ID)
Encrypted storage
Secure file upload over HTTPS
Automated orphaned file cleanup
Authentication required for file upload and deletion
Processing Activity #4: Payment & Subscription Management
Purpose of Processing
To process subscription payments, manage billing, and provide access to premium features.
Legal Basis
Primary: Contract Performance (Article 6(1)(b) GDPR) - billing and payment processing
Secondary: Legal Obligation (Article 6(1)(c) GDPR) - tax and accounting compliance
Categories of Data Subjects
Premium subscribers
Trial users converting to paid plans
Billing contacts for organizational accounts
Categories of Personal Data
Stripe customer IDs
Subscription IDs and status
Payment metadata (no full credit card numbers stored)
Billing events and timestamps
Invoice information
Data Processors
Stripe
Location: US
Processing: Payment processing, subscription management, customer portal
DPA Status: GDPR-compliant Data Processing Agreement
Supabase
Processing: Stores subscription status and customer IDs (not payment card data)
DPA Status: GDPR-compliant
Retention Period
Active subscriptions: Retained while subscription is active
After cancellation: Subscription data retained for 7 years (tax and accounting compliance)
Billing records: Anonymized after 7 years
Payment card data: NEVER stored by ISMS Copilot (handled exclusively by Stripe)
Security Measures
PCI DSS Level 1 compliant payment processing (via Stripe)
No credit card data stored in ISMS Copilot systems
Webhook signature verification
Encrypted transmission of payment data
Duplicate payment prevention
Processing Activity #5: Analytics & Product Improvement
Purpose of Processing
To analyze platform usage, improve user experience, identify bugs, and monitor system performance.
Legal Basis
Primary: Legitimate Interest (Article 6(1)(f) GDPR) - product improvement and service reliability
Categories of Data Subjects
All platform users
Website visitors
Categories of Personal Data
User behavior events (page views, button clicks, feature usage)
Session data and session duration
Browser and device information
Error logs and exception data
Performance metrics (page load times, interaction metrics)
IP addresses (anonymized)
Analytics systems are configured with sendDefaultPii: false to prevent automatic collection of personally identifiable information. No conversation content or uploaded documents are shared with analytics providers.
Data Processors
PostHog
Location: EU (eu.i.posthog.com)
Processing: Product analytics, user behavior tracking
DPA Status: GDPR-compliant, EU-hosted
PII Protection: Configured to NOT send default PII
Sentry
Location: Germany (de.sentry.io)
Processing: Error tracking, performance monitoring
DPA Status: GDPR-compliant, Germany-based
PII Protection: Configured to NOT send default PII
Vercel Web Analytics
Processing: Web vitals, performance metrics
DPA Status: GDPR-compliant
Retention Period
PostHog analytics: According to PostHog retention policy (typically 7 years max)
Sentry error logs: 90 days default retention
Vercel analytics: According to Vercel retention policy
Security Measures
Anonymized IP addresses
No PII sent by default
No conversation content shared
EU-based analytics infrastructure
Production-only tracking (no development environment data)
Processing Activity #6: Infrastructure & Deployment
Purpose of Processing
To host and deliver the ISMS Copilot application securely to users.
Legal Basis
Primary: Contract Performance (Article 6(1)(b) GDPR) - service delivery
Categories of Data Subjects
All platform users and visitors
Categories of Personal Data
HTTP request logs
IP addresses (temporary, for routing)
Connection metadata
Session cookies
Data Processors
Vercel
Processing: Frontend hosting and content delivery
DPA Status: GDPR-compliant
Fly.io
Processing: Backend API hosting
DPA Status: GDPR-compliant
AWS (via Supabase)
Location: Frankfurt, Germany (EU-Central-1)
Processing: Database and storage infrastructure
DPA Status: GDPR-compliant
Retention Period
Access logs: Retained according to infrastructure provider policies (typically 30-90 days)
Session data: Expires after user session ends
Security Measures
TLS 1.3 encryption for all connections
Content Security Policy headers
DDoS protection
Regular security updates and patches
Processing Activity #7: Email Communications & Updates
Purpose of Processing
To send occasional legal updates, product updates, onboarding guidance, and service-related communications to users as part of the platform experience.
