A
Access group
Access Groups are groups of TerraTrue users who have been granted access to one or more Products. When a TerraTrue admin assigns a Product to an Access Group, only members of that group will have access to that Product. Users who belong to an Access Group can always view every Product assigned to that group, and can view the summary information — like titles, descriptions, timelines, links, and comments — for each Launch associated with that Product. More advanced privileges — like editing, creating, or deleting Products, Launches, Privacy Worksheets, and Data Specs — will still be determined by each user’s role.
API user
An API User is not a human user, but is an identity that describes a form of access given to a program by TerraTrue's API. An API User cannot log into TerraTrue, but is given an API token that allows it to access certain specific, pre-defined information in TerraTrue. This access is what makes our integrations possible, and can help you automate and streamline certain functions in TerraTrue. Admins can view and manage API Users in Org Settings > API Users.
C
Cloud monitoring
TerraTrue’s cloud-monitoring feature regularly scans your cloud infrastructure inGoogle Cloud Platform and Amazon Web Services and will automatically create Launches when a change is detected.
Component
Components are groups of Launches that share common functionality or purpose. Components are defined by an admin in your org, and are a very flexible way of organizing Launches within TerraTrue.
CPA
The Colorado Privacy Act is a comprehensive data-privacy law that applies to legal entities conducting business or delivering products or services to Colorado residents. The CPA went into effect on July 1, 2023.
CPRA
The California Privacy Rights Act of 2020, or CPRA, is a consumer-privacy law passed as a ballot proposition by California voters on November 3, 2020. The CPRA took effect on January 1, 2023 and expanded on the rights and regulations specified in 2018’s California Consumer Privacy Act, or CCPA.
CTDPA
The Connecticut Data Privacy Act is a comprehensive data-privacy law that applies to legal entities conducting business or delivering products or services to Connecticut residents. The CTDPA went into on July 1, 2023.
Custom action
Custom actions are a feature of workflows that allow you to automate actions in TerraTrue based on Launch details or workflow responses. Custom actions can be configured in the workflow builder, and are a powerful way to streamline your privacy reviews. TerraTrue customers use custom actions for a huge range of automations — like automatically marking a Data Spec as not needed, marking a review team as required or not required, determining if additional reviews are needed, adding a launch summary workflow to the launch, or even screening new Launches directly from Jira.
D
Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment, or DPIA, is a process designed to help you identify, analyze, and minimize risks related to processing personal data. A DPIA is typically required when the processing activity has the potential to pose a high risk, which can vary region-by-region.
Data Spec
The Data Spec is a five-minute workflow that helps PMs, engineers, dev directors, and other project stakeholders document at a high level how each Launch uses, shares, and retains data. TerraTrue learns how your org uses data and suggests answers based on information from prior Launches, so the Data Spec gets smarter and simpler the more you use it.
Data Spec Risk
Risk assessments estimate how much risk a Data Spec may have. TerraTrue evaluates information in completed Data Specs and automatically assigns high, medium, or low risk levels using TerraTrue’s default assessments of data types, data uses, and other taxonomy items. See Taxonomy risk for details on the risk assignment.
Data subject
A data subject is a taxonomy type in TerraTrue, and refers to any person or group of persons whose personal data is used or processed by a business (data use). Put another way, a data subject is anyone who can be linked, either or directly or indirectly, to a set of personal data.
Data transfer
A data transfer happens when data from one country is sent or processed in another. Examples include storing Europeans’ data on American servers or having American employees accessing information about European users’ preferences. Under the GDPR, a cross-border data transfer only takes place lawfully if there is a lawful mechanism to carry out the transfer. Lawful mechanisms include Standard Contractual Clauses, Binding Corporate Rules, and adequacy determinations.
Data type
A data type is one of TerraTrue’s default taxonomy types, and refers to a unit of data that a company might collect, use, and share — like a Social Security number, IP address, or marital status. TerraTrue’s default taxonomies contain hundreds of common data types, all organized into categories like Health Data, Payment & Financial Data, and Device Information. These categories reflect the common organizational practices of most data-privacy statutes. Data types are managed by your org’s admins in Org Settings > Customization > Data Types.
