Customer-facing legal documents — change log
Cumulative summary of revisions to the four customer-facing legal documents in this folder (PRIVACY-POLICY.md, DATA-PROCESSING-AGREEMENT.md, REGISTER-OF-PROCESSING-ACTIVITIES.md, TERMS-OF-SERVICE.md).
This file is append-only. Each revision adds a new dated entry at the top; older entries are never edited or removed. The most recent entry is the current state.
For the binding documents themselves, see the trust center: https://trust.ismscopilot.com/privacy-policy, https://trust.ismscopilot.com/dpa, https://trust.ismscopilot.com/ropa, https://trust.ismscopilot.com/terms.
Sub-processor and data-handling changes are notified per DPA §2.4: through (a) the Trust Center, (b) the in-app changelog (with blue-point unread indicator on next login), (c) this change log, and (d) the regular customer product-update / changelog email. For materially-adverse changes (a new sub-processor with a new retention or jurisdiction posture, a weakening of an existing control, etc.), ISMS Copilot will provide at least 30 days' advance notice by in-app announcement and email. For control-neutral sub-processor changes (adding a vetted provider to an existing closed allowlist where the same zero-retention, no-training, transfer-mechanism, and jurisdiction-blocking controls continue to apply), notice is via Trust Center publication and in-app changelog. A more detailed internal change record for each sub-processor change is available on request via privacy@ismscopilot.com.
2026-05-26 — DPA §2.4 sub-processor-notice amendment + OpenRouter allowlist expansion (effective 2026-06-25)
Documents touched: PRIVACY-POLICY.md, DATA-PROCESSING-AGREEMENT.md, REGISTER-OF-PROCESSING-ACTIVITIES.md, TERMS-OF-SERVICE.md.
- DPA §2.4 sub-processor notice mechanism amended. Aligned with industry norm (Anthropic, OpenAI, Vercel) by distinguishing materially-adverse sub-processor changes (which continue to get at least 30 days' advance notice by in-app announcement and email) from control-neutral changes (notified by Trust Center publication and in-app changelog). The privacy bar itself — zero data retention, no training on customer data, no PRC-jurisdiction infrastructure, Advanced Data Protection Mode available on every plan for EU-only processing — is unchanged. Privacy Policy §2 sub-processor paragraph updated to cross-reference the new §2.4 wording.
- OpenRouter underlying-provider allowlist expanded from four to seven. Under the new §2.4 wording, this is the first control-neutral change: the named providers are now Inceptron, DeepInfra, Cerebras, Google Vertex (the original four) plus Together AI, Fireworks AI, and Nebius. Each addition was evaluated against the same privacy and jurisdiction bar applied to the original four: zero-retention posture for inference, no training on customer data, published DPA, non-PRC jurisdiction, public deployment-region disclosure. Together AI publishes default routing to North America inference data centers; Fireworks AI operates a multi-region fleet (US, EU Frankfurt + Iceland, APAC Tokyo only — no PRC or Hong Kong infrastructure); Nebius runs primary inference in Finland (EU) with US secondary. Region pinning at the per-provider layer is not exposed by OpenRouter's aggregator API; the §3.1.4 PRC-jurisdiction control relies on each provider's published default region NOT being PRC, verified provider-by-provider during this review.
- Novita AI evaluated and not added. Novita's corporate HQ is recorded as US, but their public materials describe their inference infrastructure only as "20+ locations, 4+ continents" without naming any region. They do not publish a DPA, a sub-processor list, or a governing-law clause in their ToS. For a control framed as a Schrems II-style supplementary measure (no Customer Content transits PRC infrastructure), that public opacity means the control cannot be evidenced. Re-evaluation requires a written commitment on regional pinning and a published DPA.
- Account-level controls unchanged. Mandatory Zero Data Retention, Free/Paid Training Disallowed, Free Publication Disallowed, and the PRC-jurisdiction blocklist (Alibaba Cloud International, Baidu Qianfan, DeepSeek, Moonshot AI, Xiaomi, Z.AI) all remain in force.
