03 · Compliance & Bookkeeping (Germany)

Verfahrensdokumentation: from a compliance MVP to a white-label SaaS, in two milestones.

Live since 2024, V1 to V2 shipped, V3 in progress. A German process-management consultant hired me solo to build the V1 MVP in 2024, then brought me back for the V2 full-product extension in 2025. V1 shipped the multi-tenant admin platform with the document layer, the role-based access, the merge-PDF download, and the quality-of-life features that made the compliance workflow usable. V2 extended that foundation with Bubble.io sub-apps so partner agencies can offer the product to their own clients under their own brand, a usage-based licence model, PDF Monkey + n8n for proper document generation, an AI integration that writes compliance language from plain answers, webhook orchestration, the IKS module, the Aenderungs-log audit surface, and row-field-level form version comparisons. Same product, same client, two milestones, V3 currently in development. Live at app.verfahrensdokumentation-digital.de.

Built by Anish Gandhi · Timeline 2024 to present, ongoing · Stack Bubble.io · AirDev Canvas · Sub-apps · PDF Monkey · n8n · OpenAI · Stripe
The Verfahrensdokumentation V1 admin portal Analytics dashboard showing User Signups, Total Users, and Active Users counters plus a User Signups by Week chart, the platform-admin surface that operators land on

A German compliance product, built in two milestones

A Verfahrensdokumentation is the process documentation that German SMBs and their tax advisors are required to maintain under GoBD, the Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form sowie zum Datenzugriff (in plain English: the German tax authority’s rules on how digital books, records, and documents must be kept and made available to auditors). GoBD is issued by the BMF (Bundesministerium der Finanzen); the version this product implements came into force on 1 April 2024 with the BMF letter of 11 March 2024. The Verfahrensdokumentation is the document that proves your business follows those rules. The document is not the point. The point is that on the day a Betriebspruefer (German tax auditor) walks in, the documentation matches what the business actually does, every change to a sensitive field has a name and a timestamp next to it (per the Unveränderbarkeit principle), and every form, attachment, and signature is part of a single coherent record. The product this case study describes ships that record as a workflow rather than a one-time PDF.

I came onto the project as a solo senior lead developer in early 2024. The client, a German process-management consultant, had a clear product vision and needed someone who could turn it into a working multi-tenant SaaS on Bubble.io. The V1 MVP shipped that year as the platform’s blue-branded admin portal serving end-client companies directly. In 2025 the same client brought me back for the V2 extension that turned the MVP into a partner-distributable white-label SaaS, with Bubble.io sub-apps that let partner agencies and collaborators offer the product to their own clients under their own brand and their own domain, a usage-based licence model, PDF Monkey, n8n for document merging, an AI integration that helps end users fill in compliance fields from plain-language answers, and the rebranded gold GoBD.ai customer surface with the audit workflow, the Aenderungs-log, and the IKS module. The V3 milestone is in progress in 2026 as the next chapter of the same engagement. The product is live at app.verfahrensdokumentation-digital.de.

Phase One · 2024 · V1 MVP

V1: the multi-tenant admin platform.

The V1 brief was to ship a working MVP of a multi-tenant compliance workflow platform that German SMBs could actually use. Not a questionnaire that produced a PDF; a tenant-aware SaaS where every customer ran their own document workflow against the same shared infrastructure. The V1 surface lives in the blue VD2 admin portal: tenant setup, user and role management, per-form access scoping, email templates, language preferences, audit history. The scope split across these pieces:

