CIVAC Compliance Platform: German Cloud, All 25 Officer Roles, One Workspace
CIVAC is a German compliance platform with EU data residency, ISO/IEC 27001:2022-compliant ISMS and 25 officer roles available live. The article explains architecture, delivery models and the difference from generic GRC suites.
The CIVAC compliance platform has been operational since 2026 and covers all 25 legally relevant officer roles for German companies – from the Occupational Safety Specialist under § 5 ArbSchG to the Information Security Officer under §§ 30 and 38 BSIG. The infrastructure runs exclusively on EU servers with AES-256 encryption at rest and TLS 1.3 in transit; the internal ISMS is structured in accordance with ISO/IEC 27001:2022 and is tested annually by external penetration tests.
This article describes the technical architecture of the platform, the six functional surfaces of the workspace, the two commercial delivery models, and the compliance posture that CIVAC makes demonstrable for companies with enhanced regulatory requirements – operators of critical infrastructure, NIS-2-obligated entities, ISO 27001 certification-required organisations.
Key Takeaways
- The CIVAC platform hosts all compliance data exclusively in the EU, thereby fulfilling the data residency requirements of Art. 44–49 GDPR without additional protective measures.
- All 25 officer roles are available live on one platform; workspace licence and Officer-as-a-Service can be combined without requiring separate tools.
- The SLA of two working days for contract, person and appointment certificate structurally distinguishes CIVAC from classic consultant retainers that require 2 to 6 weeks of lead time.
Platform Architecture: EU Data Residency and Security Standards
CIVAC operates its infrastructure exclusively on European servers. All compliance data – appointment certificates, audit reports, training records, incident notifications, records of processing activities – is stored and processed within the EU. Transfer to third countries does not occur; Standard Contractual Clauses under Art. 46 GDPR are therefore not required for the platform use itself.
The technical security architecture comprises:
- AES-256 encryption at rest for all stored data
- TLS 1.3 for all data transfers in transit
- ISO/IEC 27001:2022-compliant ISMS with 93 controls
- Annual external penetration test by an accredited auditor
- BSI C5 (Type 1, declarable) – attestation basis for operators of critical infrastructure
- TISAX readiness for automotive customers
The data processing agreement under Art. 28 GDPR is standardised and concluded with every customer. The audit-proof audit log records all user actions with timestamps and immutably.
For companies under NIS-2 obligations, the integrated notification path is relevant: the 24-hour early warning and 72-hour follow-up notification under §§ 30, 38 BSIG are implemented as platform functions – not as an optional module but as a standard workflow in the Information Security Officer area.
The Six Workspace Surfaces: Structure and Function
The CIVAC workspace is divided into six functional surfaces that map the complete work cycle of an officer:
- Tasks: Template-driven daily and weekly operations. Incoming emails are converted directly into tasks; hundreds of pre-configured prompt templates reduce routine work. Recurring cadences (monthly reviews, annual briefings) are generated automatically.
- Training: Mandatory course modules with integrated knowledge test, certificate issuance and completion tracking. Training records are documented in compliance with DGUV Regulation 2 and are exportable.
- Projects: Structured five-step process – scope, uploads, queries, risks, report – for audits, assessments and reports. The 490 ready-to-use audit templates cover all 25 officer roles.
- Documentation: Monthly consolidation workflow that combines completed tasks, training sessions and audit findings into export-ready compliance evidence. Auditors and authorities can access structured reports directly.
- Questions: AI assistant with confidence score and cited sources. Uncertain answers are escalated with one click to external specialists without leaving the workspace.
- Templates: Catalogue with customisable prompt templates in four categories: Audit, Assessment, Training, Operational. Templates are updated with legislative changes.
All six surfaces are usable across roles: a Data Protection Officer, an Information Security Officer and a Compliance Officer work in the same environment with separate data spaces and shared reporting.
