DATA PROCESSING AGREEMENT

Last Updated: 15/12/2025

INTRODUCTION

(i) This Data Processing Agreement (“DPA”) is entered into by and between the Customer (“You” or “Customer”) and ISMS Copilot (“ISMS Copilot,” “we,” “us,” or “our”), a Better ISMS initiative, a French entity incorporated under registration number 87848573900022 with its registered office at 60 rue François 1er, 75008 Paris, France.

(ii) This DPA is established in accordance with Article 28 of the EU General Data Protection Regulation (GDPR) and forms part of the main agreement or Terms of Service (the “Agreement”) between ISMS Copilot and the Customer governing the Customer’s access to and use of the services provided by ISMS Copilot, including, but not limited to, AI-driven compliance chatbots and the ISMS Policy Generator (collectively, the “Services”).

(iii) By accepting the Agreement and/or using the Services, the Customer acknowledges and agrees to be bound by this DPA. In the event of any conflict between the Agreement and this DPA regarding data protection and privacy matters, this DPA shall prevail with respect to such matters.

(iv) The Parties enter into this DPA with the intent to ensure compliance with Applicable Data Protection Law, including but not limited to the GDPR. The Parties recognize and agree that data protection and privacy laws may evolve, and that compliance may require good-faith efforts, flexibility, and potential future amendments.

SHORT OVERVIEW

• Roles: The Customer is the Data Controller, and ISMS Copilot is the Data Processor when processing Personal Data on the Customer’s behalf.
• Scope: ISMS Copilot processes limited Personal Data (e.g., account email) to provide the Services. Conversation data with chatbots is not linked to the user’s identity and is retained only briefly.
• No Use of Personal Data for Training: We do not use Personal Data or confidential data provided by users to train AI models. Model improvements are conceptual and may be informed by user feedback, but never incorporate identifiable personal or company data into training.
• Transfers & Subprocessors: We may rely on Standard Contractual Clauses or other safeguards for international transfers. A current list of Subprocessors (including providers like OpenAI, MistralAI, Anthropic) is publicly available in our Trust Center.
• Retention & Deletion: User account data can be returned or deleted upon request or at Agreement termination. Chat conversations are ephemeral and deleted after a maximum of 30 days.
• Global Compliance: This DPA is drafted with GDPR as a baseline. We do not guarantee compliance with all jurisdictions, and Customers are responsible for understanding and meeting local data protection requirements.

1. DEFINITIONS

For the purposes of this DPA, the capitalized terms used herein shall have the meanings assigned to them below or, if not defined herein, the meanings assigned to them in the Agreement or Applicable Data Protection Law:

(i) “Applicable Data Protection Law” means all data protection and privacy laws and regulations applicable to the Processing of Personal Data under this DPA, including but not limited to the GDPR and any national implementing or supplementary legislation, and, where applicable, laws of other jurisdictions.

(ii) “Controller” means the entity that determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the Customer acts as the Controller.

(iii) “Data Subject” means any identified or identifiable natural person to whom the Personal Data relates.

(iv) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.