Data use
A data use describes how your org uses or shares a data type. You may also here these data uses referred to as “processing activities.” Your org may use a data type like an email address in order to register or maintain an account, enforce network security policies, provide a service requested by a user. All of these activities are examples of data uses. By default, TerraTrue’s taxonomies contain hundreds of common data uses, all of which can be customized by an admin in Org Settings > Customization > Data Uses.
G
EU AI Act Conformity Assessment
The EU AI Act Conformity Assessment refers to the formal process required for evaluating high-risk AI systems to ensure compliance with the requirements outlined in the European Union Artificial Intelligence Act (EU AI Act). This process verifies that an AI system meets safety, transparency, fairness, and other obligations before being deployed in the EU market.
EU AI Reduced Risk Assessment
The Reduced Risk Assessment is a streamlined evaluation process under Article 6(4) of the EU AI Act to help you document why you believe that a system that would ordinarily be considered high risk should be considered lower risk.
E
GDPR
The General Data Protection Regulation, or GDPR, is a regulation governing data protection and privacy in the European Union. The GDPR was adopted on April 14, 2016 and became enforceable on May 25, 2018.
I
Internal survey
Internal surveys are powerful, customizable workflows that help you gather information from people inside your org. Use them to learn about your teams’ data and privacy practices — like what types of data a team is collecting or which cookies your org is using across web pages. Like third-party assessments, internal surveys are invitation workflows — meaning they’re accessed through a secure invitation link sent directly to a user or group of users. You can create, view, and manage your internal surveys at the internal surveys page.
J
Jira integration
TerraTrue’s Jira integration opens a two-way line of communication between Jira and TerraTrue, and uses powerful automations to help your privacy reviewers keep an eye on work being tracked and managed in Jira.
L
Label
Labels are tools for organizing and filtering Launches across TerraTrue. Labels are created by your org’s admins and are assigned to a Label group. For example, your org might create a Product Team Label group containing Labels for individual teams within your org, like Marketing and Growth. You can search for Launches using these filters or create Launchpad filters to show only information relevant to your team. Labels are also useful for sifting through data in Privacy Central. You can add Labels when you create a Launch or by visiting the Labels section of the Launch summary page. Only users with the Admin role can create and manage Labels.
Launchpad
The Launchpad is TerraTrue’s homepage, where you can view key details about your Launches at a glance. The Launchpad on default has two views — All Launches, which displays all of the Launches you have access to, and My Launches, which displays only the Launches you’ve created or been assigned to. You may add additional views with additional saved preferences (i.e. filters and column views). Access the Launchpad by clicking the rocket ship in the main navigation menu.
Launch
Launches are the atomic units of TerraTrue, and the primary way to track Products, features, and processes that need review. Launches work like tickets and alert your privacy team of an upcoming project to help them plan and track reviews from start to finish. Launches take only a few seconds to create — either directly in TerraTrue or through our integrations with Slack, Jira, email and more. Launches may be also typed via Launch types, with third party Launches associating specifically to a third party taxonomy. Learn more about Launch associations such as parent-child Launches, Launch linking, and Launch cloning here.
Launch intake
Launch intake consists of the Screener (Launch Creation Workflow) and Data Spec that the business end user is typically responsible for. The reviewer will review the Launch intake to conduct their reviews.
Launch review
Launch review refers to the section of the launch in the launch details (or summary) view that includes the Privacy Worksheet (for privacy related reviews) and Launch summary workflows (that are more specific to other areas) conducted by the reviewer.
Launch status
Launch statuses are determined by various factors:
- Not Screened:
- Launch Creation Workflow (Screener) is required and has not been completed
- Required Labels have not been completed
- The Third Party is not set on a Third Party Launch
- Ready for Review:
- Launch Creation Workflow (Screener) is complete
- Required Labels selected
- Third parties on a Third Party Launch set
- No review team status changed
- In Progress:
- Any review team status is updated
- If a single team is not needed then Launch is in progress
- Complete:
- All Review Teams marked as complete or not needed
- Rejected:
- One or more review team marked as rejected
Launch creation workflow
A Launch creation workflow is a screener: the kind of workflow that surfaces when a user is creating a Launch. Launch creation workflows give you ways to gather high-level information about how a Launch uses data or whether a Launch is using data in new or different ways, helping you understand the scope and needs of new Launches even as they’re being created. These workflows can be customized with conditional logic to surface only in specific scenarios — like when a certain Product or Label is used. They're also a powerful way to automate TerraTrue, since they can be used to trigger a range of custom actions — like automatically assigning review teams, marking a Launch as not needed, or pre-populating fields in the Data Spec.
