Status: Optional add-on · In internal testing · Beta shortly

DPMS is not part of the standard feature scope. The module is currently in internal testing and will join beta access shortly. It is an optional add-on and bookable only together with an active LEGALinhouse subscription — it cannot be used standalone. If you'd like to use DPMS functions early, let us know — we'll add you to the beta and get back to you once the module is enabled for you.

Automatic pseudonymization on every AI call

DPMS is AI-assisted throughout — and protects exactly the data that data protection is about. Before every AI call, personal data is automatically masked and reinserted into the response. Personal identifiers don't leave the tenant in clear text, while the AI can still work with the case. Pseudonymization is switchable per tenant and on by default.

AI as assistant — results are drafts

All AI components in DPMS are assistants: they produce drafts, not finished legal results. Expert review and final responsibility always remain with the qualified user. CEAVEO LEGALinhouse is a workflow and productivity tool, not a legal service provider (RDG).

Record of processing (Art. 30 GDPR)

Every controller must maintain a record of its processing activities. The DPMS module provides the structure for this: per processing activity — purpose, legal basis, categories of data subjects, categories of personal data (incl. special categories under Art. 9), recipients, third-country transfers, retention periods and linked technical and organizational measures (TOMs). With tenant-wide RoPA defaults, filtering, versioning and export as an authority-style Art. 30 template PDF, as a full report and as a CSV/PDF register.

An AI assistant drafts RoPA entries from a free-text description and suggests legal basis and data categories (draft for review). Templates for typical processing activities (HR, accounting, CRM, applicant management, video surveillance) are included and customizable per tenant.

Technical and organizational measures (Art. 32 GDPR)

The module maintains a TOM catalog across the eight BDSG control categories — each measure with implementation status, review interval and evidence. A library of 35 standard measures allows one-click adoption; every measure can be mapped to individual processing activities and assets. So it's demonstrable at the press of a button which safeguards apply to which processing.

Data protection impact assessment (Art. 35)

Where processing is likely to result in a high risk to the rights and freedoms of data subjects, a DPIA is mandatory. The module guides through the DPIA process: risk assessment, description of processing, assessment of necessity and proportionality, safeguards, consultation with the data protection officer. The result is a structured document, exported and anchored in the audit log.

Threshold assessment

The module helps with the preliminary check: based on the processing activity and the risk indicators stored there (special categories of data, profiling, surveillance, etc.), the system gives a suggestion whether a DPIA is likely required. The legal assessment is made by the data protection officer or responsible person — the suggestion is not a substitute.

DPA review (Art. 28 GDPR)

SMEs are often simultaneously DPA principals (toward service providers) and DPA processors (toward business customers). The module manages both sides — and reviews along the way:

  • AI import of the DPA PDF: processor master data and guarantees are extracted and the form pre-filled — no manual retyping.
  • 28-point AI review: clause extraction and risk flags against the mandatory elements of Art. 28 — as a draft alongside the assessment by the responsible person.
  • Incoming DPAs (you as processor): DPAs linked to clients, TOMs, sub-processor lists, conditions.
  • Outgoing DPAs (you as controller): DPAs with service providers, TOMs review, sub-processor approvals.
  • Link to contract management — every DPA is also a contract with term and termination.
  • Sub-processor tracking — changes are reflected with notification obligation and right to object.

Data subject rights (Art. 12–22 GDPR)

Access, rectification, erasure and objection requests are not rare — and must be answered within one month. An AI assistant captures the request from text or document, classifies the request type and identifies the requesting person. An identity-verification gate secures the response. Grounded in the record of processing, an AI response draft is produced that can be materialized as a ready-to-send letter (DIN 5008). The module sets the 30-day deadline automatically and documents the handling; anonymized statistics show management the count and processing time.

Incident response (Art. 33, 34 GDPR)

A data protection incident must be reported to the supervisory authority within 72 hours unless it is unlikely to result in a risk. An AI quick-triage supports the intake: classification, risk assessment, notification-obligation recommendation and a measures guide — all as drafts. A 72-hour clock runs automatically. The notification to the supervisory authority (Art. 33) and the notification of affected persons (Art. 34) are produced as ready-to-send letters. Every step is traceable in the audit log.

Master data, import & export

To get productive fast, the system ships with editable catalogs: data subject and data categories, 131 German retention periods under HGB/AO, purposes, legal bases and TOMs. Plus registers for processors, software, IT assets and locations. An Excel import template and pre-filled industry templates speed up initial capture; a staging check validates the data before adoption, an AI completeness assessment flags gaps per record, and a duplicate-free round-trip export hands the entire inventory back out.

Audit trail across the entire DPMS

Data protection compliance is not about creating a record once — it is about evidence that the record lives. The module logs every change to the record, every DPIA revision, every DPA renewal, every data subject request, every incident. On a supervisory authority inspection, the system delivers full evidence at the press of a button — no last-minute Excel reconstruction.

Availability & pricing model

DPMS is an optional module of LEGALinhouse and bookable only together with an active LEGALinhouse subscription — not standalone. It is billed like an additional inhouse product: a surcharge on your monthly fee, with a shared AI-credit pool across all booked products. AI actions run model-neutral and under the bill-on-success guarantee (charged only on a successful result). Beta customers receive the specific conditions before launch.

Want DPMS in the beta? If you depend on any of the modules described above, let us know. We'll add you to the beta and get back to you once the module is enabled for you.