The 25 Officer Roles: Coverage and Legal Bases
CIVAC covers all 25 legally relevant officer roles that a German company must appoint depending on sector, size and field of activity. The eleven typically mandatory roles include:
- Data Protection Officer – Art. 37 GDPR · § 38 BDSG
- Compliance Officer – IDW PS 980 · § 130 OWiG
- Information Security Officer – ISO/IEC 27001:2022 · §§ 30, 38 BSIG · NIS-2
- Occupational Safety Specialist – § 5 ArbSchG · DGUV Regulation 2
- Fire Safety Officer – DGUV I 205-023 · DIN 14095
- Hazardous Substances Officer – § 6 GefStoffV · TRGS 400
- Environmental Officer – BImSchG · WHG · ISO 14001
- Anti-Money Laundering Officer – § 7 GwG
- Quality Management Officer – DIN EN ISO 9001:2015
- Supply Chain Due Diligence Officer – § 4 LkSG
- Equal Opportunities Officer – § 13 AGG
The fourteen sector-specific roles – including Occupational Physician (§ 3 ArbSchG), Dangerous Goods Officer (§ 3 GbV), ESG Officer (CSRD), Major Hazards Officer (12th BImSchV) and others – are also fully mapped in the workspace. A company selects the relevant roles; areas not required remain inactive.
Two Delivery Models: Workspace Licence and Officer-as-a-Service
CIVAC structures its offering in two commercial models that can be used individually or in combination:
Model 1 – Tool Licence (Self-Service): The customer acquires a workspace licence for their internal officers. The appointment relationship remains with the customer; CIVAC provides the platform, the templates, the AI assistant and the documentation structure. This model is suitable for companies that have qualified personnel internally and are seeking a better working framework.
Model 2 – Officer-as-a-Service: CIVAC formally appoints the officer for the customer – written certificate, defined reporting line to management, fixed reporting interval. The external officer works in the same workspace as the internal team. The SLA is: contract, person and certificate in two working days. Licence the workspace for your internal officers or appoint our officers.
Model 3 – Mixed Model: Internal DPO function on the licence, external ISB and external Occupational Physician via Officer-as-a-Service. All three work in the same workspace, share the same audit trail and the same reporting. This is the most economically sensible configuration for many mid-sized companies.
The data processing agreement under Art. 28 GDPR as well as the appointment contracts for Officer-as-a-Service roles are standardised and provided upon contract conclusion – no separate contract negotiation procedure required.
NIS-2 and Critical Infrastructure: What the Platform Delivers for Regulated Operators
For operators of essential and important entities under NIS-2 (Directive 2022/2555/EU, transposed into German law by the NIS2UmsuCG), CIVAC provides specific functions. The maximum fines – €10 million or 2% of global annual turnover for essential entities, €7 million or 1.4% for important entities – make evidence of a functioning ISMS non-optional.
CIVAC maps the NIS-2 notification path as a standard workflow:
- Early warning within 24 hours of becoming aware of a significant security incident
- Follow-up notification within 72 hours with initial assessments
- Final report after complete processing
The Information Security Officer works in a pre-structured ISMS module with 93 controls under ISO/IEC 27001:2022. Risk assessments, Statement of Applicability and risk treatment plans follow the Annex A framework; all documents are stored audit-proof in the audit trail.
For operators of critical infrastructure that must demonstrate BSI C5 attestation, the declarable C5 compliance of CIVAC's infrastructure is an immediately usable basis. The annual penetration test reports can be viewed on request in the customer portal. Also see the requirements for an external Information Security Officer.
Data Protection Compliance: GDPR, Art. 28 and the 72-Hour Deadline
The GDPR places specific requirements on the platform itself and on its use by Data Protection Officers. Art. 33 GDPR prescribes notification of data breaches to the competent supervisory authority within 72 hours of becoming aware. The deadline runs from awareness – not from the decision, not from internal escalation.
CIVAC maps this workflow in the DPO area of the workspace: a reported data protection incident is immediately created as a task with a running deadline timer. The notification obligation under Art. 33 GDPR, the information to data subjects under Art. 34 GDPR and the internal documentation under Art. 5 para. 2 GDPR (accountability) are structured as separate, auditable steps in the workflow.
The record of processing activities (Art. 30 GDPR) is maintained in the documentation module and can be prepared at any time as a structured export for supervisory authorities. Data protection impact assessments (Art. 35 GDPR) are mapped as a project type in the project module – including the five-step structure: scope, uploads, queries, risks, report.
The data processing agreement under Art. 28 GDPR between CIVAC and the customer governs instruction authority, sub-processor list, deletion concept and technical and organisational measures (TOM). The TOM are structured in accordance with ISO/IEC 27001:2022 and documented in the customer contract as an annex.
