
Transfer Impact Assessment

ISMS Copilot has conducted a Transfer Impact Assessment (TIA) for international data transfers to the United States under GDPR Chapter V requirements. This article explains the assessment findings, supplementary measures implemented, and how Advanced Data Protection Mode affects your transfer obligations.

What Is a Transfer Impact Assessment

Under GDPR and the Schrems II ruling, organizations transferring personal data to countries outside the EU/EEA must assess whether the destination country's laws provide adequate protection. Standard Contractual Clauses (SCCs) alone may not be sufficient—you must evaluate whether additional safeguards are needed.

A TIA evaluates:

  • Laws in the destination country that might allow government access to data

  • Whether your data importer (sub-processor) could be subject to those laws

  • Technical and organizational measures that mitigate identified risks

  • Whether the combination of SCCs + supplementary measures provides adequate protection

This assessment applies when Advanced Data Protection Mode is OFF (default). When ON, AI processing remains in the EU, significantly simplifying transfer obligations.

ISMS Copilot's TIA: AI Provider Transfers

ISMS Copilot maintains a Transfer Impact Assessment for international data transfers. The current AI provider routing is documented in the canonical legal documents on our Trust Center:

Current routing (Trust Center authoritative):

  • Advanced Data Protection ON: Mistral AI (EU, zero retention); no international transfer for AI processing

  • Paid + ADP OFF: Anthropic Claude (US, up to 30-day abuse-monitoring retention)

  • Free/null-plan + ADP OFF: OpenRouter aggregator routes to vetted providers (Inceptron, DeepInfra, Cerebras, Google Vertex)

  • Email providers: SendGrid, Kit (US, SCCs)

For the complete sub-processor list with locations and retention details, see:

These canonical documents are updated whenever AI provider arrangements change.

How Advanced Data Protection Mode Changes TIA Obligations

Default Mode (Advanced Data Protection OFF)

When Advanced Data Protection is disabled:

  • AI processing location: United States (xAI, OpenAI, Anthropic)

  • Transfer mechanism: Standard Contractual Clauses + supplementary measures

  • TIA requirement: Organizations subject to GDPR should conduct their own TIA or rely on ISMS Copilot's TIA

  • Retention by AI providers: 30 days (temporary cache for abuse monitoring)

  • Email transfers: Still occur to US providers (SendGrid/Kit) regardless of AI setting

If you use default mode for processing personal data of EU residents, document this transfer in your Register of Processing Activities and rely on ISMS Copilot's TIA or conduct your own assessment.

Advanced Data Protection ON (EU-Only Mode)

When Advanced Data Protection is enabled:

  • AI processing location: European Union (Mistral AI, Frankfurt)

  • Transfer mechanism: No international transfer for AI processing (EU-to-EU)

  • TIA requirement: Not required for AI processing (no transfer outside EU/EEA)

  • Retention by AI provider: Zero retention—data processed in real-time and discarded

  • Email transfers: Still occur to US providers (SendGrid/Kit); TIA still required for emails

Advanced Data Protection Mode eliminates the need for a TIA on AI processing, significantly simplifying GDPR compliance. However, email transfers to US providers remain and still require assessment.

Email Transfers Remain Regardless of Mode

Even with Advanced Data Protection enabled, email communications involve US transfers:

  • SendGrid (Twilio): Transactional emails (account verification, password resets, security alerts)

  • Kit (ConvertKit): Onboarding sequences and product updates (optional, user can unsubscribe)

  • Data transferred: Email addresses, engagement data (opens, clicks), message metadata

  • Safeguards: Standard Contractual Clauses, encryption in transit, GDPR-compliant DPAs

To minimize email transfers, users can unsubscribe from non-essential communications.

Conducting Your Own TIA

When You Need Your Own Assessment

Organizations should conduct their own TIA if:

  • You process special category data (Article 9 GDPR) through ISMS Copilot

  • Your risk tolerance differs from ISMS Copilot's assessment

  • Your data protection authority requires organization-specific TIAs

  • Client contracts mandate independent transfer assessments

  • You process large volumes of personal data of EU residents

Key Questions for Your TIA

When conducting your own assessment, consider:

Data Sensitivity

  • What types of personal data are you uploading?

  • Does it include special category data (health, biometric, political opinions)?

  • How would unauthorized government access harm data subjects?

Likelihood of Access

  • Could your compliance data meet the "foreign intelligence" threshold under FISA 702?

  • Are you or your clients potential targets of government surveillance?

  • Do you handle data related to national security, terrorism, or organized crime?

Supplementary Measures

  • Are ISMS Copilot's technical measures (encryption, limited retention) sufficient for your use case?

  • Should you enable Advanced Data Protection Mode for EU-only processing?

  • Should you enable PII Reduction Mode to redact personal data before AI processing?

  • Do you need additional anonymization before uploading documents?

Alternative Solutions

  • If risks cannot be mitigated, can you avoid the transfer by enabling Advanced Data Protection Mode?

  • Can you anonymize data before using ISMS Copilot?

