Why EU compliance teams cannot run client data through US AI
Schrems II, the US Cloud Act, and sectoral rules like HDS, SecNumCloud and KRITIS make American AI a real audit risk for compliance work. ISMS Copilot's 100% EU mode removes the question: Mistral on EU infrastructure, AWS Frankfurt and Amsterdam, no US data path.
Sending client compliance data through OpenAI or Anthropic is an audit finding waiting to happen.
Schrems II struck down the EU-US Privacy Shield. The replacement Data Privacy Framework is already being challenged in court. The US Cloud Act gives American authorities reach into any US-headquartered cloud or AI provider's data, regardless of where it is physically stored. ISO 27001 control A.5.14 expects you to evaluate that exposure before you transfer. ISMS Copilot's 100% EU mode removes the question entirely.
What's the legal risk, exactly?
GDPR Chapter V (Articles 44–50) governs international data transfers. The Schrems II ruling (CJEU, July 2020) struck down the EU-US Privacy Shield. The current EU-US Data Privacy Framework is the third attempt at a US adequacy decision, and is already under legal challenge. Until that's resolved, every transfer of personal data to a US-headquartered AI provider, including the personal data of staff, contractors and clients buried inside compliance evidence, sits on contested legal ground.
The harder problem is the US Cloud Act (2018): even when a US-headquartered provider hosts data in Frankfurt or Dublin, US federal authorities can compel disclosure. Storage location is not the same as legal jurisdiction. For compliance professionals handling client data, that's not a hypothetical; it's the exact thing your clients hire you to know about.
Why your auditor cares about your AI tooling
- ISO 27001 Annex A.5.14 (information transfer): you must evaluate the protection of information transferred outside the organisation, including to AI processors.
- ISO 27001 Annex A.5.23 (information security for use of cloud services): controls and supplier management apply to cloud-based AI.
- GDPR Article 28: you remain responsible for the data processors you choose, including AI vendors.
- GDPR Chapter V: any personal data leaving the EEA needs a valid transfer mechanism, and the current ones are contested.
- DORA Article 28 (in-scope financial entities): ICT third-party risk obligations extend to AI suppliers.
- NIS 2 Article 21: supply chain security covers AI vendors as part of your supply chain.
- Sectoral rules: HDS (French health data), SecNumCloud (sovereign cloud), KRITIS (German critical infrastructure), and parts of TISAX effectively rule out US-headquartered providers regardless of any GDPR mechanism.
What ISMS Copilot does differently
ISMS Copilot's 100% EU mode routes every prompt and every uploaded document through European AI infrastructure. AI inference runs on Mistral, the French AI company headquartered in Paris with infrastructure in Sweden. Data storage is on AWS in EU regions only: Frankfurt and Amsterdam. No US-headquartered model provider, no US data centres, no Cloud Act exposure, no Schrems II grey zone. EU mode is the default for users signing up from Germany, France, and the Netherlands. For everyone else, it's a one-click toggle inside workspace settings. There is no upgrade gate, no enterprise contract, no minimum seat count: EU mode is available on every plan, including the free trial.
What's covered by 100% EU mode
- AI inference: Mistral models on EU infrastructure (Sweden)
- Data storage: AWS Frankfurt and Amsterdam, EU regions only
- Backups, replication, and logs: EU regions only
- Default-on for users signing up from Germany, France, and the Netherlands
- One-click toggle on every plan for users in any other country
- No training on customer data, regardless of mode
- 30-day default retention, configurable down to 0 days
- Documented in our DPA, with a data flow diagram you can hand to an auditor
ISMS Copilot in EU mode vs. using ChatGPT or Claude on client data
| Feature | ISMS Copilot (EU mode) | ChatGPT / Claude on client data |
|---|---|---|
| AI processor | Mistral (France) on EU infrastructure (Sweden) | OpenAI / Anthropic on US infrastructure |
| Data storage | AWS Frankfurt and Amsterdam, EU only | US data centres by default; EU regions only on enterprise tiers |
| Cloud Act exposure | None (EU-headquartered providers) | Yes (both vendors are US-headquartered) |
| Schrems II risk | None (no EU-to-US transfer occurs) | Relies on the contested EU-US Data Privacy Framework |
| ISO 27001 A.5.14 audit defence | Documented EU-only flow | Requires DPIA, SCCs, and case-by-case justification |
| GDPR Chapter V transfer mechanism | Not required (no transfer occurs) | Required (DPF / SCCs / BCRs) |
| Sectoral fit (HDS, SecNumCloud, KRITIS) | EU-headquartered providers only | Effectively excluded by these regimes |
| Cost | Included on every plan, including free trial | Enterprise contract typically needed for EU residency |
What about other GRC platforms?
Most US-headquartered GRC platforms (Vanta, Drata, Secureframe) host customer data in US AWS regions and use OpenAI as the AI backbone. Some now offer EU regions for enterprise customers, but the AI layer often remains US-based regardless of the storage region. The result: the policy text, control descriptions, and risk register entries you generate inside those platforms are processed by an OpenAI endpoint that's both Cloud Act-exposed and contested under Schrems II. ISMS Copilot is built EU-first: EU-headquartered infrastructure for both storage and inference, available by default, not as an enterprise upsell.
See the ISMS Copilot vs ChatGPT comparison →
Founded in France, built EU-first
ISMS Copilot was founded in France by an ISO 27001 consultant who got tired of explaining to clients why their compliance evidence shouldn't run through an American chatbot. EU mode isn't a feature flag bolted on for the European market: it's how the product was designed from day one. The founder works inside the audit reality every week, and EU sovereignty is part of the product brief, not an afterthought.
Frequently Asked Questions
Is EU mode an extra cost?
No. EU mode is available on every plan, including the free trial. There is no upgrade gate, no enterprise contract, and no minimum seat count.
Is EU mode the default for me?
Yes, if you sign up from Germany, France, or the Netherlands. For users in other countries it's a one-click toggle inside workspace settings, also available on every plan.
Doesn't the EU-US Data Privacy Framework solve this?
The DPF is the third attempt at a US adequacy decision (after Safe Harbor and Privacy Shield, both struck down). It is already under legal challenge in the CJEU. ISMS Copilot's EU mode does not rely on it: there is no EU-to-US transfer happening, so no transfer mechanism is required.
Why Mistral specifically?
Mistral is a French AI company headquartered in Paris with infrastructure in Sweden, fully within the EU/EEA, with no US parent and no Cloud Act exposure. It's also competitive with US frontier models for compliance work, so EU mode does not cost you output quality.
Can I prove EU mode is on for an audit?
Yes. Workspace settings show EU mode status, and our DPA includes the data flow diagram showing Mistral on Swedish infrastructure and AWS storage in Frankfurt and Amsterdam. Both are auditor-friendly artefacts.
Is ISMS Copilot a US-headquartered company?
No. ISMS Copilot is a French company with EU operations only. It is not subject to the US Cloud Act, FISA 702, or any US extraterritorial demand.
What if I'm a US-based consultant with EU clients?
Toggle EU mode on for those workspaces. Many US-based consultants run a mix: standard mode for internal work, EU mode for any engagement involving EU client data. The toggle is per-workspace, so you don't have to commit one way or the other.
What about TISAX, HDS, SecNumCloud, KRITIS?
These sectoral regimes go further than GDPR and effectively rule out US-headquartered providers, even those offering EU regions, because the parent entity is still subject to US law. EU mode is the only configuration of ISMS Copilot that's compatible with that level of scrutiny, and it's the default in those markets.
Stop transferring client data to US AI.
Spin up a workspace with EU mode on. No credit card. No US data path. Free to try on every plan.
