At ISMS Copilot, we are committed to legal compliance and securely deploying AI systems. To enhance transparency, we have updated our licensing agreement and created this FAQ.

Key Points to Note

• No Personal Data for Training: We do not use personal or confidential data from user conversations to train our AI models. We encourage users not to include personal details (e.g., names, emails) or sensitive business information in chatbot queries.
• Minimal Personal Data Overall: Beyond user email addresses (for account management and essential communications), we do not require or seek other personal data.
• Manual and Anonymized Improvements: If we need to improve an AI assistant’s knowledge, an administrator may manually select certain insights from anonymized conversation excerpts. These insights are conceptual and not tied to an individual’s personal or company data.
• No Intellectual Property Claims by Users: Users cannot claim ownership or IP rights over conceptual improvements derived from their interactions. The underlying logic and improvements to the AI models remain the property of ISMS Copilot.
• Respecting User Rights and Privacy: Users can request deletion or erasure of their data at any time. We comply with GDPR requirements and have measures in place to safeguard user privacy.

Frequently Asked Questions

1. When does the new agreement come into effect?

The new agreement becomes effective on 1st September, 2024.

2. Which AI chatbots are covered by this agreement?

All AI chatbots accessible within the ISMS Copilot platform are covered, including ISO 27001 Copilot, Risk Assessment Assistant, Policy Assistant, and ISMS Copilot X.

3. Are custom versions integrated into other platforms covered?

No. Custom versions integrated by customers into their own platforms are not covered by this agreement. In any integrated scenario, we do not use those conversations to improve the model.

4. Do you train AI models on conversation data?

In principle, no. Our chatbots do not automatically learn from user conversations. If we identify an error in the AI’s guidance, an admin may manually select and anonymize a relevant Q&A pair to improve the assistant’s conceptual understanding. This process excludes personal or confidential information and focuses only on valuable, general insights (e.g., correcting a control reference for an information security compliance framework or a regulation).

5. Why exclude personal and confidential data from training?

We value user privacy and security. Since our goal is to enhance the AI’s accuracy on information security frameworks and regulations, using personal or company-specific information is unnecessary and undesired. By relying solely on anonymized, conceptual corrections, we ensure no identifiable or sensitive content influences our training process.

6. How is user interaction data chosen for improvement?