Overview

ISMS Copilot implements enterprise-grade security measures to protect your sensitive compliance data. This article explains how your data is secured, where it's stored, and what controls are in place to ensure confidentiality and privacy.

Who This Is For

This article is for:

  • Security teams evaluating ISMS Copilot

  • Compliance professionals handling sensitive client data

  • Administrators responsible for data protection decisions

  • Users who need to understand how their data is protected

Key Security Principles

ISMS Copilot's security architecture follows these core principles:

  • Zero Training on User Data - Your conversations, documents, and client information are never used to train AI models

  • EU Data Residency - All data is stored in EU-based servers (Frankfurt, Germany)

  • Encryption in Transit and at Rest - Data is encrypted on the network and in storage (the service decrypts data server-side to process it, so this is not end-to-end encryption in the strict sense)

  • User-Controlled Retention - You decide how long your data is kept

  • GDPR Compliance - Full compliance with European data protection regulations

Data Encryption

Encryption in Transit

All data transmitted between your browser and ISMS Copilot servers is protected using:

  • TLS 1.3 encryption on all HTTPS connections

  • HTTP Strict Transport Security (HSTS) enforced for 1 year, including all subdomains

  • Certificate pinning to prevent man-in-the-middle attacks

  • Automatic HTTPS upgrade for all insecure requests

Every connection to ISMS Copilot is encrypted with TLS, so your data cannot be read by a third party while in transit.

Encryption at Rest

All data stored in ISMS Copilot databases is protected with:

  • AES-256 encryption for all production databases

  • Encrypted backups with the same encryption standards

  • Encrypted file storage for uploaded documents (PDF, DOCX, XLS)

  • Secure key management with keys stored separately from data

Data Storage & Residency

Where Your Data Is Stored

All ISMS Copilot database storage occurs in:

  • Location: EU-based servers (AWS Frankfurt, Germany region)

  • Provider: Supabase (built on AWS infrastructure)

  • Compliance: GDPR-compliant data centers with EU data residency guarantees

AI Processing Location (User-Configurable):

While your database storage is always in the EU, AI processing location depends on your Advanced Data Protection Mode setting:

  • Advanced Data Protection OFF (Default): AI processing occurs in the United States (xAI/OpenAI)

  • Advanced Data Protection ON: AI processing occurs in the European Union (Mistral AI)

Your conversation history database always remains in the EU (Frankfurt). Advanced Data Protection Mode controls where AI processing happens and how long AI providers retain data (30 days vs zero).

What Data Is Stored

ISMS Copilot stores the following information:

  • Account information: Email address, authentication credentials (hashed passwords)

  • Conversation history: Your questions and AI responses within each workspace

  • Uploaded documents: Files you upload for analysis (PDF, DOCX, XLS)

  • Workspace data: Workspace names, custom instructions, and project organization

  • Usage metadata: Timestamps, message counts, and feature usage for billing and service improvement

Authentication & Access Control

Supported Authentication Methods

ISMS Copilot supports multiple secure authentication options:

Email & Password

  • Strong password requirements (minimum 8 characters with uppercase, lowercase, numbers, and special characters)

  • Passwords hashed using the industry-standard bcrypt algorithm

  • Secure password reset via email verification

Google OAuth

  • Single sign-on using your Google account

  • No password stored in ISMS Copilot

  • Authentication tokens managed by Google

Microsoft/Azure OAuth

  • Single sign-on using your Microsoft or Azure account

  • Enterprise-ready for organizations using Microsoft 365

  • Authentication tokens managed by Microsoft

For maximum security, use OAuth providers (Google or Microsoft) combined with their built-in multi-factor authentication features. This adds an extra layer of protection to your ISMS Copilot account.

Session Management

User sessions are managed using:

  • JSON Web Tokens (JWTs) with automatic expiration

  • Session storage that does not persist after the browser is closed

  • Automatic logout when tokens expire

  • Manual logout available through the user menu

Row-Level Security (RLS)

ISMS Copilot implements database-level access controls:

  • Users can only access their own conversations, workspaces, and uploaded files

  • Attempting to access another user's data returns empty results (not error messages)

  • All database queries automatically filter by authenticated user ID

  • Admin access requires separate authentication and authorization

Data Retention & Deletion

User-Controlled Retention

You have full control over how long your data is kept:

  1. Click the user menu icon (top right corner)

  2. Select Settings

  3. In the Data Retention Period field, enter your preferred retention period:

    • Minimum: 1 day

    • Maximum: 24,955 days (approximately 7 years)

    • Or click Keep Forever to retain indefinitely

  4. Click Save Settings

Expected result: The settings dialog closes and your retention preference is saved.

Data older than your retention period is automatically and permanently deleted. This process runs daily and cannot be undone. Make sure to export any data you need before it expires.

Automatic Data Deletion

ISMS Copilot automatically deletes expired data:

  • Deletion job runs daily to remove data older than your retention period

  • Deleted data includes conversation history, uploaded files, and workspace content

  • Deletion is permanent and cannot be recovered

  • Account information (email, settings) is retained until account deletion

Account Deletion

To delete your account and all associated data:

  1. Contact ISMS Copilot support through the Help Center

  2. Request complete account deletion

  3. Support will confirm your identity and process the deletion

  4. All data is permanently removed within 30 days

Privacy & Compliance

GDPR Compliance

ISMS Copilot is fully compliant with the General Data Protection Regulation (GDPR):

  • Data minimization: Only essential data is collected

  • Purpose limitation: Data is only used for providing the service

  • Storage limitation: User-controlled retention periods

  • Right to access: Users can export their data

  • Right to erasure: Users can request complete data deletion

  • Right to portability: Data can be exported in standard formats

  • Data protection by design: Security built into every feature

AI Training & Your Data

ISMS Copilot guarantees:

  • No training on user data: Your conversations, documents, and client information are never used to train AI models

  • Isolated processing: Each conversation is processed independently

  • No cross-customer data sharing: Your data is never visible to other users

  • Workspace isolation: Different workspaces maintain separate data boundaries

Unlike general AI tools like ChatGPT, ISMS Copilot never uses your sensitive compliance data to improve the AI model. Your client information remains completely confidential.

AI Provider Processing Options:

You can choose between two AI processing modes via Advanced Data Protection Mode:

  • Default Mode (OFF): US-based processing (xAI/OpenAI) with 30-day temporary retention

  • Advanced Data Protection (ON): EU-based processing (Mistral AI) with zero retention

Regardless of which mode you choose, your data is NEVER used for AI training.

Application Security

Protection Against Common Attacks

ISMS Copilot implements multiple security headers and policies:

Clickjacking Protection

  • X-Frame-Options: DENY prevents embedding in iframes

  • Content Security Policy frame-ancestors directive blocks framing

Content Security Policy (CSP)

  • Restricts script execution to approved sources only

  • Blocks inline scripts except where explicitly required

  • Restricts the object-src and base-uri directives to block plugin content and base-URL injection

  • Upgrades insecure HTTP requests to HTTPS automatically

MIME Type Protection

  • X-Content-Type-Options: nosniff prevents MIME type confusion attacks

Referrer Policy

  • Referrer-Policy: strict-origin-when-cross-origin sends only the origin (not the full URL) with cross-origin requests, limiting information leakage

Permissions Policy

ISMS Copilot disables unnecessary browser features to reduce attack surface:

  • Camera: Disabled

  • Microphone: Disabled

  • Geolocation: Disabled

  • Interest Cohort (FLoC tracking): Blocked
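As an added example (not ISMS Copilot's own code), here is a Python check a security team evaluating the service could run to confirm that a response carries the headers and directives described in this section, plus the HSTS setting from Encryption in Transit. The expected values are taken from this article; the SAMPLE response is constructed, and fetch_headers is an optional live fetch against a host you supply.

```python
"""Audit response headers against the controls documented above. Added
example, not ISMS Copilot code; SAMPLE is constructed, not captured."""
from http.client import HTTPSConnection

# Header name -> tokens its value must carry (HSTS "1 year with subdomain
# inclusion" is max-age=31536000 plus includeSubDomains).
EXPECTED = {
    "strict-transport-security": ["max-age=31536000", "includesubdomains"],
    "x-frame-options": ["deny"],
    "x-content-type-options": ["nosniff"],
    "referrer-policy": ["strict-origin-when-cross-origin"],
    "content-security-policy": ["frame-ancestors", "object-src", "base-uri",
                                "upgrade-insecure-requests"],
    "permissions-policy": ["camera=()", "microphone=()", "geolocation=()",
                           "interest-cohort=()"],
}

def audit_headers(headers):
    """Return {header: [problems]} for each control not met; {} means the
    response matches. Names and values are compared case-insensitively."""
    lowered = {k.lower(): v.lower() for k, v in headers.items()}
    findings = {}
    for name, tokens in EXPECTED.items():
        value = lowered.get(name)
        if value is None:
            findings[name] = ["header missing"]
            continue
        missing = [t for t in tokens if t not in value]
        if missing:
            findings[name] = missing
    return findings

def fetch_headers(host, path="/"):
    """Optional live check: HEAD over TLS (dict() keeps a repeated header's last value)."""
    conn = HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    return dict(conn.getresponse().getheaders())

# Constructed sample: correct except HSTS omits includeSubDomains and the
# Permissions-Policy forgets to disable geolocation.
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "object-src 'none'; base-uri 'self'; "
                               "frame-ancestors 'none'; upgrade-insecure-requests",
    "Permissions-Policy": "camera=(), microphone=(), interest-cohort=()",
}
```

audit_headers(SAMPLE) reports the two constructed gaps; for a live check, pass fetch_headers(host) to audit_headers instead.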

Third-Party Services

AI Processing Services

ISMS Copilot gives you control over which AI provider processes your conversations.

Available AI Providers (User-Configurable via Advanced Data Protection Mode):

  • xAI (Grok) and OpenAI:

    • Location: United States

    • Retention: 30 days (temporary cache)

    • Training: API data NOT used for model training

    • Active when: Advanced Data Protection is OFF (default)

  • Mistral AI:

    • Location: European Union

    • Retention: Zero (no retention)

    • Training: NOT used for model training

    • Active when: Advanced Data Protection is ON

Organizations with EU data residency requirements should enable Advanced Data Protection Mode to ensure 100% EU processing with zero AI provider retention. This provides the strongest privacy guarantees available.

Analytics & Monitoring

ISMS Copilot uses the following third-party services:

PostHog (Analytics)

  • Purpose: Anonymous product analytics and feature usage tracking

  • Data shared: Feature usage, page views, anonymized user IDs

  • Not shared: Conversation content, uploaded documents, personal information

Sentry (Error Monitoring)

  • Purpose: Error tracking and performance monitoring

  • Data shared: Error messages, stack traces, browser information

  • Not shared: Conversation content, uploaded documents

Payment Processing

Stripe

  • Purpose: Secure payment processing and subscription management

  • PCI DSS Level 1 certified payment processor

  • ISMS Copilot never stores credit card information

  • All payment data handled exclusively by Stripe

Premium users can manage their subscription and payment methods securely through the Stripe Customer Portal by clicking "Manage Subscription" in the user menu.

Limitations & Considerations

What ISMS Copilot Does NOT Currently Offer

  • Native Multi-Factor Authentication (MFA): ISMS Copilot doesn't have built-in MFA, but you can use OAuth providers (Google/Microsoft) that support MFA on their end

  • Single Sign-On (SSO/SAML): Enterprise SSO integration is not currently available

  • Hardware Security Keys: FIDO2/WebAuthn authentication is not supported

  • Session Management Dashboard: Users cannot view or manage active sessions from multiple devices

  • IP Whitelisting: Access cannot be restricted to specific IP addresses

Data Retention Constraints

  • Minimum retention period: 1 day

  • Maximum retention period: 24,955 days (approximately 7 years)

  • Free users have the same retention controls as premium users

Security Incident Response

Monitoring & Detection

ISMS Copilot monitors for security incidents using:

  • Automated error tracking and alerting

  • Database audit logs for suspicious access patterns

  • Regular security reviews and vulnerability assessments

Reporting Security Issues

If you discover a security vulnerability:

  1. Contact ISMS Copilot support immediately through the Help Center

  2. Provide detailed information about the issue (without publicly disclosing it)

  3. Do not attempt to exploit the vulnerability

  4. Allow the security team time to investigate and resolve the issue

Best Practices for Users

Account Security

  • Use a strong, unique password (or OAuth providers with MFA enabled)

  • Don't share your login credentials with others

  • Sign out after using shared or public computers

  • Regularly review your workspaces and conversations for unauthorized activity

Data Protection

  • Set appropriate data retention periods for your compliance requirements

  • Anonymize sensitive client information before uploading when possible

  • Use separate workspaces for different clients to prevent data mixing

  • Regularly export important data before it expires based on retention settings

Create a dedicated workspace for each client or compliance project. This ensures client data remains isolated and makes it easier to manage retention policies and access controls.

Compliance Certifications

Current Status

ISMS Copilot maintains compliance with:

  • GDPR (General Data Protection Regulation)

  • CCPA (California Consumer Privacy Act) principles

  • EU data residency requirements

Infrastructure Provider Certifications

ISMS Copilot's infrastructure providers maintain:

  • AWS: ISO 27001, SOC 2 Type II, PCI DSS

  • Supabase: SOC 2 Type II, GDPR compliance

  • Stripe: PCI DSS Level 1, SOC 2 Type II

What's Next

Getting Help

If you have security or privacy questions:

  • Review the Trust Center for detailed security documentation

  • Contact support through the Help Center menu

  • For security vulnerabilities, report immediately through support channels

ISMS Copilot is committed to transparency about security practices. The Trust Center provides detailed information about data handling, security measures, and compliance with privacy regulations.
