Important Hosting Update (13/01/25)
In mid-December, we announced that as of February 1st, 2025, ISMS Copilot would no longer offer EU-hosted conversations due to the closure of our EU provider. In the meantime, we hosted conversations in the US, with GDPR compliance ensured through Standard Contractual Clauses (SCCs) and robust data protection measures.
However, we're happy to announce that our ability to offer 100% EU-hosted assistants is maintained after all.
So we'll keep supporting assistance for EU regulations (DORA, NIS2, EU AI Act, Cyber Resilience Act, GDPR), and these assistants will be hosted in the EU. This information supersedes any other information about EU hosting. We confirm as of 13/01/2025 that ISMS Copilot EU is back in the game.
For more details, please visit our FAQ for EU users.
Data Inventory and Mapping Summary for ISMS Copilot
1. Types of Data Collected:
- Account Information:
  - Email Address (Required for authentication and communication)
  - Name (Optional, provided at the user's discretion)
  - Payment Information (Managed via Stripe for subscription upgrades)
- User-Provided Data:
  - ISMS Policy Generator: Inputs such as company details and ISMS information
  - ISMS Copilot Chatbots: Conversation data provided during interactions
- Automatic Data Collection:
  - Anonymized usage data via PostHog Analytics
2. Processing Activities:
- ISMS Policy Generator:
  - Collects user inputs to generate customized information security policies.
  - Data is processed to create and email policies to users.
- ISMS Copilot Chatbots:
  - Processes conversation data to generate responses for users.
  - For EU options, data is hosted in AWS Amsterdam and processed by Mistral in Sweden.
  - For US default chatbots, data goes through Chatbase systems and is processed by OpenAI.
3. Data Flows:
- ISMS Policy Generator:
  - Data flows from user input to Bubble.io for app development, then to OpenAI for policy text generation.
  - Zapier automates policy generation and email delivery.
  - Google Docs converts policy text into document format.
- ISMS Copilot Chatbots:
  - EU Option: Data flows from AWS Amsterdam to Mistral in Sweden for processing.
  - US Default: Data flows through Chatbase systems and is processed by OpenAI.
4. Data Retention Policies:
- ISMS Policy Generator:
  - Retains user data for five years post-account closure, with immediate deletion available upon user request. Users can delete their account data themselves.
- ISMS Copilot Chatbots:
  - Retains conversation data indefinitely while ISMS Copilot is a customer of its AI system providers. Users are advised to minimize personal data shared with chatbots.