  • Twenty-five officer roles, all live today
  • Art. 33 GDPR, breach notification to the supervisory authority within 72 hours
  • 93 controls under ISO/IEC 27001:2022
  • 37 ready-to-run audit templates in the workspace
  • § 130 OWiG, supervisory duty of the management board
  • Officer appointment letter, signed, filed, evidenced
  • One workspace for tasks, trainings, audits, documentation
  • DIN 14095 fire protection plans, standardised
  • EU AI Act, the first horizontal AI regulation worldwide

Trust Center

Updated 08/05/2026

Overview

CIVAC is the German compliance workspace for every officer role that companies above the relevant statutory thresholds must appoint. Customers license the workspace for their internal officers, or appoint ours under Officer-as-a-Service. Either way it is the same platform, the same audit trail and the same evidence that inspectors recognise: EU-only data residency, append-only audit logs, and AI outputs that are source-cited and confidence-scored.

Compliance

Frameworks we operate to, in production or in active certification.

GDPR (DSGVO)
In place
BDSG
In place
TTDSG (renamed TDDDG in May 2024)
In place
ISO/IEC 27001:2022
Stage-1 done, Stage-2 Q4 2026
SOC 2 Type II
Observation window opened May 2026
ISO/IEC 27701
Roadmap, post ISO 27001
TISAX
Roadmap H2 2026
EU AI Act
Mapping in progress for the 2 August 2026 application date
ISO/IEC 42001
AI management system, Roadmap

Security

EU Data Residency

All customer data is processed and stored exclusively in the EU (Frankfurt). No transfers outside the EEA take place without an Article 46 GDPR transfer mechanism such as the Standard Contractual Clauses.

Encryption Everywhere

TLS 1.3 in transit, AES-256 at rest. Customer-specific KMS keys for documents on the appointed-officer plan.

Append-Only Audit Trail

Every action by every user creates an immutable evidence record. Exportable in formats inspectors recognise.
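How an append-only evidence record can be made tamper-evident in practice, as an added illustration for this section and not CIVAC's own implementation: each record carries the keyed hash of the previous one, so editing, reordering or removing a record breaks the chain. The record fields, the sample events and the demo key are constructed for the example.

```python
"""Hash-chained audit log: tamper-evident, append-only evidence records.

Added illustration, not CIVAC's implementation. Record layout, sample
events and the key are constructed for the example.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the very first record


def canonical(record: dict) -> bytes:
    # Stable serialisation: sorted keys, fixed separators, so the digest does
    # not depend on dict ordering or whitespace.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


@dataclass(frozen=True)
class Entry:
    seq: int
    actor: str
    action: str
    object: str
    ts: str
    prev_hash: str
    hash: str


class AuditLog:
    def __init__(self, key: bytes):
        # Keyed digest (HMAC-SHA256): someone with write access to the store
        # but without the key cannot re-chain the log after editing a record.
        self._key = key
        self.entries: List[Entry] = []

    def _digest(self, body: dict) -> str:
        return hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, obj: str, ts: str) -> Entry:
        prev = self.entries[-1].hash if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "object": obj, "ts": ts, "prev_hash": prev}
        entry = Entry(**body, hash=self._digest(body))
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        # Publish or escrow this value externally; the chain alone cannot
        # detect truncation of its newest records.
        return self.entries[-1].hash if self.entries else GENESIS

    def verify(self, entries: Optional[List[Entry]] = None,
               expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Return (ok, seq of first bad record). Checks sequence numbers,
        back-links and digests; with expected_head, also detects truncation."""
        entries = self.entries if entries is None else entries
        prev = GENESIS
        for i, e in enumerate(entries):
            body = asdict(e)
            stored = body.pop("hash")
            if (e.seq != i or e.prev_hash != prev
                    or not hmac.compare_digest(stored, self._digest(body))):
                return False, i
            prev = e.hash
        if expected_head is not None and prev != expected_head:
            return False, len(entries)  # records removed from the tail
        return True, None

    def export_jsonl(self) -> str:
        # One record per line; an inspector can re-run verify() over it.
        return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in self.entries)


def build_sample_log(key: bytes = b"constructed-demo-key") -> AuditLog:
    # Constructed sample events (hypothetical actors and objects).
    log = AuditLog(key)
    log.append("dpo@example.test", "create", "ropa/2026-01", "2026-05-08T09:00:00Z")
    log.append("admin@example.test", "grant_role", "user:auditor", "2026-05-08T09:05:00Z")
    log.append("officer@example.test", "upload", "doc/appointment-letter.pdf", "2026-05-08T09:10:00Z")
    return log


def tamper_actor(entries: List[Entry], seq: int, actor: str) -> List[Entry]:
    # Simulate an after-the-fact edit in the store: the record's content
    # changes but its stored hash does not.
    out = list(entries)
    out[seq] = replace(out[seq], actor=actor)
    return out


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())                                   # (True, None)
    print("edited:", log.verify(tamper_actor(log.entries, 1, "mallory@example.test")))  # (False, 1)
    print("truncated:", log.verify(log.entries[:2], expected_head=log.head()))          # (False, 2)
```

The chain proves integrity only back to a head value that is stored somewhere the writer cannot reach (a signed timestamp, a customer-held copy, an external ledger); without that anchor an attacker with write access can always drop the newest records and present a shorter but internally consistent log.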

Least-Privilege Access

Role-based access by default, mandatory MFA for admins, SSO/SAML available, quarterly access reviews.

Resilient Infrastructure

Multi-AZ deployment, hourly backups with 30-day point-in-time recovery, disaster-recovery runbooks tested twice a year.

Responsible AI

No model training on customer data. AI outputs are source-cited and confidence-scored. Prompts and documents are never shared between tenants.

Resources

What we publish, what we share under NDA, what your officers can hand to auditors.

ISO/IEC 27001:2022
Stage-1 letter of attestation available now. Stage-2 certificate expected Q4 2026.
Pen-Test Letter
Independent third-party penetration test, executive summary downloadable on request.

Policies

  • POL-01 Information Security Policy
  • POL-04 Acceptable Use Policy
  • POL-07 Access Control Policy
  • POL-09 Cryptography Policy
  • POL-12 Data Protection Policy (GDPR)
  • POL-15 Incident Response Policy
  • POL-18 Business Continuity & DR Policy
  • POL-21 Vendor & Sub-Processor Policy
  • POL-24 AI Acceptable Use Policy
  • POL-27 Records of Processing Activities
  + 6 more on request

Reports & Templates

  • Data Processing Agreement (Art. 28 GDPR), on request
    Customer-ready DPA template including SCCs and the current sub-processor list.
  • Security Whitepaper, on request
    Architecture, encryption, access management, incident response and BC in one document.
  • Penetration Test Summary, on request
    Independent third-party assessment. Executive summary without NDA, full report under NDA.
  • Records of Processing Activities (Art. 30), on request
    Internal RoPA template that mirrors what your DPO will hand to the regulator.

Subprocessors

Companies we engage to deliver the service. Customers are notified at least 30 days before any change.

  • Google Cloud Platform
    Germany (Frankfurt region)
  • Cloudflare
    EU edge nodes
  • Anthropic
    EU regional endpoints
  • Stripe
    Ireland

Controls

We operate to ISO/IEC 27001:2022 Annex A (93 controls). Below is an excerpt of the controls in scope, grouped by the four Annex A themes.

Organisational

37 Controls
  • A.5.1
    Policies for information security
  • A.5.9
    Inventory of information and other associated assets
  • A.5.15
    Access control
  • A.5.16
    Identity management
  • A.5.22
    Monitoring, review and change management of supplier services
  • A.5.29
    Information security during disruption
  • A.5.31
    Legal, statutory, regulatory and contractual requirements
  • A.5.34
    Privacy and protection of PII

Technological

34 Controls
  • A.8.5
    Secure authentication
  • A.8.8
    Management of technical vulnerabilities
  • A.8.18
    Use of privileged utility programs
  • A.8.24
    Use of cryptography
  • A.8.26
    Application security requirements
  • A.8.28
    Secure coding
  • A.8.29
    Security testing in development and acceptance
  • A.8.34
    Protection of information systems during audit testing

Physical

14 Controls
  • A.7.2
    Physical entry
  • A.7.4
    Physical security monitoring
  • A.7.5
    Protecting against physical and environmental threats
  • A.7.7
    Clear desk and clear screen
  • A.7.8
    Equipment siting and protection
  • A.7.12
    Cabling security

People

8 Controls
  • A.6.1
    Screening
  • A.6.3
    Information security awareness, education and training
  • A.6.4
    Disciplinary process
  • A.6.5
    Responsibilities after termination or change of employment
  • A.6.6
    Confidentiality or non-disclosure agreements
  • A.6.8
    Information security event reporting

FAQs