  1. Multi-tenant SaaS DB architecture and relation-based UI. Every customer's data isolated by tenant; within a tenant, every form, every field, every audit row tied back to the right company, the right user, and the right document version. The UI reads the schema directly; the relations between Tenant, Company, User, Form, Section, Field, Audit row are what the page-level workflows hang off.
  2. AirDev Canvas framework, with WU optimisation alongside. Canvas gave the time savings on the boring layers (auth, accounts, navigation). The Workload Units optimisation pass (server-side constraints, paginated repeating groups, scheduled workflows scoped to change windows) kept the app under control when Bubble moved its pricing model from capacity to WU.
  3. GoBD compliance as a structural property, with GDPR on top. GoBD's seven principles (Nachvollziehbarkeit, Vollständigkeit, Richtigkeit, zeitgerechte Buchungen, Ordnung, Unveränderbarkeit, and the §§146/146a AO data-access rules) shaped the schema, the audit log, the retention behaviour, and the export surface. GDPR sat on top: lawful basis per processing activity, data minimisation in the form design, right-to-erasure preserving the audit log integrity, processor agreement under Article 28, data-region pinning. Privacy Rules at the data type level so both compliance postures live in the database, not in a UI filter.
  4. CRUD documentation forms. Six form types per Verfahrensdokumentation (Document Storage, Company Data, Tax Data, Incoming Receipts, Outgoing and Internal Receipts, Papierbelege workflows). Each form has its own data shape, its own validation, its own role-permission scope. Same CRUD machinery underneath.
  5. Company-based access mechanism, built on company hierarchy. A parent company sees its children. A child sees only itself. Tax advisors and reviewers cut across the hierarchy with role-scoped permissions. The access matrix lives at the data type level via Privacy Rules; the UI just reflects what the database lets through.
  6. Document download with merge-PDF. V1 used Bubble's native page-to-PDF conversion to render the document for download. A merge step combined the rendered Verfahrensdokumentation with attached source files (uploaded PDFs from the form steps) into a single deliverable file. Mechanically fine for V1; replaced in V2 with a proper PDF generation pipeline.
  7. Comments with @mention for internal communication. Reviewers, owners, and advisors leave comments scoped to specific form sections. @mention pings the right user. Threaded inside the form so context never has to leave the document.
  8. Critical-area identification with smart email throttling. Not every change is worth an email. Critical fields (signers, legal entities, retention policies, IT-environment metadata) trigger immediate notifications to the right roles. Non-critical edits roll up into a daily digest. The throttling logic decides at workflow time whether the user gets a per-change email, a digest entry, or nothing.
The V1 admin portal Current Document Storage Document view listing All Forms (Document Storage, Company Data, Tax Data, Incoming Receipts, Outgoing and Internal Receipts) with per-form status badges and a Download DS Document button

The V1 admin portal showing the Current Document Storage view: every form in the Verfahrensdokumentation listed against one document version, with per-form status badges and a single download path for the merged document.

Multi-tenant SaaS DB architecture and relation-based UI.

The schema choice on a multi-tenant compliance product decides everything that follows. Tenant has Companies. Company has Users. User has Roles, scoped per Company. Company has Verfahrensdokumentation documents. Each document has Form instances. Each Form has Sections. Each Section has Fields. Each Field has a Type, a value, a chain of Audit-log rows.

The relation-based UI follows the schema directly. The forms list is a query over Form instances for the current tenant. The dashboard counters are aggregates over status fields. The audit log is a paginated read over Audit rows joined to Users and Forms. Privacy Rules at the data type level make the tenant boundary structural rather than reliant on UI filters.

This is the work that determines whether the product feels fast at fifty customers or whether it collapses at ten. Three weeks on the schema in V1 saved months of rewrite in V2.

The V1 admin portal Forms list view with Part 1 Admin Rights expanded and a side panel showing Person, Role, and Software detail fields, demonstrating how the schema surfaces directly in the UI

A form expanded inline in the V1 admin portal. The data type, the related entities, and the per-row controls all read directly from the schema. The UI is a thin layer over the database.

AirDev Canvas + Workload Units optimisation.

The client chose AirDev Canvas as the Bubble.io framework before I joined. Canvas ships the auth flow, the user-account structure, the navigation, and a set of design conventions out of the box. For a product that needs to be production-shaped on a deadline, the time it saves on the boring layers is the time you spend on the multi-tenant data model that actually defines the product.

The Workload Units pass came later, as Bubble migrated its pricing from capacity-based plans to metered WU consumption. The same workflow patterns that were comfortable on capacity could become surprisingly expensive on WU. Lazy database reads, ungrounded searches, unbounded scheduled workflows all show up in the WU bill in a way they did not show up in the capacity bill. I audited the application’s hot paths, replaced client-side filters with server-side constraints, swapped “all rows” lists for paginated repeating groups, scoped scheduled workflows to actual change windows, and applied Bubble’s search index where it actually helped. The app was ready for the pricing migration before the migration arrived, with the cost trajectory under control rather than discovered after the bill jumped.

The V1 admin portal Admin Rights form opened full-screen, showing two filled rows (Mike with Asana access, Ronin with Linear access) and a PDF upload area for supporting documentation

The same form opened full-screen for deep editing inside the V1 admin portal. Canvas gave the layout shell; the editable rows, the file upload, and the role-scoped controls are product-specific.