Notice mechanism for this change: in-app changelog (blue-point unread indicator, visible from 2026-05-26 through 2026-06-25, the full 30-day objection window) + Trust Center publication on 2026-05-26 + a clearly labeled entry titled "Legal/privacy update: DPA amendment and OR allowlist notice" in the May 2026 monthly product-changelog email shipping in the first days of June. Both the DPA amendment and the OR allowlist expansion are effective 2026-06-25, giving customers 30 days to object via privacy@ismscopilot.com. A more detailed internal change record is available on request.
2026-04-29 — Terms of Service
Documents touched: TERMS-OF-SERVICE.md only.
- Added §5(v) Customer Content confirming that, as between the user and ISMS Copilot, the user retains all rights to outputs they create, review, adapt, or publish using the Services. The clause includes four for-clarity carve-outs covering: (a) no rights granted over the Services or their underlying technology; (b) outputs may not be represented as official standards, certifications, or legal advice; (c) outputs may not be used to assert IP claims over content that infringes third-party rights or that was generated by inputting third-party copyrighted material; and (d) ISMS Copilot retains the existing abuse-detection / QA monitoring carve-out under §11(iii).
- Closes a customer-raised gap on supplier-assurance IP-ownership clarity. The other three documents in this set are unchanged in this revision.
2026-04-27 — Multi-document update (Privacy Policy, DPA, RoPA, Terms)
Documents touched: PRIVACY-POLICY.md, DATA-PROCESSING-AGREEMENT.md, REGISTER-OF-PROCESSING-ACTIVITIES.md, TERMS-OF-SERVICE.md.
- OpenRouter underlying providers named. The previous vague "United States" reference is replaced with a closed four-provider allowlist (Inceptron, DeepInfra, Cerebras, Google Vertex). Account-level controls are disclosed: mandatory Zero Data Retention; training disallowed (free + paid); publication disallowed (free); PRC-jurisdiction blocklist.
- Active vs Reserved sub-processor split. OpenAI, X.AI, and Google Gemini are documented as Reserved — code paths exist but no user-facing flow invokes them — and their activation requires customer notice. The Privacy Policy lists Active sub-processors only.
- Slack (heygrc bot) disclosed as a Customer-Activated Integration. Slack Technologies, Inc. only becomes a sub-processor for a customer's data when that customer's organisation owner explicitly installs the bot. The 30-day advance-notice rule for Active sub-processors does not apply because activation requires explicit customer-side action. New processing activity (RoPA #10), new data-subject category (Slack workspace users without ISMS Copilot accounts), and a ToS §7(iv) acknowledgment.
- Anthropic retention factually corrected. The prior "zero retention" wording for Anthropic on the paid default path is replaced with the accurate 30-day commercial-API abuse-monitoring cache. Customers requiring zero retention are directed to enable Advanced Data Protection (Mistral, EU).
- "No-training" wording tightened. Prior wording implied a signed bilateral addendum with Anthropic and Mistral. New wording reflects what is actually relied on: each provider's published commercial-API terms prohibit training on customer content.
- Per-provider transfer-mechanism stack documented in DPA §3 (SCCs / SCCs + EU-US Data Privacy Framework / EU residency, depending on provider).
- Moderation correction. Moderation always runs on Mistral (EU, zero retention), regardless of ADP. The Privacy Policy and DPA disclose the metadata-only retention scope of `moderation_events` and the thread-deletion lock for flagged threads (with the Article 17 email-mediated path for content within flagged threads).
- ToS §11(iii) and §7(i) tightened. The prior "without anonymization and strict safeguards" carve-out is removed, and the prior blanket EU-residency disclaimer is replaced with a factual routing description matching the Privacy Policy and DPA.
- Advanced Data Protection (ADP) framed as the durable in-product opt-out for any user who needs fully EU-based AI processing.
A 30-day customer objection window for the OpenRouter sub-processor change runs through 2026-05-27.