
Data Processing Agreement (DPA)

The Data Processing Agreement (DPA) governs how ISMS Copilot processes personal data on your behalf as a data processor under GDPR Article 28. It automatically applies to all customers — no separate signature required.

Key Points

  • EU-based storage: All database storage remains in Frankfurt, Germany — your primary data never leaves the EU.

  • AI provider routing by plan: Paid users with Advanced Data Protection off are routed to Anthropic Claude (US, 30-day retention). Free users are routed through OpenRouter to vetted providers. With Advanced Data Protection on, requests are routed to Mistral AI (EU, zero retention).

  • No AI training: All AI providers are contractually prohibited from using your data to train models.

  • 30-day advance notice: We notify you at least 30 days before adding or changing sub-processors.

  • 48-hour breach notification: If a data breach affects your data, we notify you within 48 hours of confirmation.

Canonical Document

For the complete, legally binding Data Processing Agreement including sub-processor lists, SCCs, and audit rights, visit our Trust Center:

View the Data Processing Agreement on the Trust Center →

This is the authoritative source for all processor obligations, sub-processor arrangements, and legal terms.