Launch summary workflow
A Launch Summary Workflow is a supplemental workflow that can be added to a Launch manually, automatically, or via custom action. Launch Summary Workflows give you ways to gather more specific information across various review tracks.
Launch goal
Launch goals are a taxonomy item that let you show what the purpose of a Launch is. Launch goals are one of TerraTrue’s default taxonomy types, and can be customized by admins in Org Settings > Customization > Launch Goals.
Legitimate Interest Assessment (LIA)
A Legitimate Interest Assessment is a systematic process that organizations undertake to determine whether they can lawfully process personal data based on their legitimate interests under data protection laws such as the General Data Protection Regulation (GDPR). It involves balancing the organization's interests with the fundamental rights and freedoms of the individuals whose data is being processed.
M
Module
Modules are suites of features that help your privacy program prepare for and respond to different data-privacy and security laws like the GDPR, CPRA, and VCDPA. Enabling a module will change the questions you see in the privacy worksheet and the recommendations you receive throughout TerraTrue. Modules are controlled and managed by admins in Org Settings > Privacy > Modules.
O
Org
In TerraTrue, an org (short for "organization") refers to your company, or to a unit within your company. Some TerraTrue customers have multiple orgs, each using its own instance of TerraTrue.
Org settings
TerraTrue uses your org settings to know more about how your organization works and what your data-privacy and security practices are. Org settings govern everything from integrations and customizations to user profiles and permissions. We use this information to auto-fill answers on Launches and Privacy Worksheets, to determine who has access to which parts of TerraTrue, and to customize TerraTrue for your org’s needs. Most org settings are visible only to TerraTrue users with elevated privileges. You can find the org settings in TerraTrue’s primary navigation bar, under the gear icon.
P
Privacy-by-Design
A principle requiring that privacy is integrated into the design and operation of systems, products, or services from the outset, ensuring data protection is a default feature.
Privacy assessment
Privacy assessments are supplemental workflows that appear automatically in the privacy workflow based on each Launch's data practices or manually added to a Launch. Privacy managers use these assessments to understand the risks and requirements that arise under special scenarios. Some examples of privacy assessments in TerraTrue are: DPIAs, LIAs, TIAs, EU AI Act Conformity Assessment, and EU AI Act Reduced Risk Assessment. Privacy managers use privacy assessments to understand the finer points of their org's regulatory needs.
Privacy Central
Privacy Central is a visual overview of your privacy program. TerraTrue offers a range of widgets and graphs that each user can personalize to get at-a-glance information about Launch statuses, data practices, completion rates, and other patterns in your program. Privacy Central is unique to each user, so adding, removing, or customizing widgets will not affect other users.
Privacy Impact Assessment (PIA)
A Privacy Impact Assessment is a process designed to identify and mitigate privacy risks related to the collection, use, storage, or sharing of personal data, typically focusing on compliance with organizational privacy policies or regional privacy regulations. The terms Privacy Impact Assessment (PIA) and Data Protection Impact Assessment (DPIA) are often used interchangeably but may have distinct differences depending on the context and applicable laws.
Privacy worksheet
The Privacy Worksheet is an out-of-the-box Workflow designed to help your Org document information related to privacy compliance and deliver relevant recommendations. Each Privacy Worksheet generates a custom list of questions for each Launch based on information gathered from the Data Spec, your org settings, and your Launch history. TerraTrue learns from each completed Privacy Worksheet, so they'll get faster and smarter the more you use them.
Processing activity
A processing activity is any operation or set of operations performed on personal data. A processing activity can be automated or manual, and can encompass a range of activities, from accessing, collecting, and organizing data to structuring, sharing, or selling it.
Product
TerraTrue Products are groups of Launches that help TerraTrue admins control access to sensitive information. Instead of granting a user access on a Launch-by-Launch basis, an administrator can grant access to an entire Product, allowing the user to view all Launches associated with that Product. Each user’s ability to modify or manage a Launch will still be governed by their permissions. Admins can also assign an entire Access Group to a Product, allowing all members to access Launches within that Product.
