Security & Privacy at ISMS Copilot
We build compliance tools for security professionals. That means your data security is not just a feature — it's our foundation.
- Full GDPR compliance with DPA available
- Full EU data residency with Advanced Data Protection
- Infrastructure providers (AWS, Supabase) hold SOC 2 Type II attestations
Security Practices
How we protect your compliance data
Encryption in Transit
All connections secured with TLS 1.3. No unencrypted data ever leaves your browser.
Encryption at Rest
AES-256 encryption for all stored data. Database and file storage encrypted by default.
Row-Level Security
Database-enforced access isolation. Users can only access their own data at the database level.
EU Data Center
Primary infrastructure hosted in Frankfurt, Germany (AWS EU-Central-1). Data stays in the EU.
SOC 2 Type II Infrastructure
Built on Supabase and AWS, both SOC 2 Type II attested. Enterprise-grade security by default.
No AI Training
Your data is never used to train AI models. All AI providers are contractually bound to this commitment.
PII Redaction
Built-in PII redaction automatically strips sensitive personal data before it reaches AI providers.
Data Residency
Choose where your data is processed
Standard Mode
- Database: EU (Frankfurt)
- File Storage: EU (Frankfurt)
- AI Processing: US (Anthropic, OpenAI, xAI, Gemini)
- AI Retention: 30 days
- Content Moderation: EU (Mistral AI)
- AI Failover: EU (Mistral AI)
- Data Safeguards: Standard Contractual Clauses
Advanced Data Protection
- Database: EU (Frankfurt)
- File Storage: EU (Frankfurt)
- AI Processing: EU (Mistral AI only)
- AI Retention: Zero retention
- Content Moderation: EU (Mistral AI)
- AI Failover: EU (Mistral AI)
- US Data Transfers: Eliminated
Database and file storage are always hosted in the EU (Frankfurt, Germany), regardless of the selected mode.
Flagged content may be stored for up to 1 year for safety review, regardless of mode.
Email addresses are processed by SendGrid and Kit (US) with Standard Contractual Clauses in all modes.
Subprocessors
Third-party services that process data on our behalf
| Service | Purpose | Location | Retention |
|---|---|---|---|
| Supabase | Database & Authentication | EU (Frankfurt, Germany) | User-controlled |
| AWS | Infrastructure | EU (Frankfurt, Germany) | User-controlled |
| Anthropic (Claude) | AI Processing (Default) | United States | 30 days |
| OpenAI | AI Processing (Alternative) | United States | 30 days |
| xAI (Grok) | AI Processing (Alternative) | United States | 30 days |
| Google Gemini | AI Processing (Alternative) | United States | 30 days |
| Mistral AI | AI Processing, Content Moderation & Failover | European Union | Zero retention |
| Fly.io | Chat API Service | EU-based deployment | 7 days (logs) |
| ConvertAPI | Document Format Conversion (ISO 27001:2022) | EU (Frankfurt) | Temporary (in-memory) |
| Stripe | Payment Processing | United States | Per Stripe policy (PCI DSS Level 1) |
| PostHog | Product Analytics | EU (Frankfurt) | Up to 7 years (anonymized) |
| Sentry | Error Tracking & Monitoring | EU (Germany) | 90 days |
| Vercel | Web Hosting & Analytics | EU (Frankfurt) | Per Vercel policy |
| SendGrid (Twilio) | Legal Update Emails | United States | Until account deletion or unsubscribe |
| Kit (ConvertKit) | Onboarding & Product Emails | United States | Until account deletion or unsubscribe |
Last updated: March 2026 · We provide 30 days' advance notice before adding new subprocessors.
Legal Documents
Transparency documentation available for review