Frequently Asked Questions
Find answers to common questions about Readmodel®, data security, and GDPR compliance.
General
Readmodel® is a data risk management tool that helps organisations understand where their data lives, who can access it, and what risks exist. It maps data services, users, data items, and transfers — and produces compliance documentation including ROPA exports, risk registers, and AI-powered reports.
Readmodel® is designed for organisations of any size that need to manage data risks and document their data processing activities. It is used by data protection officers, IT managers, compliance teams, and consultants.
No. Readmodel® covers three EU regulations: GDPR (data mapping, ROPA, DPIA, breach notification, DSAR management), NIS2 (business criticality classification, security posture tracking, RTO/RPO documentation, incident reporting), and the EU AI Act (AI system classification, risk assessment, human oversight tracking, AI System Register). Beyond regulation-specific features, Readmodel® helps you understand your data landscape — where data is stored, who accesses it, and what the risks are.
Readmodel® supports three EU regulations:
- GDPR — Data mapping, ROPA exports, legal basis tracking, DPIA documentation, breach notification register, DSAR management, retention periods, and data transfer assessments.
- NIS2 — Business criticality classification, security posture tracking (MFA, encryption, patching), RTO/RPO documentation, backup compliance, NIS2 incident reporting with 24h/72h/1-month deadlines, and supply chain security assessment.
- EU AI Act — AI system classification by usage type, EU AI Act risk level assignment (minimal to unacceptable), human oversight documentation, and an AI System Register integrated into your ROPA.
All three regulations are covered in a single workspace — no separate tools needed.
Yes. You can create a free account with one project and up to five data services. No credit card is required. When you need more projects or features, you can upgrade to a paid plan at any time.
Data & Privacy
Your data is stored on servers within the European Union, with encryption at rest. We do not transfer your data outside the EU. See our Privacy Policy for full details.
When you generate an AI-powered report, your project data is sent to the AI provider (Mistral AI). Project names and user names are anonymised before transmission and de-anonymised in the response. The AI provider does not store your data for training purposes. See our Sub-processor Notice for details.
Yes. You can export all your project data in CSV or JSON format at any time. This includes data items, services, users, transfers, risk registers, ROPA records, and more. A full project export (JSON) is also available for backup or migration purposes.
Yes. You can delete individual projects, data items, services, and other records at any time. Deleting a project permanently removes all associated data. You can also request deletion of your entire account by contacting us.
No. RAID (Redundant Array of Independent Disks) protects against disk failure — if one drive dies, data is preserved. However, RAID does not protect against:
- Ransomware or malware (encrypts all copies simultaneously)
- Accidental deletion (deleted from all copies)
- Fire, flood, or theft (all disks are in the same location)
- Controller failure (can corrupt the entire array)
Always configure proper backup transfers (to a different device, different media type, and offsite location) in addition to RAID. The 3-2-1 backup strategy is a good starting point.
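As an added example (not Readmodel® code), a small Python check that applies the 3-2-1 rule from the answer above to a list of backup copies, collapsing RAID members into a single copy so a mirror alone never passes; the BackupCopy model and the sample copies are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class BackupCopy:
    """One copy of a data set and where it physically lives (hypothetical model)."""
    label: str
    device: str    # host, array or appliance that holds the copy
    media: str     # e.g. "hdd", "tape", "object-storage"
    location: str  # site or region

def check_3_2_1(copies: List[BackupCopy]) -> List[str]:
    """Return the list of 3-2-1 gaps (an empty list means compliant).

    3 copies, on 2 media types, with 1 offsite. Copies on the same device
    (e.g. the disks of one RAID array) collapse into a single copy, because
    ransomware, deletion, fire or a controller fault hits them all at once.
    The first entry is treated as the primary copy."""
    primary = copies[0]
    independent, seen = [], set()
    for c in copies:
        if c.device not in seen:
            seen.add(c.device)
            independent.append(c)
    media_types = {c.media for c in independent}
    offsite = [c for c in independent if c.location != primary.location]
    gaps = []
    if len(independent) < 3:
        gaps.append(f"only {len(independent)} independent copies (need 3)")
    if len(media_types) < 2:
        gaps.append("all copies on one media type (need 2)")
    if not offsite:
        gaps.append("no offsite copy (need 1)")
    return gaps

# Constructed sample: a mirrored RAID pair with no further backup transfers.
RAID_ONLY = [
    BackupCopy("primary", "nas-01", "hdd", "office"),
    BackupCopy("mirror", "nas-01", "hdd", "office"),   # same array, same device
]

# Constructed sample: primary plus a local external drive and an offsite cloud copy.
THREE_TWO_ONE = [
    BackupCopy("primary", "nas-01", "hdd", "office"),
    BackupCopy("usb-weekly", "usb-ext-02", "hdd", "office"),
    BackupCopy("cloud-nightly", "cloud-bucket", "object-storage", "eu-west"),
]

if __name__ == "__main__":
    for name, copies in (("RAID only", RAID_ONLY), ("3-2-1", THREE_TWO_ONE)):
        print(name, "->", check_3_2_1(copies) or "compliant")
```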
Features
Risk scores are calculated automatically based on data classification, legal basis, retention period, authentication method, and data transfers. Each data item receives a score from 0 to 10, and each service receives a score from 0 to 20. The scores are categorised as None, Low, Medium, High, or Critical. See the help section on risk scoring for the full algorithm.
A ROPA (Record of Processing Activities) is a document required by GDPR Article 30 for most organisations. It describes what personal data you process, why, how long you keep it, and who has access. Readmodel® generates a ROPA automatically from the data you have mapped, so you do not have to maintain a separate spreadsheet.
The AI report analyses your entire project — data services, data items, access patterns, transfers, risk scores, backup strategies, and device security — and produces a structured compliance assessment with findings, recommendations, and action items. It is generated in your selected language.
Yes. On the Team and Enterprise plans, you can share projects with team members in your organisation. Shared users can view and edit all project content. The project owner retains control over sharing, renaming, and deleting the project.
Each data user gets a compliance score (0–100) based on five categories: access documentation, device security, authentication strength, access review participation, and data sensitivity handling. The score measures how well the user's access is documented and controlled — not personal behaviour.
Scores appear on the Data Users page, dashboard, and risk register. Suggestions show exactly what to improve. Available on all plans.
GDPR Art. 33 requires organisations to document all personal data breaches — even those that don't require notification to the supervisory authority. Readmodel® provides a built-in breach register where you can:
- Log breaches with discovery date, type, severity, and estimated impact
- Track the 72-hour notification deadline with a live countdown
- Document DPA notification, data subject notification, and DPO involvement
- Link affected services and data items from your data map
- Record root cause, consequences, and remediation measures
The dashboard shows overdue notifications in red. The risk register shows breach history per service. The AI report analyses breach patterns. The breach register is available on all plans because it's a legal obligation, not a premium feature.
GDPR Art. 15–22 gives data subjects the right to access, rectify, erase, restrict, port, and object to the processing of their data. You must respond within 30 days (extendable to 90 for complex requests). Readmodel® provides a DSAR register where you can:
- Log incoming requests with subject name, right type, and channel
- Track the 30-day response deadline with a countdown
- Document identity verification (Art. 12(6))
- Record your response or refusal with reasons
- Link affected services and data items
The dashboard shows pending and overdue requests. Available on all plans.
When you use Legitimate Interests (GDPR Art. 6(1)(f)) as the legal basis for processing a data item, you must document a balancing test that weighs your interest against the impact on the data subject. Readmodel® prompts you to complete a LIA for each data item that uses this legal basis. The assessment covers: the purpose pursued, why processing is necessary, the balancing test, the outcome, and any safeguards applied.
The risk register identifies gaps (e.g. "2 items missing legal basis", "no DPA on file"). Risk treatment plans let you turn those gaps into actionable tasks with an assigned person, target date, and completion status. This closes the loop between "identified" and "mitigated" — which auditors expect to see.
GDPR Art. 39(1)(b) requires the DPO to monitor staff awareness and training. Readmodel® provides a simple log where you can record who was trained, on what topic, when, and when refresher training is due. The dashboard shows overdue training. This is a training log, not a training platform — it tracks that training happened, not the content itself.
Readmodel® is not a full NIS2 tool, but it covers several NIS2 Art. 21 requirements through its existing features: asset management (service and device mapping), access control (user access matrix and reviews), incident handling (breach register with NIS2 24h/72h/1-month reporting fields), business continuity (backup compliance, RTO/RPO), supply chain security (vendor assessment, DPA tracking), and cryptography (encryption-at-rest/in-transit tracking per service). Services can be classified by business criticality, and the risk register flags gaps like missing MFA or patch policies.
Billing & Account
Readmodel® offers four plans, available with monthly or annual billing (save 20% with annual):
- Explore (Free) — 1 project, 5 services, full data mapping & risk scoring, risk register & ROPA export, CSV & JSON export, interactive data flow graph. Watermark on printed reports.
- Grow (€99/month or €79/month yearly) — everything in Explore, plus 3 projects, 20 services, 10 AI reports/month, no watermark, email support.
- Team (€249/month or €199/month yearly) — everything in Grow, plus 10 projects, unlimited services, 5 team members with project sharing, 50 AI reports/month, audit log.
- Enterprise (€499/month or €399/month yearly) — everything in Team, plus 50 projects, 25 team members, 200 AI reports/month, API access, priority email support.
Yes. You can upgrade at any time — the price difference is prorated for the remainder of your billing period. Downgrades take effect at the end of your current billing period, so you keep your current plan features until then.
If you cancel, you keep access to your paid features until the end of your current billing period. After that, your account reverts to the Explore plan. Your data is not deleted — you can still access it within the Explore plan limits, and you can export everything at any time.
For Dutch customers, 21% BTW is applied. For EU business customers with a verified VAT number, reverse charge applies (0% VAT). Non-EU customers are outside the scope of EU VAT. Your VAT number is verified against the EU VIES system during registration.
Your data is never deleted when you downgrade. All existing projects, services, data items, reports, and exports remain fully accessible. You can still view, edit, export, and delete everything. The only restriction is that you cannot create new projects or services beyond your new plan's limits until you reduce your usage.
Your account reverts to the Explore plan. All your data remains intact and accessible. You can continue using Readmodel® with Explore plan limits (1 project, 5 services). To unlock creation again, either reduce your usage to within Explore limits or resubscribe to a paid plan.
Yes, and you can export after downgrading too. Data export is always available regardless of your plan. Use the export buttons on any page, or download a full project export from the Export page.
Security
All connections use HTTPS encryption. Passwords are hashed using bcrypt. Session cookies are set with the Secure and HttpOnly flags and SameSite=Strict. Brute-force protection is enabled on login. Data at rest is encrypted at the database level.
Yes. You can enable TOTP-based two-factor authentication (compatible with Google Authenticator, Authy, and similar apps) from your account settings. Backup codes are provided in case you lose access to your authenticator.
SSO (Single Sign-On) is available on the Enterprise plan. Your administrator configures the IdP (Identity Provider) connection in the admin panel under SSO Configuration. Once configured, users with matching email domains will be redirected to your IdP for authentication. SSO supports SAML 2.0 and works with providers like Azure AD, Okta, Google Workspace, and others.