ISMS Scope
This document defines the scope of the Information Security Management System (ISMS) for ISMS Copilot, operated by Better ISMS (France). It identifies the boundaries and applicability of the ISMS, considering our organizational context, interested parties, and interfaces with external services.
This scope document follows ISO 27001:2022 Clause 4.3 and is reviewed annually or when significant changes occur to our services, integrations, or organizational structure.
Organization
| Field | Value |
|---|---|
| Legal Entity | Better ISMS |
| Jurisdiction | France (EU) |
| Product | ISMS Copilot — AI-powered compliance assistant |
| Business Model | B2B SaaS (subscription-based) |
| Users | ~800 (primarily EU-based, globally available) |
ISMS Scope Statement
The ISMS applies to the development, operation, and management of the ISMS Copilot platform — a cloud-hosted, AI-powered SaaS application that assists organizations with information security management system compliance.
Applications and Services in Scope
| Component | Technology | Hosting |
|---|---|---|
| Frontend web application | React, TypeScript, Vite | Vercel (global CDN) |
| Backend chat service | Deno, TypeScript | Fly.io (CDG region, Paris) |
| Database and authentication | PostgreSQL, Supabase Auth | Supabase Cloud (EU — Frankfurt) |
| File storage | S3-compatible | Supabase Storage (EU — Frankfurt) |
| Edge functions | Deno | Supabase Edge |
Third-Party Integrations in Scope
| Integration | Purpose | Scope Coverage |
|---|---|---|
| Anthropic (Claude) | Default AI chat provider | Data flows, key management, provider monitoring |
| OpenAI (GPT-4.1) | Document detection | Data flows, key management |
| xAI (Grok) | Document formatting | Data flows, key management |
| Mistral AI | Advanced Data Protection mode | Data flows, key management, ZDR verification |
| Google (Gemini) | Alternative AI chat provider | Data flows, key management |
| Stripe | Payment processing | Webhook security, subscription management |
| ConvertAPI | File conversion (PDF, DOCX, XLSX) | Data flows, file handling |
| SendGrid | Security alert emails | Alert delivery |
Data in Scope
| Data Category | In Scope |
|---|---|
| User chat messages and AI responses | Yes |
| Uploaded files and extracted content | Yes |
| User account and authentication data | Yes |
| Subscription and billing metadata | Yes |
| User settings and workspace instructions | Yes |
| Token consumption and usage records | Yes |
| Application logs and error reports | Yes |
Processes in Scope
| Process | In Scope |
|---|---|
| Software development lifecycle (SDLC) | Yes |
| Change management and deployment | Yes |
| Incident detection, response, and recovery | Yes |
| Risk assessment and treatment | Yes |
| Access management and review | Yes |
| Vulnerability management | Yes |
| Supplier management | Yes |
| Data protection and privacy | Yes |
| Business continuity and disaster recovery | Yes |
Monitoring and Development Tools in Scope
| Tool | Purpose | Scope Coverage |
|---|---|---|
| Sentry | Error tracking (frontend + backend) | PII scrubbing, log hygiene |
| PostHog | Product analytics | Data minimization |
| BetterStack | Uptime monitoring, status page | Alert configuration |
| GitHub | Source code, CI/CD pipelines | Access control, secrets management, pipeline security |
| Vercel CI/CD | Frontend deployment | Deployment security |
Exclusions from Scope
| Exclusion | Justification |
|---|---|
| Physical office infrastructure | Team is fully remote; no physical office to secure |
| Employee personal devices | BYOD environment; security controls are at the application and platform layer, not the endpoint |
| Customer-side security | Customer environments, endpoints, and internal networks are outside ISMS Copilot's control |
| Third-party internal operations | Supplier internal security is governed by their own certifications (SOC 2, ISO 27001) and our supplier management policy |
| Marketing website | Static marketing site on separate infrastructure; no user data processing |
ISMS Boundary Diagram
The ISMS boundary includes the management of interfaces with external entities:

- End users connect via browsers to the Frontend (Vercel), which communicates with Supabase (DB/Auth/Storage/Edge Functions) and the Fly.io Chat Service
- The Fly.io Chat Service interfaces with the AI Providers (Anthropic, OpenAI, xAI, Mistral, Gemini) and the Supabase DB
- Stripe and ConvertAPI are accessed via Supabase Edge Functions
- GitHub Actions manages the CI/CD pipeline
- Sentry, PostHog, and BetterStack provide monitoring and observability
All data at rest is stored within EU infrastructure (Frankfurt). The backend chat service runs in Paris (CDG). AI provider API calls may transit to non-EU endpoints, which is documented in our Transfer Impact Assessment.
Applicable Standards and Frameworks
| Standard | Scope of Application |
|---|---|
| ISO/IEC 27001:2022 | Full ISMS — all clauses and applicable Annex A controls |
| ISO/IEC 42001:2023 | AI Management System — applicable to AI components |
| GDPR | All personal data processing activities |
| SOC 2 | Trust Services Criteria — Security, Availability, Confidentiality |
| French Data Protection Law | National GDPR implementation |
Scope Review
This scope document is reviewed annually, when new services or integrations are added, when organizational structure changes, when entering new markets or jurisdictions, and following management review findings. Changes to the ISMS scope require CEO approval and trigger a review of the Statement of Applicability, risk assessment, and affected policies.