Legal Basis
Primary: Legitimate Interest (Article 6(1)(f) GDPR) - product improvement, user education, and service communications related to platform usage
Categories of Data Subjects
All platform users (new signups and existing users)
Trial users receiving onboarding sequences
Premium subscribers receiving product updates
Categories of Personal Data
Email addresses
Subscription preferences (legal updates, product updates)
Email engagement data (opens, clicks)
Unsubscribe status
Send timestamps
Data Processors
SendGrid (by Twilio)
Purpose: Transactional and occasional legal update emails
Location: Likely United States (exact server location not confirmed)
Processing: Email delivery, bounce handling, engagement tracking
DPA Status: GDPR-compliant Data Processing Agreement; Standard Contractual Clauses (SCC) in place for EU-US transfers
Kit (formerly ConvertKit)
Purpose: Onboarding email sequences and monthly product update emails
Location: Likely United States (exact server location not confirmed)
Processing: Email delivery, subscriber management, engagement analytics
DPA Status: GDPR-compliant Data Processing Agreement; Standard Contractual Clauses (SCC) in place for EU-US transfers
Users can unsubscribe from product updates and onboarding emails at any time via the unsubscribe link in each email. Essential service notifications (e.g., security alerts, account changes) may still be sent as required by law or contract.
Retention Period
Active subscriptions: Retained while user remains subscribed
After unsubscribe: Email removed from mailing lists immediately
Engagement data: Retained according to email service provider policies (typically up to 2 years)
After account deletion: All email preferences and data removed within 30 days
Security Measures
Encrypted email transmission (TLS)
Secure API connections to email providers
One-click unsubscribe functionality
Email authentication (SPF, DKIM, DMARC)
Bounce and complaint handling
Data Subject Rights Implementation
ISMS Copilot provides comprehensive support for all GDPR data subject rights through both self-service features and support-assisted processes.
Right to Access (Article 15)
Self-Service: Users can view all conversations and files through the platform interface
Full Export: Contact support for complete data export in JSON format
Response Time: Within 72 hours (legally up to 30 days)
Right to Rectification (Article 16)
Self-Service: Users can update settings through the Settings dialog
Email Changes: Contact support for email address changes
Response Time: Immediate for self-service; within 30 days for support requests
Right to Erasure (Article 17)
Process: Contact support to request account deletion
Scope: All personal data, conversations, files, and settings
Timeline: Permanent deletion within 30 days
Exceptions: Anonymized billing records retained for 7 years (legal obligation)
Right to Data Portability (Article 20)
Format: JSON export including all user data
Process: Request through support
Response Time: Within 72 hours (up to 5 days for large accounts)
Right to Restrict Processing (Article 18)
Process: Contact support with reason for restriction
Response Time: Within 30 days
Right to Object (Article 21)
Process: Contact support to object to specific processing
Response Time: Within 30 days
Data Breach Notification Procedures
Detection & Assessment
Continuous monitoring via Sentry error tracking
Security incident review within 24 hours of detection
Risk assessment for potential data breach impact
Notification Timeline
To Supervisory Authority (CNIL): Within 72 hours of becoming aware (Article 33)
To Data Subjects: Without undue delay if high risk to rights and freedoms (Article 34)
Notification Contents
Nature of the breach
Categories and approximate number of data subjects affected
Likely consequences
Measures taken or proposed to address the breach
International Data Transfers
Data Transfers Depend on Advanced Data Protection Mode Setting
Whether data is transferred outside the EU depends on the user's Advanced Data Protection Mode configuration:
When Advanced Data Protection is ON (EU-Only Mode):
Core data processing occurs within the European Union. Email addresses of users who opt in to newsletters are transferred to US-based email providers (SendGrid, Kit) with Standard Contractual Clauses in place.
Database storage: EU (Frankfurt, Germany)
AI processing: EU (Mistral AI)
Analytics: EU endpoints (PostHog EU, Sentry Germany)
File conversion: EU endpoint (ConvertAPI EU)
Email communications: US (SendGrid, Kit) - Standard Contractual Clauses
Result: EU-to-US data transfer only for email communications (opt-in based)
When Advanced Data Protection is OFF (Default Mode):
Conversation content is transferred to the United States for AI processing via xAI/OpenAI, and email addresses are transferred for email communications (SendGrid, Kit). While database storage remains in the EU, these constitute international data transfers subject to GDPR transfer requirements.
Database storage: EU (Frankfurt, Germany)
AI processing: United States (xAI/OpenAI)
Email communications: United States (SendGrid, Kit) - Standard Contractual Clauses
Retention by AI provider: 30 days (temporary processing cache)
Transfer mechanism: Standard API Terms for AI; Standard Contractual Clauses for email
Result: EU-to-US data transfer for AI processing and email communications
Organizations subject to strict EU data residency requirements should enable Advanced Data Protection Mode and document this configuration in their data processing records. This ensures full EU data sovereignty.
