Valid from: 2026-04-27 (aligned with the OpenRouter sub-processor change effective 2026-05-27 and the corresponding Privacy Policy / DPA / Terms of Service revisions)
Available in English only. This legal document is provided in English as the authoritative version. The Trust Center interface is translated into your language.

Register of Processing Activities (RoPA) — ISMS Copilot

Overview

This Register of Processing Activities (RoPA) documents all personal data processing activities carried out by the ISMS Copilot platform in compliance with Article 30 of the General Data Protection Regulation (GDPR). It serves as a comprehensive record of how personal data is collected, processed, stored, and protected within the platform.

This RoPA is maintained by ISMS Copilot and updated regularly to reflect changes in data processing activities. Effective Date: 2026-04-27 (aligned with the OpenRouter sub-processor change effective 2026-05-27 and the corresponding Privacy Policy / DPA / Terms of Service revisions).

Who This Is For

This document is intended for:

  • Data Protection Officers (DPOs) evaluating ISMS Copilot
  • Compliance teams conducting vendor risk assessments
  • Organizations requiring sub-processor documentation
  • Legal and security teams performing due diligence
  • Auditors assessing GDPR compliance

This is the audit-grade companion to the Data Processing Agreement (DPA). The DPA states the contractual obligations; this RoPA documents the per-activity processing inventory.

GDPR Compliance Overview

ISMS Copilot is a B2B SaaS tool for compliance professionals. We process data primarily in the EU using Supabase (EU region) for storage and authentication. We minimize data collection, ensure user control, and contractually prohibit any AI provider from training on user data. As a small company, we focus on pragmatic, high-impact controls while pursuing formal certifications (ISO 27001 in progress) and implementing AI security controls including layered account-level enforcement at our routing aggregator.

Data Controller Information

  • Name: ISMS Copilot (operated by Better ISMS EURL)
  • Jurisdiction: France (European Union)
  • Primary Data Location: Frankfurt, Germany (AWS EU-Central-1)
  • Supervisory Authority: Commission Nationale de l'Informatique et des Libertés (CNIL)
  • Privacy Contact: privacy@ismscopilot.com

Primary data processing occurs within the European Union (Frankfurt, Germany). Some limited transfers to the United States occur for AI processing (configurable via Advanced Data Protection Mode) and email communications (SendGrid, Kit), with appropriate safeguards including Standard Contractual Clauses, EU-US Data Privacy Framework certification (where applicable), and account-level enforcement controls at the OpenRouter routing aggregator.

AI Routing — Foundational Concepts

The per-activity sections below rely on the following routing decision, which is invoked at the start of every chat request. It is implemented in selectChatModel(adpEnabled, userPlan) and determines which AI sub-processor handles the request:

Routing path | Trigger | AI provider | Location | Retention | Training
ADP path | Advanced Data Protection enabled (any plan) | Mistral AI | EU (Frankfurt) | Zero retention | No training (per Mistral's commercial API terms)
Default path (paid) | Paid plan + ADP off | Anthropic Claude | United States | Up to 30 days (abuse monitoring only — not training). Customers needing zero retention can enable ADP. | No training (per Anthropic's commercial API terms)
Default path (free) | Free or null plan + ADP off | OpenRouter aggregator → one of four allowlisted underlying providers (Inceptron, DeepInfra, Cerebras, Google Vertex) | United States | Zero retention (mandatory at OpenRouter account level) | No training (set at OpenRouter account level)

Failover. If Anthropic is unavailable on the paid path, requests automatically fail over to Mistral AI in Frankfurt via a circuit-breaker controller. On the free path, OpenRouter's aggregator-level fallback walks the four allowlisted providers automatically; OpenRouter itself is the single point of dependency.

OpenRouter account-level controls (enforced by Better ISMS as the OpenRouter account holder, applied to every request, applicable to all four allowlisted underlying providers):

  • Zero Data Retention is mandatory — per OpenRouter's published policy, ZDR-mandatory accounts can only route to endpoints with a Zero Data Retention policy.
  • Free Training Disallowed and Paid Training Disallowed are both set.
  • Free Publication Disallowed is set; the model-publication channel is closed.
  • Closed 4-provider allowlist — only Inceptron, DeepInfra, Cerebras, and Google Vertex may serve our requests.
  • PRC-jurisdiction blocklist — Alibaba Cloud International, Baidu Qianfan, DeepSeek, Moonshot AI, Xiaomi, and Z.AI are all blocked. This is a Schrems II–style supplementary measure aligned with EDPB Recommendations 01/2020.

Configuration-integrity caveat. OpenRouter account-level controls are configured per the policies above. Better ISMS does not currently rely on an OpenRouter API or signed attestation for real-time integrity. Evidence of the configuration is two-fold: (a) this RoPA is itself a contemporaneous record of the configured controls as of its effective date, and (b) Better ISMS will demonstrate the live OpenRouter account configuration via a guided dashboard walkthrough on customer request (typically a recorded screen-share session). Ad-hoc screenshots may be captured on specific customer request or when controls materially change.
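The routing table and the failover paragraph above, carried through as an added example in JavaScript; this is not ISMS Copilot's code, and the provider catalogue, the circuit-breaker thresholds and the fail-closed behaviour on the ADP path are assumptions of the example, not statements from this register.

```javascript
'use strict';

// Constructed provider catalogue mirroring the routing table in this section
// (region and retention as stated there; "openrouter" stands for the
// aggregator path, whose underlying providers are fixed by the allowlist).
const PROVIDERS = {
  mistral:    { region: 'EU', retentionDays: 0 },
  anthropic:  { region: 'US', retentionDays: 30 },
  openrouter: { region: 'US', retentionDays: 0 },
};

// Primary routing decision: ADP takes precedence over plan; free and null
// plans share the OpenRouter path.
function selectChatModel(adpEnabled, userPlan) {
  if (adpEnabled) return 'mistral';
  if (userPlan === 'paid') return 'anthropic';
  return 'openrouter';
}

// Minimal circuit breaker (thresholds are assumed, not from the register):
// opens after `failureThreshold` consecutive failures and, once `cooldownMs`
// has elapsed, lets traffic through again. The clock is injectable so the
// behaviour can be exercised without sleeping.
class CircuitBreaker {
  constructor({ failureThreshold = 3, cooldownMs = 60_000, now = Date.now } = {}) {
    this.failureThreshold = failureThreshold;
    this.cooldownMs = cooldownMs;
    this.now = now;
    this.failures = 0;
    this.openedAt = null;
  }

  isOpen() {
    if (this.openedAt === null) return false;
    if (this.now() - this.openedAt >= this.cooldownMs) {
      this.openedAt = null;   // cooldown over: allow a trial request again
      this.failures = 0;
      return false;
    }
    return true;
  }

  recordFailure() {
    this.failures += 1;
    if (this.failures >= this.failureThreshold) this.openedAt = this.now();
  }

  recordSuccess() {
    this.failures = 0;
    this.openedAt = null;
  }
}

// Resolve the provider for one request. Only the paid path fails over
// (Anthropic -> Mistral); the free path's fallback happens inside OpenRouter
// and is invisible here. Assumption not stated on the page: the ADP path has
// no failover target, so this example fails closed rather than ever send an
// ADP request to a non-EU provider.
function routeRequest(adpEnabled, userPlan, breakers) {
  const primary = selectChatModel(adpEnabled, userPlan);
  let decision = { provider: primary, failover: false };
  if (primary === 'anthropic' && breakers.anthropic.isOpen()) {
    decision = { provider: 'mistral', failover: true };
  }
  // Privacy bar from the routing table: an ADP request stays EU-resident
  // with zero retention on every path, failover included.
  const p = PROVIDERS[decision.provider];
  if (adpEnabled && (p.region !== 'EU' || p.retentionDays !== 0)) {
    throw new Error(`privacy bar violated: ${decision.provider} is not EU zero-retention`);
  }
  return decision;
}
```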


Processing Activity #1: User Authentication & Account Management

Purpose of Processing

To provide secure user authentication, session management, and account access control for the ISMS Copilot platform.

  • Primary: Contract Performance (Article 6(1)(b) GDPR) — necessary to provide the service
  • Secondary: Legitimate Interest (Article 6(1)(f) GDPR) — security and fraud prevention

Categories of Data Subjects

  • Platform users (compliance professionals, consultants, security teams)
  • Trial users and prospective customers
  • Workspace members and collaborators

Categories of Personal Data

  • Email addresses
  • Password hashes (one-way, not reversible)
  • Authentication tokens and session identifiers
  • User unique identifiers (UUIDs)
  • Password reset tokens (temporary)
  • Account creation timestamps
  • Last login timestamps

Data Processors

Processor | Role | Location | Mechanism
Supabase Auth | PostgreSQL-based authentication, session management | EU (Frankfurt) | GDPR-compliant DPA

Retention Period

  • Active accounts: Retained while account is active
  • After account deletion: Permanently deleted within 30 days
  • Session tokens: Expire automatically after inactivity period
  • Password reset tokens: Expire after 24 hours or first use

Security Measures

  • Password hashing using industry-standard algorithms
  • Encrypted data transmission (TLS 1.3)
  • Row-level security in database
  • Multi-factor authentication (MFA) available
  • Session timeout controls

Processing Activity #2: AI Chat Processing & Conversation Management

Purpose of Processing

To provide AI-powered compliance assistance, generate responses to user queries, and maintain conversation context for improved user experience.

Primary: Contract Performance (Article 6(1)(b) GDPR) — core service functionality

Categories of Data Subjects

  • Authenticated platform users
  • Individuals mentioned in user queries (indirect data subjects)

Categories of Personal Data

  • User messages and queries
  • AI-generated responses
  • Conversation thread metadata (titles, timestamps, status)
  • User workspace configurations
  • Custom instructions and personas
  • Potentially sensitive compliance data (policies, procedures, audit information)

Users may input special category data (Article 9 GDPR) such as information about security incidents or compliance violations. Users are responsible for ensuring they have legal basis to process such data before inputting it into the platform.

Data Processors

Database Storage (always active):

Processor | Role | Location | Mechanism
Supabase PostgreSQL | Message storage, retrieval, conversation management | EU (Frankfurt) | GDPR-compliant DPA

AI Processing (routed automatically per selectChatModel(adpEnabled, userPlan) — see "AI Routing — Foundational Concepts" above):

Processor | When invoked | Location | Retention | Training | Mechanism
Mistral AI | ADP enabled (any plan); circuit-breaker failover destination for Anthropic; conversation compaction; conversation summaries | EU (Frankfurt) | Zero | No training (per Mistral's commercial API terms) | EU residency — no transfer
Anthropic Claude | Paid plan + ADP off | United States | Up to 30 days (abuse monitoring only — not training); customers needing zero retention can enable ADP | No training (per Anthropic's commercial API terms) | SCCs
OpenRouter aggregator | Free / null plan + ADP off — routes only to the four allowlisted underlying providers | United States | Zero (mandatory at account level) | No training (account-level) | OpenRouter's role is account-level enforcement; the legal transfer mechanism for data leaving the EU is anchored at the underlying-provider rows below
↳ Inceptron | OpenRouter underlying provider (allowlisted) | United States | Zero (enforced via OR account config) | No training (enforced via OR account config) | SCCs
↳ DeepInfra | OpenRouter underlying provider (allowlisted) | United States | Zero (enforced via OR account config) | No training (enforced via OR account config) | SCCs
↳ Cerebras | OpenRouter underlying provider (allowlisted) | United States | Zero (enforced via OR account config) | No training (enforced via OR account config) | SCCs
↳ Google Vertex | OpenRouter underlying provider (allowlisted) | United States | Zero (enforced via OR account config) | No training (enforced via OR account config) | SCCs + EU-US Data Privacy Framework

Backend Infrastructure (always active):

Processor | Role | Location | Mechanism
Fly.io | Chat orchestration, streaming responses, message routing | EU deployment | GDPR-compliant hosting agreement

Reserved AI Processors (code paths exist; not invoked in current production)

OpenAI, X.AI (Grok), and Google Gemini have direct-API integration code paths in the platform, but no current user-facing flow invokes them. They are not active sub-processors. Activation of any Reserved processor for live processing of user data requires a 30-day customer notice under the change-of-sub-processor procedure.

Retention Period

  • User-configurable retention: 1 day to 7 years (the "Keep Forever" setting corresponds to the 7-year maximum)
  • Default retention: As configured by user in account settings
  • Automated deletion: Daily automated process deletes messages older than user-specified retention period
  • Temporary chats: Automatically deleted after 30 days
  • After account deletion: All conversations permanently deleted within 30 days

Users control their data retention period through Settings. Configure retention to match your organization's data protection policies and legal requirements.

Security Measures

  • TLS encryption for data in transit
  • Row-level security ensures users can only access their own conversations
  • Workspace isolation prevents cross-contamination of client data
  • User authentication required for persistent conversations
  • Automated deletion of expired data
  • Multi-provider AI failover (Anthropic → Mistral via circuit breaker for paid users; OpenRouter aggregator-level failover across the four allowlisted underlying providers for free users) for service availability without compromising the privacy bar

Processing Activity #3: Content Moderation & Safety

Purpose of Processing

To automatically detect potentially harmful, illegal, or policy-violating content in user chat messages, ensuring platform safety and compliance with legal obligations.

  • Primary: Legitimate Interest (Article 6(1)(f) GDPR) — platform safety, fraud prevention, legal compliance, and protection of users
  • Secondary: Legal Obligation (Article 6(1)(c) GDPR) — compliance with laws requiring prevention of illegal content distribution

Categories of Data Subjects

  • All platform users sending chat messages
  • Individuals mentioned in flagged messages (indirect data subjects)

Categories of Personal Data

  • User chat message content (analyzed for safety violations in real time; not stored by the moderation pipeline)
  • For flagged messages only: a moderation_events row containing the message identifier, the thread identifier, the abuse categories matched, and a timestamp. The full message content is not stored in the moderation record.

Data Processors

Moderation always runs on Mistral, regardless of Advanced Data Protection setting. This is a single-provider design choice for consistency and EU-residency safety review.

Processor | Role | Location | Retention | Training | Mechanism
Mistral AI Moderation API (mistral-moderation-latest) | Two-stage pipeline: fast classifier followed by a judge model that reviews borderline cases | EU (Frankfurt) | Zero | No training (contractual) | EU residency — no transfer
Supabase PostgreSQL | Storage of moderation_events rows for flagged messages (metadata only — no message content) | EU (Frankfurt) | 12 months, then automatically purged | n/a | GDPR-compliant DPA

How Moderation Works

  1. Real-time analysis. Every user message is sent synchronously to the Mistral moderation API. The judge model reviews borderline cases.
  2. Event storage (flagged only). When a message is flagged, a moderation_events row is written containing only the message identifier, thread identifier, abuse categories matched, and timestamp. No message content is stored in the moderation record.
  3. Thread deletion lock (Article 17 limitation). When a thread contains a flagged message, the thread is locked from user-initiated deletion via the prevent_flagged_thread_deletion() database trigger. This is a security measure to prevent destruction of abuse evidence. Customer Content within a flagged thread is still subject to deletion on a verified Article 17 erasure request submitted to privacy@ismscopilot.com; we evaluate each such request against the legitimate-interest balancing test (Article 17(3)(e) and recital 47) and respond within 30 days.
  4. No record for non-flagged messages. No moderation row is written for messages that pass moderation; no metadata, no scores, no record.

Retention Period

  • Non-flagged messages: No moderation record stored.
  • Flagged messages: moderation_events metadata (message ID, thread ID, abuse categories, timestamp — no message content) retained for 12 months, then automatically purged.
  • After account deletion: All moderation_events rows associated with the user are deleted within 30 days, except where retention is required by law.

Security Measures

  • Synchronous moderation with two-stage classifier + judge pipeline (Mistral)
  • EU residency, zero retention by Mistral
  • Row-level security ensures moderation_events are isolated per user
  • Encrypted data transmission (TLS 1.3)
  • Database-level thread-deletion lock to prevent abuse-evidence destruction
  • Automated purge of moderation_events after 12 months

Processing Activity #4: File Upload & Document Processing

Purpose of Processing

To enable users to upload compliance documents for AI analysis, gap assessment, and document generation; and to maintain workspace files for reuse across conversations.

Primary: Contract Performance (Article 6(1)(b) GDPR) — service feature

Categories of Data Subjects

  • Platform users uploading documents
  • Individuals mentioned in uploaded documents (employees, customers, third parties)

Categories of Personal Data

  • Uploaded files (PDF, DOCX, XLSX)
  • Extracted document content and metadata
  • File names, sizes, upload timestamps
  • Document processing status
  • Workspace assignment (for files attached to a workspace)
  • File summaries (eager Mistral summarization for workspace files)
  • Potentially sensitive organizational data (policies, audit reports, risk assessments)

Uploaded documents may contain special category data or confidential business information. Users must ensure they have appropriate legal authority to upload and process such documents.

Data Processors

Processor | Role | Location | Mechanism
Supabase Storage | Secure file storage (uploads bucket) | EU (Frankfurt) | GDPR-compliant DPA
ConvertAPI | Document format conversion (PDF/DOCX/XLSX ↔ HTML) | EU endpoint | ISO/IEC 27001:2022 (Cert No. 1512122216, valid to 2028-08-18); signed DPA with Better ISMS
Mistral AI | Workspace file summarization (eager, on upload) | EU (Frankfurt) | EU residency — no transfer; no training under Mistral's commercial API terms; zero retention
Fly.io | Document conversion orchestration | EU deployment | GDPR-compliant hosting agreement

Retention Period

  • Active files: Retained according to user's data retention settings (linked to conversation retention)
  • Workspace files: Retained while the workspace exists; deleted when the workspace is deleted
  • Orphaned files: Automatically deleted via background cleanup process (excluding workspace-attached files)
  • After account deletion: All uploaded files permanently deleted within 30 days
  • ConvertAPI processing: Files processed in memory, not stored permanently by the processor

Security Measures

  • User-scoped file access (files linked to user ID via row-level security)
  • Encrypted storage at rest
  • Secure file upload over HTTPS
  • Authentication required for file upload and deletion
  • Automated orphaned-file cleanup (with workspace-aware exclusions)

Processing Activity #5: Payment & Subscription Management

Purpose of Processing

To process subscription payments, manage billing, and provide access to premium features.

  • Primary: Contract Performance (Article 6(1)(b) GDPR) — billing and payment processing
  • Secondary: Legal Obligation (Article 6(1)(c) GDPR) — tax and accounting compliance

Categories of Data Subjects

  • Premium subscribers
  • Trial users converting to paid plans
  • Billing contacts for organizational accounts

Categories of Personal Data

  • Stripe customer IDs (Paddle for UK customers)
  • Subscription IDs and status
  • Payment metadata (no full credit card numbers stored)
  • Billing events and timestamps
  • Invoice information

Data Processors

Processor | Role | Location | Mechanism
Stripe | Payment processing, subscription management, customer portal (non-UK) | Global (EU DPA); PCI DSS Level 1 | GDPR-compliant DPA
Paddle | Merchant of Record for UK customers (HMRC VAT compliance) | Global (EU DPA) | GDPR-compliant DPA
Supabase | Stores subscription status and customer IDs (not payment card data) | EU (Frankfurt) | GDPR-compliant DPA

Retention Period

  • Active subscriptions: Retained while subscription is active
  • After cancellation: Anonymized billing records retained for 7 years (tax and accounting compliance)
  • Payment card data: NEVER stored by ISMS Copilot (handled exclusively by Stripe / Paddle)

Security Measures

  • PCI DSS Level 1 compliant payment processing (via Stripe)
  • No credit card data stored in ISMS Copilot systems
  • Webhook signature verification
  • Encrypted transmission of payment data
  • Duplicate payment prevention

Processing Activity #6: Analytics & Product Improvement

Purpose of Processing

To analyze platform usage, improve user experience, identify bugs, and monitor system performance.

Primary: Legitimate Interest (Article 6(1)(f) GDPR) — product improvement and service reliability

Categories of Data Subjects

  • All platform users
  • Website visitors

Categories of Personal Data

  • User behavior events (page views, button clicks, feature usage)
  • Session data and session duration
  • Browser and device information
  • Error logs and exception data (with user UUID only — no email or content)
  • Performance metrics (page load times, interaction metrics)
  • IP addresses (anonymized)

Analytics systems are configured with sendDefaultPii: false to prevent automatic collection of personally identifiable information. No conversation content or uploaded documents are shared with analytics providers.

Data Processors

Processor | Role | Location | Mechanism
PostHog | Product analytics (cookieless mode, in-memory persistence) | EU (Frankfurt) | GDPR-compliant; PII protection via sendDefaultPii: false
Sentry | Error tracking and performance monitoring | Germany | GDPR-compliant; PII protection via sendDefaultPii: false
Vercel Web Analytics | Web vitals, performance metrics | Global CDN | GDPR-compliant

Retention Period

  • PostHog analytics: According to PostHog retention policy (typically up to 7 years, anonymized)
  • Sentry error logs: 90 days
  • Vercel analytics: According to Vercel retention policy

Security Measures

  • Anonymized IP addresses
  • No PII sent by default
  • No conversation content shared
  • EU-based analytics infrastructure
  • Production-only tracking (no development environment data)

Processing Activity #7: Infrastructure & Deployment

Purpose of Processing

To host and deliver the ISMS Copilot application securely to users.

Primary: Contract Performance (Article 6(1)(b) GDPR) — service delivery

Categories of Data Subjects

  • All platform users and visitors

Categories of Personal Data

  • HTTP request logs
  • IP addresses (temporary, for routing)
  • Connection metadata
  • Session cookies

Data Processors

Processor | Role | Location | Mechanism
Vercel | Frontend hosting and content delivery | Global CDN | GDPR-compliant
Fly.io | Backend API hosting | EU deployment | GDPR-compliant
AWS (via Supabase) | Database and storage infrastructure | Frankfurt (EU-Central-1) | GDPR-compliant

Retention Period

  • Access logs: 30-90 days per infrastructure provider policies
  • Session data: Expires after user session ends

Security Measures

  • TLS 1.3 encryption for all connections
  • Content Security Policy headers
  • DDoS protection
  • Regular security updates and patches

Processing Activity #8: Email Communications & Updates

Purpose of Processing

To send legal updates, product updates, onboarding guidance, and service-related communications.

Primary: Legitimate Interest (Article 6(1)(f) GDPR) — product improvement, user education, and service communications related to platform usage

Categories of Data Subjects

  • All platform users (new signups and existing users)
  • Trial users receiving onboarding sequences
  • Premium subscribers receiving product updates

Categories of Personal Data

  • Email addresses
  • Subscription preferences (legal updates, product updates)
  • Email engagement data (opens, clicks)
  • Unsubscribe status
  • Send timestamps

Data Processors

Processor | Role | Location | Mechanism
SendGrid (Twilio) | Transactional and legal-update email delivery | United States | SCCs
Kit (ConvertKit) | Onboarding email sequences and product update emails | United States | SCCs

Users can unsubscribe from product updates and onboarding emails at any time via the unsubscribe link in each email. Essential service notifications (e.g., security alerts, account changes) may still be sent as required by law or contract.

Retention Period

  • Active subscriptions: Retained while user remains subscribed
  • After unsubscribe: Email removed from mailing lists immediately
  • Engagement data: Retained according to email service provider policies (typically up to 2 years)
  • After account deletion: All email preferences and data removed within 30 days

Security Measures

  • Encrypted email transmission (TLS)
  • Secure API connections to email providers
  • One-click unsubscribe functionality
  • Email authentication (SPF, DKIM, DMARC)
  • Bounce and complaint handling

Processing Activity #9: Token Consumption Tracking & Usage Monitoring

Purpose of Processing

To track AI token consumption for billing, quota management, and service optimization.

  • Primary: Contract Performance (Article 6(1)(b) GDPR) — necessary to enforce usage quotas
  • Secondary: Legitimate Interest (Article 6(1)(f) GDPR) — service optimization and cost management

Categories of Data Subjects

  • All platform users with active subscriptions

Categories of Personal Data

  • User ID
  • Token consumption counts per conversation
  • AI provider used (anthropic, mistral, openrouter)
  • Timestamps of usage
  • Subscription plan tier

Data Processors

Processor | Role | Location | Mechanism
Supabase PostgreSQL | Storage of token usage metrics | EU (Frankfurt) | GDPR-compliant DPA
Fly.io | Token calculation and aggregation | EU deployment | GDPR-compliant

Retention Period

  • Active subscriptions: Retained for duration of subscription
  • After subscription cancellation: Retained for 90 days for billing dispute resolution
  • After account deletion: Anonymized within 30 days

Security Measures

  • Aggregated metrics only (no message content stored)
  • Row-level security in database
  • Encrypted data transmission and storage
  • Access limited to billing and support functions

Processing Activity #10: Slack Bot Integration (heygrc)

Purpose of Processing

To allow paid Customers to interact with the ISMS Copilot AI compliance assistant from inside their Slack workspace via the heygrc bot — direct messages to the bot or @heygrc channel mentions.

  • Primary: Contract Performance (Article 6(1)(b) GDPR) — optional integration the Customer's organization owner explicitly installs to extend the contracted service into Slack
  • Secondary: Legitimate Interest (Article 6(1)(f) GDPR) — for the OAuth audit trail (recording which organization owner installed the integration)

Categories of Data Subjects

  • The organization owner who performs the install (their ISMS Copilot user ID is recorded for audit)
  • Members of the Customer's Slack workspace who interact with the bot. These users typically do not hold an ISMS Copilot account; their messages addressed to the bot are processed under the installing Customer's organization. The Customer is responsible for informing its Slack workspace users that messages addressed to the bot are processed by ISMS Copilot.

Categories of Personal Data

  • Slack workspace metadata captured during OAuth: workspace (team) ID, workspace name, bot user ID
  • OAuth bot token issued by Slack
  • ISMS Copilot user ID of the installer (audit trail)
  • Slack message content of messages addressed to the bot — DMs to heygrc or @heygrc channel mentions only. Other workspace messages are not read.
  • Slack user identifiers (slack_user_id) of users who interact with the bot, recorded in the slack_threads mapping table

Data Processors

Processor | Role | Location | Mechanism
Slack Technologies, Inc. | Originates OAuth handshake and message events; receives AI response posts back to the workspace | United States | SCCs
Supabase PostgreSQL | Stores slack_integrations (workspace metadata), slack_integration_secrets (bot token, service-role-only RLS), slack_threads (Slack-thread ↔ ISMS-thread mapping). Conversation content lands in the main messages and threads tables. | EU (Frankfurt) | GDPR-compliant DPA
Fly.io | Hosts the slack-bot service that handles inbound Slack events, signing-secret verification, retry deduplication, and outbound response posts | EU deployment | GDPR-compliant
Mistral AI | Content moderation of Slack-originated messages (same pipeline as web chat) | EU (Frankfurt) | EU residency — no transfer; no training; zero retention
Anthropic Claude | AI processing for Slack-originated messages when ADP is off (paid users only — Slack is paid-tier-only, so the OpenRouter free-tier path never applies) | United States | SCCs; no training under Anthropic's commercial API terms; up to 30 days abuse-monitoring retention only (not training); customers needing zero retention can enable ADP at the org level
Mistral AI (also) | AI processing for Slack-originated messages when ADP is enabled at the org level | EU (Frankfurt) | EU residency — no transfer

How the Integration Works

  1. Install (paid orgs only). An ISMS Copilot organization owner clicks "Add to Slack" on the Connectors page. The OAuth callback verifies the installer is (a) authenticated as an org owner, and (b) on a paid plan; free / null-plan organizations are rejected with a paid_plan_required error. The OAuth scope is bot-only — we do not request the workspace user directory, channel history, or file access.
  2. Inbound message. Slack sends DMs to the bot or @heygrc mentions to a Fly.io endpoint. The signing secret is verified, retries are deduplicated, and the message is routed through the same chat API as web users (with X-Internal-Auth and X-Slack-User-Id headers in place of a JWT).
  3. Routing. selectChatModel(adpEnabled, userPlan) runs against the organization owner's ADP setting and plan — Slack workspace users inherit the org's settings; a Slack user cannot select their own routing.
  4. Moderation. Slack-originated messages run through the same Mistral moderation pipeline as web chat (always Mistral, regardless of ADP).
  5. Response post-back. The AI response is read from the messages table and posted back to the originating Slack channel/DM via the Slack Web API.

Retention Period

  • Slack integration records (slack_integrations, slack_integration_secrets, slack_threads): retained while the integration is active; hard-deleted within seconds of uninstall (the app_uninstalled event handler cascades a DELETE FROM slack_integrations which removes the secret and thread mappings).
  • Conversation content (Slack-originated messages and AI responses, stored in the main messages and threads tables): retained per the Customer's account-level retention setting (1 day to 7 years, or "keep forever"). Uninstall does not delete conversation content because it belongs to the Customer's organization, but the link from a Slack thread back to a specific Slack workspace user is severed (the slack_threads row is deleted).
  • After account deletion: all Slack-related records are deleted within 30 days alongside the rest of the Customer's data.

Security Measures

  • Slack signing-secret verification on every inbound event
  • Retry deduplication via context.retryNum
  • Bot tokens stored in an isolated slack_integration_secrets table with service-role-only Row-Level Security; never exposed to authenticated org members via UI or API. Encryption at rest is provided by the database infrastructure layer; an application-level pgcrypto encryption layer is a tracked follow-up.
  • OAuth scope is bot-only; no workspace user-directory or file scope is requested
  • Install gated to paid org owners only (callback verifies plan + ownership before issuing bot token)
  • Hard-delete on uninstall via app_uninstalled event handler — no soft-delete or archive

Data Subject Rights Implementation

ISMS Copilot supports all GDPR data subject rights through both in-product self-service features (in Settings → Data Protection) and an email-mediated path for cases requiring evaluation.

Right to Access (Article 15)

  • Self-service: View all conversations and files through the platform interface; request a complete data export in JSON format via Settings → Data Protection (available to all plans)
  • Response time: Self-service is immediate; export typically delivered within 72 hours

Right to Rectification (Article 16)

  • Self-service: Update settings through the Settings dialog
  • Email-mediated: privacy@ismscopilot.com for email address changes
  • Response time: Immediate for self-service; within 30 days for email-mediated

Right to Erasure (Article 17)

  • Self-service: Account deletion via Settings → Data Protection (available to all plans)
  • Email-mediated: privacy@ismscopilot.com for deletion of specific Customer Content within a flagged thread (per Activity #3 — moderation thread-deletion lock); we evaluate each such request against the legitimate-interest balancing test (Article 17(3)(e), recital 47) and respond within 30 days
  • Scope: All personal data, conversations, files, and settings (subject to the moderation retention exception in Activity #3 and to anonymized billing records retained for 7 years per Activity #5)
  • Timeline: Permanent deletion within 30 days

Right to Data Portability (Article 20)

  • Format: JSON export including all user data
  • Self-service: Settings → Data Protection
  • Response time: Typically within 72 hours

Right to Restrict Processing (Article 18)

Right to Object (Article 21)

Right to Lodge a Complaint

You have the right to file a complaint with a supervisory authority:

Commission Nationale de l'Informatique et des Libertés (CNIL) — Website: https://www.cnil.fr/en — Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France — Phone: +33 1 53 73 22 22


Data Breach Notification Procedures

Detection & Assessment

  • Continuous monitoring via Sentry error tracking
  • Security incident review within 24 hours of detection
  • Risk assessment for potential data breach impact

Notification Timeline

  • To affected Customers (as controllers of Customer Content): without undue delay after becoming aware (Article 33(2)), so that each Customer can meet its own 72-hour deadline
  • To Supervisory Authority (CNIL): within 72 hours of becoming aware, for data for which ISMS Copilot itself is the controller (Article 33(1))
  • To Data Subjects: without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34)

Notification Contents

  • Nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences
  • Measures taken or proposed to address the breach

International Data Transfers

Whether data is transferred outside the EU depends on the Customer's Advanced Data Protection Mode setting and (for AI processing) on subscription plan.

When Advanced Data Protection is ON (any plan)

Core data processing occurs within the European Union.

Component                    | Location                                  | Transfer?
Database storage             | EU (Frankfurt, Germany)                   | None
AI processing                | EU (Mistral AI, Frankfurt)                | None
Content moderation           | EU (Mistral AI)                           | None
File conversion              | EU endpoint (ConvertAPI)                  | None
Workspace file summarization | EU (Mistral AI)                           | None
Analytics                    | EU endpoints (PostHog EU, Sentry Germany) | None
Email communications         | United States (SendGrid, Kit)             | SCCs

When Advanced Data Protection is OFF (default)

Component                          | Location                                                                                                                         | Mechanism
Database storage                   | EU (Frankfurt, Germany)                                                                                                          | None; EU residency
AI processing (paid users)         | United States (Anthropic Claude)                                                                                                 | SCCs; no training under Anthropic's commercial API terms; up to 30 days abuse-monitoring retention only (not training); enable ADP for zero retention
AI processing (free / null-plan)   | United States; OpenRouter aggregator routing to one of four allowlisted underlying providers (Inceptron, DeepInfra, Cerebras, Google Vertex) | SCCs; EU-US Data Privacy Framework certification for Google Vertex; OpenRouter account-level controls (mandatory ZDR, training-disallowed, publication-disallowed, closed 4-provider allowlist, PRC-jurisdiction blocklist) act as the enforcement layer
Content moderation                 | EU (Mistral AI; always, regardless of ADP)                                                                                       | None
File conversion                    | EU endpoint (ConvertAPI)                                                                                                         | None
Workspace file summarization       | EU (Mistral AI)                                                                                                                  | None
Analytics                          | EU endpoints (PostHog EU, Sentry Germany)                                                                                        | None
Email communications               | United States (SendGrid, Kit)                                                                                                    | SCCs

Supplementary Measures (Schrems II compliance)

For all transfers outside the EU:

  • TLS 1.3 encryption for data in transit
  • Customer ability to control transfer destination via Advanced Data Protection Mode

For paid-tier (Anthropic) transfers: no training on Customer Content under Anthropic's commercial API terms; up to 30 days abuse-monitoring retention only (not training); customers needing zero retention can enable ADP for Mistral routing.

For free-tier (OpenRouter) transfers:

  • OpenRouter account-level controls applied to every request: mandatory Zero Data Retention; Free Training Disallowed + Paid Training Disallowed; Free Publication Disallowed
  • Closed 4-provider allowlist (only Inceptron, DeepInfra, Cerebras, Google Vertex permitted)
  • PRC-jurisdiction blocklist (Alibaba Cloud Int., Baidu Qianfan, DeepSeek, Moonshot AI, Xiaomi, Z.AI all blocked) — a Schrems II-style jurisdiction-based supplementary measure aligned with EDPB Recommendations 01/2020
  • Each underlying provider independently confirms zero retention or no-training-on-customer-data in their published policies

A complete Transfer Impact Assessment (TIA) covering US-based sub-processors is available on request via privacy@ismscopilot.com.

Organizations subject to strict EU data residency requirements should enable Advanced Data Protection Mode to eliminate AI processing transfers and simplify Transfer Impact Assessment obligations.
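The two transfer tables above, together with the Anthropic to Mistral circuit-breaker failover listed later under Availability & Resilience, amount to one routing decision per request: which provider, in which jurisdiction, under which transfer mechanism. The following is an added worked example of that decision, written for this page; it is not ISMS Copilot's own code. The function and class names, the plan labels ("pro", "team", "enterprise"), and the breaker thresholds (three consecutive failures open it, a 60 second cool-down before a half-open probe) are assumptions; the page specifies none of them. The allowlist and blocklist contents are the ones the RoPA lists.

```python
"""Added example (not ISMS Copilot's code): AI routing as implied by the
International Data Transfers tables, plus the Anthropic -> Mistral
circuit breaker. Names, plan labels and thresholds are assumptions.
"""
from __future__ import annotations

import time
from dataclasses import dataclass
from typing import Callable, Optional

PAID_PLANS = frozenset({"pro", "team", "enterprise"})  # assumed labels

# OpenRouter account-level allowlist / blocklist, as listed in the RoPA.
OPENROUTER_ALLOWLIST = frozenset({"Inceptron", "DeepInfra", "Cerebras", "Google Vertex"})
OPENROUTER_BLOCKLIST = frozenset(
    {"Alibaba Cloud Int.", "Baidu Qianfan", "DeepSeek", "Moonshot AI", "Xiaomi", "Z.AI"}
)


@dataclass(frozen=True)
class Route:
    provider: str
    jurisdiction: str  # "EU" or "US"
    mechanism: str     # transfer mechanism the RoPA cites for this leg


class CircuitBreaker:
    """Closed / open / half-open breaker; thresholds are illustrative."""

    def __init__(self, failure_threshold: int = 3, reset_after: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.failure_threshold = failure_threshold
        self.reset_after = reset_after
        self.clock = clock
        self.failures = 0
        self.opened_at: Optional[float] = None

    def allow(self) -> bool:
        """True when the primary provider may be called."""
        if self.opened_at is None:
            return True                                         # closed
        return self.clock() - self.opened_at >= self.reset_after  # half-open probe

    def record_success(self) -> None:
        self.failures, self.opened_at = 0, None

    def record_failure(self) -> None:
        self.failures += 1
        if self.failures >= self.failure_threshold:
            self.opened_at = self.clock()                       # open


def route_ai_request(plan: Optional[str], adp_on: bool, anthropic: CircuitBreaker) -> Route:
    """ADP is tested first, so an open breaker can never move an ADP-on request to the US."""
    if adp_on:
        return Route("Mistral AI (Frankfurt)", "EU", "none; EU residency")
    if plan in PAID_PLANS:
        if anthropic.allow():
            return Route("Anthropic Claude", "US",
                         "SCCs; no training; up to 30 days abuse-monitoring retention")
        return Route("Mistral AI (Frankfurt)", "EU", "none; circuit-breaker failover")
    return Route("OpenRouter (allowlisted upstream)", "US",
                 "SCCs (EU-US DPF for Google Vertex); account-level ZDR")


def moderation_route() -> Route:
    """Content moderation goes to Mistral AI whatever the plan or ADP setting."""
    return Route("Mistral AI", "EU", "none; always EU")


def openrouter_upstream_permitted(upstream: str) -> bool:
    """Defence in depth: check the upstream OpenRouter reports against the closed
    allowlist. The allowlist is authoritative; the blocklist is a second check so a
    misconfiguration that puts a name in both still denies."""
    return upstream in OPENROUTER_ALLOWLIST and upstream not in OPENROUTER_BLOCKLIST


def residency_invariant_holds() -> bool:
    """ADP on must give an EU route for every plan and every breaker state."""
    for plan in list(PAID_PLANS) + ["free", None]:
        for tripped in (False, True):
            cb = CircuitBreaker(clock=lambda: 0.0)
            for _ in range(cb.failure_threshold if tripped else 0):
                cb.record_failure()
            if route_ai_request(plan, True, cb).jurisdiction != "EU":
                return False
    return True


if __name__ == "__main__":
    now = [0.0]                                    # controllable clock
    cb = CircuitBreaker(clock=lambda: now[0])
    print(route_ai_request("pro", False, cb).provider)   # Anthropic Claude
    for _ in range(3):
        cb.record_failure()                        # three simulated upstream errors
    print(route_ai_request("pro", False, cb).provider)   # Mistral AI (Frankfurt)
    now[0] = 60.0
    print(cb.allow())                              # True: half-open probe allowed
    print(residency_invariant_holds())             # True
```

The ordering in route_ai_request is the security-relevant detail: the ADP check sits above the breaker, so a degraded Anthropic endpoint changes the destination only for customers who already accepted a US transfer. openrouter_upstream_permitted is the application-side counterpart of the account-level allowlist; checking the upstream reported in each OpenRouter response guards against the configuration-integrity caveat the RoPA notes for that dashboard setting.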


Sub-Processor List

Active Sub-Processors

Sub-processor                   | Purpose                                                                                                                                                              | Location                      | Retention                                                                                      | DPA / Transfer mechanism
Supabase (PostgreSQL + Storage) | Database and file storage                                                                                                                                            | EU (Frankfurt)                | User-controlled                                                                                | GDPR-compliant DPA
AWS (via Supabase)              | Underlying infrastructure                                                                                                                                            | EU (Frankfurt, EU-Central-1)  | n/a                                                                                            | GDPR-compliant
Anthropic Claude                | AI processing for paid users with ADP off                                                                                                                            | United States                 | Up to 30 days (abuse monitoring only, not training); customers needing zero retention can enable ADP | SCCs; no training under Anthropic's commercial API terms
OpenRouter (routing aggregator) | AI processing for free / null-plan users with ADP off; routes only to the four allowlisted underlying providers below                                                | United States                 | Zero (mandatory at account level)                                                              | OpenRouter's role is account-level enforcement (mandatory ZDR, training-disallowed, allowlist, PRC-blocklist); the legal transfer mechanism for data leaving the EU is anchored at the underlying-provider rows below
Inceptron                       | OpenRouter underlying provider (allowlisted)                                                                                                                         | United States                 | Zero (enforced via OpenRouter account config)                                                  | SCCs
DeepInfra                       | OpenRouter underlying provider (allowlisted)                                                                                                                         | United States                 | Zero (enforced via OpenRouter account config)                                                  | SCCs
Cerebras                        | OpenRouter underlying provider (allowlisted)                                                                                                                         | United States                 | Zero (enforced via OpenRouter account config)                                                  | SCCs
Google Vertex                   | OpenRouter underlying provider (allowlisted)                                                                                                                         | United States                 | Zero (enforced via OpenRouter account config)                                                  | SCCs + EU-US Data Privacy Framework
Mistral AI                      | AI processing for ADP users (any plan); circuit-breaker failover destination for paid Anthropic traffic; content moderation for all users (always); conversation compaction; workspace file summarization | EU (Frankfurt) | Zero                                                                             | EU residency; no training under Mistral's commercial API terms
Stripe                          | Payment processing (non-UK)                                                                                                                                          | Global (EU DPA)               | 7 years (anonymized)                                                                           | GDPR-compliant DPA; PCI DSS Level 1
Paddle                          | Merchant of Record for UK customers                                                                                                                                  | Global (EU DPA)               | 7 years (anonymized)                                                                           | GDPR-compliant DPA
ConvertAPI                      | Document format conversion                                                                                                                                           | EU endpoint                   | Temporary (in-memory)                                                                          | ISO 27001:2022; signed DPA
PostHog                         | Product analytics                                                                                                                                                    | EU (Frankfurt)                | Up to 7 years (anonymized)                                                                     | GDPR-compliant
Sentry                          | Error monitoring                                                                                                                                                     | Germany                       | 90 days                                                                                        | GDPR-compliant
Vercel                          | Frontend hosting                                                                                                                                                     | Global CDN                    | 30-90 days                                                                                     | GDPR-compliant
Fly.io                          | Backend API hosting                                                                                                                                                  | EU deployment                 | 30-90 days                                                                                     | GDPR-compliant
SendGrid (Twilio)               | Transactional + legal-update emails                                                                                                                                  | United States                 | Up to 2 years                                                                                  | SCCs
Kit (ConvertKit)                | Onboarding + product update emails                                                                                                                                   | United States                 | Up to 2 years                                                                                  | SCCs

Customer-Activated Integrations

The following sub-processors only become active for a Customer's data when that Customer's authorized administrator (e.g., an organization owner) explicitly enables an optional integration in-product. No Customer Personal Data flows to the sub-processor unless and until that step occurs. The 30-day advance-notification rule for Active Sub-Processors does not apply to Customer-Activated Integrations because activation requires explicit Customer-side action; see DPA §2.4.

Sub-processor            | Purpose                                                                                                       | Activated by                                                                                                                                                   | Location      | Retention                              | DPA / Transfer mechanism
Slack Technologies, Inc. | Optional heygrc Slack bot integration: OAuth handshake, inbound message events to the bot, outbound AI response posts | Paid-organization owner installs from the Connectors page; the OAuth callback rejects free / null-plan installs with a paid_plan_required error; hard-deleted on uninstall | United States | Active while the integration is installed | SCCs

Reserved Sub-Processors (code paths exist; not invoked in current production)

Sub-processor | Code path purpose      | Status
OpenAI        | Direct OpenAI API path | Reserved; not invoked from any current user-facing flow
X.AI (Grok)   | Direct X.AI API path   | Reserved; not invoked from any current user-facing flow
Google Gemini | Direct Gemini API path | Reserved; not invoked from any current user-facing flow

Activation of any Reserved sub-processor for live processing of user data requires customer notice (30 days advance) under the change-of-sub-processor procedure before any user data is processed.

Sub-Processor Change Procedure

ISMS Copilot will notify users at least 30 days before adding new Active sub-processors, replacing existing ones, or activating a Reserved sub-processor for live processing. Notifications are sent via email and in-app announcement. Users may exercise the in-product alternative (enabling Advanced Data Protection Mode, which routes all AI processing to Mistral AI in Frankfurt regardless of plan) or, where a contract grants formal sub-processor objection rights, formally object via privacy@ismscopilot.com.

The 30-day advance-notification rule does not apply to Customer-Activated Integrations (see above) because no Customer Personal Data flows to those sub-processors unless and until the Customer's organization owner takes an explicit installation step. New Customer-Activated Integrations are documented in the table above and announced through normal product-update channels.


Technical & Organizational Measures (TOMs)

Access Control

  • Row-level security in database
  • User authentication required for all protected resources
  • Workspace isolation preventing cross-user data access
  • MFA available for enhanced account security
  • Session timeout controls

Encryption

  • TLS 1.3 for data in transit
  • Database encryption at rest
  • Password hashing (irreversible)
  • Encrypted file storage

Data Minimization

  • Only essential data collected (email, messages, files)
  • No unnecessary demographic or contact information
  • Analytics configured to exclude PII
  • User-controlled retention periods

Availability & Resilience

  • Automated database backups
  • Disaster recovery procedures
  • 24/7 monitoring and alerting via Sentry
  • Real-time uptime monitoring via BetterStack with progressive incident escalation (Slack, email, SMS)
  • Public status page for transparency (status.ismscopilot.com)
  • Multi-provider AI failover (Anthropic → Mistral via circuit breaker for paid users; OpenRouter aggregator-level failover across the four allowlisted underlying providers for free users)

Testing & Evaluation

  • Regular security assessments
  • Continuous error monitoring and logging
  • Automated data deletion testing
  • Access control verification
  • OpenRouter account-config evidence: documented in this RoPA and demonstrable via live dashboard walkthrough on customer request; ad-hoc capture on material change (configuration-integrity caveat — see "AI Routing — Foundational Concepts")

User Responsibilities

While ISMS Copilot provides GDPR-compliant infrastructure, users (as data controllers) are responsible for ensuring their use of the platform complies with GDPR and other applicable regulations.

As a data controller, users must:

  • Ensure legal basis exists before uploading personal data
  • Configure appropriate data retention periods for their organization
  • Maintain separate workspaces for different clients or data categories
  • Inform individuals when their data is processed through ISMS Copilot
  • Include ISMS Copilot in their own data processing records
  • Conduct Data Protection Impact Assessments (DPIA) when processing high-risk data
  • Not upload special category data (Article 9 GDPR) without appropriate safeguards

Compliance Documentation

Available Compliance Resources

Record Maintenance

  • Quarterly review — verify accuracy of processing activities; confirm OpenRouter account-config still matches the configuration described in this RoPA (live dashboard check; ad-hoc screenshot only on material change)
  • Change-driven updates — within 30 days of new sub-processor activation or processing activity (with customer notice 30 days in advance)
  • Annual audit — comprehensive review of all RoPA entries
  • Version control — dated revisions maintained for audit trail

Contact Information

  • Privacy & GDPR requests: privacy@ismscopilot.com (include "GDPR Request" in the subject line for priority handling)
  • Data Protection Officer: ISMS Copilot has not designated a DPO as we do not meet the mandatory designation criteria under GDPR Article 37. For data protection inquiries, contact privacy@ismscopilot.com.
  • Supervisory Authority: Commission Nationale de l'Informatique et des Libertés (CNIL) — https://www.cnil.fr/en