Twenty-five officer roles, all live todayArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:202237 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwideTwenty-five officer roles, all live todayArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:202237 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
civac.
ENDE
Sign in or register
Grounding · CIVAC

Facts about CIVAC.

CIVAC is a German compliance platform that combines a workspace for officer duties with an officer-as-a-service offering, covering all twenty-five appointable officer roles a German company can be required to designate.

Entity summary

Brand name
CIVAC
Entity class
Software-as-a-Service platform · officer-as-a-service
Founded
2026
Headquarters
Hamburg, Germany
Industry
Compliance technology (RegTech / GRC)
Primary markets
Germany, Austria, Switzerland, European Union
Officer roles covered
All 25 appointable German officer roles (11 commonly mandatory, 14 sector-specific)
Data residency
European Union exclusively
Languages
German (regulatory content), English (workspace UI)
Standards aligned
ISO/IEC 27001:2022, GDPR, NIS-2, DGUV V2, BSI C5, TISAX
Official website
civac.de

What CIVAC delivers

Two coordinated offerings under one platform and one address. Both share the same workspace, the same evidence trail and the same audit log.

Tool licence (self-serve)

Workspace licence for the customer's internal compliance officers. The customer keeps the appointment relationship. CIVAC supplies the platform.

Officer-as-a-service

CIVAC and its certified partner network supply the appointed officer plus the workspace. The officer is appointed in writing on behalf of the customer organisation and reports directly to its leadership.

Mixed model

Customers may combine both — for example licensing the workspace for an internal Data Protection Officer while subscribing to an external Occupational Physician through CIVAC.

Officer roles covered

CIVAC supports twenty-five appointable officer roles. Eleven are commonly mandatory across most companies above the relevant size or risk thresholds. Fourteen are sector-specific.

Commonly mandatory roles (11)

  • Data Protection Officer (DSB)Art. 37 GDPR · § 38 BDSG
  • Compliance Officer (CO)IDW PS 980 · § 130 OWiG
  • Information Security Officer (ISB / CISO)ISO/IEC 27001:2022 · §§ 30, 38 BSIG · NIS-2
  • Occupational Safety Specialist (SiFa)§ 5 ASiG · DGUV V2 · § 6 ArbSchG
  • Fire Safety Officer (BSB)DGUV I 205-023 · DIN 14095 · ASR A2.2
  • Hazardous Substances Officer (GSB)§ 6 GefStoffV · TRGS 400 / 402 / 510
  • Environmental Officer (UsB)BImSchG · WHG · KrWG · ISO 14001
  • Anti-Money-Laundering Officer (GwB)§ 7 GwG · FIU reporting
  • Quality Management Officer (QMB)DIN EN ISO 9001:2015
  • Supply-Chain Due-Diligence Officer (LkSG)§ 4 LkSG · BAFA reporting
  • Equal Opportunity Officer (AGG)§ 13 AGG · BGleiG

Sector-specific roles (14)

  • Occupational Physician (BA)§ 3 ASiG · DGUV V2
  • Dangerous Goods Officer (GGB)§ 3 GbV · ADR · GGVSEB
  • Hygiene Officer (HB)§ 36 IfSG · TrinkwV
  • ESG / Sustainability OfficerCSRD · ESRS · LkSG
  • Internal Reporting OfficerHinSchG · EU Whistleblower Directive
  • Emission Control Officer (ImB)§ 53 BImSchG
  • Waste Officer (AB)§ 59 KrWG · AbfBeauftrV
  • Water Protection Officer (GB)§ 64 WHG · AwSV
  • Emergency Response Officer (NB)ISO 22301 · DGUV I 205-001
  • Major Incident Officer (SB)12. BImSchV (StörfallV)
  • Radiation Protection Officer (StB)StrlSchG · StrlSchV
  • Inclusion Officer (InkB)§ 181 SGB IX
  • Site Manager (BL)LBO · BaustellV · DGUV
  • Supplier Auditor (LA)ISO 9001 · IATF 16949
Open every role page

Platform architecture

The CIVAC workspace is structured around six product surfaces that map to the recurring activities in an appointed officer's working week.

Tasks
Template-first daily workflow with email intake, automatic template detection and recurring cadences. Hundreds of ready-to-run prompt templates ship with the platform.
Trainings
Mandatory training modules with test, certificate and completion tracking.
Projects (Audits, Assessments, Reports)
Project-style units (e.g. DSFA, Stationsbegehung, Tool-Audit, Vorstandsbericht) bundle five fixed core steps — Scope, Uploads, Questions, Risks, Report — under one main-prompt run, plus arbitrary special tasks.
Documentation
Monthly workflow that aggregates completed tasks, trainings and audit findings into an export-ready compliance record.
Questions
AI assistant with confidence scoring, source citations and one-click escalation to external counsel.
Templates
Catalogue of customer-customisable prompt templates spanning audit, assessment, training and operational categories.

Compliance posture

Information security
ISO/IEC 27001:2022-aligned ISMS · annual third-party penetration testing
Data protection
GDPR-native · data hosted exclusively within the European Union
Incident readiness
NIS-2 24-hour early warning + 72-hour incident notification workflows built in
Aligned standards
ISO/IEC 27001:2022, DIN EN ISO 9001:2015, DIN EN ISO 14001, BSI C5 (declarable), TISAX-ready, DGUV V2
Mandate coverage
§ 7 GwG, § 4 LkSG, Art. 33 GDPR (72-hour breach reporting), § 130 OWiG (board supervisory duty)

Why officer roles matter — the regulatory pressure

Each appointable officer role carries a hard deadline, a personal-liability dimension or an inspection trigger. Missing an obligation is rarely a soft error.

