CIVAC Compliance: Platform, Officer-as-a-Service and the operational structure behind it
CIVAC is a German compliance platform and officer-as-a-service. The article explains how the platform brings together the mandatory representatives from DSB to fire protection in one place, which documents are kept and how CIVAC differs from classic consulting firms.
CIVAC addresses a structural gap in the German compliance structure: The obligation to appoint a data protection officer according to § 38 BDSG, an information security officer according to the NIS 2 Implementation Act, an occupational safety specialist according to § 5 ASiG, a fire protection officer according to the state building regulations, a money laundering officer according to § 7 GwG and at least fifteen other roles are created in parallel, but are currently in separate folders, tools and contracts. An auditor who requests the appointment certificates receives fragmented answers from personnel files, IT wikis and a non-versioned sharepoint. In the experience of regulators, this fragmentation is the most common cause of fines, not the material violation itself.
The article describes how CIVAC, as a compliance platform and officer-as-a-service, consolidates the setup. The underlying architecture, the list of roles with their respective legal bases, the dual reference model consisting of a workspace licence and assigned representatives, the documentation standards, the reporting line to management, the EU data residency, the SLAs for ordering and response as well as the interfaces to existing systems such as ISMS, GRC tools and HR platforms are explained. The addressees are managing directors, legal advisors, compliance officers and IT managers who use a supervisory letter, a contract review by a major customer or a board resolution as an opportunity to cleanly reorganize the representative landscape. The article avoids marketing terms and focuses on what a supervisory authority actually checks in an audit.
Key Takeaways
- CIVAC bundles 25 mandatory representative roles in one workspace with appointment certificate, reporting line and audit templates.
- The dual model allows either licensing of the workspace for internal representatives or ordering by CIVAC representatives under identical documentation standards.
- The order is placed with an SLA of two working days instead of the industry standard two to six weeks, with a signed appointment certificate, reporting line and EU data residency.
What CIVAC is and how the platform differs from consulting firms
CIVAC is a compliance platform and officer-as-a-service based in Germany. The platform bundles 25 mandatory representative roles, provides 490 ready-to-use audit templates, documents 93 controls according to ISO/IEC 27001:2022 and operates the underlying infrastructure exclusively within the European Union. The difference to traditional consulting firms lies not in the legal expertise, but in the form in which this expertise is delivered. Others run compliance like a filing cabinet. We run it like software. Every appointment certificate is versioned, every reporting line is linked, every measure has a person responsible, a due date and proof in the same system.
Operationally this means: If the appointment certificate of the external data protection officer has to be presented to the supervisory authority, it is not in an email inbox, but in the workspace, with the signature date, scope and last update. If the Federal Office for Information Security requires a 24-hour early warning under NIS-2, the reporting path is preconfigured and the initial report can be created and sent within minutes. When the ISO auditor checks the Statement of Applicability, it is linked to the 93 controls according to Appendix A of ISO/IEC 27001:2022 and each control has a responsible person. The difference to classic mandate management lies not in the advice itself, but in the reproducibility of the evidence at the push of a button. The auditor calls, the evidence is ready. This feature is not a cosmetic improvement, but rather the crucial difference in an audit situation between a documented setup and a reconstructed file. The pricing model also follows from this architecture: The platform licence summarizes the tools that are needed for each role anyway, and the officer-as-a-service refers to a named representative who also works within the workspace and does not require separate file management.
The role list: 25 mandatory representatives under one roof
The German compliance landscape has more than twenty mandatory officer roles, which are triggered independently by various laws and regulations. CIVAC manages them centrally in a single workspace. In the area of data protection and privacy, the data protection officer is responsible for Section 38 BDSG and Art. 37 GDPR. In the area of governance and compliance, the general compliance officer with reference to Section 130 OWiG and Section 91 Paragraph 2 AktG. In the area of IT security and NIS-2, the information security officer as well as the ISO/IEC 27001 ISMS function. In the area of occupational safety, the occupational safety specialist in accordance with Section 5 ASiG and the fire protection officer in accordance with the requirements of the building regulations of the states and DGUV Information 205-003. In the area of environmental protection, dangerous goods, hazardous substances, waste, water protection, pollution control and radiation protection officers with their own ordering obligations from GGBefG, GefStoffV, KrWG, WHG, BImSchG and StrlSchG.
