Operational DPO software · Automated DPO desk

DPO Assist: the DPO's operational desk, AI-assisted.

A DPO spends on average 70% of their time on repetitive tasks: sorting incoming GDPR emails, updating the records of processing, tracking 72h deadlines on breaches, responding to data subject requests within the month, summarising meetings, keeping the client action plan up to date. DPO Assist is the platform Luxgap uses daily to manage its 200+ external DPO mandates. AI does the repetitive work, the DPO validates and advises. Dedicated mailboxes are ingested and classified within 5 minutes, registers are fed automatically, breaches are notified on time, meetings are turned into action plans, and your clients get a read-only portal. Used today by our team and available for your internal teams.

Main features

What the software actually does.

GDPR/CISO/Whistleblowing mailboxes ingested and classified in 5 minutes

Today a DPO spends 1-2 hours daily sorting emails arriving at dpo@, ciso@, whistleblowing@. DPO Assist ingests these mailboxes automatically every 5 minutes via Microsoft Graph, and AI classifies each message: spam, info, client ticket, data breach, GDPR rights request, regulator inquiry. The client mentioned in the email is identified and the ticket auto-assigned to the client's lead consultant. If the email says "Hi Hugo", Hugo receives the ticket. No more manual sorting, no more forgotten email.

AI pre-drafted replies, ready to validate and send

For each incoming ticket, DPO Assist automatically generates a draft reply in 4-5 short, well-spaced paragraphs, with the right tone (formal or informal, based on the client's history), exact legal references and the documentation to attach. You review it in 30 seconds, adjust if needed and send it from the integrated editor. Attachments up to 50 MB, with automatic AI analysis of their content. A professional client response is now 2 minutes of work instead of 30.

72h breaches: guided workflow with automatic reminders

When an email arrives flagged "data breach" by AI, a 72h countdown starts. DPO Assist guides breach qualification per the ENISA/CNIL severity grid, proposes the decision (notify regulator yes/no, notify data subjects yes/no), pre-fills the regulator form, and sends you automatic reminders every 4 hours during the critical phase. No more forgotten breach. No more late notification.

Data subject requests: 1-month deadline calculated, dossier ready

When an email is classified as "GDPR rights request" by AI (access, rectification, erasure, portability, objection), a request dossier opens automatically with the 1-month deadline calculated. The client employee portal can be queried to produce the data. The response is pre-drafted by request type. If the request requires action on a database or file, an action is created in the client action plan.
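The two clocks described in the breach and data subject request sections above (the 72h countdown with reminders every 4 hours, and the 1-month request deadline), as an added Python illustration that is not DPO Assist's own code; the function names, the constructed sample dates and the choice to clamp a one-month deadline to the last day of a shorter month are assumptions made here.

```python
from __future__ import annotations
from calendar import monthrange
from datetime import datetime, timedelta, timezone

BREACH_WINDOW = timedelta(hours=72)     # Art. 33 GDPR: notify the regulator within 72h of awareness
REMINDER_INTERVAL = timedelta(hours=4)  # reminder cadence during the critical phase


def breach_deadline(aware_at: datetime) -> datetime:
    """The clock runs from the moment the controller becomes aware of the breach."""
    return aware_at + BREACH_WINDOW


def pending_reminders(aware_at: datetime, now: datetime) -> list[datetime]:
    """Reminder times still to come: every 4h after awareness, the deadline itself included."""
    deadline = breach_deadline(aware_at)
    due = []
    t = aware_at + REMINDER_INTERVAL
    while t <= deadline:
        if t > now:
            due.append(t)
        t += REMINDER_INTERVAL
    return due


def dsr_deadline(received_at: datetime) -> datetime:
    """One month from receipt (Art. 12(3) GDPR). Assumption: a request received on the 31st
    is due on the last day of a shorter following month rather than spilling into the next."""
    year, month = received_at.year, received_at.month + 1
    if month == 13:
        year, month = year + 1, 1
    day = min(received_at.day, monthrange(year, month)[1])
    return received_at.replace(year=year, month=month, day=day)


def hours_left(deadline: datetime, now: datetime) -> float:
    """Positive while there is time, negative once the deadline has passed."""
    return (deadline - now) / timedelta(hours=1)


def demo() -> dict:
    """Constructed sample: breach detected 1 March 2024 at 10:00 UTC, checked 70h later."""
    aware = datetime(2024, 3, 1, 10, tzinfo=timezone.utc)
    now = aware + timedelta(hours=70)
    return {
        "deadline": breach_deadline(aware).isoformat(),
        "hours_left": hours_left(breach_deadline(aware), now),
        "reminders_left": len(pending_reminders(aware, now)),
        "reminders_total": len(pending_reminders(aware, aware)),
        "dsr_jan31_leap": dsr_deadline(datetime(2024, 1, 31, tzinfo=timezone.utc)).date().isoformat(),
        "dsr_dec15": dsr_deadline(datetime(2024, 12, 15, tzinfo=timezone.utc)).date().isoformat(),
    }
```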

Live GDPR registers, fed from OneDrive and Excel/PDF

Article 30 records of processing, Article 28 processor register, Articles 15-22 rights requests register, Article 33 breach register: all maintained in DPO Assist with full fields (purpose, legal basis, categories of persons/data, recipients, non-EU transfers, retention, security measures). A 📁 button on each register imports from the client's OneDrive folder: AI reads Excel, PDF and DOCX files and extracts the information. The processor register is generated automatically from the recipients mentioned in the processing register. No more spreadsheets updated once a year: the registers are living documents.

Centralised client action plan, Asana-style, with AI per action

For each client, a centralised action plan: title, description, priority, deadline, assignee, client contact. Templates to bulk insert classic CISO or DPO actions. Statuses: todo, in progress, awaiting client, awaiting internal, in review, done, blocked, rejected. AI chat per action to help the consultant structure the work. Marking an action done records the time spent at the same time. Direct link to the action's OneDrive files. A "Meetings to finalise" banner at the top of the page ensures post-meeting drafts are never forgotten.

Leexi meetings turned into automatic action plan

DPO Assist syncs with Leexi 4 times a day to retrieve transcripts, markdown summaries, structured tasks and timestamped chapters from all meetings. For each meeting, an automatic draft is created containing actions to insert in the client action plan (from Leexi tasks) and time tracking (from meeting duration). A "My meetings to finalise" page lets you validate/adjust in 2 minutes before real creation. Privacy: if you were the only Luxgap consultant present, the meeting note stays private until explicit team or client sharing.

GDPR compliance and risk scoring, automatically recalculated

For each client, DPO Assist calculates a GDPR compliance score (out of 100) based on the real state of registers, DPIAs, requests handled on time, breaches notified on time. Client risk scoring recalculates daily. Claude AI analyses your client dossier and produces argued recommendations. Automatic diagnosis of the client OneDrive folder to identify what is missing. Free notes on the client record feed AI for its next recommendations.

Read-only client portal, email MFA authentication

Your client can access their compliance dashboard from any browser (email auth + MFA, no password to remember). They view: their compliance score with chapters and recommendations, their GDPR registers (processing, third parties, rights requests, policies, breaches), meeting notes explicitly shared with them. No input possible client-side: it's read-only for transparency. Admin preview available to check what they see before inviting them.

Whistleblowing compliant with Luxembourg law of 16 May 2023

Separate module accessible to clients required to set up an internal whistleblowing channel (companies 50+ staff, Directive 2019/1937 transposed by Luxembourg law of 16 May 2023). Public reporting page, admin restricted to whistleblowing_access role only, encrypted attachments, legal deadlines automatically tracked (acknowledgement within 7 days, feedback within 3 months). Admin notes with AI translation to French for English/German reports.

Integrated PECB training, 1-click registration

Internal PECB catalogue: ISO 27001 Lead Implementer / Lead Auditor, GDPR, DORA, ISO 42001 (AI management), CAIP (Certified AI Practitioner) — 10 certifying trainings. 1-click registration with motivation. Possibility for the employee to declare an already-obtained certification with proof upload (10 MB max). 3-year career gauge (1 certification per year mandatory). Admin workflow to approve, schedule, mark completed. Verification of uploaded proofs.

Microsoft, OneDrive, Leexi, Claude integrations ready to use

Microsoft Graph: multi-mailbox reading, OneDrive access with automatic per-company mapping, email sending from the platform. OneDrive: client mapping by heuristic + AI, file scanning, folder analysis. Leexi API: full historical sync + incremental cron, deduplication by UUID. Anthropic Claude: Opus models for complex drafts and heavy analyses, Haiku for fast classification and extraction. Real-time token consumption counter for budget tracking. Odoo Enterprise 19 HR employee sync (ongoing).

Use cases

Who it is for, and in what context.

External DPO firms managing dozens of clients in parallel wanting to industrialise their operations (our case at Luxgap).

Internal DPOs at companies with 250+ staff handling daily tickets, requests, breaches who want to automate repetitive tasks to focus on strategic advisory.

Legal departments combining DPO, CISO and regulatory monitoring roles wanting a unified tool rather than 5 separate applications.

Compliance officers in the financial sector who must manage GDPR, CSSF, DORA, NIS 2 simultaneously and have an audit-ready dossier at all times.

CSR and transverse functions hosting the whistleblowing channel compliant with Directive 2019/1937 transposed in Luxembourg on 16 May 2023.

Regulatory compliance

Regulatory coverage and internal security.

  • GDPR: Article 30 and 28 registers, Articles 15-22 data subject requests, Article 33 breaches, Article 35 DPIA, all in the platform with auditable traceability.
  • Luxembourg 1 August 2018 data protection law: CNPD organisation, retention durations, notifications.
  • Directive 2019/1937 and Luxembourg law of 16 May 2023: internal whistleblowing channel with automatically tracked legal deadlines.
  • Internal security: Microsoft SSO + MFA authentication, attachment storage outside webroot, AES-256-GCM encryption of API keys, employee access logging, MIME whitelist, anti path-traversal, full GDPR audit.
  • Luxembourg hosting, daily encrypted backups to OneDrive, configurable retention policy.
  • AI Act 2024/1689: classified AI components (limited risk for most), systematic human oversight before any email send or client decision.
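The upload controls named in the internal security bullet (MIME whitelist, anti path-traversal, attachment storage outside the webroot, 50 MB cap), as an added Python illustration that is not DPO Assist's own code; the magic-byte table, the random file naming scheme and the storage-root layout are assumptions made here.

```python
from __future__ import annotations
import os
import re
import secrets
import tempfile
from pathlib import Path

MAX_BYTES = 50 * 1024 * 1024  # 50 MB attachment limit stated on the page
# Whitelist by content sniffing (magic bytes), never by the client-declared type or extension.
MAGIC = {
    b"%PDF-": "application/pdf",
    b"PK\x03\x04": "application/zip",     # DOCX/XLSX are zip containers
    b"\xd0\xcf\x11\xe0": "application/msword",
}
ALLOWED = set(MAGIC.values())
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sniff_mime(data: bytes) -> str | None:
    return next((mime for magic, mime in MAGIC.items() if data.startswith(magic)), None)


def safe_filename(name: str) -> str:
    """Keep only the last path component and strip traversal and control characters."""
    base = os.path.basename(name.replace("\\", "/"))
    base = UNSAFE_CHARS.sub("_", base).strip("._")
    return base or "attachment"


def store_attachment(name: str, data: bytes, storage_root: Path) -> Path:
    """storage_root is assumed to sit outside the web server's document root."""
    if len(data) > MAX_BYTES:
        raise ValueError("attachment exceeds 50 MB")
    mime = sniff_mime(data)
    if mime not in ALLOWED:
        raise ValueError(f"rejected MIME type {mime!r}")
    root = storage_root.resolve()
    dest = (root / f"{secrets.token_hex(8)}_{safe_filename(name)}").resolve()
    if root not in dest.parents:  # defence in depth: the final path must stay under root
        raise ValueError("path escapes storage root")
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Constructed sample: one traversal-style PDF upload accepted, two uploads rejected."""
    root = Path(tempfile.mkdtemp())
    stored = store_attachment("../../etc/passwd.pdf", b"%PDF-1.7 constructed sample", root)
    results = {"inside_root": root.resolve() in stored.parents, "name": stored.name.split("_", 1)[1]}
    for name, data in [("a.exe", b"MZ\x90\x00"), ("b.pdf", b"%PDF-" + b"x" * MAX_BYTES)]:
        try:
            store_attachment(name, data, root)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results
```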

Architecture · Hosting

Technical stack and data sovereignty.

Stack: PHP 8.3 + Slim 4 + Twig, SQLite (1 file on a persistent volume), Docker image built and pushed automatically by GitHub Actions (GHA), Traefik reverse proxy with Let's Encrypt TLS, Supercronic for in-container cron, Bootstrap 5.3 + Quill editor on the front end. Daily SQLite + file backup to OneDrive at 02:00. Automated cron jobs: every 5 minutes for email/OneDrive/notification sync, hourly for SLAs, 4 times daily for Leexi, daily for delivery metrics and risk scoring.

Luxembourg hosting. No critical dependency on non-European hyperscaler. Compatible with full on-premise installation for Article 41 LSF actors.

FAQ

Frequently asked questions

Difference with the DPO Assistant — GDPR Erasure module?
DPO Assist is the DPO's daily operational desk: tickets, live registers, 72h breaches, data subject requests, meetings, action plan, client portal. The DPO Assistant — Erasure module is specialised: it observes your infrastructure, identifies obsolete data, and executes 2-phase GDPR erasures with cryptographic proofs. The two are complementary: DPO Assist handles daily work, Erasure handles obsolete data purges.
Is it the same platform Luxgap uses for its 200+ mandates?
Yes. We eat our own dog food. It is the tool our team has been using daily since 2023 to manage all external DPO and CISO mandates we operate. Every improvement is first tested at our office before being offered to clients who want to operate it internally. We know what works.
Can we install DPO Assist internally?
Yes. Three models available: (1) Luxgap SaaS hosted at our Luxembourg facility, fast start; (2) Dedicated SaaS with isolated instance and encryption keys specific to your organisation; (3) On-premise on your infrastructure for actors under Article 41 LSF secrecy or strict DORA requirements. Same features in all 3 modes.
Can the AI send an email to my client without validation?
No, never. Every AI pre-drafted reply must go through your human validation before sending. You review, adjust, click Send. This is AI Act compliance Articles 14 (human oversight) and 26 (deployer obligations). Same for any high-stake decision: breach qualification, regulator notification, ticket classification as rights request. The human remains responsible, AI accelerates the work.
Deployment timeline?
In Luxgap SaaS: operational in 1 to 2 weeks (account creation, mailbox configuration, initial OneDrive sync, team training). In dedicated SaaS: 3 to 4 weeks with isolated instance. In on-premise: 6 to 10 weeks depending on infrastructure complexity. Realistic demo on a fictitious client available before any commitment.
How much does it cost?
Pricing by active DPO/CISO user and number of managed clients. For an external DPO firm managing 20 clients with 3 consultants: roughly 1,500 to 3,500 EUR/month on Luxgap SaaS. For an internal corporate DPO (50-500 staff) with 1-2 users: 600 to 1,200 EUR/month. Quote within 24h after scoping.

Try this software on your real data.

POC with no long-term commitment. Tailored quote within one business day.

Build my quote →