The compliance platform for mid-sized businesses


AI Act, GDPR, HinSchG, GoBD, BFSG, and website compliance in one platform. With guided workflows and a ready-made audit trail.


Dashboard preview (app.clairo.de): Compliance Overview, 6 active modules

  • AI Act (EU), Art. 4, 50: 82 %
  • GDPR, Art. 30: 65 %
  • HinSchG, § 12: 91 %
  • GoBD, Rz. 151: 74 %
  • BFSG, § 3: 58 %
  • Website, TTDSG: 88 %
  • Overall Score: 74 %, 3 deadlines soon

EU AI Act: deadlines and fines

  • Feb 2025: AI prohibitions and training obligations in effect since February 2025
  • Aug 2026: High-risk obligations take effect. 4 months remaining.
  • EUR 35M: Maximum fine under the EU AI Act, or 7% of annual turnover

The problem

Compliance has become complex. Mid-sized businesses are left without tools.

Mid-sized businesses face a patchwork of regulations, expensive consultants, and tools built exclusively for large corporations.

Regulation wave

EU AI Act, GDPR, HinSchG, GoBD, BFSG, TDDDG. Each with its own deadlines, obligations, and fines. No SMB can keep track alone.

I don't even know which laws apply to us.

No SMB tooling

Enterprise compliance software costs EUR 50,000/year and requires a dedicated legal department. Spreadsheets and PDF checklists don't scale.

The tools are all built for corporations, not for us.

Consultant costs are exploding

External DPOs, lawyers, AI Act consultants. Each a silo, each expensive. Without an internal tool, there's no foundation for any advisory conversation.

We're paying hourly rates for things software could do.

The modules

Six modules. One compliance system.

Six specialised modules with a shared audit trail, automatic propagation between modules, and unified incident reporting.

EU AI Act · KI-MIG
AI Act Compliance (Available)

Complete EU AI Act compliance in one workflow: AI inventory, automatic risk classification via a 6-step pipeline, FRIA lifecycles, transparency obligations, and AI literacy tracking for all employees.

  • AI system inventory with CSV import and lifecycle tracking
  • Deterministic 6-step risk classification workflow (prohibition screening > high-risk > GPAI)
  • FRIA impact assessment with questionnaire, versioning, and PDF export
  • Transparency obligations under Art. 50: automatically assigned from classification
  • AI literacy (Art. 4): employee tracking, certificates, learning paths
  • Unified incident reporting with provider and authority notification
  • Works council notification: templates and acknowledgment tracking
  • Compliance tasks: automatically generated from classification
  • Provider compliance checklist (CE marking, conformity declaration)
  • Full deployer obligations for high-risk AI (Art. 26)

Legal bases

  • Art. 5: Prohibited AI practices (8 categories)
  • Art. 4: AI literacy obligation
  • Annex III: High-risk AI systems (list)
  • Art. 50: Transparency obligations
  • Sec. 15 KI-MIG: Penalty provisions

Enforcement deadlines

  • Prohibitions & literacy: Feb 2025 ✓
  • High-risk obligations (Annex III): Aug 2026
  • GPAI model requirements: Aug 2025

The network effect

Modules that share context.

A compliance event in one module automatically triggers the obligations it creates in another. Your team does not have to stitch the pieces together by hand.

Key concept

One incident, multiple reporting obligations

A single AI data breach today triggers simultaneous reporting obligations under the EU AI Act, GDPR, and potentially HinSchG, with different deadlines and recipients. Clairo manages all threads in a single incident workflow.

  1. Trigger: Data breach in AI system detected
  2. Automatically opened: Data breach notification (Art. 33 GDPR), 72h deadline starts immediately
  3. Opened in parallel: AI Act incident report (Art. 73), market surveillance
  4. Shared audit trail: All measures, deadlines, and evidence in one audit trail, GoBD-compliant

AI system registered > ROPA draft automatically created

When a new AI system that processes personal data is added to the inventory, Clairo automatically creates a records of processing draft (Art. 30 GDPR) with known fields pre-filled.

AI inventory · ROPA · DPIA check

Hours of manual work eliminated, no forgotten entries

One audit trail for all regulations

The shared, immutable audit trail applies to all modules. Tax auditors, data protection authorities, and AI market surveillance receive the relevant extract at the click of a button, in the right format, archived GoBD-compliantly.

GDPR · AI Act · GoBD

One export, every authority served

Scan detects tracker > ROPA and privacy notice updated immediately

The website scanner finds a new analytics tracker. Clairo flags the missing ROPA entry and suggests updating the privacy notice, pre-filled with the discovered data.

