Data Protection & Privacy, 31 May 2026, 12 min read

CIVAC vs. Kertos: Comparing Data Protection Automation for German Companies

By Lena Vogt

CIVAC and Kertos automate data protection processes. The difference lies in the model. This comparison describes the architecture, officer appointment, audit templates, EU data residency and escalation paths under Art. 33 GDPR – factually, without judgement, on the basis of publicly documented functions.

Since the GDPR came into force on 25 May 2018, companies with 20 or more people engaged in regular automated data processing have been obliged under § 38 BDSG to appoint a data protection officer. The obligation is static, but the market for data protection software is dynamic. Two providers are frequently mentioned in the same breath in the German-speaking mid-market: CIVAC and Kertos. Both address operational data protection work, both use automation, both want to accelerate audits.

This article contrasts the models without staging a competition. The focus is on three questions: which model bears responsibility when the supervisory authority calls? How are the 72 hours from Art. 33 GDPR operationalised? And what does the transition from data protection to information security under ISO/IEC 27001:2022 look like? The answers decide which platform suits which organisation.

Key Takeaways

  • CIVAC combines a workspace license with officer-as-a-service – Kertos focuses on a software workflow without integrated external appointment.
  • Both providers cover GDPR standard processes, but differ in NIS-2 notification paths, ISO 27001:2022 ISMS connection, and audit-template depth.
  • The selection criterion is not the feature set, but the answer to the question: who bears the documented responsibility in an emergency?

Starting Point: Why Data Protection Automation Is a Different Market in 2026

The GDPR is eight years old, the NIS-2 Directive has been implemented, the EU AI Act has applied to high-risk systems since August 2026. Data protection is therefore no longer isolated, but interlinked with information security, the supply chain and AI governance. Platforms that only maintain records of processing do not cover today's needs. What is in demand are end-to-end compliance workspaces in which records, processing on behalf, risk analyses, employee training and notification processes come together.

CIVAC positions itself as a compliance platform and officer-as-a-service with 25 officer roles, 93 controls under ISO/IEC 27001:2022, and 37 ready-to-use audit templates. Kertos positions itself as data protection automation with a focus on GDPR workflows and privacy operations. Both providers process data in the EU. The first visible difference lies in the breadth: CIVAC addresses all officer functions, Kertos concentrates on the data protection mandate.

For companies with 250 or more employees and distributed sites, this raises an architecture question. A pure data protection solution needs a connection to the information security management system. A cross-platform solution such as the workspace of the external data protection officer saves this bridge, because the ISMS and the DPMS lie in the same tenant space. Others run compliance like a filing cabinet. We run it like software.

Model Comparison: License, Officer-as-a-Service, or Both

The central difference lies in the appointment model. Kertos delivers software that an internal or external data protection officer uses. The appointment of the person is made separately via law firms or freelance consultants. CIVAC offers both paths in parallel: license the workspace for your internal officers, or have our officers appointed. This dual structure shifts the question of responsibility. Whoever appoints is liable under § 6 BDSG and § 38 BDSG. Whoever only delivers software is not liable for the conduct of the mandate.

For mid-sized companies without a dedicated DPO, the officer-as-a-service model is relevant, because the appointment is documented, the reporting line to management is defined, and availability is regulated in a verifiable way. The CIVAC appointment certificate is signed, filed and verifiable. With pure software models, the appointment and the workflow have to be brought together externally.

For larger organisations with their own data protection team, the workspace license alone may be sufficient. Here the question is whether the tool covers further roles, for example information security, whistleblower protection or anti-money laundering, without a license change. CIVAC bundles 25 roles in one tenant structure, Kertos remains in the data protection focus. Both paths are legitimate. The decision depends on the internal setup, not on the feature catalogue.

Record of Processing, Processing Agreements, TIA: Where Workflows Actually Differ

The record of processing activities under Art. 30 GDPR is mandatory from the first processing operation carrying a particular risk, and in any case for companies with 250 or more people. Both providers map the record as a structured database. Differences show up in the pre-filling and in the audit templates.

CIVAC provides 37 ready-to-use audit templates that cross-link the record, processing on behalf under Art. 28 GDPR, the transfer impact assessment under Schrems II, the data protection impact assessment under Art. 35 GDPR, and ISMS controls. The templates are version-controlled and auditable. Kertos also works template-based, with the focus on privacy workflows such as data subject rights, access requests and cookie management.

For companies with third-country transfers to the USA, the TIA depth is relevant. Since the EU-US Data Privacy Framework of 10 July 2023, certified US recipients can be used more easily, but the risk analysis remains required. Both platforms map this. CIVAC links the TIA with the ISMS risk register and the supplier assessment, so that a third-country transfer simultaneously appears as an ISO 27001 risk. The auditor calls, the evidence is ready. With isolated data protection tools, the bridge has to be built manually.

NIS-2 Notification Path and the Data Breach Deadline: What Counts in an Emergency

Art. 33 GDPR requires the notification of a data breach to the supervisory authority within 72 hours of becoming aware. § 32 NIS2UmsuCG adds, for KRITIS and essential entities, a 24-hour early warning and a 72-hour follow-up report to the BSI. These deadlines run in parallel, but reach different addressees.

A data protection platform without a NIS-2 module covers only one of the two paths. CIVAC integrates both notification paths into one incident workflow. A detected vulnerability is simultaneously classified as a GDPR incident and as a NIS-2 security incident. The 24-hour early warning to the BSI and the 72-hour report to the data protection supervisory authority run from the same source, with the same description of the facts and the same versioning.

The clock starts on awareness. The platform stamps the moment as soon as a controller has taken note of the facts. This is relevant because supervisory authorities reconstruct the start of the deadline in the case of late notifications. Fines under Art. 83 GDPR reach up to EUR 20 million or 4 percent of global annual turnover. Under NIS-2, up to EUR 10 million or 2 percent of group turnover is provided for essential entities. Anyone who runs both paths separately doubles the sources of error. More background is provided by the NIS-2 implementation guide for Germany.
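The dual clock described in this section, as an added worked example that is not CIVAC's or Kertos's code: it derives both notification paths from one awareness timestamp and flags late or missing reports. The entity flags, report labels and timestamps are constructed assumptions, not values taken from either platform.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Notification:
    label: str        # which report
    addressee: str    # who receives it
    deadline: datetime

def required_notifications(awareness: datetime, personal_data_affected: bool,
                           nis2_entity: bool) -> list[Notification]:
    """Every report the incident triggers, each with its own clock from awareness."""
    # The authority reconstructs the start of the clock, so an ambiguous
    # (naive) local time is not acceptable as evidence: require a timezone.
    if awareness.tzinfo is None:
        raise ValueError("awareness timestamp must carry a timezone")
    due = []
    if personal_data_affected:  # Art. 33 GDPR: 72 h to the supervisory authority
        due.append(Notification("Art. 33 GDPR breach notification",
                                "data protection supervisory authority",
                                awareness + timedelta(hours=72)))
    if nis2_entity:  # § 32 NIS2UmsuCG: 24 h early warning, 72 h follow-up, both to the BSI
        due.append(Notification("NIS-2 early warning", "BSI", awareness + timedelta(hours=24)))
        due.append(Notification("NIS-2 follow-up report", "BSI", awareness + timedelta(hours=72)))
    return due

def check_submissions(due: list[Notification], submitted: dict) -> dict:
    """Status per report: on time, late by N h, or missing."""
    status = {}
    for n in due:
        sent = submitted.get(n.label)
        if sent is None:
            status[n.label] = "missing"
        elif sent <= n.deadline:
            status[n.label] = "on time"
        else:
            late_h = (sent - n.deadline).total_seconds() / 3600
            status[n.label] = f"late by {late_h:.1f} h"
    return status

# Constructed sample: awareness stamped 09:15 UTC; early warning sent 30 h later
# (6 h late), GDPR notification after 70 h (on time), NIS-2 follow-up never sent.
AWARENESS = datetime(2026, 3, 3, 9, 15, tzinfo=timezone.utc)
SAMPLE_SUBMISSIONS = {
    "NIS-2 early warning": AWARENESS + timedelta(hours=30),
    "Art. 33 GDPR breach notification": AWARENESS + timedelta(hours=70),
}

def sample_status() -> dict:
    return check_submissions(required_notifications(AWARENESS, True, True), SAMPLE_SUBMISSIONS)
```

Running the two paths from one stamped record is what makes a late early warning visible while the GDPR report is still on time.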

ISO/IEC 27001:2022 and EU Data Residency: The Infrastructure Question

ISO/IEC 27001:2022 reduced the Annex A control set from 114 to 93 controls in four domains. The transition is binding by 31 October 2026. Data protection platforms that do not map an ISMS leave the mid-market alone at exactly this intersection. CIVAC delivers the complete control set with measures, evidence and responsible persons. Kertos leaves the ISMS to the customer or affiliated consultants.

The second infrastructure question is data residency. The data held in a data protection platform is itself bound under Art. 5 GDPR to purpose limitation and security. A US-hosted compliance platform is potentially subject to the CLOUD Act. CIVAC processes exclusively in the EU, with documented processors and SCC-based subprocessors. This architecture is relevant for banks, insurers, energy suppliers and healthcare organisations that have their own KRITIS obligations.

Kertos also processes in the EU. The difference lies in the depth of the offering: CIVAC allows sub-tenants per subsidiary, separate tenant spaces for internal audits, and a reporting line to management via the platform. The combination of compliance platform and officer-as-a-service carries the organisational complexity, not just the technical one. For pure holding structures without data protection complexity, the simpler model is sufficient. Audit-proof, documented, Article 30-proof.

Audit Templates, Evidence Preservation and Versioning

Audits rarely fail on content, often on version status. Supervisory authorities do not demand the current document, but the document that applied at the time of the incident. Platforms without hard versioning cannot deliver this. CIVAC versions every audit template, every change of mandate and every risk assessment. The 37 templates cover the Art. 30 record, processing agreements under Art. 28, DPIAs under Art. 35, TOMs under Art. 32, reporting-line appointments and training records.

Kertos also delivers templates, with a focus on data protection workflows. Anyone who needs an integrated ISMS or a whistleblower system under HinSchG supplements this with their own tools. That is legitimate, but it increases integration costs. In a coordinated audit that examines data protection, the ISMS and whistleblower protection at the same time, the audit trails from three systems have to be brought together.

The appointment certificate, signed, filed, verifiable, is part of the standard path on the CIVAC platform. With an external appointment, the person appears as an officer in the tenant space, the reporting line to management is stored, and the BfDI notification form is generated pre-filled. Pure data protection tools hand this step over to the appointment paperwork, which is managed separately. In large audits, every second of search work counts.

Costs, SLA and Appointment Time

Price comparisons between CIVAC and Kertos are only valid if the same service is compared. A workspace license for 10 to 50 data protection roles lies in the low four-figure range per year with both providers. Officer-as-a-service differs structurally, because here an appointable person including indemnity insurance and a reporting line is delivered. The market price for external data protection officers typically lies between EUR 800 and 4,000 per month, depending on employee numbers, processing complexity and third-country transfers.

CIVAC offers an SLA of 2 business days for the appointment of an officer. Classic consultancy firms lie between 2 and 6 weeks. The difference is operationally relevant, because the obligation to appoint does not pause once an officer has dropped out. A short SLA reduces the compliance vacuum.

With Kertos, the appointment time results from the external consulting network that is engaged in parallel. That is not a shortcoming, but a different model. Anyone who prefers software and handles the personnel question themselves comes out cheaper with the pure license. Anyone who wants to bundle the appointment certificate and software in one delivery note chooses the platform-and-officer model. The maths becomes simple as soon as the internal search hours are priced in.

Migration: Switching from Kertos to CIVAC or Vice Versa

A platform change is not a legal event, but an operational one. The GDPR requires continuity: the record of processing, processing agreements, DPIAs and notification paths must remain available without gaps. Both providers export data in structured formats. CIVAC supports CSV, JSON and XLSX export, plus a PDF audit trail.

The typical switch from a data protection point solution to a platform solution occurs when NIS-2 obligations are added, an ISMS certificate is sought, or a whistleblower system under HinSchG becomes mandatory. Mid-sized companies with 250 to 5,000 employees often consolidate onto a tenant platform in such phases, in order to reduce licenses, reporting lines and audit paths.

Conversely, consolidating onto a pure data protection tool can make sense when other officer obligations remain external and data protection is organisationally separated from the ISMS. This separation is common in regulated groups with their own security departments. The migration time depends on the volume: a mid-sized company with 60 processing activities and 40 processing agreements reaches a fully migrated state within 4 to 6 weeks. Anyone who also takes over the ISMS and the reporting office in the same time plans for 8 to 12 weeks.

Decision Path: Workspace, Appointment, or Both

The choice between CIVAC and Kertos is not a question of function, but a question of model. Anyone seeking a pure software solution and handling the officer appointment separately checks both providers for record depth, cookie management and data subject rights workflows. Anyone who wants to bundle the platform and the appointment in one hand checks CIVAC for officer-as-a-service with a documented appointment certificate, reporting line and 2-business-day SLA.

The compliance platform and officer-as-a-service architecture is particularly relevant for mid-sized companies that have to carry several officer roles without their own compliance department. License the workspace for your internal officers, or have our officers appointed. Both paths lie in the same tenant space, both use the same 93 controls under ISO 27001:2022, both run with EU data residency.

Turn reading into a mandate. Anyone wishing to make a concrete decision between a workspace license and an external appointment can send a short outline of their needs to info@civac.de or use the contact form. The initial review contains an assessment of the scope of obligations, employee numbers, third-country transfers and NIS-2 exposure. The answer comes within 2 business days, with concrete options, without sales pressure.

FAQ

Is CIVAC a direct competitor of Kertos?

Partly. Both address data protection automation. CIVAC additionally covers 24 further officer roles, an ISMS under ISO 27001:2022, and officer-as-a-service. Kertos concentrates on privacy workflows. The models overlap, but are not identical.

Can we migrate Kertos data to CIVAC?

Yes. The record of processing, processing agreements, DPIAs and training records can be exported as CSV or JSON and imported into the CIVAC workspace. An accompanied migration for mid-sized companies typically takes 4 to 6 weeks, depending on the data volume.

How quickly does CIVAC provide an external data protection officer?

The SLA for the appointment is 2 business days. Classic law-firm models lie between 2 and 6 weeks. The appointment certificate is signed electronically, the reporting line to management is stored in the workspace.

Which data residency does CIVAC offer?

EU only. All tenant data, audit templates and incident workflows are processed in EU data centres. Subprocessors are documented and contractually bound via SCCs. Third-country transfers are made transparent within the tenant.

Does CIVAC cover NIS-2 and the GDPR in one workflow?

Yes. An incident can be classified simultaneously as a GDPR data breach under Art. 33 and as a NIS-2 security incident under § 32 NIS2UmsuCG. The 24-hour early warning to the BSI and the 72-hour report to the supervisory authority run from the same source.

What does the CIVAC workspace cost compared to Kertos?

Both lie in the low four-figure range per year for data protection licenses. Officer-as-a-service with an appointment certificate lies, at CIVAC, between EUR 800 and 4,000 per month depending on employee numbers and processing complexity. A binding calculation is provided by the initial review.
