Key concepts¶

This page explains the foundational concepts you'll encounter throughout Dxtra. Understanding these makes the rest of the documentation — and your privacy program — easier to navigate.

How the pieces fit together¶

flowchart LR
    DC[Data Controller\nyour organization] -->|defines| PA[Processing\nActivities]
    DC -->|configures| CC[Consent\nCategories]
    PA -->|documented in| TC[Transparency\nCenter]
    CC -->|enforced by| TM[Tag Manager]
    DS[Data Subject] -->|visits| TC
    DS -->|submits| DSRR[Rights\nRequest]
    DSRR -->|tracked by| DC
    AI[AI Engine] -->|generates docs for| DC
    DP[Data Processors] -->|process data for| DC

Data Controller¶

Your organization. The entity that determines how and why personal data is processed.

Under privacy laws like GDPR, CCPA, and LGPD, the data controller is legally responsible for personal data processing decisions: what data to collect, why it's needed, who receives it, how long it's kept, and how it's protected.

In Dxtra, your organization is registered as a Data Controller during the setup wizard. Your Data Controller profile — including your legal name, operating regions, industries, and company representatives — drives everything the AI generates.

Every Data Controller in Dxtra is assigned a Decentralized Identifier (DID) — a stable, pseudonymous identifier generated deterministically from the PostgreSQL UUID via SHA3-256. Your DID looks like did:dep:b2150543c51baeaf7c...af22a58 and uniquely identifies your organization without exposing internal database IDs. It is used for API authentication, webhook signature validation, and cross-system identity correlation.

Data Subject¶

Any identifiable person whose personal data you process. Your customers, website visitors, employees, newsletter subscribers, and app users are all data subjects.

Data subjects have rights under privacy laws — the specific rights depend on the applicable jurisdiction, but common ones include:

• Right of Access — See what data you have about them
• Right to Rectification — Correct inaccurate data
• Right to Erasure — Request deletion ("right to be forgotten")
• Right to Restriction — Limit how their data is used
• Right to Data Portability — Receive their data in a portable format
• Right to Object — Opt out of certain processing
• Right to Not Be Subject to Automated Decision-Making — Challenge algorithmic decisions

In Dxtra, data subjects interact with your Transparency Center — not the main dashboard. They can view your privacy practices, manage consent preferences, and submit rights requests through the Transparency Center portal.

Each data subject is identified by a Data Subject ID — a unique identifier in your system (user ID, customer number, or hashed email). Plan tiers are based on the total number of unique Data Subject IDs you manage: 50K on Start, 200K on Growth, 1M on Scale, and 100M on Enterprise.

Processing activities¶

A processing activity is any specific way your organization uses personal data. Every distinct business process that touches personal data counts as a processing activity and must be documented under GDPR Article 30.

Examples of processing activities:

• E-commerce order fulfillment — Collecting names, addresses, and payment details to ship orders
• Marketing emails — Sending promotional content to subscribers who consented
• Website analytics — Tracking page views and user behavior to improve the site
• Customer support — Collecting issue details and personal information to resolve tickets
• Employee payroll — Processing employee data for salary calculations
• Fraud detection — Analyzing transaction patterns to identify suspicious activity

Each processing activity is documented with a purpose (why), data categories (what personal data), legal basis (justification), recipients (who receives the data), retention period (how long), and security measures (how it's protected).

In Dxtra, the AI generates your initial processing activities based on your questionnaire answers and industry context. Each activity includes an AI-generated description and is associated with the applicable legal basis for each of your jurisdictions — consent, contract, legal obligation, vital interests, public task, or legitimate interests.

Your processing activity inventory forms the foundation of your privacy notices, DPIAs, and compliance reports.

Consent categories¶

Consent categories define the types of data processing that require explicit consent from your data subjects. Dxtra uses four standard categories aligned with privacy regulations, plus support for custom categories:

Strictly Necessary

Processing required for the website or service to function. Always active — does not require consent. Examples: authentication, shopping cart, security.

Performance / Analytics

Site usage and performance measurement. Examples: page view tracking, load time monitoring, error logging.

Functional

Enhanced features and personalization. Examples: language preferences, saved settings, chat widgets.

Targeting / Marketing

Advertising and promotional targeting. Examples: ad tracking, email marketing, retargeting pixels.

Under GDPR and similar laws, you must obtain valid consent before processing personal data for non-essential purposes. Consent must be freely given, specific, informed, and unambiguous — and data subjects must be able to withdraw it as easily as they granted it.