Website scanner · ROPA · Privacy notice

No privacy violation from outdated notices

AI compliance violation reported > AI Act incident opened

A whistleblower reports a suspected AI violation through the anonymous reporting system. Clairo automatically creates an AI Act incident draft and links the case (without revealing identity) to the AI inventory.

HinSchG report · AI Act incident · AI inventory

Whistleblower protection and regulatory obligation in one workflow

Linked entities

AI systems, processing activities, privacy notices, and consent records are automatically cross-linked. Changes propagate instantly.

Automatic propagation

17 automatic schedulers generate compliance tasks from classifications, deadlines, and events. No manual configuration.

Unified incident reporting

One incident, all relevant reporting obligations in one workflow. Independent deadlines, shared evidence, one export for all authorities.

Regulatory roadmap

Obligations arrive in stages. So does Clairo.

Every regulatory milestone has its module. Clairo grows with the obligations.

  1. May 2018 (already in effect)

    GDPR: General Data Protection Regulation enters into force

    The General Data Protection Regulation has applied since 25 May 2018. Records of processing, DPIAs, data subject rights, data breach notifications: the requirements are complex and supervisory authorities more active than ever.

    GDPR module · ROPA (Art. 30) · DSR workflows · DPIA / TOM

  2. Dec 2023 (already in effect)

    HinSchG: Whistleblower protection for companies with 50+ employees

    The German Whistleblower Protection Act requires companies with 50 or more employees to set up an internal reporting channel. 7-day acknowledgment and 3-month feedback obligations apply.

    HinSchG module · Anonymous reporting · Case management

  3. Feb 2025 (already in effect)

    EU AI Act: Prohibited practices & AI literacy (Art. 5 + 4)

    Art. 5 prohibits manipulative and discriminatory AI systems. Art. 4 requires all providers and deployers to ensure AI literacy among their employees.

    AI Act · Prohibition screening (Art. 5) · AI literacy tracking

  4. Jun 2025 (already in effect)

    BFSG: Accessibility obligations for new products

    The Accessibility Strengthening Act has been mandatory for new products and services since 28 June 2025. Websites, apps, and self-service kiosks must meet EN 301 549 requirements.

    BFSG module · Website scanner · WCAG checklist

  5. Aug 2025 (already in effect)

    EU AI Act: GPAI model requirements apply

    Since August 2025, obligations for providers of general-purpose AI (GPAI) models apply. Technical documentation, transparency obligations, and copyright compliance are mandatory.

    AI Act · GPAI obligations · Transparency

  6. Dec 2025 (already in effect)

    NIS2: Cybersecurity obligations for ~29,500 companies

    The NIS-2 Implementation Act introduces enhanced cybersecurity obligations for critical-infrastructure-adjacent companies in 18 sectors. BSI registration, reporting obligations, and minimum security measures apply.

    NIS2 · BSI registration · Incident reporting

  7. Aug 2026 (deadline in 4 months)

    EU AI Act: High-risk obligations (Annex III)

    From August 2026, full obligations apply to high-risk AI systems under Annex III: technical documentation, conformity assessment, EU database registration, and ongoing monitoring obligations for deployers.

    High-risk AI · FRIA lifecycle · Provider compliance · Audit trail

  8. Aug 2027 (deadline in 16 months)

    EU AI Act: High-risk obligations expand to Annex I

    From August 2027, high-risk obligations also apply to AI systems in products under Annex I (Machinery Regulation, toys, medical devices, etc.). Full product liability obligations enter into force.

    High-risk AI Annex I · Product liability · Conformity assessment

Who Clairo is for

For the people who actually own compliance

Engineers, DPOs, executives, and consultants: Clairo addresses the specific problem each role actually faces.

CTO / IT Lead

Technical overview of all AI systems

I need a central overview of all AI systems in the company and their regulatory risk, without having to query each department individually.
AI inventory · Risk classifier · Bulk import
Compliance Officer / DPO

Multiple regulations, one platform

I manage AI Act, GDPR, HinSchG, and GoBD simultaneously. In separate spreadsheets I lose track. I need a system that recognises cross-connections automatically.
Cross-regulation · ROPA · Audit trail
CEO / Managing Director

Confidence without deep knowledge

I want to know at all times that we're compliant, without having to read every regulation myself. And if there are problems, I want early warnings.
Compliance score · Executive view · Early warnings
DPO firm / Consultant

Client management at a click

I manage eight clients simultaneously. I need a central platform to view their compliance status, export reports, and monitor deadlines.
Multi-tenant · PDF export · Coming soon

Why Clairo

The honest comparison

What other approaches cost: in euros, time, and risk.

