Booking a CIVAC Compliance Platform Demo: Process, Preparation, and Next Steps

The GDPR, the Federal Data Protection Act (BDSG), the BSI Act (BSIG) in conjunction with NIS-2, the Money Laundering Act (GwG), the Supply Chain Due Diligence Act (LkSG): German companies with 50 or more employees are often subject to five or more officer obligations simultaneously. Each role carries its own appointment obligation, its own documentation requirements, and its own deadlines. The CIVAC compliance platform consolidates all 25 officer roles into a shared workspace with a unified audit trail, training management, and reporting line to senior management.

A platform demo lasts 60 minutes and covers full operational use: tasks with due dates, projects with five fixed process steps, the documentation pipeline, and the AI assistant with confidence score. This article explains the demo flow, useful preparation steps, and the options available after the session.

The CIVAC workspace organises each officer role into six operational areas that are structurally identical but populated with role-specific content. This uniform architecture enables organisations to manage all officers on a single platform without introducing and maintaining a separate tool for each role.

Tasks: Template-based task list with due dates, e-mail intake, and recurring cadences. For the Data Protection Officer under Art. 37 GDPR, this area includes the monthly review of the records of processing activities and monitoring of the 72-hour notification deadline under Art. 33 GDPR. Every task is logged in the audit trail.

Training: Mandatory training modules with integrated assessment, certificate, and completion rate per employee group. Training records are directly accessible in the audit trail, filterable by personnel group, and exportable on request.

Projects: Structured audit workflow with five fixed steps: scope, uploads, queries, risks, report. 37 ready-to-use templates are available for ISO/IEC 27001:2022 audits; analogous template sets exist for other role areas.

Documentation: Monthly consolidation of completed tasks, training records, and audit results into an exportable compliance report. GDPR-compliant export with data residency exclusively in the EU. Questions: AI assistant with confidence score and regulatory citations. Templates: Cross-role template catalogue for audits, assessments, training, and operations.

The six workspace areas are structured identically across all 25 officer roles, meaning that switching between roles within the workspace requires no additional familiarisation. Anyone familiar with the Data Protection Officer workspace will immediately find their way around the Information Security Officer workspace. This reduces the onboarding effort when introducing additional roles to a minimum.

CIVAC covers all 25 officer roles that can be appointed under German law. Eleven roles are mandatory for most companies above a certain size or operating in a particular sector; a further fourteen roles are sector-specific. The demo can be focused on the roles relevant to the respective organisation — or can show all of them if a comprehensive role overview is the primary objective.

The eleven commonly mandatory roles include: Data Protection Officer (§ 38 Federal Data Protection Act (BDSG) · Art. 37 GDPR), Compliance Officer (IDW PS 980 · § 130 OWiG), Information Security Officer (ISO/IEC 27001:2022 · §§ 30, 38 BSI Act (BSIG)), Occupational Safety Specialist (§ 5 ASiG · DGUV V2), Fire Safety Officer (DGUV I 205-023 · DIN 14095), Hazardous Substances Officer (§ 6 GefStoffV), Environmental Officer (BImSchG · WHG), Anti-Money Laundering Officer (§ 7 Money Laundering Act (GwG)), Quality Management Officer (DIN EN ISO 9001:2015), Supply Chain Officer (§ 4 Supply Chain Due Diligence Act (LkSG)), and Equal Opportunities Officer (§ 13 AGG).

Sector-specific roles include, among others, the Occupational Health Physician under § 3 ASiG, the Hygiene Officer under § 36 IfSG, the ESG Officer under CSRD and ESRS, and the Internal Reporting Channel Officer under HinSchG. The complete list with legal bases and thresholds is available at civac.de/de/roles.

Many mid-sized companies underestimate the number of their officer obligations. A manufacturing company with 200 employees in the chemicals sector may simultaneously be subject to nine or more appointment obligations. The demo makes these overlaps visible.

The appointment obligation overview is also a strategic planning tool: companies that intend to expand their officer structures over the next twelve months — for example, due to planned growth beyond NIS-2 thresholds or a CSRD reporting obligation from 2025 onwards — can develop a roadmap for officer appointments during the demo.

Structured preparation makes the demo considerably more productive and reduces the time required for follow-up. Three steps are recommended.

Step 1 – Complete the appointment obligation checklist: Which officer roles are currently appointed? Which are missing? Is there an ongoing audit or review by a regulatory authority or auditor? The answers allow the CIVAC account manager to align the demo with the specific gaps identified. Anyone without time to complete the checklist beforehand can do so as the first step of the demo itself — this incurs no additional time.