  • Should you restrict ISMS Copilot use to non-personal data only?

Resources for Your TIA

Decision Guide: Which Mode Should You Use

Use Advanced Data Protection Mode (EU-Only) When:

  • Your organization has mandatory EU data residency requirements

  • You handle personal data of EU residents and want to simplify TIA compliance

  • Client contracts prohibit US-based data processing

  • You process special category data (Article 9 GDPR)

  • Your data protection authority requires EU-only processing

  • Your risk assessment concludes US transfers pose unacceptable risks

  • You want zero AI provider retention for maximum privacy

Compliance consultants working with European clients should default to Advanced Data Protection Mode to meet strict data sovereignty requirements and simplify GDPR compliance.

Default Mode May Be Acceptable When:

  • You process only compliance documentation without personal data

  • Your TIA concludes supplementary measures provide adequate protection

  • You're not subject to GDPR (non-EU organization, no EU data subjects)

  • You handle only non-sensitive compliance content (generic policies, frameworks)

  • 30-day AI provider retention is acceptable under your policies

Documenting Transfers in Your ROPA

If you use ISMS Copilot to process personal data, document it in your Register of Processing Activities:

Default Mode (Advanced Data Protection OFF)

  • Sub-processors: ISMS Copilot (EU), xAI (US), OpenAI (US), SendGrid (US), Kit (US)

  • Transfer destinations: United States

  • Transfer mechanisms: Standard Contractual Clauses, encryption, limited retention

  • TIA reference: "Relying on ISMS Copilot's Transfer Impact Assessment dated [date]" or "Conducted internal TIA on [date]"

Advanced Data Protection Mode (ON)

  • Sub-processors: ISMS Copilot (EU), Mistral AI (EU), SendGrid (US), Kit (US)

  • Transfer destinations: United States (email only)

  • Transfer mechanisms: Standard Contractual Clauses for email providers

  • TIA reference: "AI processing occurs in EU (no transfer); email transfers covered by SCCs"

See ISMS Copilot's Register of Processing Activities for a template you can reference.

Best Practices

For EU Organizations

  • Enable Advanced Data Protection Mode by default to avoid TIA complexity

  • Document ISMS Copilot in your ROPA with appropriate sub-processor details

  • Inform data subjects that you use AI tools for compliance processing (privacy notice)

  • Anonymize personal data before uploading when possible

  • Conduct a DPIA if processing special category data or large-scale personal data

For Compliance Consultants

  • Assess each client's data residency requirements before choosing a mode

  • Create separate workspaces per client to isolate data

  • Include ISMS Copilot as a sub-processor in your client DPAs

  • Inform clients about the mode you're using and why

  • Enable PII Reduction Mode for extra protection when handling audit reports with employee names

Minimizing Transfer Risks

  • Enable Advanced Data Protection Mode: Eliminates AI processing transfers entirely

  • Enable PII Reduction Mode: Redacts personal data before it reaches AI providers

  • Unsubscribe from non-essential emails: Reduces email provider transfers

  • Set short retention periods: Limits how long data is stored

  • Anonymize before upload: Remove or pseudonymize personal identifiers

Frequently Asked Questions

Do I need to conduct my own TIA if I use ISMS Copilot?

It depends. If you use default mode and process personal data of EU residents, you should either conduct your own TIA or document your reliance on ISMS Copilot's assessment. If you enable Advanced Data Protection Mode, AI processing remains in the EU and does not require a TIA (though email transfers still do).

Does Advanced Data Protection Mode completely eliminate transfer obligations?

No. It eliminates transfers for AI processing, but email communications still involve US-based providers (SendGrid, Kit). These email transfers remain subject to GDPR Chapter V requirements and should be documented in your ROPA.

What if my data protection authority rejects ISMS Copilot's TIA?

If your DPA concludes that US transfers pose unacceptable risks, enable Advanced Data Protection Mode to process AI workloads exclusively in the EU. This removes the need for a TIA on AI processing.

Can I use ISMS Copilot for special category data?

Yes, but with precautions. Enable Advanced Data Protection Mode for EU-only processing, enable PII Reduction Mode, set short retention periods, and conduct a Data Protection Impact Assessment (DPIA) as required by Article 35 GDPR. Ensure you have a lawful basis under Article 9.

How often should I review my TIA?

Review your TIA whenever:

  • ISMS Copilot changes sub-processors or data flows

  • US surveillance laws change

  • Your data protection authority issues new guidance

  • The nature or volume of data you process changes significantly

Where can I find ISMS Copilot's Standard Contractual Clauses?

SCCs are incorporated into sub-processor agreements. Contact support through the Help Center to request copies of SCCs for your vendor assessment or audit purposes.

Getting Help

For questions about transfer impact assessments or international data transfers:

  • Review the Data Processing Agreement for legal transfer mechanisms

  • Contact support through the Help Center for TIA documentation or SCC copies

  • Include "TIA Request" or "Transfer Impact Assessment" in your subject line

  • Visit the Security Collection for comprehensive compliance documentation