The V1 admin portal Emails screen listing transactional email templates including document storage PDF sent, email verification, new admin and user invites, and password reset, with a Language column and per-template Active toggles

The email-template admin in the V1 portal. One registry, every transactional message in the product driven from it, the smart throttling configured per template.

GoBD compliance, structurally. GDPR on top.

The reason this product exists is GoBD. The seven principles (Nachvollziehbarkeit and Nachprüfbarkeit, Vollständigkeit, Richtigkeit, Zeitgerechte Buchungen, Ordnung, Unveränderbarkeit, and the data-access rules from §§ 146 / 146a AO) are not aspirational; they are the test the product has to pass on the day a Betriebspruefer arrives. The April 2024 GoBD revision was already in force when V1 shipped, so V1 implemented the current rules from day one rather than retrofitting them later.

Each principle shows up as a structural property of the system. Nachvollziehbarkeit and Nachprüfbarkeit live in the audit log: every change to a sensitive field is traceable to a user, a timestamp, and a previous-value / current-value pair. Vollständigkeit lives in the schema: a Verfahrensdokumentation is incomplete until every required form is filled and every required attachment uploaded, and the dashboard enforces that visibly. Unveränderbarkeit lives in the change-tracking machinery: once a field is written, the prior value cannot be silently overwritten, it is preserved in the audit log and the new value is its own row. Zeitgerechte Buchungen lives in the workflow trigger order, with the timestamp on the record being the actual moment the user committed, not a backdated edit. The data-access rules live in the export surface: the system can produce a Z3-readable machine-readable export of the underlying data on demand, scoped to the auditor’s request.

GDPR sits on top of all of this. Lawful basis per processing activity, declared in the data model so deletion or anonymisation can be applied per activity rather than per record. Data minimisation in the form design: every field justified against what GoBD actually requires, no nice-to-have personal data sneaking into a compliance form. Right-to-erasure that preserves the audit log integrity (the deletion writes a tombstone with the timestamp, the actor scrubbed but the value-change retained, so the GoBD Unveränderbarkeit posture survives the GDPR-mandated deletion). Processor agreement under Article 28, data-region pinning for EU-hosted Bubble infrastructure.

Under both regulations sit Privacy Rules at the data type level, scoped to tenant and role. The compliance posture lives in the database, not in a UI filter. The 10-year retention period mandated by §147 AO and HGB §257 is enforced at the schema level as well: a record cannot be deleted before its retention window closes, even by a tenant administrator.

The V1 admin portal User Rights Comparison screen with two timestamps and an accordion of Parts 1 through 5, showing what changed between two versions of a user's access permissions

The User Rights Comparison surface in the V1 portal. Permission changes are themselves versioned and diffable, so an auditor can see exactly what access a user had at a given time, per the Nachvollziehbarkeit principle.

The V1 admin portal Account Settings Preferences panel with the Preferred language dropdown open, showing English (US) selected with a checkmark and German as the second option, with a Save changes button

Bilingual by construction. Every screen, every email template, every generated document renders in English or German from the same content store. The language is a per-user preference scoped per tenant.

CRUD documentation forms and company-hierarchy access.

The CRUD layer is the surface customers spend the most time in. Six form types per Verfahrensdokumentation, each with its own field schema, its own validation, its own role-permission scope. Same machinery underneath: every form reads its definition from the database, every save writes through a workflow that respects the Privacy Rules.

Company-hierarchy access is where the multi-tenant model meets the customer’s organisational structure. A parent company sees the documents of its children. A child sees only its own. Tax advisors and external reviewers cut across the hierarchy with role-scoped permissions: an advisor might have read-mode access on every child of a parent but edit rights on none. The hierarchy is a data type. The access decisions are Privacy Rules joined to the hierarchy at read time. Adding a new child company is a data row, not a code change.

V1 admin portal per-form access management modal labeled Manage Document Storage Access with a user search autocomplete suggesting the German name Nadine Rauss, overlaid on the Access tab showing all forms with their per-form access controls

Per-form access management in the V1 portal. Access is scoped per form, not per app. A tenant admin can hold rights on Document Storage without ever seeing the IKS module, and vice versa.