Step 2 – Review existing documentation: Are existing certificates of appointment available? In what format is documentation currently maintained — Excel, e-mail folders, a separate tool? This information determines whether the demo prioritises the initial appointment workflow or the migration workflow. In practice, migrating existing documentation into the CIVAC workspace is simpler than often expected, as existing certificates can be imported directly.

Step 3 – Identify participants: The most effective setup includes one person from senior management to represent the liability perspective and one person who works operationally with compliance documentation. If an internal officer has already been appointed, their attendance is strongly recommended. Three to four participants is the typical size for a productive demo session.

For organisations that need to fill multiple roles simultaneously, selecting parallel roles during the demo is advisable. CIVAC coordinates parallel appointments within the same two-day window.

CIVAC distinguishes between two demo types that set different focal points but showcase the same platform. The choice depends on whether the organisation has internal officers, is planning external officer appointments, or wishes to combine both approaches.

The Platform Demo is aimed at organisations evaluating the CIVAC workspace as a tool licence for their internal officers. The focus is on the six workspace areas, the audit trail, the template library, and the AI assistant. Typical questions in this demo: How do I import existing documentation? How does the workspace automatically carry a task forward to its next due date? How do I export the annual report for the supervisory board? How are training records filtered by personnel group?

The Officer-as-a-Service Demo is aimed at organisations wishing to fill one or more officer roles externally. The focus is on the certificate of appointment workflow, the partner network logic, the SLA, and the reporting line to senior management. Typical questions: Who is the specific officer? How is the reporting line structured? What happens if the appointed officer is unavailable?

Many organisations book a combined demo covering both types. The hybrid model is the most common outcome at CIVAC: internal officers — such as the Compliance Officer — on the licence; external specialist roles — such as the Data Protection Officer or the Occupational Health Physician — via Officer-as-a-Service.

The combined demo is particularly well suited to organisations currently weighing the decision between internal and external appointment for a given role. During the demo, both options can be shown side by side: What does the workspace look like for an internal officer? How does the Officer-as-a-Service process differ? This direct comparison significantly shortens the evaluation process.

The demo showcases three areas of the platform that are consistently rated as decisive in compliance evaluations: audit trail, deadline management, and AI assistant. These three areas form the core of day-to-day compliance operations.

Audit Trail: Every task, every training certificate, every project outcome, and every certificate of appointment is immutably logged in the audit trail with a timestamp. In the demo workspace, an audit trail spanning a twelve-month sample period is shown: complete traceability from initial appointment through ongoing tasks to the annual report. When an auditor calls, the evidence is ready — exportable at the click of a button.

Deadline Management: The demo shows how deadlines are automatically derived from the applicable regulatory provisions. The 72-hour notification deadline under Art. 33 GDPR is counted down from the moment the incident is recorded; the Data Protection Officer receives a reminder at 48 hours and again at 24 hours. The 24-hour early warning and the 72-hour follow-up notification under NIS-2 (§§ 30, 38 BSI Act (BSIG)) are mapped analogously.

AI Assistant: The questions area contains an AI assistant with a confidence score and regulatory citations. The demo includes a live query; the assistant responds with a source reference and, where ambiguity exists, outputs a confidence score below 70%, which automatically triggers a recommendation to escalate to external legal counsel. This mechanism protects against self-interpretation on complex regulatory questions.

For entities within scope of NIS-2, deadline management is of particular relevance: the 24-hour early warning under § 30 BSI Act (BSIG) requires an automated trigger mechanism that is virtually impossible to meet reliably through manual processes. The CIVAC workspace addresses this requirement through the role-specific notification pathway of the Information Security Officer.

Compliance platforms process sensitive internal company data: appointment certificates, audit reports, data breach notifications, training records, records of processing activities. The requirements for data security are correspondingly high, and prospective clients rightly ask these questions before the demo. CIVAC answers them with verifiable standards.

CIVAC operates an ISMS per ISO/IEC 27001:2022 with 93 implemented controls. Data is stored exclusively in the EU; there is no routing through third countries and no sub-processing outside the EEA. Communication to the platform is via TLS 1.3; data at rest is encrypted with AES-256. Penetration tests are conducted annually by independent external auditors.

For KRITIS operators and NIS-2-affected entities, EU data residency is a formal requirement. Section 30 BSIG requires processing in secure environments for critical facilities. CIVAC fulfils this requirement and can provide a BSI C5 self-declaration and a TISAX readiness certificate upon request.