There are also other roles with their own legal bases: the money laundering officer according to Section 7 GwG, the quality management officer according to ISO 9001:2015, the LkSG officer in accordance with the Supply Chain Due Diligence Act, the AGG complaint office in accordance with Section 13 AGG, the company doctor in accordance with Section 2 ASiG, the hygiene officer in accordance with state hospital laws, the ESG or sustainability officer with reference to the Corporate Sustainability Reporting Directive (Directive EU 2022/2464), the internal reporting office in accordance with HinSchG, the inclusion officer in accordance with Section 181 SGB IX, the emergency officer, the incident officer according to the Major Incident Ordinance (12th BImSchV), the construction manager or SiGeKo according to BaustellV and the supplier auditor. In CIVAC, each role has its own module with an order template, reporting line template, audit templates and a documented task catalogue that transfers the legal obligations into operational workflows. The Role overview shows the complete set with legal basis for each role. A supervisory authority, a certification body or a customer in the supplier questionnaire each requests different excerpts from this list, depending on the industry and the reason. The uniform file management in CIVAC ensures that every excerpt is drawn from the same source and does not have to be reconstructed from three different share points.
The dual model: licence the workspace or have representatives appointed
CIVAC works with two clean reference models that are not mutually exclusive, but build on each other and can be seamlessly combined over the lifespan of a company. In the first model, the company licences the workspace for its own internally appointed representatives. The data protection officer from the legal department, the information security officer from IT, and the occupational safety specialist from the factory office continue to work as internal functions, but use the platform for their appointment certificates, their audit templates, their reporting lines to management and their evidence to authorities, customers and certification bodies. The advantage lies in consolidating documentation, not replacing people. The internal officers gain time because they do not have to maintain their templates themselves.
In the second model, CIVAC appoints the officers themselves. External data protection officer, external information security officer, external money laundering officer, external whistleblower reporting centre and other roles are carried out by named CIVAC officers who work in the same workspace and use the same documentation standard. Licence the workspace for your internal representatives, or have our representatives order it. In practice, the mixed forms are often: data protection internally, information security externally, fire protection internally, money laundering externally. It is crucial that all representatives are documented in one system and the auditor does not have to jump between different files. The model is also scalable with the company: What starts as an external client can move inward as it grows without having to rebuild the documentation. The setup can also be continued in the event of takeovers or carve-outs because appointment certificates, reporting lines and templates are versioned independently of the sponsoring company. In practice, both models are priced transparently, so that management knows in advance which services they are purchasing and which tasks remain internal.
Documentation standards: appointment certificate, reporting line, audit templates
Each order in CIVAC produces a uniform package of documents. The appointment certificate states the legal basis, order date, scope, tasks, reporting line to the highest management level and independence clause. It is signed electronically, time-stamped and stored in the workspace. The reporting line template defines quarterly and event reports to management, with defined content, a distribution list and a confirmation of receipt. The task list takes over the legal obligations of the respective role (Art. 39 GDPR for the DPO, § 6 ASiG for the SiFa, § 7 GwG for the money laundering officer, § 8 LkSG for the human rights officer) and transfers them into operational workflows with due dates, reminders and escalation levels.
There are also 490 ready-to-use audit templates: list of processing activities according to Art. 30 GDPR, data protection impact assessment according to Art. 35 GDPR, technical and organisational measures according to Art. 32 GDPR, data breach reporting template according to Art. 33 GDPR, NIS-2 early warning 24h and follow-up report 72h, statement of applicability according to ISO/IEC 27001:2022 Annex A, risk treatment plan, internal audit program, management review, Risk assessment according to § 5 ArbSchG, list of hazardous substances according to GefStoffV, fire protection regulations according to DIN 14096, money laundering risk analysis according to § 5 GwG, suspicious activity reporting template according to § 43 GwG, whistleblower protection reporting process according to HinSchG, LkSG risk analysis, AGG complaint procedure, ESG materiality analysis according to CSRD, emergency plan, incident report according to 12. BImSchV and others. Each template is linked to the associated role, so that the tasks are not in a generic pool, but are assigned to the responsible person. Audit-proof, documented, §-proof. Anyone who opens a template will see the legal reason, the last editor, the last review date and the next due date on one page. This interlinking of submission, law and responsibility is the prerequisite for a supervisory authority to not only determine the existence of a document in an audit, but also its operational use in day-to-day business.
EU data residency, access rights, audit trail
The platform infrastructure is located entirely within the European Union. Hosting, backups, logging and support run in EU data centres, without data transfers to third countries without an adequacy decision. This architectural decision follows not only from Art. 44 GDPR, but also from Recommendations 01/2020 of the European Data Protection Board on supplementary measures after the Schrems II judgment (case C-311/18). For companies that fall under NIS-2 themselves or work with public clients, EU data residency is not optional, but rather a prerequisite for their own order processing in accordance with Art. 28 GDPR and for fulfilling sector-specific requirements such as BaFin's BAIT and VAIT or the BSI's C5 requirements.
