Effective from: 2026-04-27
Available in English only. This legal document is provided in English as the official version. The Trust Center interface is translated into your language.

Terms of Service — ISMS Copilot

Effective Date: 2026-04-27.

1. Introduction and Acceptance of Terms

(i) These Terms of Service ("Terms") govern the relationship between you ("You" or "User") and ISMS Copilot, a Better ISMS initiative ("ISMS Copilot," "we," "us," or "our") with respect to Your access to and use of our products and services, including but not limited to ISMS Policy Generator and ISMS Copilot AI assistants (collectively, the "Services").

(ii) By accessing or using any part of the Services, You acknowledge that You have read, understood, and agree to be bound by these Terms and any additional guidelines, policies, or documents referenced herein, including the Privacy Policy and Data Processing Agreement (DPA).

(iii) Geographic Availability: The Services are available to customers globally, including in the United Kingdom. For UK customers, payments are processed through Paddle to ensure compliance with HMRC VAT requirements, as detailed in Section 4(iv).

(iv) If You do not agree with these Terms, in whole or in part, You must refrain from using the Services.

2. Definitions

(i) "User" or "You" refers to the individual or entity accessing the Services.

(ii) "Sub-processor" means a third party engaged by ISMS Copilot to process User data.

(iii) "Partner" refers to any individual or entity that participates in ISMS Copilot's partner program or whose services are promoted or referenced by ISMS Copilot through any medium.

3. Services Description and Scope

(i) ISMS Copilot provides AI-driven tools that assist in understanding, implementing, and managing compliance frameworks (e.g., ISO 27001), generating policies (via ISMS Policy Generator), and offering guidance on information security and regulatory standards.

(ii) The Services are provided on an "as is" and "as available" basis. ISMS Copilot does not warrant that the Services will meet any specific legal, regulatory, or compliance standards, nor does it guarantee error-free or uninterrupted operation.

(iii) While certain functionalities may relate to compliance, security, or data protection, none of the Services constitute legal, compliance, or professional advice. You remain solely responsible for verifying the accuracy, completeness, and suitability of the outputs for Your purposes.

4. Use of the Services; User Obligations and Restrictions

(i) You represent and warrant that You have the legal capacity and authority to enter into these Terms.

(ii) When using the Services on behalf of a third party (e.g., as a consultant), You must have all necessary rights and consents. Corporate Users must secure any required internal approvals.

(iii) You shall not:

  • Attempt to hack, exploit, interfere with, or compromise the security or functionality of the Services.
  • Access or attempt to access system prompts, internal data, or underlying models without authorization.
  • Abuse the Services by generating excessive load or taking actions that materially degrade performance.
  • Use the Services for unlawful, fraudulent, or malicious activities, or instruct the AI assistants to engage in or facilitate such activities.
  • Misrepresent Your identity or affiliation with any person or entity in connection with the Services.

All chat messages are processed through automated content moderation to detect violations of these Terms and our Acceptable Use Policy. See the Privacy Policy for details on what is retained and the DPA §2.8 for the moderation retention exception (including the thread-deletion lock for flagged content).

(iv) Special Note for UK Customers

ISMS Copilot serves customers located in the United Kingdom through a dedicated payment process using Paddle, a Merchant of Record, to handle VAT compliance with HMRC requirements. UK customers must subscribe via the UK-specific subscription page at https://www.ismscopilot.com/subscription-uk. Please note that subscriptions for UK customers are activated manually, and activation may take up to 24 hours after payment. You will receive a confirmation email once your account is activated.

(v) You agree to comply with all applicable laws, regulations, and industry standards when using the Services.

5. Intellectual Property Rights

(i) The Services, including AI assistants, are designed to provide general guidance on compliance frameworks and do not include or reproduce copyrighted materials in their body of knowledge. The assistants' knowledge base is built solely on internal resources and expertise developed by Better ISMS. ISMS Copilot is not a substitute for official standards, and users must purchase or access official ISO documents from authorized sources, such as the International Organization for Standardization (ISO) or its authorized distributors, for specific requirements.

(ii) All intellectual property rights in and to the Services and their underlying technology, excluding User-provided data, belong to ISMS Copilot or its licensors.

(iii) Subject to Your compliance with these Terms, ISMS Copilot grants You a limited, non-exclusive, non-transferable, revocable license to access and use the Services for Your internal purposes.

(iv) Nothing herein transfers or assigns any intellectual property rights to You. You shall not reverse engineer, decompile, or otherwise attempt to derive source code, trade secrets, or other proprietary information related to the Services.

6. Payment Terms and Subscription Fees

(i) Some Services may be provided on a subscription or usage-based fee model. Payment processing is conducted via Stripe for non-UK customers or Paddle for UK customers. ISMS Copilot does not store Your payment details.

(ii) You agree to pay all applicable fees promptly. Failure to do so may result in suspension or termination of access to the Services.

