Access groups are groups of TerraTrue users who have been granted access to one or more products. When a TerraTrue admin assigns a product to an access group, only members of that group will have access to that product. Users who belong to an access group can always view every product assigned to that group, and can view the summary information — like titles, descriptions, timelines, links, and comments — for each launch associated with that product. More advanced privileges — like editing, creating, or deleting products, launches, privacy worksheets, and Data Specs — will still be determined by each user’s role.
An API User is not a human user, but is an identity that describes a form of access given to a program by TerraTrue's API. An API User cannot log into TerraTrue, but is given an API token that allows it to access certain specific, pre-defined information in TerraTrue. This access is what makes our integrations possible, and can help you automate and streamline certain functions in TerraTrue. Admins can view and manage API Users in Org Settings > API Users.
Components are groups of launches that share common functionality or purpose. Components are defined by an admin in your org, and are a very flexible way of organizing launches within TerraTrue.
The Colorado Privacy Act is a comprehensive data-privacy law that applies to legal entities conducting business or delivering products or services to Colorado residents. The CPA was signed on July 8, 2021, and takes effect on July 1, 2023.
The California Privacy Rights Act of 2020, or CPRA, is a consumer-privacy law passed as a ballot proposition by California voters on November 3, 2020. The CPRA took effect on January 1, 2023, and expanded on the rights and regulations specified in the California Consumer Privacy Act, or CCPA, which passed in 2018.
The Connecticut Data Privacy Act is a comprehensive data-privacy law that applies to legal entities conducting business or delivering products or services to Connecticut residents. The CTDPA was signed on May 10, 2022 and takes effect on July 1, 2023.
Custom actions are a feature of custom workflows, and allow you to automate TerraTrue based on launch details or workflow responses. Custom actions can be configured in the workflow builder, and are a powerful way to streamline your privacy reviews. TerraTrue customers use custom actions for a huge range of automations — like automatically marking a Data Spec as not needed, marking a review team as required or not required, determining if additional reviews are needed, or even screening new launches directly from Jira.
☞ Custom workflows were formerly called custom questionnaires
TerraTrue lets you create and configure your own workflows to simplify and automate TerraTrue. Use custom workflows to gather and consolidate information, assign risk levels, or automate actions based on your users’ responses. Custom workflows support conditional logic, so you can configure them to surface when specific conditions are met — like when new launches are created, when a sensitive data type is used, or when a launch is associated with a particular product or component.
Data Protection Impact Assessment (DPIA)
A data protection impact assessment is an additional privacy-risk review designed to be answered by privacy professionals when your org is processing especially sensitive data. When completing a DPIA, you’ll be taken through a series of questions that ask you to identify possible downsides of the processing activity you’re proposing, and to weigh those downsides against any anticipated benefits. DPIAs also ask you to consider what steps can be taken to limit data-privacy risks. The DPIA helps you determine if your org is mitigating risks in a reasonable enough way to allow the planned data processing to proceed.
The Data Spec is a five-minute workflow that helps PMs, engineers, dev directors, and other project stakeholders document at a high level how each launch uses, shares, and retains data. TerraTrue learns how your org uses data and suggests answers based on information from prior launches, so the Data Spec gets smarter and simpler the more you use it.
A data subject is a taxonomy type in TerraTrue, and refers to any person or group of persons whose personal data is used or processed by a business as part of a data use. Put another way, a data subject is anyone who can be linked, either directly or indirectly, to a set of personal data.
A data transfer happens when data from one country is viewed or stored in another. Examples include storing Europeans’ data on American servers, or having American employees accessing information about European users’ preferences. Under the GDPR, a cross-border data transfer only takes place lawfully if there is a lawful mechanism to carry out the transfer. Lawful mechanisms include Standard Contractual Clauses, Binding Corporate Rules, and adequacy determinations.
A data type is one of TerraTrue’s default taxonomy types, and refers to a unit of data that a company might collect, use, and share — like a Social Security number, IP address, or marital status. TerraTrue’s default taxonomies contain hundreds of common data types, all organized into categories like Health Data, Payment & Financial Data, and Device Information. These categories reflect the common organizational practices of most data-privacy statutes. Data types are managed by your org’s admins in Org Settings > Customization > Data Types.
A data use describes how or why your org uses or shares a data type. Your org may use a data type like an email address in order to register or maintain an account, enforce network security policies, or provide a service requested by a user. All of these activities are examples of data uses. By default, TerraTrue’s taxonomies contain hundreds of common data uses, all of which can be customized by an admin in Org Settings > Customization > Data Uses.
The General Data Protection Regulation, or GDPR, is a regulation governing data protection and privacy in the member states of the European Union. The GDPR was adopted on April 14, 2016, and became enforceable on May 25, 2018.
This is a technical distinction, but an interactive user is any living, breathing human being in your org who has a TerraTrue account. Most users in your org are interactive users; we use this term primarily to distinguish human users from API Users.