In the demo workspace, only synthetic test data is processed. Prospective client contact data is processed per Article 6(1)(b) GDPR for pre-contractual purposes and deleted immediately upon objection. The test session is completely and irreversibly deleted within 24 hours after the demo.

For companies in the financial sector, GDPR-compliant processing in the CIVAC workspace is also relevant with respect to BaFin requirements: BaFin circulars and MaRisk requirements demand verifiable data protection controls. EU data residency and the ISO 27001 standard fulfil these requirements and can be referenced in the demo conversation.

After the demo, prospective clients receive a written proposal with a transparent pricing structure. CIVAC works with monthly and annual pricing; there are no hidden setup fees or per-user costs for internal workspace members. This pricing transparency is intentional: those who have seen what the platform delivers in the demo should encounter no unpleasant surprises in the proposal. This creates a reliable basis for budget planning.

The pricing structure distinguishes two models. The workspace licence is a monthly or annual subscription for one or more officer roles. The licence includes full workspace access, all templates, the AI assistant with confidence score, and the complete audit trail. The Officer-as-a-Service rate is a monthly flat fee for the external officer appointment including workspace licence. The flat fee covers the officer's remuneration, workspace licence, and CIVAC coordination.

For companies appointing multiple roles simultaneously, cross-role package pricing is available. Prices are individually calculated in the proposal after the demo, depending on role mix, company size, and contract term. The calculation is transparent and fully itemised on request.

Traditional external officer appointments without a platform cost the mid-market typically between €150 and €400 per month for a single external DPO at market standard. CIVAC is positioned in the mid-price segment while offering a significantly higher documentation standard and full workspace operations.

Pricing transparency also has a practical aspect for budget planning: companies wishing to appoint multiple roles on an annual cycle can calculate the total budget directly from the demo proposal parameters. CIVAC provides a multi-year calculation on request after the demo, which can be used as a planning basis for internal budget approval.

Companies evaluating a compliance platform encounter two categories: specialised officer platforms such as CIVAC, and generic GRC suites (Governance, Risk, Compliance) originally developed for enterprise-wide risk management and now also offered in the mid-market.

The structural difference: generic GRC suites are designed for risk management, audit coordination, and enterprise-wide reporting. They require internal compliance teams to configure processes and develop role templates themselves. For a limited liability company (GmbH) with 200 employees needing five officer roles, this means in practice: six to twelve months of implementation, internal resources for configuration and ongoing maintenance, licence costs in the five-digit range per year, and external consulting support for the rollout.

CIVAC is built from the ground up for the German mid-market and the 25 appointable officer roles. No configuration is required; the roles are pre-structured with task lists based on legal standards. 37 audit templates are immediately ready to use. The workspace is active within two business days, without an implementation project.

A further structural difference lies in the staffing model: generic GRC suites presuppose internal officers. CIVAC offers the Officer-as-a-Service as an alternative — the external ISB or the external DPO is appointed via CIVAC and integrated directly into the workspace. This is the decisive advantage for companies without an internal specialist.

For companies evaluating multiple roles and wishing to conduct a competitive comparison, CIVAC recommends a structured scoring sheet that places the criteria of configuration effort, onboarding time, documentation depth, and pricing structure side by side. This sheet is available on request and facilitates committee decision-making.

Booking the demo is the first operational step towards structured compliance. After the session, two paths are open: workspace licence for internal officers or Officer-as-a-Service for external appointment. Many companies combine both models, depending on the availability and qualifications of their internal officers. This flexibility is not a compromise, but a structural advantage: both models share the same workspace and the same audit trail.

CIVAC is built as a compliance platform and Officer-as-a-Service to keep exactly this decision open. Licence the workspace for your internal officers or appoint our officers. Both models share the same workspace, the same audit trail, the same documentation structure. The decision can also be made role by role after the demo: DPO internally on the licence, occupational physician externally via Officer-as-a-Service — and adjusted at any time.

After contract placement, the CIVAC SLA applies without exception: contract, person, and appointment certificate within two business days. Workspace activation and officer appointment run in parallel. No lead time for configuration or setup is required. Others run compliance like a filing cabinet. We run it like software.

Turn reading into action: book the demo now at info@civac.de or via the contact form at civac.de. The CIVAC team will confirm the requested date within one business day.

The first step is the demo. The second step is the proposal. The third step is the order. From the third step, the CIVAC SLA applies: contract, person, and appointment certificate within two business days. These three steps together take less than a week in practice — compared to the industry-standard lead time of two to six weeks.