V1 admin portal Add user modal on a tenant called One Plus with a Role dropdown set to Standard or Manager, first name and last name fields, and an email field, sitting over the company's user list

Each tenant (an end-client company) manages its own users and roles inside the V1 portal. The Standard / Manager role choice scopes which forms and actions the new user can reach across the company hierarchy.

V1 admin portal Tenant Account Settings page showing the Company Profile tab with company name, avatar, and email fields, plus sidebar tabs for Preferences, Account, Payments, and Notifications

Per-tenant company profile in the V1 portal. Branding, billing, notification preferences all live in one place per end-client tenant, the foundation V2’s sub-apps would later wrap at the partner layer.

Quality of life: @mention comments and smart email throttling.

A compliance workflow lives or dies on the seams. The headline features (the schema, the forms, the access control) are necessary but not sufficient. What separates a compliance product reviewers actually use from one they tolerate is the set of quality-of-life features around the edges. V1 shipped two of them; the audit log and the in-app walkthroughs came later, in V2.

Comments with @mention scoped to form sections. The mention triggers a notification to the named user; the comment thread lives inside the form so the context never has to leave the document. The same workflow that writes the comment fires the notification, so collaborators are surfaced to each other inside the work, not in a separate Slack channel.

Critical-area identification with smart email throttling: not every change is worth a notification. Critical fields (signers, legal entities, retention policies, IT-environment metadata) trigger immediate emails to the right roles. Non-critical edits roll up into a daily digest. The decision happens at workflow time, scoped per field, so the user does not get a per-keystroke spam stream. The email templates that carry those notifications live in the V1 admin portal’s Emails registry, with per-template language and active-state toggles.

Phase Two · 2025 · V2 full product

V2: from MVP to white-label SaaS, plus the IKS module.

The V2 brief was to take the V1 MVP and turn it into a partner-distributable white-label SaaS, with the IKS module as the headline functional addition and the gold GoBD.ai customer-facing surface as the new visual identity. IKS is the Internes Kontrollsystem (Internal Control System), the companion artifact GoBD expects alongside the Verfahrensdokumentation. Where the Verfahrensdokumentation documents what the business does with its records, the IKS documents how the business controls and verifies those processes. A complete GoBD compliance posture needs both. V1 shipped the Verfahrensdokumentation administration; V2 added the IKS module so the same product serves the full compliance picture. The product topology also expanded: V1 served end-client companies directly as tenants in one shared admin portal; V2 added a partner layer above that, so a process-consulting firm or a Steuerberater (tax advisor) practice can resell the product under their own brand to their own clients, each on their own Bubble sub-app, each with their own multi-tenant pool of end-client companies underneath.

