Privacy, security, and third-party risk teams are familiar with the traditional review process, which often involves interviewing business users, working with vendors, or building new products. This can mean scheduling calls or asking for responses through lengthy questionnaires. Typically, findings are then documented in spreadsheets or documents, which can be hard to organize and review at scale.
With TerraTrue, this entire review process is streamlined into what we call a Launch. A Launch is the building block of TerraTrue. It brings together the intake process, the review process, and any needed remediation steps, all in one organized place. As you gather structured information in a Launch, TerraTrue automatically pushes it to reporting tools, giving you a real-time, dynamic view of your organization’s activities, always up to date and easy to track.
Launches are ideal for documenting and reviewing any initiative that may pose some kind of privacy or security risk to the business, such as:
- A new product feature
- A substantial change to an existing feature
- A prospective vendor (“third-party”) or service provider going through evaluation
- An HR initiative using employee data
- A marketing campaign that uses personal data
What does a launch consist of?
Out of the box, a standard TerraTrue launch contains 3 sections:
- Intake: Intake is typically completed by a business user that captures the details of the initiative, campaign, or feature. This may include:
  - One or more Launch Summary Workflows (Screeners): A custom set of questions that an organization may enable to capture additional information about the launch as a first step of the intake.
  - A Data Spec: A flexible set of questions that susses out what data is being used, whose data it is, where they’re located, and why it’s being used. It will also ask if any third parties are accessing this data.
- Review: Review is typically completed by a reviewer (privacy, security, or third party expert) that captures the risk balancing. This may include:
  - A Privacy Worksheet: A dynamic worksheet that will change depending on the applicable regions, and guide privacy teams through a review of what was collected in the Data Spec. TerraTrue’s built-in modules for GDPR, CPRA, and more will flag region-specific concerns. Privacy Worksheets will also determine if a DPIA or LIA is needed, then guide you through the process of completing one directly inside the worksheet.
  - One or more Assessments: Assessments such as DPIA, LIA, TIA, and AI Conformity can be added directly to a launch and may be triggered through various custom actions on workflows and the privacy worksheet. These assessments are linked to the ROPA.
  - One or more Launch Summary Workflows: A custom set of questions that adds more review processes and documents concerns about the launch. Launch summary workflows can be enabled by the organization on every launch or can be added manually to a single launch.
- Third Party Invitations: Third party invitations link third party assessment responses to a launch so that it is easy to organize third party responses to a review. This may include:
  - A Third Party Assessment Invitation: Third party assessment invitations are third party assessment workflows (questionnaires) that are sent over to a third party. Points of contact at these third party vendors typically fill out the responses on the invitation, and the responses may be viewed and commented on.
Launch Analytics
The Data Spec and the Privacy Worksheet combined result in a record, which gets added to your Record of Processing Activities and flows down to your reporting hub (Privacy Central) where you can easily see how data is being used across your organization.
Who is supposed to create a launch?
TerraTrue is typically designed to work with your business users, and make it easy for them to create a launch anytime they need to flag something for a review. Your organization may create an integration with a third party such as Rally, GitHub, Slack, Jira, or Ironclad to automatically create a launch with a customized event, or designate business users to create a launch within the TerraTrue app. Launches may also be created through the external APIs, to build a custom integration into a business system.
Once the launch is created, business users may be designated to complete the Screener and/or a Data Spec so that reviewers have the details of what data they're using and how, or can review the details of prospective third party requests. Reviewers are then notified to begin their review by completing a Privacy Worksheet, Assessments, or any Launch Summary Workflow, and to add any findings or feedback to the launch for the business user to act on. This is a collaborative process between reviewers and business users.
Launch creation can be even more streamlined when leveraging one of our integrations, such as Jira or Ironclad.
However, some review teams may prefer to own the end-to-end launch creation flow if their cross-functional partners aren’t ready to work with them in this way. Your Customer Success Manager will work with you to determine how TerraTrue can best adapt to your organization’s current processes and culture.
---------------
That’s it for the introduction to TerraTrue! There’s much more to cover, such as:
- How to build your intake process to collect the information you need
- How to use launch types to organize your launches
- How to configure your review teams
- How to send third party assessments
- How to assign tasks and remediation requests
But first, we’re going to dive deeper into what’s under the hood at TerraTrue, and that is your TerraTrue Taxonomy.