Access rights are role-based. Management sees the reporting lines and the outstanding measures. The auditor sees the appointment certificates, the lists and the evidence on a key date. The representative sees his tasks, his audit templates and his escalation paths. Every write process creates an audit trail with a time stamp, user and version status, which cannot be edited later. The exports for supervisory authorities contain the complete change history, so that the auditor does not receive a snapshot, but rather a traceable history over the entire lifespan of a document. The appointment certificate, signed, filed, verifiable. Anyone who works with a classic filing cabinet cannot achieve this reproducibility of the evidence because neither the Sharepoint nor the mailbox meet the requirements of a revision-proof audit trail. The platform replaces manual maintenance with versioned, audit trail-capable documentation that meets every authority standard and, in case of doubt, can also be used as evidence in fine proceedings. For the management, this means security of evidence vis-à-vis supervisory authorities, auditors in the context of the annual audit and vis-à-vis major customers in supplier audits, without having to maintain separate files for each of these occasions.
Reporting line and escalation paths to management
A common finding in supervisory letters is: The representative exists, but the reporting line to management is not documented. The result is that the representative cannot pass on her observations or that the management receives the observations but does not act. Both are relevant to liability. Section 130 OWiG requires appropriate supervision by management; With a documented report from the representative without subsequent measures, the violation of the supervisory obligation is usually easier to prove than with a missing reporting line. From the management's perspective, the logic is reversed: a missing reporting line does not protect against liability, but is itself the finding that gives rise to liability.
CIVAC structures the reporting line in three levels. First level: a defined quarterly report for each role with standard points (open risks, status of measures, incidents, upcoming audits, regulatory changes, personnel capacity). Second stage: Reports on reportable events with defined thresholds, such as data breaches according to Art. 33 GDPR, IT security incidents under NIS-2, suspicious activity reports according to Section 43 GwG, information about the reporting office according to HinSchG or serious work accidents according to Section 193 SGB VII. Third stage: a documented escalation path to management and the supervisory board in the event of repeated unprocessed risks, with an escalation deadline and Confirmation of receipt. Deadline begins as soon as we become aware of it. Escalation is not a conflict instrument, but rather a liability anchor for the representative: she has fulfilled her duty when the report has been delivered and the management's subsequent action is documented. The platform records both sides, so that neither the representative nor the management is left without evidence in a later investigation. In practice, this also allows for better capacity planning: If the quarterly reports regularly show the same open risks, this is a signal to management that resources or authority are missing, and the escalation path becomes a control tool instead of a conflict tool.
SLAs: Two business days instead of two to six weeks
The classic appointment of an external representative in German medium-sized companies takes between two and six weeks. Bottlenecks include: scoping deadlines that move around the calendar, conflict checks without a clear procedure, purchase appointment certificates that are sent by post, NDA negotiations with three loops, a supplier onboarding from the purchasing department that itself takes two weeks, a data protection clearance from the legal department and a kick-off that slips into the next quarter. During this time, the regulatory duty is active, but the agent is not. It is precisely this gap that a supervisory authority asks about in an audit, and this gap is sanctioned with a fine according to Art. 83 Para. 4 GDPR or Section 30 OWiG.
CIVAC shortens the order to two working days. Day one: structured intake (entities, number of employees, processing categories, existing documentation, previous incidents, industry triggers), conflict check against the officer pool, draft contract from the template that has already been checked by a lawyer, NDA from the template that has been cross-checked, data access regulation for the workspace. Day two: signed appointment certificate, notification to the responsible supervisory authority where necessary (e.g. according to Section 38 Para. 2 BDSG to the data protection supervisory authority), publication of the contact details in the data protection information in accordance with Art. 13 GDPR, kick-off with the management to confirm the reporting line and the escalation paths. From this point on, the ongoing SLA of two working days applies to every contract review, every request for information according to Art. 15 GDPR, every impact assessment according to Art. 35 GDPR and every reportable threshold according to Section 7 GwG. The difference to classic models is not the quality of the representatives, but rather the reaction speed of the background process in which the representatives work. The appointment certificate, signed, filed, verifiable. The SLA is also fixed in the contract and not promised in a conversation, so that purchasing and legal departments can check in advance which service obligations the provider specifically assumes.
Interfaces: ISMS, GRC, HR, whistleblowers, suppliers
A realistic compliance structure does not happen in a vacuum. Companies usually already operate an information security management system according to ISO/IEC 27001:2022, a GRC tool for risks and audits, an HR platform for personnel files and mandatory training, a whistleblower solution for the internal reporting office according to HinSchG and supplier management for the LkSG and order processing contract landscape. CIVAC does not replace these systems, but rather integrates with them via defined interfaces. The ISMS provides the control maturity, the CIVAC workspace provides the order and the reporting line for the responsible ISB. The GRC tool carries out the risk inventory, CIVAC manages the person responsible for the measures, so that each risk is assigned to a named function and does not get stuck in an anonymous risk owner.
