Data Inventory and Mapping | ISMS Copilot Trust Center

Important Hosting Update (25/01/25)

We’re now able to offer assistants that keep your conversations within the EU 🇪🇺. If you’re located in the European Union, we encourage you to use the ISMS Copilot EU, and our specialized assistants for EU regulations (DORA, NIS2, EU AI ACT, Cyber Resilience Act, GDPR) based on your compliance needs. Conversations are hosted in France and deleted after 90 days.

If you’re fine with US hosting, know that ISMS Copilot Free or ISMS Copilot X are also knowledgeable on these regulations, even if less specialized. This information supersedes any other information about EU hosting.

For more details, please visit our FAQ for EU users.

Data Inventory and Mapping Summary for ISMS Copilot

1. Types of Data Collected:

Account Information:
- Email Address (Required for authentication and communication)
- Name (Optional, provided at the user's discretion)
- Payment Information (Managed via Stripe for subscription upgrades)
User-Provided Data:
- ISMS Policy Generator: Inputs such as company details and ISMS information
- ISMS Copilot Chatbots: Conversation data provided during interactions
Automatic Data Collection:
- Anonymized usage data via PostHog Analytics

2. Processing Activities:

ISMS Policy Generator:
- Collects user inputs to generate customized information security policies.
- Data is processed to create and email policies to users.
ISMS Copilot Chatbots:
- Processes conversation data to generate responses for users.
- For EU options, data is hosted in AWS Amsterdam and processed by Mistral in Sweden.
- For US default chatbots, data goes through Chatbase systems and is processed by OpenAI.

3. Data Flows:

ISMS Policy Generator:
- Data flows from user input to Bubble.io for app development, then to OpenAI for policy text generation.
- Zapier automates policy generation and email delivery.
- Google Docs converts policy text into document format.
ISMS Copilot Chatbots:
- EU Option: Data flows from AWS Amsterdam to Mistral in Sweden for processing.
- US Default: Data flows through Chatbase systems and is processed by OpenAI.

4. Data Retention Policies:

ISMS Policy Generator:
- Retains user data for five years post-account closure, with immediate deletion available upon user request. Users have the ability to delete themselves their account data.
ISMS Copilot Chatbots:
- Retains conversation data indefinitely while ISMS Copilot is a customer of its own AI systems providers. Users are advised to minimize personal data shared with chatbots.