Internal surveys are powerful, customizable workflows that help you gather information from people inside your org. Use them to learn about your teams’ data and privacy practices — like what types of data a team is collecting, or which cookies your org is using across web pages. Like third-party assessments, internal surveys are invitation workflows — meaning they’re accessed through a secure invitation link sent directly to a user or group of users. You can create, view, and manage your internal surveys at the internal surveys page.
Most workflows are accessed through individual launches, but you can also invite people to fill out a workflow when you need information that might not be directly related to a specific launch. We call these invitation workflows, and we offer two kinds: third-party assessments, which are sent to people outside your org, and internal surveys for people inside your org.
TerraTrue’s Jira integration opens a two-way line of communication between Jira and TerraTrue, and uses powerful automations to help your privacy reviewers keep an eye on work being tracked and managed in Jira.
Labels are tools for organizing and filtering launches across TerraTrue. Labels are created by your org’s admins and are assigned to a label group. For example, your org might create a Product Team label group containing labels for individual teams within your org, like Marketing and Growth. You can search for launches using these filters, or create Launchpad filters to show only information relevant to your team. Labels are also useful for sifting through data in Privacy Central. You can add labels when you create a launch, or by visiting the Labels section of the launch summary page. Only users with the Admin role can create and manage labels.
Launches are the atomic units of TerraTrue, and the primary way to track products, features, and processes that need review. Launches work like tickets, and alert your privacy team of an upcoming project to help them plan and track a security and privacy review from start to finish. Launches take only a few seconds to create — either directly in TerraTrue, or through our integrations with Slack, Jira, and email.
A launch-creation workflow is a kind of custom workflow that surfaces when a user is creating a launch. Launch-creation workflows give you ways to gather high-level information about how a launch uses data or whether a launch is using data in new or different ways, helping you understand the scope and needs of new launches even as they’re being created. These workflows can be customized with conditional logic to surface only in specific scenarios — like when a certain product or label is used. They're also a powerful way to automate TerraTrue, since they can be used to trigger a range of custom actions — like automatically assigning review teams, marking a launch as not needed, or pre-populating fields in the Data Spec.
Launch goals are taxonomy items that let you show the purpose of a launch. Launch goals are one of TerraTrue’s default taxonomy types, and can be customized by admins in Org Settings > Customization > Launch Goals.
The Launchpad is TerraTrue’s homepage, where you can view key details about your launches at a glance. The Launchpad has two views — All Launches, which displays all of the launches you have access to, and My Launches, which displays only the launches you’ve created or been assigned to. Access the Launchpad by clicking the rocket ship in the main navigation menu.
Modules are suites of features that help your privacy program prepare for and respond to different data-privacy and security laws like the GDPR, CPRA, and VCDPA. Enabling a module will change the questions you see in the privacy worksheet and the recommendations you receive throughout TerraTrue. Modules are controlled and managed by admins in Org Settings > Privacy > Modules.
In TerraTrue, an org (short for "organization") refers to your company, or to a unit within your company. Some TerraTrue customers have multiple orgs, each using its own instance of TerraTrue.
TerraTrue uses your org settings to know more about how your organization works and what your data-privacy and security practices are. Org settings govern everything from integrations and customizations to user profiles and permissions. We use this information to auto-fill answers on launches and privacy worksheets, to determine who has access to which parts of TerraTrue, and to customize TerraTrue for your org’s needs. Most org settings are visible only to TerraTrue users with elevated privileges. You can find the org settings in TerraTrue’s primary navigation bar, under the gear icon.
Privacy assessments are supplemental workflows that appear automatically in the privacy workflow based on each launch's data practices. Privacy managers use these assessments to understand the risks and requirements that arise under special scenarios. If a launch uses a special category of data, TerraTrue will ask you to complete a Data Privacy Impact Assessment. Privacy managers use privacy assessments to understand the finer points of their org's regulatory needs.
Privacy Central is a visual overview of your privacy program. TerraTrue offers a range of widgets and graphs that each user can personalize to get at-a-glance information about launch statuses, data practices, completion rates, and other patterns in your program. Privacy Central is unique to each user, so adding, removing, or customizing widgets will not affect other users.
The privacy worksheet is an expanded question-and-answer interface that helps privacy managers evaluate and document how each launch uses data. Each privacy worksheet generates a custom list of questions for each launch based on information gathered from the Data Spec, your org settings, and your launch history. When the privacy worksheet is complete, TerraTrue provides the privacy manager with a list of recommended actions. TerraTrue learns from your privacy worksheets, so they'll get faster and smarter the more you use them.
In privacy law, a processing activity refers to an operation or set of operations performed on personal data. A processing activity can be automated or manual, and can encompass a range of activities, from accessing, collecting, and organizing data to structuring, sharing, or selling it.
TerraTrue products are groups of launches that help TerraTrue admins control access to sensitive information. Instead of granting a user access on a launch-by-launch basis, an administrator can grant access to an entire product, allowing the user to view all launches associated with that product. Each user’s ability to modify or manage a launch will still be governed by their permissions. Admins can also assign an entire access group to a product, allowing all members to access launches within that product.