  1. White-labelling via Bubble.io sub-apps, for partners. Each partner agency or reseller gets their own Bubble sub-app with their own database, their own users, their own domain, and their own brand. The partner's end clients sign up inside the partner's sub-app, not the parent app, and never see the platform vendor's brand. The editor design, the workflows, and the data type schemas are pushed from the parent app, so a product feature ships once and lands across every partner's instance. The complexity is the parent-child sync discipline, the per-partner domain DNS, the data-driven branding layer that survives parent pushes, and the per-sub-app API keys a parent push resets.
  2. Partner licence model. Partners take a recurring licence to operate their own branded instance of the platform. The partner runs the day-to-day customer relationship with their own clients under their own brand; the platform vendor licenses the product, ships the upgrades, and handles the underlying infrastructure. Partner pricing is set at the licence level (not metered per end-client action), so partners can build a predictable margin into the rate they charge their own customers.
  3. PDF Monkey for properly designed document generation. V1 used Bubble's native page-to-PDF for the document download. V2 replaced that with PDF Monkey, a templated PDF generation service. The output is a designed compliance document with consistent typography, page breaks, headers, footers, and table layouts that the page-to-PDF approach could not reach. The Bubble.io app sends the structured form data; PDF Monkey returns a rendered PDF.
  4. n8n for merging the generated PDF with attached source files. A complete Verfahrensdokumentation download is the rendered document plus every supporting attachment uploaded against the forms. PDF Monkey gives the rendered document; n8n orchestrates the merge: it picks up the PDF Monkey output, pulls the attachments from Bubble, runs the merge, and posts the single deliverable PDF back into Bubble for download. The whole pipeline runs server-side without the user waiting on a long Bubble workflow.
  5. AI integration: plain answers to compliance language. The hardest part of filling in a compliance form is the language. A small-business owner knows what they do; they do not know how to phrase it in compliance-officer-speak. The AI integration lets a user answer a simple plain-language question and writes the compliance-specific answer into the form for them. The user reviews and edits before saving; the AI is a first-draft assistant, not an autonomous filler.
  6. Webhook setup for inbound and outbound events. PDF Monkey, n8n, Stripe (for usage billing), and the white-label sub-apps all communicate with the parent app through webhooks. The receiver workflows validate signatures, dispatch to the right handler based on event type, and write status rows for observability.
  7. Compliance form version comparisons, on a row-and-field basis. When a form is in Korrektur Modus, every field renders as a previous-value / current-value pair with red highlighting on the change. The diff is computed per row of every repeating section, not per form as a whole, so a reviewer can accept or reject changes at the granularity they were made.
  8. The Aenderungs-log audit surface. Every edit to a sensitive field across every form lands in a paginated log with the previous value, the current value, the user, and the timestamp. The log is also the substrate the right-to-erasure workflow has to preserve through GDPR-mandated deletions: rows are written with the actor identifier scrubbed but the value-change retained, so the audit trail does not become unverifiable. V1 built the schema for this; V2 built the surface that makes it useful.
  9. In-app YouTube walkthroughs alongside the forms. Embedded video walkthroughs live next to the forms they explain on the customer-facing surface. A new reviewer joining a customer team can learn the workflow without a separate training call. The walkthroughs are scoped per form so the relevant context is one click away from the work itself.
  10. The IKS module, the second GoBD artifact. Internes Kontrollsystem forms (IKS Firmendaten, IKS IT Umgebung, IKS Eingangsbelege, and others) added alongside the Verfahrensdokumentation forms in the customer-facing GoBD.ai surface. Same multi-tenant schema, same role-based access, new audit log surface above, new form definitions and new audit-mode workflow on top.
  11. Role-based access mechanism, extended for multi-company hierarchy. V1 had role-based access for a single-company tenant. V2 extended it to the multi-company hierarchy that a holding or a multi-entity group needs: an advisor can have Audit-mode rights on every child of a parent, an Anpassen scope limited to one child, and a Korrektur scope across two. The access matrix lives at the data type via Privacy Rules joined to the hierarchy.

White-labelling via Bubble.io sub-apps, for the partner channel.

The partner channel was the headline V2 work. Those partners (process-consulting firms, Steuerberater practices, compliance agencies) needed to resell the platform under their own brand to their own clients. A Bubble.io sub-app is the right primitive for that: a separate app instance spawned from a parent app, with its own database, its own users, its own Privacy Rules, its own media uploads, and its own custom domain. Each partner gets one sub-app. The partner’s clients sign up and work inside that sub-app, on the partner’s domain, under the partner’s branding, never touching the parent.

The editor design, the workflows, and the data type schemas are pushed from parent to child on every release, so the product logic stays in one place while every partner’s instance gets its own client-facing surface. A new feature ships once at the parent and lands across every partner. A schema change at the parent propagates to every child. The partner-specific layer (logo, colours, copy, feature flags, billing posture) lives as data inside each sub-app’s own database, so a parent push does not overwrite the partner’s brand.

The complexity is rarely in the sub-app creation itself; it is in living with sub-apps over time. The parent-child sync discipline (what gets pushed, what stays in the child, what survives a push, what gets overwritten). The per-partner domain DNS (each partner points their custom domain at the child via CNAME, with Bubble’s domain configuration done in the parent). The data-driven branding layer (so a parent-push does not wipe each partner’s customisation). The per-sub-app API keys (the API Connector’s private keys are part of the pushed configuration, with no per-sub-app override, so any sub-app that needs its own keys has them overwritten on every parent push and they have to be re-entered by hand).

The deep dive on this lives on the writing side of the site at How to use sub-apps in Bubble for white-label apps. The short version: sub-apps are the right answer for a partner-channel white-label on Bubble.io if you are willing to design for the parent-child sync model from day one.

The V2 GoBD.ai customer-facing Welcome dashboard with Status der Formulare counters showing forms in Korrektur and Überprüfen und Anpassen, an Audit Modus section with three forms (Steuerliche Daten, Benutzerrechte, IT Umgebung), and a Genehmigt section with approved form cards

The V2 GoBD.ai client-facing dashboard mid-audit. The gold rebrand carries the new end-user surface; the per-partner sub-app means each partner’s clients see this dashboard at the partner’s own domain under the partner’s brand.

