Important Hosting Update (13/01/25)
In mid-December, we announced that as of February 1st, 2025, ISMS Copilot would no longer offer EU-hosted conversations due to the closure of our EU provider. In the meantime, conversations were hosted in the US, with GDPR compliance ensured through Standard Contractual Clauses (SCCs) and robust data protection measures.
We are happy to announce that we are able to keep offering 100% EU-hosted assistants after all.
We will therefore continue to support assistance for EU regulations (DORA, NIS2, EU AI Act, Cyber Resilience Act, GDPR), and these assistants will be hosted in the EU. This information supersedes any earlier information about EU hosting. As of 13/01/2025, we confirm that ISMS Copilot EU is back in the game.
For more details, please visit our FAQ for EU users.
This Data Protection Policy outlines the internal standards, responsibilities, and practices adopted by ISMS Copilot (“ISMS Copilot,” “we,” “us,” or “our”) to ensure the confidentiality, integrity, and availability of all data under our care. Although ISMS Copilot is managed by a small team, these principles apply to anyone who has authorized access to our systems or data, including contracted advisors or service providers.
The requirements set forth here must be followed consistently. Non-compliance may result in contract termination or other appropriate measures.
ISMS Copilot’s data handling approach is guided by global data protection laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Canada’s PIPEDA, Brazil’s LGPD, India’s DPDP Act, and other applicable regulations. While we align our practices with GDPR as a baseline, we also consider region-specific obligations.
We employ Standard Contractual Clauses (SCCs) or other lawful mechanisms for any necessary international data transfers and remain vigilant in adapting to legal developments.
Due to ISMS Copilot’s streamlined structure, the founder assumes primary responsibility for implementing security measures, monitoring compliance, managing data inventories, and handling incidents. Where necessary, the founder may consult external specialists (e.g., security advisors, legal counsel) for guidance on technical controls or regulatory requirements.
Anyone with authorized access to our data—be they a contracted developer, a technical consultant, or a service provider—must adhere to this Policy, complete any required training or briefings, and promptly report suspected issues.
All data is classified by its level of sensitivity and the potential risk if it were compromised. At a minimum, data falls into one of three categories: Confidential (e.g., personal data, proprietary information), Internal Use, or Public.
ISMS Copilot maintains a clear inventory of data assets, documenting storage locations, formats, applicable retention periods, and assigned custodians. While the founder typically manages this inventory, external advisors may assist with periodic reviews and updates.
Access to data and systems follows a least-privilege principle. The founder, as the primary data custodian, grants permissions only as needed for a specific project or purpose. Anyone accessing sensitive or production environments must use multi-factor authentication and adhere to established password and session management standards.
Access rights are reassessed periodically, especially after role changes or the completion of contracted projects, to ensure only authorized individuals retain permissions.
Data at rest must be encrypted using industry-standard algorithms (e.g., AES-256) to prevent unauthorized access if storage media or backups are compromised. Data in transit, whether internal or external, must be protected by secure communication protocols such as TLS 1.3.
The founder (with input from security advisors if needed) is responsible for selecting and periodically reviewing encryption methods, managing encryption keys, and ensuring ongoing compliance with evolving best practices.