Data Location Summary by Component
Primary storage: Frankfurt, Germany (AWS EU-Central-1) - Always EU
AI processing: EU or US depending on Advanced Data Protection Mode
Analytics: EU endpoints only (PostHog EU, Sentry Germany) - Always EU
File conversion: ConvertAPI EU endpoint - Always EU
Email communications: United States (SendGrid, Kit) - Standard Contractual Clauses in place
Email service providers (SendGrid and Kit) are located in the United States. Data transfers to these processors are protected by Standard Contractual Clauses (SCC) approved by the European Commission. Users can unsubscribe from marketing emails at any time to minimize data transfers.
Sub-Processor List
| Sub-Processor | Purpose | Location | Retention | DPA Status |
|---|---|---|---|---|
| Supabase (PostgreSQL + Storage) | Database and file storage | EU (Frankfurt) | User-controlled | ✓ GDPR-compliant |
| xAI (Grok) + OpenAI * | AI processing (Default Mode) | United States | 30 days | ✓ No training on data |
| Mistral AI * | AI processing (Advanced Data Protection) | European Union | Zero | ✓ GDPR-compliant |
| Stripe | Payment processing | Global (EU DPA) | 7 years | ✓ GDPR-compliant |
| ConvertAPI | Document conversion | EU endpoint | Temporary | ✓ GDPR-compliant |
| PostHog | Product analytics | EU (Frankfurt) | 7 years max | ✓ GDPR-compliant |
| Sentry | Error monitoring | Germany | 90 days | ✓ GDPR-compliant |
| Vercel | Frontend hosting | Global CDN | 30-90 days | ✓ GDPR-compliant |
| Fly.io | Backend API hosting | EU deployment | 30-90 days | ✓ GDPR-compliant |
| SendGrid (Twilio) | Legal update emails | US (SCC) | Up to 2 years | ✓ GDPR + SCC |
| Kit (ConvertKit) | Onboarding & product emails | US (SCC) | Up to 2 years | ✓ GDPR + SCC |
* User-Configurable AI Processors: Only ONE of these AI providers is active at any time, depending on the user's Advanced Data Protection Mode setting. When Advanced Data Protection is OFF (default), xAI/OpenAI process conversations in the US with 30-day retention. When Advanced Data Protection is ON, Mistral AI processes conversations in the EU with zero retention.
This sub-processor list is current as of November 2025. ISMS Copilot will notify users at least 30 days before adding new sub-processors or making material changes to existing arrangements.
Technical & Organizational Measures (TOMs)
Access Control
Row-level security in database
User authentication required for all protected resources
Workspace isolation preventing cross-user data access
MFA available for enhanced account security
Session timeout controls
Encryption
TLS 1.3 for data in transit
Database encryption at rest
Password hashing (irreversible)
Encrypted file storage
Data Minimization
Only essential data collected (email, messages, files)
No unnecessary demographic or contact information
Analytics configured to exclude PII
User-controlled retention periods
Availability & Resilience
Database backups (automated)
Disaster recovery procedures
Monitoring and alerting (Sentry)
Status page for transparency (isms-copilot.instatus.com)
Testing & Evaluation
Regular security assessments
Error monitoring and logging
Automated data deletion testing
Access control verification
User Responsibilities
While ISMS Copilot provides GDPR-compliant infrastructure, users (as data controllers) are responsible for ensuring their use of the platform complies with GDPR and other applicable regulations.
As a Data Controller, Users Must:
Ensure legal basis exists before uploading personal data
Configure appropriate data retention periods for their organization
Maintain separate workspaces for different clients or data categories
Inform individuals when their data is processed through ISMS Copilot
Include ISMS Copilot in their own data processing records
Conduct Data Protection Impact Assessments (DPIA) when processing high-risk data
Not upload special category data (Article 9) without appropriate safeguards
Compliance Documentation
Available Compliance Resources
Trust Center - Detailed security and privacy documentation
Status Page - System availability and incident notifications
Record Maintenance
Review & Update Schedule
Quarterly review: Verify accuracy of processing activities
Change-driven updates: Within 30 days of new sub-processor or processing activity
Annual audit: Comprehensive review of all RopA entries
Version control: Maintain dated versions of RopA for audit trail
Contact Information
For GDPR Requests or Questions
Access the Help Center through the user menu
Email from your registered account address
Include "GDPR Request" in subject line for priority handling
Visit the Trust Center for detailed documentation
Data Protection Officer
Organizations requiring DPO contact information should submit a request through the Help Center.
Getting Help
For questions about this Register of Processing Activities:
Review the Data Privacy & GDPR Compliance article for detailed rights information
Contact support through the Help Center for clarification on specific processing activities
Request additional compliance documentation through support
Visit the Trust Center for comprehensive security and privacy resources