
Transfer Impact Assessment (TIA)

ISMS Copilot has conducted a Transfer Impact Assessment (TIA) for international data transfers to the United States under GDPR Chapter V requirements. This article explains the assessment findings, supplementary measures implemented, and how Advanced Data Protection Mode affects your transfer obligations.

What Is a Transfer Impact Assessment

Under GDPR and the Schrems II ruling, organizations transferring personal data to countries outside the EU/EEA must assess whether the destination country's laws provide adequate protection. Standard Contractual Clauses (SCCs) alone may not be sufficient—you must evaluate whether additional safeguards are needed.

A TIA evaluates:

  • Laws in the destination country that might allow government access to data

  • Whether your data importer (sub-processor) could be subject to those laws

  • Technical and organizational measures that mitigate identified risks

  • Whether the combination of SCCs + supplementary measures provides adequate protection

This assessment applies when Advanced Data Protection Mode is OFF (default). When ON, AI processing remains in the EU, significantly simplifying transfer obligations.

EU-US Data Privacy Framework Monitoring

In July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF). However, ISMS Copilot does not rely solely on the DPF and implements supplementary measures regardless of adequacy decisions.

DPF Monitoring Commitment: ISMS Copilot monitors for legal challenges to the EU-US Data Privacy Framework on a quarterly basis. In the event of material legal developments (e.g., CJEU challenge, adequacy decision revocation, new EDPB guidance), this TIA will be reviewed and updated within 30 days. Users will be notified of any material changes to transfer mechanisms via email and product announcements.

Organizations should monitor for any challenges to the DPF (similar to Schrems I/II decisions).

ISMS Copilot's TIA: US-Based AI Providers

Scope of Assessment

ISMS Copilot conducted a Transfer Impact Assessment for US-based sub-processors used when Advanced Data Protection Mode is disabled:

  • Anthropic (Claude) [DEFAULT]: AI conversation processing

  • OpenAI: AI conversation and document analysis

  • xAI (Grok): AI conversation processing

  • Google Gemini: AI conversation processing

  • SendGrid (Twilio): Transactional email delivery

  • Kit (ConvertKit): Onboarding and product update emails

Note: Anthropic (Claude) is the default AI provider when Advanced Data Protection Mode is OFF. Users can select alternative providers (OpenAI, xAI, or Google Gemini) from settings.

The TIA evaluated US surveillance laws that could allow government access:

FISA Section 702

  • Permits US intelligence agencies to compel US companies to provide communications of non-US persons

  • Applies to "electronic communication service providers"

  • Targeting must be for foreign intelligence purposes

Executive Order 12333

  • Governs foreign intelligence activities

  • May allow interception of data in transit

CLOUD Act

  • Allows US law enforcement to compel disclosure of data held by US companies, even if stored abroad

  • Requires legal process (warrant or subpoena)

Risk Assessment Findings

ISMS Copilot's TIA concluded that risks are mitigated by the following factors:

Nature of Data Processed

  • Compliance-related queries and policy drafts

  • Generally not communications content targeted by FISA 702

  • Unlikely to meet "foreign intelligence" threshold for targeting

Limited Retention by AI Providers

  • xAI/OpenAI: 30-day retention for abuse monitoring only

  • Not permanently stored or indexed for intelligence purposes

  • Contractual prohibition on using data for model training

Encryption in Transit

  • TLS 1.3 encryption protects data in transit

  • Reduces risk of bulk interception under EO 12333

No Evidence of Government Requests

  • xAI, OpenAI, and email providers have not reported receiving government access requests for ISMS Copilot customer data

  • Transparency reports show targeted law enforcement requests, not bulk surveillance

Supplementary Measures

Beyond Standard Contractual Clauses, ISMS Copilot implements these supplementary technical and organizational measures:

Technical Measures

  • Encryption in transit: TLS 1.3 for all data transfers

  • Encryption at rest: EU database encrypted with AES-256

  • Limited retention: AI providers hold data in a 30-day cache rather than in permanent storage

  • User-controlled retention: Customers set their own data retention periods (1 day to 7 years)

  • PII Reduction Mode: Optional client-side redaction of personal data before AI processing

Contractual Measures

  • No training on data: AI providers contractually prohibited from using customer data for model training

  • Standard Contractual Clauses: EU Commission-approved SCCs with all US sub-processors

  • Abuse monitoring only: 30-day retention limited to detecting platform abuse, not commercial use

User Control Measures

  • Advanced Data Protection Mode: Users can switch to EU-only processing (Mistral AI, zero retention) to avoid US transfers entirely

  • Workspace isolation: Client data separated to limit exposure in any single request

  • Data minimization: Only essential data collected; no demographic or unnecessary personal information

The combination of SCCs, encryption, limited retention, and user control provides adequate protection for compliance-related data transfers to US AI providers. For maximum protection, enable Advanced Data Protection Mode.