(iii) All prices and fees are subject to change. Continued use of the Services after changes to fees constitutes acceptance of such changes.

(iv) User responsibility for payment method management. Upon cancellation of your subscription or completion of a product purchase, you are responsible for promptly removing or updating your payment method details with Stripe (or any other payment processor) to prevent any potential unexpected charges. While ISMS Copilot takes reasonable measures to ensure that no unauthorized charges are processed after cancellation or purchase, we strongly recommend that you verify and manage your payment method directly with the payment processor to ensure full protection against unintended charges.

7. Data Management, Hosting, and International Transfers

(i) Data residency depends on your routing.

  • Database storage (account data, conversation history, uploaded files) always remains in the European Union (Frankfurt, Germany — AWS EU-Central-1, Supabase).
  • AI processing depends on your subscription plan and whether Advanced Data Protection (ADP) Mode is enabled in your settings:
    • When ADP is enabled (any plan), all AI requests are processed by Mistral AI in Frankfurt, EU, with zero retention.
    • When ADP is off and you are on a paid plan, AI requests are routed to Anthropic Claude in the United States under Standard Contractual Clauses (SCCs). Anthropic retains API data for up to 30 days for abuse monitoring and does not use it for model training. Customers who need zero retention can enable Advanced Data Protection at any time to route all AI requests through Mistral (EU, Frankfurt) instead.
    • When ADP is off and you are on a free or null plan, AI requests are routed via the OpenRouter aggregator to one of four allowlisted underlying providers in the United States (Inceptron, DeepInfra, Cerebras, Google Vertex) under SCCs (and EU-US Data Privacy Framework certification for Google Vertex). OpenRouter account-level controls enforce mandatory Zero Data Retention, no training, and a Schrems II-style block on PRC-jurisdiction infrastructure.

For full detail on routing, sub-processors, and transfer mechanisms, see the Privacy Policy and DPA.

(ii) By using the Services, You consent to the transfer and processing of Your data as described in (i) above. ISMS Copilot relies on Standard Contractual Clauses and (where applicable) the EU-US Data Privacy Framework for cross-border transfers. Customers requiring fully EU-based AI processing should enable Advanced Data Protection Mode.

(iii) You should practice data minimization and refrain from providing unnecessary sensitive or confidential information. When generating documents, use roles rather than personal names whenever possible.

(iv) Optional Slack integration (heygrc bot). Paid organizations may, at their option, install the heygrc Slack bot via the Connectors page to interact with the Services from inside Slack. Free / null-plan organizations cannot install the bot. When installed, message content addressed to the bot (DMs to heygrc or @heygrc channel mentions) is routed through the same AI pipeline described in §7(i), inheriting the organization's ADP setting; Slack workspace users who interact with the bot inherit the organization's settings and cannot independently select their own routing. The organization owner who performs the install is responsible for informing Slack workspace users that messages addressed to the bot are processed by ISMS Copilot. The integration can be removed at any time by uninstalling from Slack or via the Connectors page; uninstalling hard-deletes all Slack-side records held by ISMS Copilot per the DPA §2.8.

8. Disclaimers and Limitations of Liability

(i) To the fullest extent permitted by law, ISMS Copilot disclaims all warranties, express or implied, including warranties of merchantability, fitness for a particular purpose, and non-infringement.

(ii) ISMS Copilot shall not be liable for any direct, indirect, incidental, consequential, special, or punitive damages, including loss of profits, revenue, data, goodwill, or other intangible losses arising from or related to Your use of or inability to use the Services, even if ISMS Copilot has been advised of the possibility of such damages.

(iii) In no event shall ISMS Copilot's total cumulative liability exceed the amount paid by You for the Services during the twelve (12) months preceding the event giving rise to liability.

9. No Guarantee of Compliance, Safety, or Specific Outcomes

(i) Use of the Services does not guarantee compliance with ISO 27001, any other standard, or any regulatory requirements. The Services are not a substitute for professional judgment, legal consultation, or certified audits.

(ii) The Services may refer to compliance frameworks, regulatory standards, or legal norms, but such references are for informational purposes only. ISMS Copilot does not guarantee any particular outcome, such as certification or regulatory approval.

(iii) You bear sole responsibility for verifying the accuracy, applicability, and timeliness of all outputs. You agree to consult qualified professionals before taking any action that could result in legal liability, financial loss, or other harm.

10. Product Liability, Software Defects, and Regulatory Changes

(i) Software and AI-driven services may, under certain jurisdictions including evolving EU regulations, be considered "products" potentially subject to product liability rules.

(ii) ISMS Copilot does not represent or warrant that the Services or their outputs meet any product safety standards under current or future laws, including revisions to the EU Product Liability Directive. The Services may contain defects, errors, or "hallucinations" common to AI-driven tools.

(iii) To the fullest extent permitted by law, ISMS Copilot disclaims any strict or no-fault liability arising from alleged product defects. It is Your responsibility to determine the suitability of the Services for Your intended use and to remain informed about applicable laws.

