Data Inventory and Mapping Summary for ISMS Copilot
1. Types of Data Collected:
- Account Information:
- Email Address (Required for authentication and communication)
- Name (Optional, provided at the user's discretion)
- Payment Information (Managed via Stripe for subscription upgrades)
- User-Provided Data:
- ISMS Policy Generator: Inputs such as company details and ISMS information
- ISMS Copilot Chatbots: Conversation data provided during interactions
- Automatic Data Collection:
- Anonymized usage data via PostHog Analytics
2. Processing Activities:
- ISMS Policy Generator:
- Collects user inputs to generate customized information security policies.
- Data is processed to create and email policies to users.
- ISMS Copilot Chatbots:
- Processes conversation data to generate responses for users.
- For EU options, data is hosted in AWS Amsterdam and processed by Mistral in Sweden.
- For US default chatbots, data goes through Chatbase systems and is processed by OpenAI.
3. Data Flows:
- ISMS Policy Generator:
- Data flows from the user's input to the Bubble.io-hosted application, then to OpenAI for policy text generation.
- Zapier automates the policy generation workflow and email delivery.
- Google Docs converts the generated policy text into document format.
- ISMS Copilot Chatbots:
- EU Option: Data flows from AWS Amsterdam to Mistral in Sweden for processing.
- US Default: Data flows through Chatbase systems and is processed by OpenAI.
4. Data Retention Policies:
- ISMS Policy Generator:
- Retains user data for five years after account closure, with immediate deletion available upon user request. Users can also delete their account data themselves.
- ISMS Copilot Chatbots:
- Retains conversation data indefinitely, for as long as ISMS Copilot remains a customer of its AI systems providers. Users are advised to minimize the personal data they share with the chatbots.
5. Data Security Measures:
- General Security Measures:
- Two-Factor Authentication (2FA) for account protection
- Encryption to safeguard data (TLS 1.2 in transit, AES-256 at rest), applied to both policy generation data and chatbot conversations.
- Administrative access restricted to the founder.