How Advanced Data Protection Mode Changes TIA Obligations

Default Mode (Advanced Data Protection OFF)

When Advanced Data Protection is disabled:

  • AI processing location: United States (Anthropic Claude [DEFAULT], OpenAI, xAI, or Google Gemini - user selectable)

  • Transfer mechanism: Standard Contractual Clauses + supplementary measures

  • TIA requirement: Organizations subject to GDPR should conduct or rely on ISMS Copilot's TIA

  • Retention by AI providers: 30 days (temporary cache for abuse monitoring)

  • Email transfers: Still occur to US providers (SendGrid/Kit) regardless of AI setting

If you use default mode for processing personal data of EU residents, document this transfer in your Register of Processing Activities and rely on ISMS Copilot's TIA or conduct your own assessment.

Advanced Data Protection ON (EU-Only Mode)

When Advanced Data Protection is enabled:

  • AI processing location: European Union (Mistral AI, Frankfurt)

  • Transfer mechanism: No international transfer for AI processing (EU-to-EU)

  • TIA requirement: Not required for AI processing (no transfer outside EU/EEA)

  • Retention by AI provider: Zero retention—data processed in real-time and discarded

  • Email transfers: Still occur to US providers (SendGrid/Kit); TIA still required for emails

Advanced Data Protection Mode eliminates the need for TIA on AI processing, significantly simplifying GDPR compliance. However, email transfers to US providers remain and still require assessment.

Email Transfers Remain Regardless of Mode

Even with Advanced Data Protection enabled, email communications involve US transfers:

  • SendGrid (Twilio): Transactional emails (account verification, password resets, security alerts)

  • Kit (ConvertKit): Onboarding sequences and product updates (optional, user can unsubscribe)

  • Data transferred: Email addresses, engagement data (opens, clicks), message metadata

  • Safeguards: Standard Contractual Clauses, encryption in transit, GDPR-compliant DPAs

To minimize email transfers, users can unsubscribe from non-essential communications.

Conducting Your Own TIA

When You Need Your Own Assessment

Organizations should conduct their own TIA if:

  • You process special category data (Article 9 GDPR) through ISMS Copilot

  • Your risk tolerance differs from ISMS Copilot's assessment

  • Your data protection authority requires organization-specific TIAs

  • Client contracts mandate independent transfer assessments

  • You process large volumes of personal data of EU residents

Key Questions for Your TIA

When conducting your own assessment, consider:

Data Sensitivity

  • What types of personal data are you uploading?

  • Does it include special category data (health, biometric, political opinions)?

  • How would unauthorized government access harm data subjects?

Likelihood of Access

  • Could your compliance data meet the "foreign intelligence" threshold under FISA 702?

  • Are you or your clients potential targets of government surveillance?

  • Do you handle data related to national security, terrorism, or organized crime?

Supplementary Measures

  • Are ISMS Copilot's technical measures (encryption, limited retention) sufficient for your use case?

  • Should you enable Advanced Data Protection Mode for EU-only processing?

  • Should you enable PII Reduction Mode to redact personal data before AI processing?

  • Do you need additional anonymization before uploading documents?

Alternative Solutions

  • If risks cannot be mitigated, can you avoid the transfer by enabling Advanced Data Protection Mode?

  • Can you anonymize data before using ISMS Copilot?

  • Should you restrict ISMS Copilot use to non-personal data only?

Resources for Your TIA

Decision Guide: Which Mode Should You Use

Use Advanced Data Protection Mode (EU-Only) When:

  • Your organization has mandatory EU data residency requirements

  • You handle personal data of EU residents and want to simplify TIA compliance

  • Client contracts prohibit US-based data processing

  • You process special category data (Article 9 GDPR)

  • Your data protection authority requires EU-only processing

  • Your risk assessment concludes US transfers pose unacceptable risks

  • You want zero AI provider retention for maximum privacy

Compliance consultants working with European clients should default to Advanced Data Protection Mode to meet strict data sovereignty requirements and simplify GDPR compliance.