Product hierarchy
The Product hierarchy in TerraTrue is a structured, multi-tiered metadata framework designed to align TerraTrue's metadata system with a customer's classification needs. This hierarchy supports entities above and below the "Product" tier, enabling seamless integration with external work classification systems.
R
Recommendation
In TerraTrue, recommendations are insights and suggested actions for your privacy program. We combine all of the information your org provides to TerraTrue — from your org settings, modules, and cloud infrastructure to your third-party assessments, Data Specs, and other workflows — to determine the best next steps to suggest to your privacy program. We also use recommendations to keep you informed about relevant changes to statutes and case law. Recommendations are not legal advice, and serve as suggestions for how to build and maintain your privacy program.
Records of Processing Activity (ROPA)
A detailed log of how an organization processes personal data, required under regulations like the GDPR. It typically includes the purposes of processing, data categories, data subjects, and security measures.
Retention period
A data retention period is the exact or estimated amount of time that an organization intends to store data. Retention periods can vary substantially across orgs, industries, data types, or data uses, and can range from a few months to a decade.
Review team
A review team is a group of reviewers who can be assigned to act as gatekeepers for a Launch. Review teams are a quick and efficient way to ensure that each of your Launches receives the right level of visibility and obtains the correct approvals before being marked as complete. Review teams are created and populated by admins in your org, and can represent any review interests your org may have — from larger teams like Product or marketing to more specific interests like privacy counsel, vendor security, and security engineering.
TerraTrue allows you to auto-assign a specific member of each review team to serve as that team’s default reviewer. Each time a review team is assigned to a Launch, the designated default reviewer will automatically be assigned as that team’s reviewer for that Launch. (The default reviewer can always assign a different member of their review team to serve as the reviewer on a given Launch.)
Review team status
Review team status indicates the degree of approval that a reviewer has given to a Launch. When a reviewer is assigned to a Launch, they can mark the Launch with one of six review statuses: Not Started, In Progress, Rejected, Blocked, Not Needed, or Complete.
Reviewer
A reviewer is anyone who has been assigned to a review team. Reviewers represent the interests of their review team and act as gatekeepers for Launches. Reviewers are expected to mark a Launch with a review status. A Launch will not be considered complete until all reviewers assigned to the Launch have marked their review status as either Complete, Rejected, Not Required or Not Needed.
S
Stakeholder
Stakeholders in TerraTrue allow for users to document users that have a stake in the Launch. Any listed stakeholders on a Launch are not notified of any changes on a Launch but rather serve for documentation purposes only.
T
Taxonomy
Taxonomies in TerraTrue are collections of metadata that help you describe how your organization collects, uses, and shares data. Taxonomies are organized into seven taxonomy types: data types, data uses, third parties, launch goals, data subjects, retention periods, and regions (data transfers in settings). Questions on the Data Spec and other workflows will occasionally ask you to select from these taxonomies to help privacy managers understand what data you’re using and how you’re using it. TerraTrue robust default taxonomies, but admins can add their own taxonomy items or customize existing items by visiting Org Settings > Customization.
Taxonomy item
A taxonomy item refers to any single entry in TerraTrue’s taxonomies. A taxonomy item might be a data type, data use, launch goal, or any other taxonomy type, and may be either a default item created by TerraTrue or a custom item created or modified by your org’s administrators.
Taxonomy type
Taxonomy types are the primary categories of taxonomy items in TerraTrue. By default, Terra True’s taxonomies are organized into seven taxonomy types: data types, data uses, third parties, launch goals, data subjects, retention periods, and regions (data transfers in settings).
Taxonomy risk
Data types, data uses, launch goals, regions (data transfers in settings), and Third Parties can be assigned a risk value of High, Medium or Low. A completed Data Spec can be configured to automatically reflect an overall risk based on the risk values of the taxonomy selected within.
TDPSA
The Texas Data Privacy and Security Act, or TDPSA, is a comprehensive privacy and data-security law that went into effect on July 1, 2024.