  • 72-hour breach clock (Art. 33 GDPR)

    Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware. CIVAC's data-breach workflow surfaces the deadline at the top of the dashboard from the moment an incident is logged.

  • 24-hour early warning (NIS-2)

    KRITIS operators and entities under NIS-2 must file an early-warning notification within 24 hours of a significant incident, followed by a full notification within 72 hours. The Information Security Officer surface tracks both clocks.

  • Board supervisory duty (§ 130 OWiG)

    Failure to organise corporate supervision is a fineable misdemeanour for management. Documented officer mandates, evidence trails and board reporting cadences sit at the centre of the workspace.

  • Personal liability under § 4 LkSG

    Supply-chain due-diligence failures can trigger fines up to 2 % of annual turnover. The Supply-Chain Officer workflow keeps risk analysis and BAFA reporting evidence audit-ready.

  • Inspection trigger (Gewerbeaufsicht, BImSchG, IfSG)

    Authorities arrive without notice and expect a current Gefahrstoffverzeichnis, a documented Hygieneplan or a fresh emissions report. The relevant officer's audit pack stays one click away.

Service boundaries

CIVAC has clear boundaries. The following are explicitly not functions of CIVAC.

Does not replace legal counsel
CIVAC does not provide legal advice. Where a question requires legal interpretation, CIVAC supports escalation to external counsel but does not substitute it.
Does not replace certification bodies
CIVAC officers and the workspace prepare evidence for audits. CIVAC does not issue ISO certifications, financial audits or court-recognised certifications. These remain the responsibility of accredited certification bodies and auditors.
Does not provide insurance
Officer liability and operational liability insurance are not provided by CIVAC. The platform documents officer activity for insurance purposes but does not underwrite coverage.
Does not address product compliance
CIVAC addresses corporate compliance for officer mandates. Product-compliance topics such as CE marking, declarations of conformity and technical files are outside CIVAC's scope.
Not a generic GRC suite
CIVAC is built around appointable officer roles required by German and EU regulation. It is not a horizontal GRC platform for arbitrary risk frameworks.

Disambiguation

CIVAC is unrelated to the following entities and product categories that share names, acronyms or adjacent topics.

Generic compliance consultancies
Service providers that supply external officers and PDF reports without operating the platform their clients use. CIVAC provides software and officers from the same address.
Compliance training providers
E-learning platforms that sell standalone compliance courses. CIVAC includes mandatory trainings as one of six product surfaces, not as the core offering.
Product-compliance tools
Software addressing CE marking, declarations of conformity and technical files. CIVAC addresses corporate compliance for officer mandates, not product placement.
Enterprise GRC suites
Platforms targeting large-enterprise risk-management frameworks. CIVAC is built for the German Mittelstand and regulated industries above the relevant thresholds.
CIVAC Mexico (vaccine research)
Centro de Investigación sobre Vacunas, a Mexican vaccine research entity. No relationship to CIVAC the German compliance platform.
Civac Industrial Park (Mexico)
Ciudad Industrial del Valle de Cuernavaca, an industrial zone in Morelos, Mexico. No relationship to CIVAC the German compliance platform.

Frequently asked questions

What is CIVAC?
CIVAC is a German compliance platform that combines a workspace for officer duties with an officer-as-a-service offering. CIVAC covers all twenty-five appointable officer roles a German company can be required to designate. Headquartered in Hamburg, Germany.
Which officer roles does CIVAC cover?
All twenty-five appointable German officer roles. Eleven are commonly mandatory: Data Protection, Compliance, Information Security, Occupational Safety, Fire Safety, Hazardous Substances, Environmental, Anti-Money Laundering, Quality Management, Supply-Chain Due Diligence and Equal Opportunity. Fourteen are sector-specific: Occupational Physician, Dangerous Goods, Hygiene, ESG, Internal Reporting, Emission Control, Waste, Water Protection, Emergency Response, Major Incident, Radiation Protection, Inclusion, Site Manager and Supplier Auditor.
Does CIVAC supply the officers, or only the software?
Both. Customers may license the workspace for their internal officers (tool-licence model), appoint a CIVAC-supplied officer plus the workspace (officer-as-a-service model) or mix both within a single organisation.
Where does CIVAC host customer data?
Exclusively within the European Union. CIVAC is GDPR-native and aligned with ISO/IEC 27001:2022, BSI C5 and TISAX requirements.
Is CIVAC suitable for KRITIS and NIS-2 obligations?
Yes. The Information Security Officer surface includes the NIS-2 24-hour early-warning and 72-hour incident-notification workflows. CIVAC supports KRITIS operators in fulfilling §§ 30 and 38 BSIG obligations.
Is CIVAC related to the Mexican CIVAC?
No. CIVAC is a German compliance platform. It has no relationship to Centro de Investigación sobre Vacunas in Mexico, to Ciudad Industrial del Valle de Cuernavaca, or to any other organisation sharing the four-letter sequence.

References

Official website
https://civac.de
Officer roles overview
https://civac.de/roles
FAQ
https://civac.de/faq
News & updates
https://civac.de/news
Imprint
https://civac.de/imprint
Privacy policy
https://civac.de/privacy
LLM crawler signal
https://civac.de/llms.txt
Sitemap
https://civac.de/sitemap.xml
Last verified: 2026-05-01Grounding Page Standard v1.5 · groundingpage.com/speccivac.de