Difference from Generic GRC Suites and Enterprise Platforms
Generic GRC suites (Governance, Risk, Compliance) – marketed by major software providers for large corporations – are not designed for the German officer market. They abstract compliance as a risk framework and policy management, but do not structurally map the formal appointment obligation under German law. An appointment certificate is not a risk control; it is a legal document with specific requirements under the GDPR, BDSG, BSIG, ArbSchG and GwG.
The structural difference between CIVAC and an enterprise GRC suite:
| Feature | Enterprise GRC | CIVAC |
|---|---|---|
| Target group | Corporate CRO, Group Compliance | SME management, legal counsel, CO |
| Appointment obligation mapping | Not available | Certificate, reporting line, SLA 2 working days |
| Officer-as-a-Service | Not available | 25 roles, certified partner network |
| German legal reference | Generic (SOX, COSO) | GDPR, BDSG, BSIG, ArbSchG, GwG, LkSG |
| Data residency | Often US cloud | Exclusively EU |
| Implementation effort | 6–18 months | Days to weeks |
Others manage compliance like a filing cabinet. We manage it like software. The difference shows not in the presentation but in the audit: the auditor calls and the evidence is ready.
Onboarding and Implementation: From Contract Conclusion to First Certificate
CIVAC is designed as a self-service platform; implementation consulting by external system integrators is not required. Onboarding follows a structured path:
- Create role profile (Day 1): The company states which officer roles are required. CIVAC checks the appointment obligation on the basis of the stated headcount, sector and regulatory requirements and recommends a role configuration.
- Configure workspace (Days 1–2): The relevant role modules are activated; pre-configured audit templates and training modules are immediately available. Company-specific templates can be customised on the basis of the 490 standard templates.
- Issue appointment certificates (Day 2): For Officer-as-a-Service roles, the external officer is named, the appointment certificate issued and the reporting line to management documented. SLA: two working days.
- Start training: Mandatory training for internal officers and employees is set up in the training module; certificates are automatically issued after passing the test.
- Open first audit cycle: The project module opens the first audit or assessment with the appropriate template; scope, risks and report follow the five-step standard process.
For SMEs without their own compliance function, the model is designed so that the first audit report can be available within four weeks of contract conclusion – without external consultants, using only the platform functions and the assigned officer.
View the Platform or Commission Directly
The CIVAC compliance platform is not a generic GRC suite and not an EHS tool. It is designed exclusively for the 25 officer roles under German and European law, operated entirely in the EU, and structured as a combination of workspace licence and Officer-as-a-Service.
Audit-ready, documented, GDPR-ready, NIS-2-ready. This applies to the platform itself – and to the compliance records that your officers produce within it.
If you wish to concretely examine which roles must be appointed for your company, which model – licence, Officer-as-a-Service or combined – is appropriate, and how the workspace is structured, speak with CIVAC. Turn reading into action: info@civac.de.
FAQ
Where is the data stored in the CIVAC platform?
All data is stored and processed exclusively on servers within the European Union. Transfer to third countries does not occur. The infrastructure is certified to ISO/IEC 27001:2022 and is tested annually by external penetration tests.
Is CIVAC an alternative to enterprise GRC suites such as RSA Archer or ServiceNow GRC?
CIVAC is positioned functionally differently from enterprise GRC suites: the focus is on the 25 German officer roles, the formal appointment obligation and the Officer-as-a-Service model. Enterprise GRC suites abstract at the risk framework level and do not structurally map the German appointment obligation.
Can CIVAC be used as a data processor under Art. 28 GDPR?
Yes. CIVAC concludes a standardised data processing agreement under Art. 28 GDPR with every customer. This contains instruction authority, sub-processor list, deletion concept and technical and organisational measures under ISO/IEC 27001:2022.
How quickly is an external officer formally appointed via CIVAC?
CIVAC's SLA is: contract, person and appointment certificate in two working days. This is considerably faster than classic external consultant retainers, where the contracting process typically takes 2 to 6 weeks.
Does CIVAC support the NIS-2 notification obligations under BSIG?
Yes. The 24-hour early warning workflow and the 72-hour follow-up notification under §§ 30, 38 BSIG are implemented as standard workflows in the Information Security Officer area of the platform. The notification paths are not optional but form part of the ISB role module.
How many audit templates are available in the CIVAC workspace?
490 ready-to-use audit templates cover all 25 officer roles. The templates follow the five-step CIVAC project process (scope, uploads, queries, risks, report) and are updated with legislative changes.
Sounds like a lot of work?
Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.