In Dxtra, consent categories are enforced through the Tag Manager (which only fires tracking for consented categories) and recorded through the consent management system. Consent grants and withdrawals are logged with timestamps for audit purposes.

Transparency Center¶

Your public-facing privacy portal where data subjects view your privacy practices, manage their consent preferences, and submit rights requests.

The Transparency Center is a key differentiator of Dxtra — it goes beyond a static privacy policy page by providing an interactive, auto-updated portal that gives data subjects real control over their data. It includes:

• Your privacy notices (full, overview, and quick-look formats)
• A breakdown of your processing activities in plain language
• Data retention schedules
• A list of your data processors and what data they access
• A self-service rights request form (access, erasure, rectification, portability, objection)
• An AI-powered help center for data subject questions
• Your contact information for privacy inquiries

The Transparency Center is built as an Atomico web component and can be deployed three ways:

1. Hosted URL — Available at transparencycenter.dxtra.ai/yourdomain.com
2. Custom subdomain — Configure privacy.yourdomain.com with a CNAME record
3. Embedded web component — Drop <transparency-center> into any page on your site

Content auto-updates whenever you regenerate your privacy program or approve changes to your processing activities, ensuring your public-facing information stays in sync with your actual practices.

AI Regeneration¶

When regulations change, your business context evolves, or you update your processing activities, Dxtra's AI engine regenerates the affected compliance documents to keep your program current.

What gets regenerated¶

The AI reviews your current organization profile, processing activities, data processors, and jurisdictions, then regenerates:

• Privacy notices (all three formats)
• Cookie policies
• Data Protection Impact Assessments
• Data processing agreements
• Retention policies
• Breach response procedures
• Transparency Center content

Quality gates¶

Every regenerated document passes a five-point quality gate before it's presented for your review: word count verification, required section checks, completeness scoring, placeholder detection, and structural analysis. Documents that don't pass are flagged for manual review.

Human approval required¶

Regenerated content is never published automatically. You review each document, make edits where needed, and explicitly approve before it goes live. This ensures you maintain full control over what represents your business.

Regeneration quota by plan¶

Regeneration is also triggered manually when you make significant changes — adding new processing activities, onboarding new data processors, or expanding into new jurisdictions.

Data processors¶

Third parties who process personal data on your behalf. If you use Stripe for payments, Mailchimp for email marketing, or Google Analytics for web tracking, those services are data processors under privacy law.

As the data controller, you're responsible for ensuring your processors handle personal data appropriately. This requires a Data Processing Agreement (DPA) with each processor that specifies what data they access, how they protect it, and how long they retain it.

Dxtra includes pre-built integrations for common processors: Shopify, WooCommerce, Stripe, QuickBooks, Xero, Mailchimp, Klaviyo, Customer.io, HubSpot, Salesforce, Google Analytics, Google Ads, Meta/Facebook, Google Drive, and many more. Pre-built integrations support identity mapping, DSRR automation, data discovery, and preference propagation.

For services not in the integration library, you can add custom processors and configure data sharing details manually. Webhooks and Dxtra Custom Functions enable custom integrations with any system.

Decentralized Identifiers (DIDs)¶

Every Data Controller and Data Subject in Dxtra is assigned a DID (Decentralized Identifier) — a stable, pseudonymous identifier derived from the entity's PostgreSQL UUID using a SHA3-256 hash. DIDs provide a consistent way to reference entities across systems without exposing internal database IDs.

A Data Controller DID looks like: did:dep:b2150543c51baeaf7c95728434b4a776342b495cfa7449f42a60cb2f2af22a58

An Asset DID (for documents, policies, and other resources) appends the asset ID after a slash: did:dep:b2150543c51...af22a58/35b98698f4c7596149b8420ae51fbe9e3291279ecc994dba52fdffee243314d2

DIDs are generated deterministically and are used for API authentication, cross-system identity correlation, webhook signature validation, and secure data exchange. Your Data Controller DID appears on the Home page in the dashboard and is required when making authenticated API requests.

Next steps¶

Now that you understand the key concepts, choose your quickstart:

• Business Owner Quickstart — Set up your privacy program in 10 minutes
• Developer Quickstart — Integrate the API, Tag Manager, and Transparency Center
• DPO Quickstart — Configure compliance workflows and assessments
• Agency Quickstart — Manage multiple client privacy programs

For definitions of additional terms (GDPR, CCPA, DSRR, DPIA, Article 30, etc.), see the Glossary.