Default Mode May Be Acceptable When:

  • You process only compliance documentation without personal data

  • Your TIA concludes supplementary measures provide adequate protection

  • You're not subject to GDPR (non-EU organization, no EU data subjects)

  • You handle only non-sensitive compliance content (generic policies, frameworks)

  • 30-day AI provider retention is acceptable under your policies

Documenting Transfers in Your ROPA

If you use ISMS Copilot to process personal data, document it in your Register of Processing Activities:

Default Mode (Advanced Data Protection OFF)

  • Sub-processors: ISMS Copilot (EU), Anthropic (US), OpenAI (US), xAI (US), Google (US), SendGrid (US), Kit (US)

  • Transfer destinations: United States

  • Transfer mechanisms: Standard Contractual Clauses, encryption, limited retention

  • TIA reference: "Relying on ISMS Copilot's Transfer Impact Assessment dated [date]" or "Conducted internal TIA on [date]"

Advanced Data Protection Mode (ON)

  • Sub-processors: ISMS Copilot (EU), Mistral AI (EU), SendGrid (US), Kit (US)

  • Transfer destinations: United States (email only)

  • Transfer mechanisms: Standard Contractual Clauses for email providers

  • TIA reference: "AI processing occurs in EU (no transfer); email transfers covered by SCCs"

See ISMS Copilot's Register of Processing Activities for a template you can reference.

Best Practices

For EU Organizations

  • Enable Advanced Data Protection Mode by default to avoid TIA complexity

  • Document ISMS Copilot in your ROPA with appropriate sub-processor details

  • Inform data subjects that you use AI tools for compliance processing (privacy notice)

  • Anonymize personal data before uploading when possible

  • Conduct a DPIA if processing special category data or large-scale personal data

For Compliance Consultants

  • Assess each client's data residency requirements before choosing a mode

  • Create separate workspaces per client to isolate data

  • Include ISMS Copilot as a sub-processor in your client DPAs

  • Inform clients about the mode you're using and why

  • Enable PII Reduction Mode for extra protection when handling audit reports with employee names

Minimizing Transfer Risks

  • Enable Advanced Data Protection Mode: Eliminates AI processing transfers entirely

  • Enable PII Reduction Mode: Redacts personal data before it reaches AI providers

  • Unsubscribe from non-essential emails: Reduces email provider transfers

  • Set short retention periods: Limits how long data is stored

  • Anonymize before upload: Remove or pseudonymize personal identifiers

Frequently Asked Questions

Do I need to conduct my own TIA if I use ISMS Copilot?

It depends. If you use default mode and process personal data of EU residents, you should either conduct your own TIA or document your reliance on ISMS Copilot's assessment. If you enable Advanced Data Protection Mode, AI processing remains in the EU and does not require a TIA (though email transfers still do).

Does Advanced Data Protection Mode completely eliminate transfer obligations?

No. It eliminates transfers for AI processing, but email communications still involve US-based providers (SendGrid, Kit). These email transfers remain subject to GDPR Chapter V requirements and should be documented in your ROPA.

What if my data protection authority rejects ISMS Copilot's TIA?

If your DPA concludes that US transfers pose unacceptable risks, enable Advanced Data Protection Mode to process AI workloads exclusively in the EU. This removes the need for TIA on AI processing.

Can I use ISMS Copilot for special category data?

Yes, but with precautions. Enable Advanced Data Protection Mode for EU-only processing, enable PII Reduction Mode, set short retention periods, and conduct a Data Protection Impact Assessment (DPIA) as required by Article 35 GDPR. Ensure you have a lawful basis under Article 9.

How often should I review my TIA?

Review your TIA whenever:

  • ISMS Copilot changes sub-processors or data flows

  • US surveillance laws change

  • Your data protection authority issues new guidance

  • The nature or volume of data you process changes significantly

Where can I find ISMS Copilot's Standard Contractual Clauses?

SCCs are incorporated into sub-processor agreements. Contact support through the Help Center to request copies of SCCs for your vendor assessment or audit purposes.

Getting Help

For questions about transfer impact assessments or international data transfers:

  • Review the Data Processing Agreement for legal transfer mechanisms

  • Contact support through the Help Center for TIA documentation or SCC copies

  • Include "TIA Request" or "Transfer Impact Assessment" in your subject line

  • Visit the Security Collection for comprehensive compliance documentation