The V2 GoBD.ai Welcome dashboard in its initial state, showing 1st Version 1 with Einige Formulare noch offen and six form cards (Firmendaten, Steuerliche Daten, Eingehende Belege, Ausgehende und interne Belege, Papiervernichtung, Hardware und Software) all in Bearbeitung with Zugriffserlaubnis avatar stacks

The same dashboard on first open in a partner’s sub-app, before any audit cycle has started. Each partner agency hosts their own client pool inside their sub-app; the parent never touches the partner’s data.

The V2 IKS Firmendaten form with an Allgemeine Daten und verbundene Unternehmen modal open showing related companies (two entries with Unternehmen, Gewinnermittlungsart, and Umsatzversteuerung fields) and a Hinzufügen button for adding more

The multi-company modal inside an IKS form. A Verfahrensdokumentation for a holding or a multi-entity group links children into one document, the V2-extended hierarchy that sub-apps and tenant-level access both build on.

The partner licence model.

V1 served end-client companies directly on a flat per-instance licence. V2 added the partner layer: a partner agency or a Steuerberater practice takes a recurring licence to operate their own branded instance of the platform (their own Bubble sub-app), and serves their own clients inside that instance.

The partner runs the day-to-day customer relationship under their own brand. The platform vendor licenses the product to the partner, ships the upgrades to every partner’s sub-app through the parent push mechanism, and handles the underlying infrastructure that all partners share. Partner pricing is set at the licence level (a recurring rate to operate the instance, not metered per end-client action), so partners can build a predictable margin into the rate they charge their own customers without watching a usage counter.

The engineering shape this asks for is mostly the partner-onboarding workflow (spin up the sub-app, configure the partner’s domain, seed the branding layer, set up the partner’s first admin user) plus the parent-side licence record that gates partner access and binds the recurring billing. The rest of the partner’s experience is the same product the parent ships, wearing the partner’s brand on the partner’s domain.

The V2 GoBD.ai Welcome dashboard mid-audit cycle, with 1st Version 1, audit started 2 days ago, Status der Formulare counters showing audit progress, and three form cards (Firmendaten, Eingehende Belege, Papiervernichtung) in different audit states

The client-facing dashboard partway through an audit cycle, inside a partner’s sub-app. Every state transition (Korrektur start, Anpassen accept, Genehmigt commit) is logged in the Aenderungs-log and reflected in the dashboard’s status counters.

The V2 customer-facing forms inventory with a YouTube video walkthrough modal labeled 1 Arbeitsbereich Formulare open over the form list, showing how a new reviewer learns the workflow inside the app without leaving for a separate training

The V2 forms inventory with the in-app YouTube walkthrough modal open. End-user onboarding inside the partner’s sub-app, so a new reviewer learns the workflow without leaving the work.

PDF Monkey + n8n + AI: the document pipeline.

V1 generated the downloadable Verfahrensdokumentation through Bubble.io’s native page-to-PDF conversion. It worked. It did not produce the kind of designed compliance document that customers wanted to hand to an auditor. V2 replaced the entire pipeline.

PDF Monkey took over document rendering. The Bubble.io app sends the structured form data; PDF Monkey returns a properly typeset PDF with consistent headers, footers, table layouts, page breaks, and typography. The template lives in PDF Monkey; the data lives in Bubble; the boundary between them is a single API call.

n8n took over document assembly. A complete Verfahrensdokumentation download is the rendered PDF Monkey document plus every supporting attachment the customer uploaded against the forms. n8n picks up the PDF Monkey output, pulls the attachments from Bubble through the API, merges the files, and posts the single deliverable PDF back into Bubble for download. The merge runs server-side; the user does not wait on a long Bubble workflow.

The AI integration is the surface that turned filling in a compliance form from a chore into a guided conversation. A small-business owner knows what they do; they do not know how to phrase it in compliance-officer-language. The AI integration accepts a plain-language answer to a simple question and writes the compliance-specific paragraph into the form. The user reviews and edits before saving; the AI is a first-draft assistant for the field’s natural-language paragraphs, not an autonomous filler of structured data.

