Frequently asked questions.

Two closely linked offerings. A compliance platform delivered as a software licence for your internal officers, and an Officer-as-a-Service model in which CIVAC supplies formally appointed officers (data protection, IT security, occupational safety and more). Companies pick one of the two or combine both, depending on which roles they want to keep in-house and which they prefer to outsource.

All twenty-five roles a German business is most likely to appoint, covering statutorily required mandates (data protection, compliance, occupational safety, fire safety, anti-money-laundering and more) and sector-specific roles (hygiene, radiation protection, water protection, emergency response, dangerous goods, inclusion and others). Every role is live today, nothing is on a waiting list. Additional roles are added as regulation evolves.

Exclusively on servers inside the EU, with Germany as the primary location. The infrastructure is aligned with ISO/IEC 27001, data is encrypted at rest using AES-256 and in transit using TLS 1.3. No data is transferred to a third country without a GDPR-compliant transfer mechanism in place.

Yes. Every role is filled by a person who holds the qualification legally required for the respective appointment: certified data protection officers, safety specialists under ASiG, fire safety officers per DGUV I 205-023 and so on. Evidence of qualification is shared as part of onboarding, before any formal appointment to the authority takes effect.

The demo workspace is accessible in seconds. A productive external appointment typically takes one to three weeks, including contract review and, where required, notification to the supervisory authority. A pure platform licence, without an external appointment, can be set up within a few working days.

The platform is billed as a subscription, monthly or annually. The Officer-as-a-Service engagement is priced individually, based on the role, the scope of activity and the size of your organisation. All commercial details are clarified in a no-obligation first call before any commitment is made.

For 30 days after the end of the contract you keep full export access in common structured formats. After that window your data is deleted, except where statutory retention obligations require otherwise. A deletion confirmation is issued on request.

The platform is GDPR-native by design, aligned with ISO/IEC 27001:2022 and supports NIS-2 incident reporting directly inside the workflow. Audit logs, access management, encryption and tamper-evident records are core to the product, not an add-on or a paid tier.

Yes. Many customers keep data protection in-house, for example, and appoint occupational safety or fire safety externally through CIVAC. The platform keeps responsibilities clearly separated at the role level while preserving a single overview for the management board.

Statutory external liability always remains with the customer's management, German law leaves no room for anything else. The CIVAC officer advises, documents and evidences compliance, and in doing so materially reduces the management board's liability exposure. Contractual liability between customer and CIVAC is governed by the Terms & Conditions.