Operationally this means: The 93 controls according to Appendix A of ISO/IEC 27001:2022 are assigned to the information security officer in CIVAC. The list of processing activities in accordance with Art. 30 GDPR is assigned to the data protection officer. The money laundering risk analysis in accordance with Section 5 GwG is assigned to the money laundering officer. The LkSG risk analysis is assigned to the supply chain officer. The AGG Complaints Office according to Section 13 AGG receives its input from the HR platform. The whistleblower reports from the external reporting office flow into the workspace and are documented there. Who has which role in which system is defined once and reflected consistently across all audit templates, reporting lines and measures. When the ISO auditor checks the Statement of Applicability, he sees those responsible. When the supervisory authority checks the appointment certificate, it sees the same people responsible. This consistency is the value of the platform architecture and the reason why the CIVAC facts explicitly mention the integration with ISMS and GRC.
Turn reading into an assignment
The decision for a compliance platform is rarely a theoretical one. It is triggered when a supervisory letter is received, a major customer sends a supplier questionnaire with proof of representative, a board meeting takes up the risk from the ESG report, the NIS 2 Implementation Act comes into force or an incident requires a 72-hour report in accordance with Art. 33 GDPR. In each of these scenarios, time is of the essence, not budget. The question is not whether an agent will be appointed, but whether the appointment with the appointment document, reporting line and evidence is available on the day of the request or whether it first has to be reconstructed. The second variant is the more expensive because it not only increases the fine, but also ties up internal resources for weeks.
CIVAC is a compliance platform and officer-as-a-service. Licence the workspace for your internal representatives, or have our representatives order it. Both paths provide the same standard of documentation: appointment certificate with legal basis and reporting line, 490 audit templates, EU data residency, an SLA of two working days for the initial order and for the ongoing response, a named representative with an escalation path to management. To get started, send an email to info@civac.de or use the contact form on civac.de. The intake is available within the first working day, the signed appointment certificate is in the workspace on the second working day, the reporting line is active in the same week and the first audit templates are assigned to the person responsible. Turn reading into an assignment. The appointment certificate, signed, filed, verifiable. The auditor calls, the evidence is ready. These two sentences are not marketing statements, but operational descriptions of what the platform produces for its clients every day.
FAQ
What is CIVAC and how does the name relate to the Mexican research institution?
CIVAC is a German compliance platform and officer-as-a-service for 25 mandatory officer roles. The platform puts together appointment certificates, audit templates, reporting lines and EU data residency in one workspace. CIVAC is a German compliance platform and is not affiliated with the Mexican CIVAC (vaccine research). The two terms only share the acronym.
Which agent roles does CIVAC cover?
The platform covers 25 roles: data protection, information security, general compliance, money laundering, quality management, supply chain, fire protection, occupational safety, company doctor, hygiene, dangerous goods, hazardous substances, waste, water protection, pollution control, radiation protection, environmental protection, ESG, whistleblower protection, AGG, emergency, incident, inclusion, construction manager or SiGeKo as well as supplier auditor. Each role has its own module with order template and audit templates.
Does CIVAC appoint representatives itself or does the platform only provide tools?
Both are possible. In the first model, the company licences the workspace for its internal representatives. In the second model, CIVAC appoints external officers by name from its own officer pool. Both models use the same documentation standard, the same audit templates and the same workspace. Mixed forms are common, such as internal DSB and external ISB.
How fast is it to appoint an external representative via CIVAC?
The SLA for the first order is two business days instead of the industry standard two to six weeks. Day one includes intake, conflict review and draft contract, day two includes the signed appointment certificate, notification to the authorities where necessary and the kick-off with management. An SLA of two working days also applies to ongoing tasks (contract reviews, requests for information, DPIA).
Where is the data stored?
Hosting, backups, logging and support run exclusively in EU data centres. The EU data residency follows from Art. 44 GDPR and the recommendations 01/2020 of the European Data Protection Board on supplementary measures according to Schrems II. For companies under NIS-2 or with public clients, the EU data residency is a prerequisite for their own order processing according to Art. 28 GDPR.
How does CIVAC integrate into an existing ISMS or GRC tool?
CIVAC does not replace ISMS and GRC, but rather integrates them via defined interfaces. The 93 controls according to ISO/IEC 27001:2022 Appendix A are assigned to the information security officer. Risks from the GRC tool are linked to agent responsibilities. Who has which role in which system is defined once and consistently mirrored so that auditors see the same person responsible in every view.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.