DATA PROCESSING AGREEMENT

Last Updated: [Month Year]

INTRODUCTION

(i) This Data Processing Agreement (“DPA”) is entered into between the Customer (“You” or “Customer”) and ISMS Copilot (“ISMS Copilot,” “we,” “us,” or “our”), a Better ISMS initiative incorporated in France under registration number 87848573900022, with its registered office at 60 rue François 1er, 75008 Paris, France.

(ii) This DPA forms part of the main agreement or Terms of Service (“Agreement”) governing the Customer’s use of ISMS Copilot’s services (the “Services”), which include but are not limited to AI-driven compliance assistants (chatbots) and the ISMS Policy Generator feature.

(iii) By accepting the Agreement, the Customer also accepts this DPA. In the event of any conflict between the Agreement and this DPA regarding data protection matters, this DPA prevails.

SHORT OVERVIEW

• Roles: The Customer is the Data Controller, and ISMS Copilot is the Data Processor when processing Personal Data on the Customer’s behalf.
• Scope: ISMS Copilot processes limited Personal Data (e.g., account email) to provide the Services. Conversation data with chatbots is not linked to the user’s identity and is retained only briefly.
• No Use of Personal Data for Training: We do not use Personal Data or confidential data provided by users to train AI models. Model improvements are conceptual and may be informed by user feedback, but never incorporate identifiable personal or company data into training.
• Transfers & Subprocessors: We may rely on Standard Contractual Clauses or other safeguards for international transfers. A current list of Subprocessors (including providers like OpenAI, MistralAI, Anthropic) is publicly available in our Trust Center.
• Retention & Deletion: User account data can be returned or deleted upon request or at Agreement termination. Chat conversations are ephemeral and deleted after a maximum of 30 days.
• Global Compliance: This DPA is drafted with GDPR as a baseline. We do not guarantee compliance with all jurisdictions, and Customers are responsible for understanding and meeting local data protection requirements.

1. DEFINITIONS

Capitalized terms used herein shall have the meanings defined in the Applicable Data Protection Law, the Agreement, or below:

“Agreement”: The main contract (including Terms of Service) between ISMS Copilot and the Customer for the provision of Services.

“Applicable Data Protection Law”: The GDPR and any other data protection laws applicable to the Parties, including those of EU Member States and equivalent jurisdictions.

“Controller”: The entity determining the purposes and means of Processing Personal Data. The Customer acts as Controller.

“Data Subject”: An identified or identifiable natural person.

“GDPR”: Regulation (EU) 2016/679.