Skip to content
Last updated: 2026-04-03

Frequently Asked Questions

For privacy professionals

What does GDPR compliance with Dxtra look like?

Dxtra helps you meet GDPR requirements by:

  • Transparency (Article 13/14) — Transparency Center explains data practices
  • Consent Management — Record and respect customer consent
  • Right of Access — Respond to access requests with complete data exports
  • Right to Erasure — Delete customer data on request
  • Data Breach Notification — Track and document breaches
  • Vendor Agreements — Dxtra provides DPA for compliance with processor requirements

Timeline: Most organizations are audit-ready within 4 weeks of setup.

Is Dxtra GDPR compliant?

Yes. Dxtra itself is:

  • Subject to GDPR (processes EU resident data)
  • Compliant with all GDPR requirements
  • Provides DPA for customers
  • Uses AES-256 encryption at rest and TLS 1.2+ in transit
  • SOC 2 Type II and ISO 27001 certifications are on the roadmap

Note: Even with Dxtra, you must ensure your own practices are GDPR compliant.

What's the difference between GDPR and CCPA?

GDPR (EU):

  • Requires explicit consent for most data processing
  • Applies to all EU residents
  • 30-day DSRR response deadline
  • Right to erasure applies broadly
  • Higher fines (4% of revenue or 20M euros)

CCPA (California):

  • Opt-in for sales/sharing; opt-out for tracking
  • Applies to California residents (even non-CA companies)
  • 45-day DSRR response deadline
  • Right to delete has exceptions
  • Fines are per violation

Simple rule: If you have EU customers, do GDPR. If you have CA customers, do CCPA. Many companies do both.

How long should we keep customer data?

Minimum: As long as needed to serve the customer.

General guidance:

  • Necessary for service — As long as customer is active
  • Legal obligations — Per requirement (usually 3-7 years)
  • Marketing — 18-24 months of inactivity then delete
  • Analytics — 26 months (Google's recommendation)
  • Backups — 30 days maximum

Set your own policy based on your business. Document it in your privacy policy and processing activities.

GDPR allows six legal bases:

  1. Consent — Customer explicitly agrees
  2. Contract — Needed to fulfill agreement with customer
  3. Legal Obligation — Required by law
  4. Vital Interests — Protect someone's health/safety
  5. Public Task — Government/official purpose
  6. Legitimate Interest — Organization has valid business reason

Most companies use: Consent (marketing), Contract (accounts), Legal Obligation (taxes).

How do we handle deletion requests if we need to keep records?

You can delete most data while keeping what's legally necessary:

  • Delete customer profile, but keep order history for tax purposes (if required)
  • Delete communications, but keep transaction records
  • Pseudonymize data (replace names with codes)
  • Aggregate data (keep statistics but not individual records)

Document your policy clearly in DSRR responses.

What should our Transparency Center explain?

At minimum, explain:

  1. What data you collect — Be specific (email, name, purchase history, etc.)
  2. Why you collect it — (service delivery, analytics, marketing, etc.)
  3. Who you share it with — List processors and service providers
  4. How long you keep it — Retention periods
  5. Customer rights — Access, deletion, objection, etc.
  6. How to exercise rights — Contact email, web form, link to Dxtra

Make it clear and customer-friendly. Avoid legal jargon.

For support teams

How do we handle a customer who requests their data?

  1. Acknowledge — Confirm you received their request
  2. Verify Identity — Send verification code via email
  3. Collect Data — Dxtra queries all your systems automatically
  4. Prepare — Review data for completeness and redactions
  5. Export — Format as requested (CSV, PDF, JSON)
  6. Deliver — Send securely to customer
  7. Confirm — Ask customer to confirm receipt
  8. Document — Log everything in Dxtra

Timeline: Should take 2-5 business days for most requests.

What if a customer requests a data subject rights response?

Dxtra handles GDPR access requests with a one-month DSRR response deadline (extendable to three months). CCPA requests have a 45-day DSRR deadline (extendable to 90 days). Track the deadline in the Rights Management dashboard.

What if customer asks to delete their account?

  1. Explain what happens — Account and data deleted (unless kept for legal reasons)
  2. Verify identity — Confirm it's really them
  3. Get confirmation — Make sure they understand what's being deleted
  4. Execute deletion — Dxtra handles this across all systems
  5. Confirm completion — Send email confirming deletion
  6. Document — Create audit log entry

Note: You can keep transaction history for accounting/tax purposes even if account is deleted.

