Valid from: 2026-04-27 (current version)
Only available in English. This legal document is provided in English as the authoritative version. The Trust Center interface has been translated into your language.

Data Processing Agreement (DPA) — ISMS Copilot

Overview

This Data Processing Agreement ("DPA") forms part of the terms of service between you (the "Customer" or "Data Controller") and ISMS Copilot (the "Processor" or "Data Processor") for the use of the ISMS Copilot AI compliance platform. This DPA complies with Article 28 of the General Data Protection Regulation (GDPR) and governs the processing of personal data on behalf of the Customer.

Effective Date: 2026-04-27 (current version). Pending amendment: Last updated 2026-05-26 — effective 2026-06-25 (30-day notice). The pending amendment narrows the sub-processor notice mechanism in §2.4 to distinguish materially-adverse from control-neutral changes, and names three additional OpenRouter underlying providers (Together AI, Fireworks AI, Nebius) under the resulting control-neutral category. Customers may object before 2026-06-25 by emailing privacy@ismscopilot.com.

This DPA automatically applies to all ISMS Copilot customers processing personal data through the platform. No separate signature is required — your use of the service constitutes acceptance.

Who This Is For

This Data Processing Agreement is for:

  • Organizations using ISMS Copilot to process personal data
  • Compliance consultants handling client data through the platform
  • Data Protection Officers conducting vendor assessments
  • Legal and procurement teams evaluating data processing arrangements
  • Auditors reviewing GDPR Article 28 compliance

Definitions

  • "Customer" or "Data Controller": The organization or individual subscribing to ISMS Copilot services and determining the purposes and means of processing personal data.
  • "Processor" or "Data Processor": ISMS Copilot, processing personal data on behalf of the Customer.
  • "Customer Personal Data": Any personal data processed by ISMS Copilot on behalf of the Customer, including conversation content, uploaded documents, and associated metadata.
  • "Sub-processor": Any third-party processor engaged by ISMS Copilot to process Customer Personal Data.
  • "Data Subject": The identified or identifiable natural person to whom Customer Personal Data relates.
  • "Processing": Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • "Personal Data Breach": A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

1. Scope and Applicability

1.1 Application of DPA

This DPA applies to all processing of Customer Personal Data by ISMS Copilot in the course of providing the platform services described in the Terms of Service.

1.2 Subject Matter of Processing

ISMS Copilot processes Customer Personal Data to provide AI-powered compliance assistance, including:

  • Processing user queries and generating AI responses
  • Storing conversation history and context
  • Analyzing uploaded compliance documents
  • Maintaining workspace configurations and custom instructions
  • Automated content moderation of chat messages (see §2.8 for retention)
  • For paid Customers whose organization owner has installed the heygrc Slack bot: receiving messages addressed to the bot from the Customer's Slack workspace, processing them through the same AI pipeline as web chat, and posting AI responses back to the workspace

1.3 Duration of Processing

Processing continues for the duration of the Customer's active subscription and according to the Customer's configured data retention period (1 day to 7 years, or "keep forever"). Upon termination, all Customer Personal Data is deleted within 30 days unless longer retention is required by law or by §2.8 (moderation retention exception).

1.4 Nature and Purpose of Processing

  • Nature: Automated processing using AI models, database storage, file processing, and content moderation
  • Purpose: Provide compliance guidance, document analysis, policy generation, and knowledge management as instructed by the Customer

1.5 Categories of Data Subjects

  • Customer's employees and authorized users
  • Customer's clients and end-users (when mentioned in uploaded documents or queries)
  • Individuals referenced in compliance documentation
  • Security incident subjects
  • Slack workspace users (heygrc bot only): members of the Customer's Slack workspace who interact with the heygrc bot. These users typically do not hold an ISMS Copilot account; their messages addressed to the bot are processed under the Customer's organization (Slack-originated traffic rolls up to the organization owner for billing and quota purposes, and inherits the organization's Advanced Data Protection setting). Customer remains responsible for informing its Slack workspace users that messages addressed to the bot are processed by ISMS Copilot.

1.6 Categories of Personal Data

  • User account information (email addresses, authentication credentials)
  • Conversation content and AI interactions
  • Uploaded document content (policies, procedures, audit reports)
  • Workspace configurations and custom instructions
  • Usage metadata and timestamps
  • Potentially special category data (Article 9 GDPR) if uploaded by Customer
  • Slack integration data (heygrc bot only, paid Customers who install): Slack workspace metadata (team ID, team name, bot user ID), the OAuth bot token issued by Slack, the installer's ISMS Copilot user ID (audit trail), Slack message content of messages addressed to the bot (DMs to heygrc or @heygrc channel mentions only — no other workspace messages are read), and Slack user identifiers (slack_user_id) of users who interact with the bot

Customer is responsible for ensuring appropriate legal basis and safeguards exist before uploading special category data (Article 9 GDPR) such as security incident reports containing health data, employee information, or other sensitive categories.

2. Processor's Obligations (Article 28(3) GDPR)

2.1 Processing Instructions

ISMS Copilot shall process Customer Personal Data only on documented instructions from the Customer, including:

  • Instructions provided through the platform interface (queries, document uploads, workspace configurations)
  • Data retention settings configured by the Customer
  • Advanced Data Protection Mode selection (EU-only vs. default AI processing)
  • Deletion requests submitted through the platform or to privacy@ismscopilot.com

Prohibited Processing. ISMS Copilot enforces the following prohibitions through layered contractual and account-level controls:

(a) No training of AI models on Customer Personal Data. Enforced via Anthropic's and Mistral's commercial API terms (which prohibit training on Customer Content), and via account-level "Free Training Disallowed" and "Paid Training Disallowed" flags at OpenRouter, applied to all seven allowlisted underlying providers (Inceptron, DeepInfra, Cerebras, Google Vertex, Together AI, Fireworks AI, Nebius).

(b) No publication of model outputs derived from Customer Personal Data. OpenRouter "Free Publication Disallowed" is set at the account level.

(c) Retention by AI sub-processors is minimized to the request lifetime where contractually possible. OpenRouter Zero Data Retention is mandatory at the account level — per OpenRouter's published policy, ZDR-mandatory accounts can only route to endpoints with a Zero Data Retention policy. Mistral retains no data under its commercial API terms. Anthropic retains API data for up to 30 days for abuse monitoring only — this data is not used for model training. Customers requiring zero retention on every routing path can enable Advanced Data Protection Mode at any time to route all AI requests through Mistral (EU, Frankfurt) regardless of plan.

(d) No routing through PRC-jurisdiction infrastructure. Alibaba Cloud International, Baidu Qianfan, DeepSeek, Moonshot AI, Xiaomi, and Z.AI are all blocked at the OpenRouter account level. The control is jurisdiction-based: no Customer Personal Data may transit infrastructure under People's Republic of China jurisdiction. This is a Schrems II–style supplementary measure aligned with EDPB Recommendations 01/2020.

If ISMS Copilot believes an instruction violates GDPR or other data protection laws, we will immediately inform the Customer and have the right to suspend processing until the instruction is confirmed or modified. If Customer confirms an instruction that ISMS Copilot reasonably believes violates applicable data protection law, ISMS Copilot may refuse to execute the instruction and, if the disagreement cannot be resolved, terminate the affected processing activities with 30 days' notice.

2.2 Confidentiality of Processing

ISMS Copilot ensures that all persons authorized to process Customer Personal Data:

  • Are subject to confidentiality obligations (contractual or statutory)
  • Receive appropriate training on data protection
  • Access data only on a need-to-know basis
  • Follow documented data handling procedures

2.3 Technical and Organizational Measures (Article 32 GDPR)

ISMS Copilot implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Access Control Measures:

  • Row-level security in database preventing cross-user data access
  • User authentication required for all protected resources
  • Workspace isolation preventing cross-contamination of client data
  • Multi-factor authentication (MFA) support
  • Automatic session timeout controls

Encryption Measures:

  • TLS 1.3 encryption for data in transit
  • Database encryption at rest
  • Password hashing using industry-standard algorithms (irreversible)
  • Encrypted file storage in Supabase

Data Minimization Measures:

  • Only essential data collected (email, messages, files)
  • No unnecessary demographic or contact information collected
  • Analytics configured with sendDefaultPii: false
  • Customer-controlled retention periods with automated deletion

Availability and Resilience:

  • Automated database backups
  • Disaster recovery procedures
  • 24/7 monitoring and alerting via Sentry
  • Real-time uptime monitoring via BetterStack with instant Slack alerting
  • Public status page for transparency (status.ismscopilot.com)
  • Progressive incident escalation via email and SMS
  • Multi-provider AI failover: Anthropic → Mistral via circuit breaker for paid plans Plus and above; OpenRouter aggregator-level failover for the Essential plan (between Google Vertex and Cerebras) and for free / null-plan users (across the seven allowlisted underlying providers)

Testing and Evaluation:

  • Regular security assessments
  • Continuous error monitoring and logging
  • Automated data deletion testing
  • Access control verification procedures

For detailed technical and organizational measures and the per-activity Article 30 processing inventory, refer to our Register of Processing Activities (RoPA).

2.4 Sub-processor Engagement

General Authorization. Customer provides general authorization for ISMS Copilot to engage sub-processors for the processing of Customer Personal Data, subject to the conditions in this section.

Active Sub-processors. The following sub-processors actively process Customer Personal Data:

Sub-processor | Role / when invoked | Location | DPA / Transfer mechanism
Supabase (PostgreSQL + Storage) | Database and file storage (always) | EU (Frankfurt) | GDPR-compliant
AWS | Underlying infrastructure for Supabase | EU-Central-1 (Frankfurt) | GDPR-compliant
Anthropic Claude | AI processing for paid plans Plus and above (Plus, Standard, Pro, Business) with ADP off | United States | SCCs; no training under Anthropic's commercial API terms; 30-day abuse-monitoring cache only (not training). Customers needing zero retention can enable Advanced Data Protection.
OpenRouter (routing aggregator) | AI processing for free / null-plan users with ADP off (may route to any of the seven allowlisted underlying providers below) and for the Essential plan with ADP off (restricted to a closed two-provider subset: Google Vertex and Cerebras) | United States | OpenRouter's role is account-level enforcement (mandatory ZDR, training-disallowed, allowlist, PRC-blocklist — see below); legal transfer mechanism for Customer Personal Data leaving the EU is anchored at the underlying-provider layer (per-provider rows below)
↳ Inceptron | OpenRouter underlying provider (allowlisted) | United States | SCCs; ZDR + no-training enforced via OpenRouter account config
↳ DeepInfra | OpenRouter underlying provider (allowlisted) | United States | SCCs; ZDR + no-training enforced via OpenRouter account config
↳ Cerebras | OpenRouter underlying provider (allowlisted) | United States | SCCs; ZDR + no-training enforced via OpenRouter account config
↳ Google Vertex | OpenRouter underlying provider (allowlisted) | United States | SCCs + EU-US Data Privacy Framework certification; ZDR + no-training enforced via OpenRouter account config
↳ Together AI | OpenRouter underlying provider (allowlisted, added 2026-05-25) | United States (default routing to North America inference data centers per Together docs; region pinning not exposed by OpenRouter) | SCCs; ZDR + no-training enforced via OpenRouter account config; SOC 2 Type II; published DPA
↳ Fireworks AI | OpenRouter underlying provider (allowlisted, added 2026-05-25) | United States (multi-region fleet: US, EU Frankfurt + Iceland, APAC Tokyo only; no PRC infrastructure; region pinning not exposed by OpenRouter) | SCCs; ZDR + no-training enforced via OpenRouter account config; SOC 2 Type II; published DPA
↳ Nebius | OpenRouter underlying provider (allowlisted, added 2026-05-25) | Netherlands HQ; primary inference in Finland (EU) with US secondary per Nebius docs (region pinning not exposed by OpenRouter) | SCCs; ZDR + no-training enforced via OpenRouter account config; published DPA + sub-processor list
Mistral AI | AI processing for ADP users (any plan); circuit-breaker failover destination for paid Anthropic; content moderation for all users; conversation compaction; conversation summaries | EU (Frankfurt) | EU residency — no transfer; no training under Mistral's commercial API terms; zero retention
Stripe | Payment processing | Global (EU DPA) | GDPR-compliant; PCI DSS Level 1
ConvertAPI | Document format conversion | EU endpoint | GDPR-compliant; ISO 27001:2022; signed DPA
PostHog | Product analytics | EU (Frankfurt) | GDPR-compliant
Sentry | Error monitoring | Germany | GDPR-compliant
Vercel | Frontend hosting | Global CDN | GDPR-compliant
Fly.io | Backend API hosting (chat orchestration) | EU deployment | GDPR-compliant
SendGrid (Twilio) | Transactional email | United States | SCCs
Kit (ConvertKit) | Onboarding email | United States | SCCs

OpenRouter account-level controls (enforced by Better ISMS as the OpenRouter account holder, applied to every request, applicable to all seven allowlisted underlying providers):

  • Zero Data Retention is mandatory — per OpenRouter's published policy, ZDR-mandatory accounts can only route to endpoints with a Zero Data Retention policy.
  • Free Training Disallowed and Paid Training Disallowed are both set.
  • Free Publication Disallowed is set; the model-publication channel is closed.
  • Closed 7-provider allowlist — only Inceptron, DeepInfra, Cerebras, Google Vertex, Together AI, Fireworks AI, and Nebius may serve our requests. (Expanded from 4 to 7 on 2026-05-25; see the customer-facing change log for the notice.)
  • PRC-jurisdiction blocklist — Alibaba Cloud International, Baidu Qianfan, DeepSeek, Moonshot AI, Xiaomi, and Z.AI are all blocked. This is a Schrems II–style supplementary measure aligned with EDPB Recommendations 01/2020.

Configuration-integrity caveat. OpenRouter account-level controls are configured per the policies above. Better ISMS does not currently rely on an OpenRouter API or signed attestation for real-time integrity. Evidence of the configuration is two-fold: (a) this DPA is itself a contemporaneous record of the configured controls as of its effective date, and (b) Better ISMS will demonstrate the live OpenRouter account configuration via a guided dashboard walkthrough on customer request (typically a recorded screen-share session). Ad-hoc screenshots may be captured on specific customer request or when controls materially change.

Customer-Activated Integrations. The following sub-processors only become active for a Customer's data when that Customer's authorized administrator (e.g., an organization owner) explicitly enables an optional integration in-product. Because activation is contingent on the Customer's affirmative installation step — and because no Customer Personal Data flows to the sub-processor unless and until that step occurs — the 30-day advance-notification rule for Active sub-processors below does not apply. By installing a Customer-Activated Integration, the Customer simultaneously authorizes ISMS Copilot to engage the corresponding sub-processor for the Customer's data only.

Integration | Sub-processor | Activated by | Location | DPA / Transfer mechanism
heygrc Slack bot | Slack Technologies, Inc. | Paid-organization owner installs from the Connectors page; OAuth callback rejects free / null-plan installs with a paid_plan_required error. Uninstall hard-deletes integration records. | United States | SCCs

When a new Customer-Activated Integration is offered for installation (or replaced), ISMS Copilot will document the integration in this section and announce its availability through normal product-update channels. The 30-day pre-notification rule applies to additions to the Active Sub-processors table above (which run automatically on Customer Personal Data without a per-Customer activation step), not to integrations that require explicit Customer-side activation.

Reserved Sub-processors (code paths exist but are not invoked from any user-facing flow). The following providers have integration code in the platform but are not currently used to serve any user request:

Sub-processor | Code path purpose | Status
OpenAI | Direct OpenAI API path | Reserved — not invoked from any current user-facing flow
X.AI (Grok) | Direct X.AI API path | Reserved — not invoked from any current user-facing flow
Google Gemini | Direct Gemini API path | Reserved — not invoked from any current user-facing flow

Activation of any Reserved sub-processor for live processing of Customer Personal Data requires customer notice under the change-of-sub-processor procedure in this §2.4 before any Customer Personal Data is processed.

Sub-processor Requirements. ISMS Copilot ensures all sub-processors:

  • Provide sufficient guarantees of GDPR compliance
  • Agree to data processing terms substantially equivalent to this DPA
  • Implement appropriate technical and organizational measures
  • Remain subject to ISMS Copilot's supervision and audit rights

Changes to Sub-processors. (This section is being updated — pending amendment effective 2026-06-25; see the Pending amendment notice in the Overview above.)

ISMS Copilot will provide notice of intended changes to sub-processors or sub-processor categories through our Trust Center (https://trust.ismscopilot.com) and in-app changelog, and, where required by this DPA, by email — including through our regular customer product-update or changelog email. Such notice will identify the change, the relevant effective date, and the method for Customer to object.

For materially adverse changes to this DPA or to our sub-processor framework, ISMS Copilot will provide at least 30 days' advance notice by in-app announcement and email, unless a shorter period is required by law or necessary to address an urgent security, legal, or operational issue. A change is materially adverse where it materially changes the nature of processing, introduces a new category of Customer Personal Data processed, materially weakens retention, training, security, transfer, or residency controls, or introduces a materially different jurisdiction or transfer-risk posture.

For control-neutral sub-processor changes, ISMS Copilot may provide notice by publishing the change in the Trust Center and the customer-facing change log. A control-neutral change is one that does not materially weaken the applicable retention, training, publication, security, transfer, or jurisdiction controls and does not expand the categories of Customer Personal Data processed. Examples include adding a vetted provider to an existing closed allowlist where the same zero-retention, no-training, transfer-mechanism, and jurisdiction-blocking controls continue to apply.

Customer may object during the stated notice period by contacting privacy@ismscopilot.com. If Customer objects on reasonable data-protection grounds, the parties will work in good faith to resolve the objection, which may include making an available product configuration — such as Advanced Data Protection Mode (which routes all AI processing to Mistral AI in Frankfurt regardless of plan and is available to every user) — available for the affected processing path. Where Customer's contract grants formal sub-processor objection rights and the objection cannot be resolved, Customer may terminate the affected service without penalty.

2.5 Data Subject Rights Assistance

ISMS Copilot will assist the Customer in fulfilling data subject rights requests as set out below.

ISMS Copilot will respond to Customer requests for data subject rights assistance within the timeframes specified below. Customer remains responsible for meeting GDPR's one-month response deadline to data subjects (Article 12(3)).

Right of Access (Article 15):

  • Self-service access to all conversations and files through the platform
  • Self-service complete data export in JSON format via Settings → Data Protection (available to all plans)

Right to Rectification (Article 16):

  • Self-service updates to account settings
  • Email-assisted email address changes (privacy@ismscopilot.com, within 30 days)

Right to Erasure (Article 17):

  • Self-service account deletion via Settings → Data Protection (available to all plans)
  • Email-mediated path for deletion within flagged threads (see §2.8 — moderation retention exception)
  • Complete data deletion within 30 days, subject to §2.8

Right to Data Portability (Article 20):

  • Machine-readable JSON export including all Customer Personal Data, available self-service in Settings → Data Protection

Right to Restrict Processing (Article 18) and Right to Object (Article 21):

Customer is responsible for verifying data subject identity before requesting data access or export. ISMS Copilot provides the tools and processes, but Customer maintains primary responsibility for responding to data subject requests.

2.6 Data Breach Notification

In the event of a Personal Data Breach affecting Customer Personal Data, ISMS Copilot will:

Detection and Assessment:

  • Continuously monitor for security incidents via Sentry and automated alerting
  • Conduct security incident review within 24 hours of detection
  • Assess risk and potential impact on Customer Personal Data

Notification to Customer:

  • Notify Customer within 48 hours of confirming a Personal Data Breach affects Customer Personal Data
  • For suspected breaches under investigation, provide preliminary notification within 24 hours with updates as information becomes available
  • Provide description of the breach, including categories and approximate numbers of affected data subjects
  • Describe likely consequences of the breach
  • Outline measures taken or proposed to address the breach and mitigate its effects
  • Provide contact point for further information

Cooperation:

  • Cooperate with Customer's investigation and remediation efforts
  • Provide reasonable assistance for Customer's notification to supervisory authorities and data subjects
  • Document all breaches and remediation measures

Customer remains responsible for determining whether notification to supervisory authorities (within 72 hours per Article 33) and data subjects (Article 34) is required. ISMS Copilot provides information to support Customer's decision and obligations.

2.7 Data Protection Impact Assessment (DPIA) Support

ISMS Copilot will provide reasonable assistance when Customer conducts a Data Protection Impact Assessment or prior consultation with a supervisory authority, including:

  • Providing the Register of Processing Activities for reference
  • Describing technical and organizational measures implemented
  • Clarifying data flows and sub-processor arrangements
  • Answering specific questions about processing operations

2.8 Deletion and Return of Data

Upon termination of services or Customer request, ISMS Copilot will:

Standard Deletion (Default):

  • Delete all Customer Personal Data within 30 days of termination
  • Overwrite backup data within 90 days
  • Provide written confirmation of deletion upon request

Data Export Before Deletion:

  • Customer may export their data self-service via Settings → Data Protection at any time
  • Export provided in JSON format

Legal Retention Exceptions:

  • Anonymized billing records retained for 7 years (tax and accounting compliance)
  • Anonymized analytics data may be retained
  • Data required to be retained by applicable law will be isolated and protected until the legal retention period expires
  • Slack integration data (heygrc bot only): if the Customer disconnects the integration (uninstall via Slack's app management UI, or removing the integration from the ISMS Copilot Connectors page), all Slack-specific records are hard-deleted within seconds via the app_uninstalled event handler — the OAuth bot token, workspace metadata in slack_integrations, and Slack-thread-to-ISMS-thread mappings in slack_threads are removed via cascading delete. Conversation content stored in the main messages and threads tables is preserved (it belongs to the Customer's organization and follows the Customer-configured retention setting), but the link from a Slack thread back to a specific Slack workspace user is severed at uninstall.

Moderation Retention Exception (Article 17 limitation). When a chat message is flagged by our automated content moderation system, a moderation_events record is retained containing only metadata — message identifier, thread identifier, abuse categories, and timestamp. The full message content is not stored in the moderation record itself. In addition, the affected thread is locked from user-initiated deletion; this is a security measure required to prevent abuse evidence from being destroyed.

Customer Content within a flagged thread is still subject to deletion on a verified Article 17 erasure request submitted to privacy@ismscopilot.com; we evaluate each such request against the legitimate-interest balancing test (Article 17(3)(e) and recital 47) and respond within 30 days. The audit metadata (no content) is retained for up to 12 months from creation, after which it is automatically purged.

2.9 Audit Rights

Customer has the right to audit ISMS Copilot's compliance with this DPA, subject to reasonable limitations:

Documentation Review:

On-Site Audits:

  • Customer may conduct on-site audits with 60 days' advance written notice
  • Maximum of one audit per year unless necessitated by a data breach
  • Audits must be conducted during business hours and not interfere with operations

Customer is responsible for audit costs unless the audit reveals non-compliance that: (a) constitutes a personal data breach, or (b) involves systematic failure to implement documented security measures, or (c) results in regulatory enforcement action. In such cases, ISMS Copilot will bear reasonable audit costs incurred after the non-compliance was identified.

Results remain confidential and may not be shared except as required by law.

Third-Party Certifications:

  • ISMS Copilot will obtain and maintain relevant security certifications (ISO 27001 in progress)
  • Certification reports may be shared upon request subject to NDA
  • Customers may rely on third-party certifications in lieu of conducting their own audits

3. International Data Transfers

3.1 Data Transfer Mechanisms

ISMS Copilot processes Customer Personal Data in accordance with Chapter V of the GDPR. Transfer mechanisms apply per Active sub-processor:

Primary Storage (Always EU).

  • Database storage occurs in Frankfurt, Germany (AWS EU-Central-1)
  • Conversation history, uploaded files, and account data remain in the EU
  • No adequacy decision required for primary storage

AI Processing — per routing path.

  • ADP enabled (any plan): Mistral AI in Frankfurt. EU residency, no transfer.
  • Paid (Plus and above) + ADP off: Anthropic Claude (United States). Transfer mechanism: SCCs (Module Three, Processor-to-Processor); supplementary measures: encryption in transit; no training under Anthropic's commercial API terms; 30-day abuse-monitoring retention only (not training). Customers needing zero retention can enable Advanced Data Protection at any time to route through Mistral (EU).
  • Essential + ADP off: OpenRouter aggregator (United States), restricted to a closed two-provider subset of the allowlist: Google Vertex (multi-region; SCCs and EU-US Data Privacy Framework certification) and Cerebras (United States; SCCs). The same OpenRouter account-level controls (mandatory ZDR, training-disallowed, publication-disallowed, PRC-blocklist) apply as the enforcement layer. Customers needing contractual EU-only data residency can enable Advanced Data Protection at any time to route through Mistral (EU).
  • Free / null-plan + ADP off: OpenRouter aggregator (United States) routing to one of seven allowlisted underlying providers:
    • Inceptron, DeepInfra, Cerebras (United States): SCCs.
    • Google Vertex (multi-region; EU residency available at the underlying provider): SCCs and EU-US Data Privacy Framework certification.
    • Together AI (default routing to North America data centers per Together docs; region pinning not exposed by OpenRouter aggregator): SCCs.
    • Fireworks AI (multi-region fleet covering US, EU Frankfurt + Iceland, and APAC Tokyo only; no PRC infrastructure; region pinning not exposed by OpenRouter aggregator): SCCs.
    • Nebius (Amsterdam HQ; primary inference in Finland (EU) with US secondary per Nebius docs; per-request region pinning not currently exposed by OpenRouter aggregator, so the EU-primary posture is the published default but not contractually guaranteed via OpenRouter): SCCs for any US-routed traffic.
  • The transfer mechanism for the free-tier path is the underlying-provider DPA/SCC/DPF stack. OpenRouter account-level controls (mandatory ZDR, training-disallowed, publication-disallowed, closed 7-provider allowlist, PRC-blocklist) act as the enforcement layer ensuring Customer Personal Data only ever lands at endpoints with these mechanisms in place. OpenRouter's aggregator API does not currently expose per-provider region pinning to its account holders; for the three providers added on 2026-05-25 (Together AI, Fireworks AI, Nebius), regional routing follows each provider's default deployment posture. Based on each provider's published deployment documentation reviewed on 2026-05-25, none of those defaults places Customer Personal Data in PRC or Hong Kong infrastructure. Non-PRC default posture is not equivalent to contractual EU-only data residency; customers requiring the latter should enable Advanced Data Protection Mode, which routes every request to Mistral AI in Frankfurt and bypasses the OpenRouter aggregator entirely.
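To make the plan-and-ADP routing rules above checkable, here is an added policy-as-code model of §2.4 and §3.1 (an illustration written for this page, not ISMS Copilot's own routing code); the lowercase plan identifiers and the anthropic_healthy circuit-breaker flag are assumptions used to express the rules stated in the text.

```python
"""Policy-as-code model of the AI routing paths described in this DPA (§2.4, §3.1).

Constructed illustration only; not ISMS Copilot's routing code. Plan names and
the anthropic_healthy flag are assumptions used to express the stated rules.
"""
from typing import FrozenSet, List, Optional

# Closed OpenRouter allowlist (seven providers, §2.4).
ALLOWLIST: FrozenSet[str] = frozenset({
    "Inceptron", "DeepInfra", "Cerebras", "Google Vertex",
    "Together AI", "Fireworks AI", "Nebius",
})
# The Essential plan is restricted to a two-provider subset of that allowlist.
ESSENTIAL_SUBSET: FrozenSet[str] = frozenset({"Google Vertex", "Cerebras"})
# PRC-jurisdiction providers blocked at the OpenRouter account level.
PRC_BLOCKLIST: FrozenSet[str] = frozenset({
    "Alibaba Cloud International", "Baidu Qianfan", "DeepSeek",
    "Moonshot AI", "Xiaomi", "Z.AI",
})
# Plans "Plus and above" route to Anthropic with ADP off (assumed identifiers).
PAID_PLANS: FrozenSet[str] = frozenset({"plus", "standard", "pro", "business"})
# The only EU-resident AI processing destination named in the DPA.
EU_RESIDENT: FrozenSet[str] = frozenset({"Mistral AI"})


def candidate_providers(plan: Optional[str], adp_enabled: bool,
                        anthropic_healthy: bool = True) -> FrozenSet[str]:
    """Return the set of providers that may serve one request under the DPA rules."""
    if adp_enabled:
        # ADP overrides the plan: every request goes to Mistral (Frankfurt).
        return EU_RESIDENT
    key = (plan or "free").lower()  # a null plan is treated as free tier
    if key in PAID_PLANS:
        # Anthropic is primary; the circuit breaker fails over to Mistral.
        return frozenset({"Anthropic Claude"}) if anthropic_healthy else EU_RESIDENT
    if key == "essential":
        return ESSENTIAL_SUBSET
    if key == "free":
        return ALLOWLIST
    raise ValueError(f"unknown plan: {plan!r}")


def provider_permitted(plan: Optional[str], adp_enabled: bool, provider: str,
                       anthropic_healthy: bool = True) -> bool:
    """Admission check: may `provider` serve this request?"""
    if provider in PRC_BLOCKLIST:
        return False  # the jurisdiction block applies on every routing path
    return provider in candidate_providers(plan, adp_enabled, anthropic_healthy)


def verify_policy() -> List[str]:
    """Exhaustively check every routing path against the invariants the DPA states."""
    violations: List[str] = []
    for plan in sorted(PAID_PLANS) + ["essential", "free", None]:
        for adp in (True, False):
            for healthy in (True, False):
                providers = candidate_providers(plan, adp, healthy)
                label = f"plan={plan} adp={adp} anthropic_healthy={healthy}"
                if providers & PRC_BLOCKLIST:
                    violations.append(f"{label}: PRC-jurisdiction provider reachable")
                if adp and providers != EU_RESIDENT:
                    violations.append(f"{label}: ADP request left the EU path")
                openrouter_paths = providers - EU_RESIDENT - {"Anthropic Claude"}
                if openrouter_paths and not openrouter_paths <= ALLOWLIST:
                    violations.append(f"{label}: provider outside the closed allowlist")
                if (plan or "").lower() == "essential" and not adp \
                        and providers != ESSENTIAL_SUBSET:
                    violations.append(f"{label}: Essential path outside its subset")
    return violations


if __name__ == "__main__":
    print(verify_policy() or "all routing paths satisfy the stated controls")
```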

Email Communications (US-Based).

  • Email addresses transferred to SendGrid and Kit (United States)
  • Protected by Standard Contractual Clauses approved by the European Commission
  • Customers can minimize transfers by unsubscribing from non-essential emails

Slack Integration (US-Based, paid Customers who install heygrc only).

  • Workspace metadata, OAuth bot token, message events addressed to the bot, and AI response posts transferred to/from Slack Technologies, Inc. (United States)
  • Protected by Standard Contractual Clauses
  • Customer controls activation: the integration only exists if a paid-organization owner installs the bot, and can be removed at any time by uninstalling from Slack or via the Connectors page in the ISMS Copilot app (uninstall hard-deletes all Slack-side records held by ISMS Copilot per §2.8)

3.2 Standard Contractual Clauses (SCCs)

For transfers to the United States, ISMS Copilot relies on Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914):

  • Customer to ISMS Copilot: Module Two (Controller to Processor) applies where Customer acts as data controller
  • ISMS Copilot to US sub-processors: Module Three (Processor to Processor) applies
  • Governing law for SCCs: French law (Clause 17, Option 1)
  • Competent supervisory authority: CNIL, France (Clause 13)

Copies of executed SCCs with sub-processors are available on request via privacy@ismscopilot.com.

3.3 Supplementary Measures

ISMS Copilot implements supplementary measures to protect data transferred outside the EU. These measures are layered and apply per routing path:

For all transfers outside the EU:

  • End-to-end encryption (TLS 1.3) for all data in transit
  • Customer ability to control transfer destination via Advanced Data Protection Mode (Mistral / Frankfurt)
  • Continuous monitoring of legal developments regarding international transfers

For paid-tier (Anthropic) transfers:

  • No training on Customer Content under Anthropic's commercial API terms
  • 30-day abuse-monitoring retention only (not training); customers needing zero retention can enable Advanced Data Protection at any time to route through Mistral (EU, no retention)

For free-tier (OpenRouter) transfers:

  • OpenRouter account-level controls applied to every request: mandatory Zero Data Retention; Free Training Disallowed + Paid Training Disallowed; Free Publication Disallowed
  • Closed 7-provider allowlist (only Inceptron, DeepInfra, Cerebras, Google Vertex, Together AI, Fireworks AI, Nebius permitted; expanded from 4 to 7 on 2026-05-25)
  • PRC-jurisdiction blocklist (Alibaba Cloud Int., Baidu Qianfan, DeepSeek, Moonshot AI, Xiaomi, Z.AI all blocked) — a Schrems II–style jurisdiction-based supplementary measure aligned with EDPB Recommendations 01/2020
  • Each underlying provider independently confirms zero retention or no-training-on-customer-data in their published policies

3.4 Transfer Impact Assessment

ISMS Copilot has conducted a Transfer Impact Assessment (TIA) for US-based sub-processors and determined that:

  • Standard Contractual Clauses provide appropriate safeguards under GDPR Chapter V
  • Supplementary technical and contractual measures (encryption, no-training, zero retention, OpenRouter account-level controls including the PRC blocklist) enhance protection
  • Customers have the option to avoid US AI processing transfers entirely by enabling Advanced Data Protection Mode (EU-only processing with zero retention)
  • Email transfers to US providers (SendGrid, Kit) remain regardless of Advanced Data Protection Mode but are protected by SCCs and encryption

The complete Transfer Impact Assessment, including risk assessment methodology and US surveillance law analysis, is available on request via privacy@ismscopilot.com.

Organizations with strict EU data residency requirements should enable Advanced Data Protection Mode to eliminate AI processing transfers and simplify Transfer Impact Assessment obligations.

4. Customer Obligations as Data Controller

4.1 Lawfulness of Processing Instructions

Customer warrants that:

  • All processing instructions comply with GDPR and applicable data protection laws
  • Customer has a lawful basis for processing all personal data uploaded to the platform
  • Customer has informed data subjects about the processing and their rights
  • Customer maintains appropriate records of processing activities (Article 30 GDPR)

4.2 Special Category Data

If Customer uploads special category data (Article 9 GDPR), Customer confirms that:

  • Appropriate Article 9 conditions are met (e.g., explicit consent, legal claims, substantial public interest)
  • Additional safeguards are in place as required by law
  • Customer has conducted a Data Protection Impact Assessment if required

4.3 Data Subject Rights Management

Customer is responsible for:

  • Receiving and responding to data subject rights requests
  • Verifying data subject identity before requesting data from ISMS Copilot
  • Determining whether to notify supervisory authorities and data subjects in case of breaches
  • Ensuring data subjects are informed about ISMS Copilot's role as processor

4.4 Data Retention Configuration

Customer must:

  • Configure appropriate data retention periods matching their data protection policies
  • Review retention settings periodically to ensure compliance
  • Request deletion when data is no longer necessary for the original purpose

4.5 Workspace Isolation

Customer should:

  • Create separate workspaces for different clients or data categories
  • Avoid mixing personal data from different data subjects in single workspaces
  • Delete workspaces when projects are completed and data is no longer needed

5. Liability and Indemnification

5.1 Allocation of Liability

Under Article 82 GDPR:

  • Customer and ISMS Copilot are each liable for damages caused by their own GDPR violations
  • ISMS Copilot is exempt from liability if it proves it was not responsible for the event giving rise to the damage
  • ISMS Copilot is not liable for damages resulting from Customer's unlawful processing instructions

5.2 Indemnification

Customer will indemnify ISMS Copilot against any claims, fines, or damages arising from:

  • Customer's violation of GDPR or other data protection laws
  • Customer's unlawful processing instructions
  • Customer's failure to obtain necessary consents or legal basis for processing
  • Customer's upload of special category data without appropriate safeguards

6. Term and Termination

6.1 Term

This DPA takes effect on the date Customer first uses ISMS Copilot services and continues for as long as ISMS Copilot processes Customer Personal Data.

6.2 Termination

This DPA terminates automatically upon:

  • Termination of the Terms of Service
  • Completion of all processing activities and deletion of Customer Personal Data

6.3 Effect of Termination

Upon termination:

  • ISMS Copilot will delete or return all Customer Personal Data as described in §2.8 (subject to the moderation retention exception)
  • Obligations regarding confidentiality, data security, and legal retention survive termination
  • Customer's right to audit survives for 12 months after termination

7. Amendments and Updates

7.1 DPA Updates

ISMS Copilot may update this DPA to reflect:

  • Changes in data protection laws or regulatory guidance
  • Changes to processing operations or sub-processors
  • Improvements to security measures or data protection practices

7.2 Notification of Changes

  • Materially adverse changes to this DPA (changes that materially weaken Customer's data-protection rights, reduce retention or training protections, introduce a materially different jurisdiction or transfer-risk posture, or otherwise impose materially new obligations on Customer) will be notified at least 30 days in advance by in-app announcement and email, including through ISMS Copilot's regular customer product-update or changelog email.
  • Non-materially-adverse changes to this DPA (clarifications, additions to existing closed sub-processor allowlists that do not weaken the applicable controls, alignment with regulatory guidance, etc.) will be notified through the Trust Center, the in-app changelog, and the customer-facing change log at https://trust.ismscopilot.com/changelog.
  • The updated DPA will be posted at https://trust.ismscopilot.com/dpa with a new "Effective Date" and "Last Updated" date.
  • Continued use of services after the effective date constitutes acceptance of the updated DPA.
  • Customer may object during the stated notice period by contacting privacy@ismscopilot.com (see §7.3).

7.3 Objection Rights

  • Customer may object to material changes within 30 days of notification
  • The simplest in-product alternative is to enable Advanced Data Protection Mode, which keeps all AI processing in the EU at Mistral regardless of plan
  • For customers under contracts with formal sub-processor objection rights, formal objection may be sent to privacy@ismscopilot.com; if the objection cannot be resolved, Customer may terminate the service without penalty

8. Governing Law and Jurisdiction

8.1 Governing Law

This DPA is governed by:

  • The General Data Protection Regulation (EU) 2016/679
  • French data protection law (Data Protection Act 78-17 of 6 January 1978)
  • The laws of France for contractual interpretation

8.2 Jurisdiction

Any disputes arising from this DPA will be subject to the jurisdiction of French courts, with the supervisory authority being the Commission Nationale de l'Informatique et des Libertés (CNIL).

9. Contact Information

9.1 Data Protection Contacts

For DPA-related questions or requests:

  • Email privacy@ismscopilot.com from your registered account email address
  • Include "DPA Request" or "Data Processing Agreement" in the subject line

9.2 Data Protection Officer

ISMS Copilot has not designated a Data Protection Officer as we do not meet the mandatory designation criteria under GDPR Article 37. For data protection inquiries related to this DPA, contact privacy@ismscopilot.com.

9.3 Supervisory Authority

Commission Nationale de l'Informatique et des Libertés (CNIL)

  • Website: https://www.cnil.fr/en
  • Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
  • Phone: +33 1 53 73 22 22

Appendix A: Processing Details Summary

Subject Matter. Provision of AI-powered compliance assistance platform including conversation processing, document analysis, knowledge management, and automated content moderation.

Duration. For the term of the Customer's active subscription plus retention period configured by Customer (1 day to 7 years), followed by 30-day deletion window. Moderation metadata retained up to 12 months per §2.8.

Nature and Purpose.

  • Nature: Automated AI processing, database storage, file conversion and analysis, content moderation
  • Purpose: Enable compliance professionals to receive AI guidance, analyze documents, generate policies, and manage compliance knowledge

Categories of Data Subjects.

  • Customer employees and authorized platform users
  • Customer clients (when referenced in documents or queries)
  • Individuals mentioned in compliance documentation
  • Security incident subjects
  • Slack workspace users interacting with the heygrc bot (paid Customers who install heygrc only) — see §1.5

Categories of Personal Data.

  • Contact information (email addresses)
  • Authentication credentials (hashed passwords)
  • Conversation content and AI interactions
  • Uploaded compliance documents
  • Usage metadata and timestamps
  • Potentially special category data (Article 9) if uploaded by Customer
  • Moderation metadata (message ID, thread ID, abuse categories, timestamp — no message content) for flagged messages only
  • Slack integration data (paid Customers who install heygrc only) — see §1.6

Appendix B: Sub-processor Change Log

This appendix tracks all sub-processor additions, removals, and changes since the DPA effective date. Customers are notified 30 days before changes take effect.

Effective: 2025-11
Change: Initial sub-processor list established (Anthropic, Mistral AI, Supabase, Stripe, ConvertAPI, PostHog, Sentry, Vercel, Fly.io, SendGrid, Kit).
Notice issued: Initial publication.

Effective: 2026-04-16
Change: heygrc Slack integration made available to paid organizations as a Customer-Activated Integration (see §2.4 — Customer-Activated Integrations). Slack Technologies, Inc. only becomes a sub-processor for a Customer's data when that Customer's organization owner explicitly installs the bot from the Connectors page; uninstall hard-deletes all integration records. Activation gated on paid plan; free / null-plan organizations cannot install. Transfer mechanism: SCCs.
Notice issued: Documented in this DPA revision (2026-04-27); the integration's availability for installation went live 2026-04-16. The 30-day advance-notification rule does not apply to Customer-Activated Integrations because no Customer's data flows to Slack unless and until that Customer's organization owner takes an explicit installation step.

Effective: 2026-05-27
Change: OpenRouter added as routing aggregator for free-tier and null-plan users with ADP off. Routes initially to four allowlisted underlying providers: Inceptron, DeepInfra, Cerebras, Google Vertex. Account-level controls enforced: mandatory Zero Data Retention, Free/Paid Training Disallowed, Free Publication Disallowed, closed 4-provider allowlist, PRC-jurisdiction blocklist (Alibaba Cloud Int., Baidu Qianfan, DeepSeek, Moonshot AI, Xiaomi, Z.AI). Free-tier users previously served by reserved direct-API paths are now served via OpenRouter. ADP path (Mistral) and paid path (Anthropic) unchanged.
Notice issued: 2026-04-27 (30-day customer email under prior §2.4 wording).

Effective: 2026-05-28
Change: Essential plan ($12/mo) routing. The new Essential plan, with ADP off, routes through OpenRouter restricted to a closed two-provider subset of the existing allowlist: Google Vertex and Cerebras. No new sub-processor is introduced: OpenRouter, Google Vertex, and Cerebras are already on the list above (added 2026-05-27), with the same account-level controls (mandatory ZDR, training-disallowed, publication-disallowed, PRC-blocklist) and transfer mechanisms (SCCs; EU-US DPF for Google Vertex). ADP-on (any plan, including Essential) continues to route to Mistral (EU). This is a routing-scope extension to a new paid plan using already-disclosed sub-processors.
Notice issued: No new sub-processor is added, so the 30-day advance-notice rule for sub-processor additions does not apply. Communicated via in-app changelog and the Trust Center on 2026-05-28.

Effective: 2026-06-25
Change: OpenRouter underlying-provider allowlist expanded from 4 to 7. Three additions: Together AI, Fireworks AI, Nebius. First control-neutral sub-processor change under the new §2.4 wording (also effective 2026-06-25). Account-level controls unchanged. Each addition evaluated against the same privacy-and-jurisdiction bar as the original four (zero-retention posture, no training on customer data, published DPA, non-PRC jurisdiction, public deployment-region disclosure). Novita AI evaluated under the same review and not added (public-disclosure opacity on infrastructure location prevents evidencing the §3.1.4 PRC-jurisdiction control).
Notice issued: 2026-05-26 (in-app changelog + Trust Center publication). Bundled labeled entry in the May 2026 monthly product-changelog email shipping in the first days of June. A more detailed internal change record is available on request.

All future sub-processor changes will be documented here with effective date, sub-processor name and location, nature of change (addition, removal, replacement), processing purpose, and customer notification date.