complair.
Buyer request workspace

Turn every buyer questionnaire into reusable answers.

Create or upload CAIQ-Lite, SIG Lite, GDPR Article 28, AI, security, or custom buyer requests. Complair drafts answers from your approved evidence library, flags gaps, assigns owners, and exports review-ready response packets.

  • Draft answers from approved evidence, not scattered Slack threads.
  • Flag missing proof, missing owners, and risky answers before sharing.
  • Reuse approved responses across future buyers, audits, and trust-center pages.

EU-hosted workspace for B2B SaaS teams handling AI, security, GDPR, and CRA evidence.

Northwind Bank

AI and Security Due Diligence

Needs review

  • 43 answers drafted from existing evidence
  • 12 require review
  • 7 missing evidence
  • 3 need CTO input

  • Do you use AI to make hiring decisions? Needs review · Medium confidence · 2 sources · CTO
  • Do you disclose chatbot use to users? Approved · High confidence · 3 sources · CS Lead
  • Do you maintain a vulnerability disclosure process? Missing proof · Low confidence · 0 sources · Security

Estimated completion: 45 minutes

The blocked-deal problem

Buyer questionnaires should not restart from zero every time.

Enterprise buyers ask for the same proof in different formats: AI usage, subprocessors, GDPR Article 28 answers, security controls, model governance, incident handling, and product documentation. Most SaaS teams answer from old spreadsheets, Slack messages, policies, and half-remembered vendor docs.

  • Answers are scattered

    Security, AI, privacy, and product answers live across spreadsheets, docs, emails, and individual teammates.

  • Evidence is hard to prove

    Polished answers aren't enough. Buyers increasingly ask for policies, screenshots, reviews, subprocessors, and source evidence.

  • Every deal creates rework

    Teams repeat the same questionnaire work instead of maintaining a reusable, approved answer library.

  • Risky answers slip through

    Without owners, review dates, and missing-proof flags, teams send answers that may be outdated or unsupported.

Before and after

Before Complair, every questionnaire starts from scratch.

Before

  • Old spreadsheets
  • Repeated answers
  • No source evidence
  • Unclear owner
  • Risky stale claims
  • Slow procurement response

After

  • Reusable answer library
  • Source-linked evidence
  • Owner approval
  • Confidence and missing-proof flags
  • Review dates
  • Exportable response packet

Product flow

From buyer request to approved response packet.

Seven steps from "a buyer just sent us a questionnaire" to "approved response packet exported."

1. Start a buyer request
Create a request manually or upload a source file.
2. Map questions to canonical answers
Match buyer questions to your reusable evidence library.
3. Identify gaps and missing proof
Missing answers become tasks. Unsupported claims get flagged.
4. Assign owners
Route AI, security, privacy, legal, and product questions.
5. Attach evidence
Link answers to policies, vendor docs, controls, system records.
6. Approve answers
Track confidence, owner approval, last reviewed date.
7. Export and reuse
Export review-ready response packets and reuse across future buyers.
Canonical evidence library

One evidence library. Many buyer requests.

Complair's core object is not a questionnaire. It is reusable evidence: approved answers, policies, system records, controls, subprocessors, vendor documents, and review notes mapped to every place they are used.

Built for review, not blind automation.

When evidence changes or expires, Complair shows every answer, document, system, and trust-center claim that needs review.

Reusable source

OpenAI Vendor Review

Approved · Last reviewed 2 May 2026 · Review due 2 Aug 2026

5 buyer answers
1 AI system
2 controls
1 DPIA draft
1 trust claim
Impact map
Buyer request inbox

Know exactly what is ready, risky, and missing.

  • 43 answers drafted from existing evidence
  • 12 require review
  • 7 missing evidence
  • 3 need CTO input
  • 45 min estimated completion

Question | Status | Evidence | Owner
Do you use AI to make hiring decisions? | Needs review | 2 sources | CTO
Do you disclose chatbot use to users? | Approved | 3 sources | CS Lead
Do you maintain a vulnerability disclosure process? | Missing proof | 0 sources | Security
Do you use subprocessors for AI features? | Drafted | 1 source | Legal

Outputs

Produce the proof buyers ask for.

Generate review-ready outputs from your approved evidence library: buyer questionnaire exports, AI inventory reports, risk classification memos, DPIA drafts, Annex IV technical documentation, CRA vulnerability reports, and trust center pages. Every draft stays source-linked, owner-tracked, and approval-aware.

Risk classification memo

Risk tier, rationale, obligations, reviewer, confidence, and source evidence.

DPIA draft

Privacy risk assessment draft with source-linked inputs and human review flags.

Annex IV draft

Technical documentation draft generated from inventory, controls, and evidence.

CRA Evidence Pack

Buyer-facing PDF + XLSX + README per product: SBOM coverage, KEV posture, evidence, honest gaps.

Trust center page

Publish approved answers, policies, controls, and evidence summaries for buyers.

Readiness dashboard

Daily mint / lemon / coral scores across AI Act, GDPR, NIS2, CRA, and vendors with top-3 gaps.

Cross-module visibility

One readiness view. One buyer-ready evidence pack.

Beyond per-questionnaire exports, Complair surfaces a daily readiness score across AI Act, GDPR, NIS2, CRA, and vendors — and bundles a buyer-facing CRA Evidence Pack (PDF + XLSX + README) on demand.

Buyer-facing

CRA Evidence Pack

Generate a customer-ready bundle for a product: cover PDF, SBOM table, evidence map, vulnerability posture (incl. KEV), and XLSX data — plus a README explaining gaps. Honest gap detection on stale SBOMs (≥90 days), under-investigation vulnerabilities, and missing classifications.

PDF cover · SBOM + evidence · KEV posture · Honest gaps

Daily snapshot

Cross-module Readiness Dashboard

One tile per active module (AI Act, GDPR, NIS2, CRA, Vendors) with mint / lemon / coral bands and the top three gaps. Universal signals (answered, approved, evidence-mapped, non-stale) plus per-module signals (vendor requirements resolved, SBOM coverage, AI Act training, ROPA + DSR).

≥80 mint · ≥50 lemon · <50 coral · Top 3 gaps

Cyber Resilience Act

Also preparing for the Cyber Resilience Act?

For software teams shipping products with digital elements into the EU. Product records, SBOM intake, vulnerability evidence, incident clocks, technical documentation, ENISA-style reporting drafts, and a buyer-facing CRA Evidence Pack.

Regulatory timeline

Compliance timelines are moving. Your evidence should not be.

Complair helps your team keep answers, owners, evidence, and review status ready as AI Act, GDPR, and CRA obligations evolve.

AI Act prohibited practices

in force
In force since February 2025

Certain prohibited AI practices and AI literacy obligations started applying.

GPAI obligations

in force
In force since August 2025

General-purpose AI model obligations started phasing in.

AI transparency obligations

monitor
Expected around August/December 2026

Transparency duties continue phasing in, subject to final implementation details.

CRA incident and vulnerability reporting

upcoming
11 September 2026

Reporting obligations for actively exploited vulnerabilities and severe incidents begin.

AI Act stand-alone high-risk systems

monitor
2 December 2027

Target date under the AI omnibus political agreement; final adoption/status should be monitored.

CRA full applicability

upcoming
11 December 2027

Main Cyber Resilience Act obligations apply.

AI Act embedded high-risk systems

monitor
2 August 2028

Target date for high-risk AI systems embedded in regulated products.

Got a buyer questionnaire sitting in your inbox? Start there.

Create the request, map reusable answers, flag missing proof, and send a review-ready response packet.