How do we respond if customer disputes their data?

  1. Listen — Understand what they're disputing
  2. Verify — Check if data is actually accurate
  3. If accurate — Explain source and accuracy
  4. If inaccurate — Correct it immediately and confirm the fix
  5. If disputed — Attach customer's dispute statement to record

Maintain objectivity. Document your process.

What if we can't find some of their data?

Be honest:

  1. Explain — "We couldn't locate data in [system] because..."
  2. Reasons — (deleted in retention process, not customer of that system, etc.)
  3. Options — (search other systems, wait and retry, accept partial response)
  4. Timeline — If still searching, give customer update

Better to respond with some data than delay trying to find everything.

For developers

How do I authenticate API calls?

Use JWT tokens:

  1. Get a Personal Access Token (PAT) — From the Developers page in your dashboard
  2. Request a JWT — POST to auth.dxtra.ai/v1/signin/pat with your PAT
  3. Receive JWT — Token is valid for 15 minutes
  4. Use the JWT — Include in Authorization: Bearer <token> header along with X-Hasura-Role: user on all API requests
  5. Renew — When the token expires, re-authenticate with your PAT to get a new JWT

Full authentication guide →

How do I query a customer's data via API?

Use a GraphQL query:

GraphQL
query GetSubjectData($controllerId: uuid!, $email: String!) {
  dataSubjects(
    where: {
      _and: [
        { dataControllerId: { _eq: $controllerId } },
        { email: { _eq: $email } }
      ]
    }
    limit: 1
  ) {
    id
    did
    dataSubjectConsentFormValues {
      values
      createdAt
    }
  }
}

See query examples →

How do I create a DSRR request programmatically?

Use a GraphQL mutation:

GraphQL
mutation CreateDSRR($object: dataSubjectsRightsRequests_insert_input!) {
  insertDataSubjectsRightsRequest(object: $object) {
    id
    type
    status
    createdAt
  }
}

With variables:

JSON
{
  "object": {
    "type": "ACCESS",
    "dataSubjectEmail": "user@example.com",
    "dataSubjectName": "Jane Doe",
    "dataControllerId": "your-controller-uuid"
  }
}

See mutation reference →

How do I set up webhooks to receive Dxtra events?

  1. Create endpoint — HTTPS endpoint on your server that accepts POST requests
  2. Register in Dxtra — Settings → Webhooks → Add Endpoint
  3. Verify signatures — Validate the HMAC-SHA256 signature on each request
  4. Process events — Handle events like DSRR created, consent granted, etc.
  5. Return 200 — Confirm receipt with 200 OK status

Webhook events are sent to conduit.dxtra.ai. See the webhook guide → for signature validation examples.

What's the rate limit for API calls?

  • GraphQL API: 100 requests per minute per API key
  • Authentication: 10 requests per 5 minutes per IP
  • Webhooks: 1,000 deliveries per minute per workspace

Implement exponential backoff for rate limit errors. See response headers for remaining quota.

Error handling →

How do I write a Custom Function?

Create serverless code in Dxtra:

JavaScript
module.exports = async function(input, context) {
  // Query Dxtra
  const result = await context.dxtra.query('...');

  // Call external API
  const data = await context.fetch('https://api.example.com/...');

  // Log
  context.log.info('Done', { result });

  return { success: true };
};

Custom Functions guide →

For executives

How much does Dxtra cost?

Pricing depends on:

Dxtra includes all 16 capabilities in every plan:

  • Start — $10/month, 1 domain, up to 50K data subject IDs
  • Growth — $25/month, 1 domain, up to 200K data subject IDs
  • Scale — $100/month, 1 domain, up to 1M data subject IDs
  • Enterprise — $1,000/month, 10 domains, up to 100M data subject IDs

The Start plan includes a 14-day money-back guarantee. For details, see pricing or email support@dxtra.ai for an Enterprise quote.

What's the ROI of using Dxtra?

Typical benefits:

  • DSRR handling: Dxtra automates much of the manual work involved in handling data subject requests, significantly reducing per-request costs
  • Compliance staff: Reduces time spent on manual compliance tasks by automating routine processes
  • Risk reduction: Reduces compliance risk by maintaining documented, auditable processes
  • Efficiency: Dramatically speeds up request fulfillment through automated data collection and processing

Payback: Most organizations recover investment through efficiency gains within the first few months.

