Security & Privacy at ISMS Copilot
We build compliance tools for security professionals. That means your data security is not just a feature — it's our foundation.
- Full GDPR compliance, with a DPA available
- Full EU data residency with Advanced Data Protection
- Infrastructure providers (AWS, Supabase) hold SOC 2 Type II attestations
Security Practices
How we protect your compliance data
Encryption in Transit
All connections to the service use TLS 1.3. Data leaves your browser only over an encrypted connection.
Encryption at Rest
AES-256 encryption for all stored data. Database and file storage encrypted by default.
Row-Level Security
Access isolation is enforced by the database itself: Postgres row-level security policies restrict each user's queries to rows they own, so the application layer cannot accidentally return another user's data.
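The shape of such a policy, as an added example rather than ISMS Copilot's own schema or code: it assumes a hypothetical `documents` table with an `owner_id` column and uses Supabase's `auth.uid()` helper, which returns the caller's user id from the request JWT. The final query is the check a reviewer would run against the `public` schema to find tables where the isolation claim does not hold.

```sql
-- Hypothetical table; the product's real schema is not shown on this page.
create table documents (
  id        uuid primary key default gen_random_uuid(),
  owner_id  uuid not null references auth.users (id),
  title     text not null,
  body      text
);

-- Weak state (the Postgres default): RLS is off, so any role that can
-- reach the table, including the API's anon/authenticated roles, reads
-- every row regardless of who owns it.
-- alter table documents disable row level security;

-- Hardened state: enable RLS and force it even for the table owner, so a
-- privileged connection does not silently bypass the policies.
alter table documents enable row level security;
alter table documents force row level security;

-- One policy per command. USING filters rows the caller may see or act on;
-- WITH CHECK rejects writes that would create a row the caller does not own.
-- auth.uid() is NULL for anonymous callers, so the comparison fails closed.
create policy documents_owner_select on documents
  for select to authenticated
  using (owner_id = (select auth.uid()));

create policy documents_owner_insert on documents
  for insert to authenticated
  with check (owner_id = (select auth.uid()));

create policy documents_owner_update on documents
  for update to authenticated
  using (owner_id = (select auth.uid()))
  with check (owner_id = (select auth.uid()));

create policy documents_owner_delete on documents
  for delete to authenticated
  using (owner_id = (select auth.uid()));

-- Audit check: list public tables where RLS is disabled (fully exposed) or
-- enabled with no policy at all (fully blocked, or only reachable with a
-- service key). Either state deserves a second look; expect no rows.
select c.relname            as table_name,
       c.relrowsecurity     as rls_enabled,
       count(p.polname)     as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public' and c.relkind = 'r'
group by c.relname, c.relrowsecurity
having not c.relrowsecurity or count(p.polname) = 0;
```

Wrapping `auth.uid()` in a sub-select lets Postgres evaluate it once per query instead of once per row; the `force` clause matters because RLS is otherwise skipped for the table owner, which is often the role migrations and admin tooling connect as.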
EU Data Center
Primary infrastructure is hosted in Frankfurt, Germany (AWS region eu-central-1). Database and file storage stay in the EU.
SOC 2 Type II Infrastructure
Built on Supabase and AWS, both of which hold SOC 2 Type II attestations. Those attestations cover the infrastructure layer; the practices on this page describe what we build on top of it.
No AI Training
Your data is never used to train AI models. All AI providers are contractually bound to this commitment.
PII Redaction
Built-in PII redaction automatically strips sensitive personal data before it reaches AI providers.
Data Residency
Choose where your data is processed
Standard Mode
- Database: EU (Frankfurt)
- File Storage: EU (Frankfurt)
- AI Processing: US. Anthropic Claude (direct) and OpenRouter → Inceptron / DeepInfra / Cerebras / Google Vertex (provider allowlist + Zero Data Retention)
- AI Retention: 30 days on the Anthropic direct route (abuse monitoring only); zero retention on the OpenRouter routes
- Content Moderation: EU, Mistral AI
- AI Failover: EU, Mistral AI
- Data Safeguards: Standard Contractual Clauses for the US AI providers
Advanced Data Protection
- Database: EU (Frankfurt)
- File Storage: EU (Frankfurt)
- AI Processing: EU, Mistral AI only
- AI Retention: Zero retention at the AI provider
- Content Moderation: EU, Mistral AI
- AI Failover: EU, Mistral AI
- US Data Transfers: Eliminated for AI processing (the US email and payment providers listed below still apply in all modes)
Database and file storage are always hosted in the EU (Frankfurt, Germany), regardless of the selected mode.
Moderation metadata is retained 12 months for safety review (no message content). Threads with flagged messages are locked from user deletion. See DPA §2.8.
Email addresses are processed by SendGrid and Kit (US) with Standard Contractual Clauses in all modes.
Subprocessors
Third-party services that process data on our behalf
| Service | Purpose | Location | Retention |
|---|---|---|---|
| Supabase | Database & Authentication | EU (Frankfurt, Germany) | User-controlled |
| AWS | Infrastructure | EU (Frankfurt, Germany) | User-controlled |
| Anthropic (Claude) | AI Processing (default routing, ADP off) | United States | 30 days (abuse monitoring only, not training) |
| OpenRouter | Routing aggregator (ADP off); routes only to the four allowlisted underlying providers below; mandatory Zero Data Retention enforced at account level | United States | Zero retention (mandatory at OpenRouter account level) |
| ↳ Inceptron | AI Processing (via OpenRouter, ZDR enforced) | United States | Zero retention |
| ↳ DeepInfra | AI Processing (via OpenRouter, ZDR enforced) | United States | Zero retention |
| ↳ Cerebras | AI Processing (via OpenRouter, ZDR enforced) | United States | Zero retention |
| ↳ Google Vertex | AI Processing (via OpenRouter, ZDR enforced) | United States | Zero retention |
| Mistral AI | AI Processing (ADP), content moderation, failover, conversation summaries | EU (Frankfurt) | Zero retention |
| Fly.io | Chat API Service | EU-based deployment | 7 days (logs) |
| ConvertAPI | Document Format Conversion (ISO 27001:2022) | EU (Frankfurt) | Zero retention (in-memory only) |
| Stripe | Payment Processing | United States | Per Stripe policy (PCI DSS Level 1) |
| PostHog | Product Analytics | EU (Frankfurt) | Up to 7 years (anonymized) |
| Sentry | Error Tracking & Monitoring | Germany (EU) | Up to 90 days (PII-scrubbed, no IP stored) |
| Vercel | Web Hosting & Analytics | EU (Frankfurt) | Anonymized (cookieless) |
| SendGrid (Twilio) | Legal Update Emails | United States | Until account deletion or unsubscribe |
| Kit (ConvertKit) | Onboarding & Product Emails | United States | Until account deletion or unsubscribe |
Customer-Activated Integrations
Active for your data only when your organization installs them.
| Service | Purpose | Location | Retention |
|---|---|---|---|
| Slack Technologies, Inc. | heygrc bot: receives messages addressed to the bot and posts AI responses back. Activated only when a paid-organization owner installs it from the Connectors page; uninstalling hard-deletes the integration records. | United States | Active while the integration is installed |
Last updated: April 2026. We give 30 days' advance notice before adding a new sub-processor. Customer-Activated Integrations are not subject to this notice period because no data flows until your organization explicitly installs them.
Legal Documents
Transparency documentation available for review