| Criterion | Clairo | Enterprise tool (GRC software) | Law firm (consultancy) | DIY (Excel, Word) | Do nothing |
|---|---|---|---|---|---|
| Cost | SMB-friendly | Very high | High / hourly | Low but hidden | Fine risk |
| Setup time | Hours | Months | Weeks | Endless | No setup |
| Regulation coverage | 6 modules | 2–3 topics | Depends on firm | Manual, incomplete | None |
| Automation | High | Medium | None | None | None |
| Audit readiness | Audit trail, PDF export | Yes | Reports on request | Questionable | Non-existent |
| SMB suitability | Built for SMBs | Enterprise focus | Conditional | In theory | No tool |
| Cross-regulation | Automatically linked | Mostly siloed | Manual | Not possible | Non-existent |

Enterprise tool data based on publicly available pricing structures and user reports. Law firm costs vary significantly by scope and region.

Pricing

Fair pricing, modular setup.

Pay only for what you use. No hidden onboarding fees, no enterprise contracts.

Starter

49 / month

For solo operators and startups

  • 1 company / client
  • Up to 3 active modules
  • Records of processing (GDPR)
  • AI inventory (up to 10 systems)
  • PDF exports
  • Email support
GDPR · AI Act · +1 of your choice
Join the waitlist

Enterprise

On request

For larger organisations with multiple units

  • Multiple business units
  • SSO / SAML integration
  • Advanced user roles
  • SLA by arrangement
  • Dedicated point of contact
  • On-premise option on request
All modules
Contact us

All prices excl. VAT. Annual billing saves 2 months.

Why we're different

Made for German and European regulation

Clairo treats German law as the baseline, not an afterthought. Modules, templates, and workflows are written against the text of the regulation, not translated from a US playbook.

German as the product language

Every interface, template, and legal text is written in German first, then translated. Regulatory wording stays unambiguous.

EU data, hosted in Frankfurt

Your compliance data never leaves the EU. Hosted on Neon (ISO-27001) in Frankfurt am Main.

Set up in hours

No three-month onboarding project. AI inventory via CSV import, GDPR records of processing from a template library.

SMB pricing, without cutting depth

No corporate budget required. The modules cover the same ground that enterprise tools do, priced for 50 to 500 employees.

Modules that share state

An AI system incident in the AI Act module is automatically assessed as a GDPR data breach. A data subject request triggers a TOM review. Compliance stays in sync.

Audit-safe exports

Immutable versioning, timestamps, and audit trails for all documents. PDF exports with metadata for authorities, auditors, and internal controls.

FAQ

What you should know

Not listed? Write to us. We reply within 24 hours.

At launch, Clairo covers six modules: EU AI Act / KI-MIG (with full risk classification, FRIA, and transparency obligations), GDPR / BDSG / TDDDG (ROPA, DSR, DPIA, DPA, TOM, and more), HinSchG (internal whistleblower system), GoBD (procedure documentation and digital archiving), BFSG (accessibility), and a website compliance scanner. Additional regulations (NIS2, CSRD) are planned.
Yes. In the Starter plan, you choose up to three modules. The Professional plan includes all six modules and also benefits from cross-regulation linking that connects modules automatically. You can add or deactivate modules at any time without losing data.
Prices will be announced shortly before the official launch. Those who join the waitlist now receive a permanent early-access discount and will be notified at launch. No credit card, no obligation.
All data is stored exclusively in the EU, hosted by Neon (ISO-27001-certified) in Frankfurt am Main. Clairo does not process data in third countries. We conclude a data processing agreement (DPA) under Art. 28 GDPR with every customer. A data protection impact assessment (DPIA) for Clairo itself is available on request.
At launch, German is the primary platform language. An English interface is planned for Q3 2026. Since Clairo primarily targets companies in Germany, Austria, and Switzerland, the focus is deliberately on a first-class German user experience. No compromises from parallel localisation.
Most users are productive within 2–4 hours. The AI inventory can be populated via CSV import, the GDPR records of processing built via a guided template library. A dedicated onboarding guide walks through the first steps for each module. For the Professional plan, we offer an optional 60-minute onboarding call.
At launch, Clairo offers CSV import/export for all modules plus standardised PDF exports for authorities and auditors. A REST API for system integrations (HR systems, ITSM tools, SIEM) is planned for the Enterprise plan. If you need a specific integration, reach out early. We prioritise based on demand.
After cancellation, you have 30 days of read-only access to export all data. On request, we export your entire compliance archive as a ZIP with PDF and CSV. Your data is securely deleted after statutory retention periods expire and is not shared with third parties.

Request a demo

Try the platform yourself.

Leave your email and we'll reach out as soon as a demo slot opens up. No subscription, no obligation.


This site is a student case study. All prices shown are illustrative.