The V2 Firmendaten form filled in with company master data fields including Firmenname, Firmenadresse, Unterzeichner, and a Verbundene Unternehmen oder Tochterunternehmen section with related-company entries and a PDF upload area for supporting documentation

Firmendaten, the company master-data form in the V2 customer surface. Fields tied to the schema, attachments uploaded against the form, AI-assisted plain-language drafting for the long-form fields, PDF Monkey rendering for the final document.

The V2 Aenderungs-log change log view for Steuerliche Daten, showing rows of edits with Vorheriger Eintrag and Aktueller Eintrag columns, file attachment indicators, per-row user and timestamp metadata, and pagination controls

The audit log for one form in the V2 customer surface. Every sensitive-field edit lands here with a previous-value / current-value pair, the user, and the timestamp. The rendered PDF Monkey document carries this history forward; n8n merges any attached source files into a single deliverable PDF.

Webhooks, row-field version comparisons, and the IKS audit workflow.

The webhook layer is what holds the V2 architecture together. PDF Monkey posts back when a render completes. n8n posts back when a merge completes. Stripe posts the usage events that drive the licence calculation. Each white-label sub-app exchanges events with the parent through signed webhooks. Every receiver workflow validates the signature first, dispatches by event type second, and writes a status row for observability third. The pattern is the same across providers; the validation is what makes the receivers safe.

The row-field-level form version comparison is the visible surface of the change-tracking machinery. Korrektur Modus renders every field as a Vorheriger Wert / Aktueller Wert pair with red highlighting on the change. Repeating sections diff per row, not per form, so an auditor can accept or reject changes at the granularity they were made. The data model behind this is a change-set table joined to the form record, with the per-field history assembled at read time.

The IKS forms (IKS Firmendaten, IKS IT Umgebung, IKS Eingangsbelege, and the rest) plug into the same Korrektur / Audit / Anpassen workflow the Verfahrensdokumentation forms already used in V1’s schema. The audit mode lets a Steuerberater review each section, the Korrektur mode lets the owner propose changes, the diff surface shows both sides, and acceptance flows the change into the audit log on transition. The IKS module did not need a new workflow engine; it needed new form definitions and the IKS forms to plug into the existing one.

The V2 IKS Firmendaten form in Korrektur Modus showing the Standorte section with Vorheriger Wert and Aktueller Wert columns side by side, red-bordered diff cards on file uploads, and reviewer accept-reject controls per row

Inside a flagged IKS form, every field renders as a previous-value / current-value diff per row. The red borders show what the reviewer flagged; the reviewer accepts or rejects per row, not per form.

The V2 IKS Eingangsbelege Korrektur form showing per-field propose-a-change controls with Vorheriger Wert and Aktueller Wert columns, a red-highlighted Transport von Papierbelegen field where the auditor flagged a change, and a Korrektur Modus Kommentare des Auditors section at the bottom

IKS Eingangsbelege in Korrektur Modus. Every field is a proposed change against the live record, the auditor comments thread underneath, the accepted changes land in the audit log on transition.

The V2 IKS IT Umgebung form opened in Audit mode showing a Datenschutzfrage section with Vorheriger Wert and Aktueller Wert text-area columns side by side, reviewer comment fields, and Korrektur Modus controls for the auditor

The IT Umgebung IKS form in Audit mode. Long-form fields diff just like the structured ones; auditor comments attach per field for the next round of Korrektur.

What changed

Engagement Ongoing 2024 to present, V1 → V2 → V3
Role Solo lead senior lead dev, both milestones
Status Live app.verfahrensdokumentation-digital.de

The product is live and serving German SMBs and their tax advisors through both the direct channel and partner agencies. V1 shipped the blue-branded multi-tenant admin platform with the schema, the role-based access, and the quality-of-life features that made the workflow usable. V2 added the gold-branded GoBD.ai client-facing surface with the IKS module, the Aenderungs-log audit log, in-app walkthroughs, partner-channel Bubble.io sub-apps so process-consulting firms and Steuerberater practices can resell the product under their own brand, a PDF Monkey + n8n document pipeline, an AI integration that writes compliance language from plain-language inputs, webhook orchestration across the toolchain, and row-field-level form version comparisons. The V3 milestone is currently in development in 2026 as the next chapter of the same engagement, with me continuing as the lead developer.

The pattern of the engagement is the part I would do again. Take the MVP scope seriously enough that the schema can carry the next milestone. Carry the same product through V1, V2, and V3 as the same Bubble.io app rather than a rewrite. Let the trust compound over a long-arc client relationship rather than chasing the next short engagement.