☞ For a detailed description of question-types, see Creating and managing questions.
Question-types are the different ways a question and its responses can be configured in a custom workflow. TerraTrue's custom workflows are built on nine question-types: checkbox, radio, text area, text field, yes/no, data, file upload, alert, and taxonomy.
In TerraTrue, recommendations are insights and suggested actions for your privacy program. We combine all of the information your org provides to TerraTrue — from your org settings, modules, and cloud infrastructure to your third-party assessments, Data Specs, and other workflows — to determine the best next steps to suggest to your privacy program. We also use recommendations to keep you informed about relevant changes to statutes and case law. Recommendations are not legal advice, and serve as suggestions for how to build and maintain your privacy program.
A data retention period is the exact or estimated amount of time that an organization intends to store data. Retention periods can vary substantially across orgs, industries, data types, or data uses, and can range from a few months to a decade.
Review status indicates the degree of approval that a reviewer has given to a launch. When a reviewer is assigned to a launch, they can mark the launch with one of six review statuses: Not Started, In Progress, Rejected, Blocked, Not Needed, or Complete. Launches are considered complete when all assigned reviewers have marked their review status as either Complete or Not Needed.
A review team is a group of reviewers who can be assigned to act as gatekeepers for a launch. Review teams are a quick and efficient way to ensure that each of your launches receives the right level of visibility and obtains the correct approvals before being marked as complete. Review teams are created and populated by admins in your org, and can represent any review interests your org may have — from larger teams like product or marketing to more specific interests like privacy counsel, vendor security, and security engineering.
TerraTrue allows you to auto-assign a specific member of each review team to serve as that team’s default reviewer. Each time a review team is assigned to a launch, the designated default reviewer will automatically be assigned as that team’s reviewer for that launch. (The default reviewer can always assign a different member of their review team to serve as the reviewer on a given launch.)
A reviewer is anyone who has been assigned to a review team. Reviewers represent the interests of their review team and act as gatekeepers for launches. Reviewers are expected to mark a launch with a review status. A launch will not be considered complete until all reviewers assigned to the launch have marked their review status as either Complete or Not Needed.
Risk assessments estimate how much risk a Data Spec may have. TerraTrue evaluates information in completed Data Specs and automatically assigns high, medium, or low risk levels using TerraTrue’s default assessments of data types, data uses, and other taxonomy items.
Taxonomies in TerraTrue are databases that help you describe how your organization collects, uses, and shares data. Taxonomies are organized into seven taxonomy types: data types, data uses, third parties, launch goals, data subjects, retention periods, and data transfers. Questions on the Data Spec and other workflows will occasionally ask you to select from these taxonomies to help privacy managers understand what data you’re using and how you’re using it. TerraTrue provides robust default taxonomies, but admins can add their own taxonomy items or customize existing items by visiting Org Settings > Customization.
A taxonomy item refers to any single entry in TerraTrue’s taxonomies. A taxonomy item might be a data type, data use, launch goal, or any other taxonomy type, and may be either a default item created by TerraTrue or a custom item created or modified by your org’s administrators.
Taxonomy types are the primary categories of taxonomy items in TerraTrue. By default, TerraTrue’s taxonomies are organized into seven taxonomy types: data types, data uses, third parties, launch goals, data subjects, retention periods, and data transfers.
In TerraTrue, a third party is any external organization with whom you exchange data — from data brokers like Acxiom and Verisk to eCommerce operations like Square and ApplePay.
Third party assessment
☞ Third party assessments were formerly called external questionnaires
Third party assessments are a type of workflow and are intended to be shared with vendors, contractors, and other external partners to help you understand how their data and privacy practices affect your org. Third party assessments use access-controlled invitations and are simple to customize, so you can ask the right questions to the right users in a secure environment. TerraTrue learns from each response to streamline your launches and update your recommendations.
The Virginia Consumer Data Privacy Act, or VCDPA, is a consumer-privacy and data-security law. The VCDPA was signed into Virginia law on March 2, 2022.
Workflows are TerraTrue’s frontline tools for gathering and documenting information about how your org uses data. Built on a simple question-and-answer interface, workflows live inside launches and can be assigned to stakeholders and reviewers to give you a full view of your privacy needs at each stage of your development lifecycle. By default, TerraTrue’s out-of-the-box workflows — like the Data Spec, privacy worksheets, and privacy impact assessments — are available on every launch. You can simplify and automate TerraTrue by designing your own custom workflows. Use custom workflows to gather and consolidate information, assign risk levels, or automate actions based on your users’ responses. All workflows support conditional logic, so you can configure them to surface when specific conditions are met — like when new launches are created, when a sensitive data type is used, or when a launch is associated with a particular product or component.
TerraTrue’s workflow builder allows you to create and edit custom workflows. In most cases, elevated permissions are required to enter the workflow builder.