(iv) The regulatory environment is evolving. ISMS Copilot may update the Services or these Terms to reflect changes in applicable law but does not guarantee ongoing compliance with every emerging standard or liability regime.

11. Data Collection, Use, and Privacy

(i) ISMS Copilot collects limited business-related data (e.g., company name, industry) to provide Services. Emails are collected to deliver outputs and process subscriptions.

(ii) Personal data not requested should not be provided. Please refer to our Privacy Policy for full details on data handling, and to our DPA for the contractual data-processing terms.

(iii) No training of AI models on Your data. ISMS Copilot will not use Your data to train AI models. This applies whether the data is in original or anonymized form, and is enforced through Anthropic's and Mistral's commercial API terms (which prohibit training on Customer Content) and through account-level training-disallowed flags with OpenRouter applied to all underlying providers in the closed 4-provider allowlist (Inceptron, DeepInfra, Cerebras, Google Vertex). Monitoring of inputs and outputs may occur solely for abuse detection (automated content moderation, retained per the DPA §2.8) and quality assurance. Anthropic separately retains API data for up to 30 days for abuse monitoring (not training) on the paid default path; customers who need zero retention can enable Advanced Data Protection at any time to route all AI requests through Mistral (EU, no retention).

12. Third-Party Affiliates, Partners, and Promotions

(i) ISMS Copilot may display affiliate links, Partner promotions, or references to third-party services. Such inclusion does not constitute an endorsement, warranty, or guarantee of performance, quality, or suitability.

(ii) ISMS Copilot assumes no responsibility or liability for the actions, products, or services of any Partner or third party. You acknowledge and agree that:

  • ISMS Copilot is under no obligation to ensure that any Partner will receive customers, leads, revenue, or any other benefit from such promotions.
  • Partners shall have no claim against ISMS Copilot for lack of conversions, business results, or any indirect or consequential losses resulting from their participation in or association with ISMS Copilot's Services.

(iii) Your interactions with third parties or Partners, including payment and delivery of goods or services, are solely between You and the applicable third party. ISMS Copilot shall not be liable for any damages or losses arising from these interactions.

13. Refund Policy

(i) For details on refunds, please refer to our separate Refund Policy. Annual plan refunds, if offered, may be calculated on a pro-rata basis.

(ii) Initiation of refunds does not guarantee that funds will be immediately available; Stripe, Paddle, or other payment processors may control the timing of refunds.

14. Termination and Suspension of Services

(i) ISMS Copilot reserves the right to suspend or terminate Your access to the Services at any time, for any reason, including violations of these Terms, suspected fraud, or for the maintenance and integrity of the Services.

(ii) Upon termination, any licenses granted to You shall cease, and You must discontinue all use of the Services.

(iii) Cost Recovery for Abuse and Security Incidents.

If Your use of the Services violates these Terms, our Acceptable Use Policy, or applicable law — including but not limited to attempting to compromise system security, generating excessive load, conducting unauthorized security testing, or engaging in fraudulent activity — ISMS Copilot reserves the right to invoice You for all reasonable costs incurred in investigating, mitigating, and remediating such violations.

Such costs may include, but are not limited to: infrastructure costs associated with mitigating attacks or abuse, third-party security analysis or incident response fees, legal expenses, administrative costs, and any fees imposed by our service providers or sub-processors as a result of Your actions.

ISMS Copilot will provide itemized documentation of costs upon request. This provision does not limit any other remedies available to ISMS Copilot under these Terms or applicable law.

15. Dispute Resolution and Governing Law

(i) These Terms and any disputes arising out of or in connection with them shall be governed by and construed in accordance with the laws of France, without regard to conflict of laws principles.

(ii) Any dispute, controversy, or claim arising out of or relating to these Terms or the breach, termination, or invalidity thereof shall be submitted to the exclusive jurisdiction of the competent courts located in France.

16. Amendments to These Terms

(i) ISMS Copilot may amend these Terms at any time. Any amended Terms will be posted at https://trust.ismscopilot.com/terms and become effective upon posting.

(ii) Continued use of the Services after such amendments have been posted constitutes acceptance of the revised Terms.

17. Miscellaneous Provisions

(i) If any provision of these Terms is found to be invalid or unenforceable, that provision shall be enforced to the maximum extent permissible, and the remaining provisions shall remain in full force and effect.

(ii) No waiver of any term or condition shall be deemed a further or continuing waiver of such term or condition or any other term or condition.

(iii) These Terms constitute the entire agreement between You and ISMS Copilot regarding the subject matter hereof and supersede all prior or contemporaneous understandings, communications, and agreements, written or oral, regarding such subject matter.

By using the ISMS Policy Generator, ISMS Copilot, or any related Services, You acknowledge that You have read, understood, and agree to these Terms, including all disclaimers and limitations of liability.