<aside> ℹ️
Hey, this trust center was built for the good old ISMS Copilot v1. ⛩️
Now, we’re on ISMS Copilot v2. It’s a completely separate app (so, different providers, different security measures 😍)
Since we wanted to do things well, we made a dedicated help center just for v2! 🤯
But that’s maybe too much information at once, right? 🙅♂️ That’s why we made your life easier by crafting this security and data protection overview!
And what if you have no time for reading?
We would tell you that we’re a small independent team (actually 2 persons: one GRC expert - me - with a long ISO 27001/SOC2/GDPR/AI security background, plus one experienced engineer who cares a lot about security, reliability and resilience).
We’ve been building ISMS Copilot with high compliance standards from day one. All our subprocessors, data processing activities, and implemented controls are public (yes, you can verify this). And most importantly, we don’t train on your data (we believe it’s not a good idea) or anyone else’s data, by the way.
If you still have any questions, please reach out directly to us.
</aside>
This document outlines how ISMS Copilot complies with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689). It confirms the system’s classification as a non-high-risk AI system, ensures it avoids prohibited practices, and details transparency and governance measures. Our aim is to foster trust, protect health, safety, and fundamental rights, and align with the Act’s principles for a trustworthy AI ecosystem.
ISMS Copilot is an AI system under Article 3(1) AI Act. It uses machine learning and algorithmic techniques, powered by third-party general-purpose AI (GPAI) models (e.g., Claude 3.7, GPT-4), to process user queries and generate advisory outputs, such as ISO 27001 compliance guidance, policy drafts, and gap analyses. Its automated reasoning subjects it to the Act’s provisions for AI systems.
ISMS Copilot is available to users across the European Union, constituting placement on the EU market per Article 3(9) AI Act. As the provider, we ensure deployment, documentation, and updates comply with EU law and are prepared to demonstrate adherence to authorities upon request.
ISMS Copilot is a civilian tool for compliance support, not used for military, defense, or national security purposes (Article 2(3) AI Act). It is fully subject to the Act’s requirements with no exemptions.
Unlike general-purpose AI (GPAI) systems adaptable across domains (Article 3(63) AI Act), ISMS Copilot is specialized for compliance tasks, primarily assisting consulting firms with ISO 27001 certification and related infosec, AI governance, and data protection frameworks (e.g., SOC 2, GDPR, DORA, NIS2). This focused scope simplifies risk assessment and compliance, as outlined in the Commission’s GPAI guidelines (Section 3.1.1).
As the provider, we ensure ISMS Copilot meets AI Act requirements before market placement (Article 3(3)). As a deployer, when using the system to serve clients, we ensure responsible use, transparency, and alignment with its advisory purpose (Article 26). This includes:
ISMS Copilot avoids prohibited practices under Article 5 AI Act, including: