DATA PROCESSING AGREEMENT

Last Updated: 15/12/2025

INTRODUCTION

(i) This Data Processing Agreement (“DPA”) is entered into by and between the Customer (“You” or “Customer”) and ISMS Copilot (“ISMS Copilot,” “we,” “us,” or “our”), a Better ISMS initiative, a French entity incorporated under registration number 87848573900022 with its registered office at 60 rue François 1er, 75008 Paris, France.

(ii) This DPA is established in accordance with Article 28 of the EU General Data Protection Regulation (GDPR) and forms part of the main agreement or Terms of Service (the “Agreement”) between ISMS Copilot and the Customer governing the Customer’s access to and use of the services provided by ISMS Copilot, including, but not limited to, AI-driven compliance chatbots and the ISMS Policy Generator (collectively, the “Services”).

(iii) By accepting the Agreement and/or using the Services, the Customer acknowledges and agrees to be bound by this DPA. In the event of any conflict between the Agreement and this DPA regarding data protection and privacy matters, this DPA shall prevail with respect to such matters.

(iv) The Parties enter into this DPA with the intent to ensure compliance with Applicable Data Protection Law, including but not limited to the GDPR. The Parties recognize and agree that data protection and privacy laws may evolve, and that compliance may require good-faith efforts, flexibility, and potential future amendments.

1. DEFINITIONS

For the purposes of this DPA, the capitalized terms used herein shall have the meanings assigned to them below or, if not defined herein, the meanings assigned to them in the Agreement or Applicable Data Protection Law:

(i) “Applicable Data Protection Law” means all data protection and privacy laws and regulations applicable to the Processing of Personal Data under this DPA, including but not limited to the GDPR and any national implementing or supplementary legislation, and, where applicable, laws of other jurisdictions.

(ii) “Controller” means the entity that determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the Customer acts as the Controller.

(iii) “Data Subject” means any identified or identifiable natural person to whom the Personal Data relates.

(iv) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.