Conflicting OpenAI retention answer
Old answer says OpenAI retention is 30 days. Latest vendor review (uploaded 2 May) has no approved retention statement and disagrees with the cached answer.
A fictional B2B SaaS team answers a Northwind Bank AI and Security questionnaire from a canonical evidence library — with missing-proof flags, owner routing, and reusable approved answers.
The buyer sent a mixed AI, security, privacy, and compliance request. Complair turns it into rows with owner, confidence, evidence, missing proof, and review status.
Drafted answers are matched from approved reusable answers. Review counts come from stale, low-confidence, or unapproved answers. Missing evidence means no approved evidence item is mapped. Owner input is based on question category and assigned control owner.
| Question | Status | Confidence | Evidence | Owner | Last reviewed |
|---|---|---|---|---|---|
| Do you use AI to process candidate data? | Drafted | Medium confidence | 2 sources | CTO | 8 May 2026 |
| Do you use automated decision-making in hiring workflows? | Needs review | Medium confidence | 2 sources | Legal | 8 May 2026 |
| Do you disclose AI chatbot usage to customers? | Approved | High confidence | 3 sources | CS Lead | 4 May 2026 |
| Do you maintain a list of AI subprocessors? | Drafted | Medium confidence | 1 source | Legal | 2 May 2026 |
| Do you have a vulnerability disclosure process? | Missing proof | Low confidence | Missing proof | Security | Not reviewed |
| Can you provide a DPIA for AI-assisted CV processing? | Needs review | Medium confidence | 2 sources | Head of Product | 10 May 2026 |
| Do you have human oversight for high-impact AI outputs? | Drafted | Medium confidence | 2 sources | CTO | 28 Apr 2026 |
| Can you provide evidence of model evaluation? | Needs review | Medium confidence | 1 source | CTO | 28 Apr 2026 |
The point is not to draft answers blindly. Complair helps surface stale evidence, unsupported claims, missing owners, and risky answers before they reach the buyer.
DPIA for CV summarization exists, but Legal has not signed off. Export to Northwind Bank is blocked until approved.
Drafted answer claims human oversight on high-impact AI outputs, but no procedure document or training record is mapped.
Answer references a vulnerability disclosure policy, but the linked policy has no public URL. Buyers will check this.
Northwind Bank asks about data location in three different forms across sections 3, 7, and 11. Complair merged them into one canonical answer.
Approved subprocessor list was last reviewed 12 Nov 2025. Review date overdue by 4 months. 3 answers depend on it.
Edit to the GDPR Article 28 subprocessor answer will propagate to 11 buyer responses, 1 trust-center claim, and 2 DPIA drafts. Review before saving.
Customer DPA template was last updated 18 months ago. Legal owner has flagged export until template is refreshed.
Answer to 'How do you handle security incidents?' was last approved 14 Sep 2025. Confidence dropped from High to Medium. Owner needs to confirm or refresh.
| Evidence item | Type | Owner | Status | Mapped systems | Mapped answers | Last reviewed | Next review |
|---|---|---|---|---|---|---|---|
| Internal AI Usage Policy | Policy | Legal Reviewer | Approved | 4 systems | 9 answers | 8 May 2026 | 8 Aug 2026 |
| OpenAI Vendor Review | Vendor doc | Engineering Manager | Approved | 1 system | 5 answers | 2 May 2026 | 2 Aug 2026 |
| Intercom Fin Security Notes | Vendor doc | Customer Success Lead | Approved | 1 system | 4 answers | 4 May 2026 | 4 Aug 2026 |
| DPIA Draft for CV Summarization | Assessment | Head of Product | Needs review | 1 system | 3 answers | 10 May 2026 | 25 Jun 2026 |
| Human Oversight Procedure | Technical doc | CTO | Draft | 1 system | 4 answers | Not reviewed | 18 Jun 2026 |
| Vulnerability Disclosure Policy | Policy | Security | Approved | AcmeHR API | 2 answers | 20 Apr 2026 | 20 Jul 2026 |
| SBOM Upload for AcmeHR API | SBOM | Engineering Manager | Approved | AcmeHR API | 1 CRA record | 12 May 2026 | 12 Jun 2026 |
| Support Escalation Policy | Policy | Customer Success Lead | Approved | 1 system | 3 answers | 20 Apr 2026 | 20 Jul 2026 |
| Model Evaluation Notes | Report | CTO | Needs review | 1 system | 6 answers | 28 Apr 2026 | 18 Jun 2026 |
| System | Risk | Owner | Confidence | Evidence count | Missing proof | Review status |
|---|---|---|---|---|---|---|
| Candidate Ranking Model. Ranks applicants for recruiter review | High-risk candidate | CTO | Medium confidence | 3 sources | 4 missing proof items | Needs legal review |
| CV Summarization using OpenAI. Summarizes candidate CVs for recruiters | Limited / medium review | Head of Product | Medium confidence | 3 sources | 3 missing proof items | Draft |
| Intercom Fin Support Chatbot. Answers customer support questions | Limited-risk chatbot | Customer Success Lead | High confidence | 3 sources | 1 missing proof item | Approved for buyer sharing |
| GitHub Copilot Internal Use. Assists engineers with code suggestions | Minimal / internal productivity | Engineering Manager | High confidence | 3 sources | 1 missing proof item | Approved |
AcmeHR's readiness across every active module — answered, approved, evidence-mapped, non-stale. Mint ≥80, lemon ≥50, coral <50. Top three gaps surface per tile.
PDF + XLSX + README — SBOM coverage, vulnerability posture (incl. KEV), evidence map, honest gap disclosure. Generated on demand from this product's records.
Create or upload a CAIQ-Lite, SIG Lite, GDPR Article 28, AI appendix, or custom buyer request. Complair drafts answers, flags missing proof, and assigns owners for review.
Starter is free forever. Upgrade only when you outgrow the caps.