Third party
In TerraTrue, a third party is any external organization with whom you exchange data — from data brokers like Acxiom and Verisk to eCommerce operations like Square and ApplePay.
Third party assessment
☞ Third party assessments were formerly called external questionnaires
Third-party assessments are a type of workflow that are intended to be shared with vendors, contractors, and other external partners to help you understand how their data and privacy practices affect your org. Third-party assessments use access-controlled invitations and are simple to customize, so you can ask the right questions to the right users in a secure environment. TerraTrue learns from each response to streamline your Launches and update your recommendations.
Third party risk management (TPRM)
The process of assessing and managing privacy, security, and compliance risks associated with vendors or partners that process personal data.
Transfer Impact Assessment (TIA)
A Transfer Impact Assessment is a process required under the GDPR for evaluating the risks of transferring personal data from the EU to countries that lack an adequacy decision. It involves assessing how the receiving country's data protection laws compare to GDPR standards and ensuring that personal data remains protected during and after the transfer.
In TerraTrue, the TIA is a questionnaire completed by the data exporter (the entity sending the data) or the data importer (the entity receiving the data). The assessment identifies:
- Potential risks to data subjects' privacy.
- Measures to mitigate risks, such as supplementary safeguards (e.g., encryption, contractual obligations).
- The impact on stakeholders and the broader data management ecosystem.
The goal of a TIA is to ensure compliance with data protection laws and maintain the integrity and security of personal data throughout the transfer process.
U
User
This is a technical distinction, but an user is any living, breathing human being in your org who has a TerraTrue account. Most users in your org are users; we use this term primarily to distinguish human users from API Users.
V
VCDPA
The Virginia Consumer Data Privacy Act, or VCDPA, is a consumer privacy and data security law that went into effect on March 2, 2022.
W
Workflow
☞ Workflows were formerly called custom questionnaires
Workflows are TerraTrue’s powerful "no-code" tools for gathering and documenting information about how your org uses data. Built on a simple yet flexible question-and-answer interface, workflows live inside Launches. They can be assigned to users and reviewers to give you a full view of your privacy needs at each stage of your development lifecycle. By default, TerraTrue’s out-of-the-box workflows — like the Data Spec, Privacy Worksheets, and Privacy Assessments — are available on every Launch. You can simplify and automate TerraTrue by designing your own workflows. Use workflows to gather and consolidate information, assign risk levels, or automate actions based on your users’ responses.
TerraTrue lets you create and configure your own workflows to simplify and automate the use of TerraTrue at different points in your review lifecycle via Launch Creation Workflows (Screeners) and Launch Summary Workflows. Use workflows to gather and consolidate information, assign risk levels, or automate actions based on your users’ responses. Workflows support conditional logic, so you can configure them to surface when specific conditions are met — like when new Launches are created, when a sensitive data type is used, or when a Launch is associated with a particular Product or Component.
Workflow builder
TerraTrue’s workflow builder allows you to create and edit workflows. In most cases, elevated permissions are required to enter the workflow builder.
Workflow question type
☞ For detailed description of question-types, see Creating and managing questions.
Workflow question types are the different ways a question and its responses can be configured in a workflow. TerraTrue's workflows are built on ten question-types:
- Checkbox: Checkbox allows a user to select multiple values from a defined list of values.
- Radio: Radio allows a user to select a single value from a defined list of values.
- Text area: Text area allows a user to enter a large amount of free form characters.
- Text field: Text field allows a user to enter a single line of free form characters.
- Yes/no: Yes/no allows a user to select from a binary yes or no select toggle.
- Date: Date allows a user to select a date value from a calendar selection.
- File upload: File upload allows a user to upload a file as a response value.
- Alert: Alert question types show an alert banner instead of a question.
- Taxonomy: Taxonomy question types allow a user to select the org defined taxonomy value that includes Data Type, Data Use, Launch Goals, Data Subjects, Third Party, Region (Data Transfers), and Retention Periods.
- Product: Product allows a user to select an org defined Product value.
Workflow risk scoring
Risk scoring on a workflow allows for customization of risk assignment based on response values, for all workflows except Data Spec and Privacy Assessments. Each question response can each be assigned a risk score, and the cumulative risk score for all the risk scored questions can be mapped to a risk threshold for that workflow.