How long does implementation take?

Most organizations are ready for live DSRR requests in:

  • 2 weeks — Basic setup + first request response
  • 4 weeks — Full setup + transparency center + team training
  • 8 weeks — Comprehensive program with all integrations

Depends on complexity and team availability.

Can we use Dxtra for other compliance programs?

Dxtra is designed for privacy/DSRR, but can support:

  • Data governance — Map data flows and document processing
  • Audit readiness — Maintain compliance documentation
  • Privacy program — Organize policies and procedures
  • Customer trust — Transparency center and help center

Other compliance programs (SOC 2, ISO 27001, etc.) need additional tools.

What's our liability if we use Dxtra?

Dxtra provides:

  • DPA — Data Processing Agreement for GDPR compliance
  • AES-256 encryption — Data encrypted at rest and in transit (TLS 1.2+)

SOC 2 Type II and ISO 27001 certifications are on the roadmap. Review Dxtra's Security & Architecture page for full details.

But you remain responsible for:

  • Accuracy of data
  • Legitimacy of data processing
  • Your privacy policy compliance
  • Responding to requests timely

See Security & Trust →

General questions

Can we integrate Dxtra with our existing systems?

Yes. Dxtra integrates with:

  • E-Commerce: Shopify, WooCommerce
  • CRM: Salesforce, HubSpot
  • Email: Mailchimp, Klaviyo, Customer.io
  • Payments: Stripe, QuickBooks, Xero
  • Analytics: Google Analytics, Google Ads
  • Custom: Via API, webhooks, or Custom Functions

See all integrations →

Is my data secure with Dxtra?

Yes. Dxtra provides:

  • AES-256 encryption — At rest
  • TLS 1.2+ — In transit
  • Multi-region deployment — Infrastructure redundancy
  • SOC 2 Type II and ISO 27001 — On the roadmap

Security details →

Can we have multiple workspaces?

Yes. Create separate workspaces for:

  • Different brands/subsidiaries
  • Different regions
  • Different products
  • Testing vs. production

Switch between workspaces with dropdown menu.

How do we get support?

  • In-app chat — 9am-5pm PT weekdays
  • Email — support@dxtra.ai (24 hour response)
  • Status page — See system health at dxtra.instatus.com

Is there a money-back guarantee?

Yes. The Start plan includes a 14-day money-back guarantee. You get full access to all 16 capabilities from day one. If Dxtra is not the right fit, contact support@dxtra.ai within 14 days for a full refund.

What payment methods do you accept?

Dxtra accepts all major credit cards (Visa, Mastercard, American Express). Invoiced billing is available for enterprise customers. Contact our sales team for custom payment arrangements.

Can I change my billing plan?

Yes. Go to Account Settings > Billing & Plans and select "Upgrade," "Downgrade," or "Cancel." Changes take effect on your next billing cycle. If you upgrade mid-cycle, you'll be charged a prorated amount.

What happens if my payment fails?

We'll attempt to charge your card up to 3 times over 10 days. If all attempts fail, your account access is suspended until payment is resolved. You'll receive email notifications with instructions to update your payment method.

How can I get an invoice?

Invoices are automatically generated and emailed to your billing contact on the renewal date. You can also download previous invoices from Account Settings > Billing & Invoices.

Setup and configuration questions

How do I generate my first privacy notice?

  1. Log in to your dashboard
  2. Click Notices in the left menu
  3. Click Create New Notice
  4. Select Guided Mode or Template Mode
  5. Complete the setup wizard answering questions about your business
  6. Dxtra generates your notice with all required sections for your jurisdictions
  7. Review and customize as needed
  8. Click Publish

What regulations does Dxtra support?

Dxtra supports GDPR, CCPA/CPRA, PDPA, LGPD, APPI, PIPEDA, and other regional data protection laws. During setup, select which regulations apply to your business, and Dxtra includes all required disclosures.

Can I create separate notices for different regions?

Yes. Create multiple notices and configure different ones for different regions or products. Use Dxtra's URL routing to automatically show the correct notice based on user location, or manually link to the appropriate notice.

How do I customize my privacy notice after creation?

Click Notices in the dashboard, select your notice, and click Edit. You can modify any section. Changes are saved as drafts until you click Publish, which creates a new version.

Can I have multiple people editing my account?

Yes. Go to Account Settings > Team Members and click Invite Member. You can assign roles (Admin, Editor, Viewer) with appropriate permissions.

How do I add my logo to documents?

  1. Go to Account Settings > Branding
  2. Upload your logo (PNG, JPG, SVG, up to 5MB)
  3. Select where to display it (header, footer, both)
  4. Your logo appears on all published documents and forms

Can I use custom colors and fonts?

Yes. In Account Settings > Branding, select your primary and secondary colors and choose a typography style. Your branding applies to all privacy notices, forms, and transparency centers.

Integration questions

How do I connect Dxtra to my website?

You have several options:

  1. Embed code: Copy the embed code snippet and paste it into your website HTML
  2. Custom domain: Set up a CNAME record to use your own domain
  3. Link: Simply link to your hosted Dxtra URL
  4. Webhook: Integrate with your existing systems

Can Dxtra integrate with Shopify/WooCommerce?

Yes! Dxtra provides direct integrations for Shopify. For WooCommerce and Magento, you can: - Embed Dxtra forms and notices as code on your site - Use webhooks to connect with your e-commerce platform - Link to your Dxtra-hosted transparency center

Can I receive notifications about Dxtra events in other tools?

Yes. Use Dxtra's webhook system to send real-time event notifications to any tool that accepts HTTP POST requests. You can connect to Slack, Microsoft Teams, or any other tool by creating a webhook endpoint or using a workflow automation platform like Zapier.

See the webhook guide → for setup instructions.

Can I send DSRR responses to a custom email address?

Yes. When configuring your DSRR form:

  1. Go to DSRR Forms > [Form] > Settings
  2. Under "Response Configuration," select Email
  3. Enter the email addresses where responses should be sent
  4. You can add multiple recipients

Can I integrate Dxtra with my CRM?

Through custom webhooks, yes. See our integration documentation for setup instructions.

DSRR processing questions

Deadlines vary by regulation: - GDPR: 1 month, extendable by a further 2 months for complex requests (3 months total) - CCPA/CPRA: 45 calendar days, extendable by a further 45 days - PDPA: 30 days - LGPD: 15 business days

Dxtra tracks deadlines and alerts you when approaching the deadline.

How do I verify a requester's identity?

Dxtra supports multiple verification methods:

  • Email verification: Send a verification link; requester clicks to confirm
  • Security question: Ask a question you know the answer to (set during form config)
  • Two-factor authentication: If they have 2FA on their account, require it
  • Government ID: Request photo of government-issued ID

Use stronger verification (ID + 2FA) for sensitive requests like deletion.

What if someone requests data about someone else?

Most regulations allow authorized representatives to request data. In your DSRR form settings:

  1. Enable "Allow representative requests"
  2. Require the representative to upload proof of authorization (notarized letter, power of attorney, etc.)
  3. Store documentation with the request for audit trail

Verify the representation is legitimate before providing data.

How do I gather personal data to respond to a DSRR?

  1. Identify data sources: Account database, analytics, email, etc.
  2. Extract relevant data: Pull all data about this person
  3. Review for relevance: Only include actually collected data
  4. Format for delivery: PDF, CSV, or other format the person can use
  5. Securely deliver: Use Dxtra's secure delivery or send via secure link

Dxtra's dashboard provides request management tools to track the process.

Can I deny a data subject rights request?

Yes, in limited circumstances:

  • No legitimate request: If you doubt the person is who they say, verify harder or deny
  • Frivolous requests: Excessive or manifestly unfounded requests can be refused
  • Business impact: If the request would significantly harm others' rights
  • Legal exemptions: Some data (law enforcement, national security) has exemptions

If you deny a request, you must respond in writing explaining your reasoning.

How do I document DSRR processing for compliance?

Dxtra automatically creates audit trails showing: - When request was received - How requester was verified - What data was collected - When data was delivered - Any interactions or decisions

These export for compliance audits. Keep records for at least 3 years.

Compliance questions

How do I become GDPR compliant?

GDPR compliance is complex, but Dxtra helps with several components:

  1. Privacy notice: Publish detailed privacy disclosures
  2. Data subject rights: Set up forms to handle access, deletion, etc.
  3. Legal basis: Document your lawful basis for processing
  4. Consent: Manage user consent where required
  5. Records: Maintain detailed records of processing
  6. Data processing agreements: Use DPA templates for vendors
  7. Privacy impact assessment: Conduct PIAs for high-risk processing

You may need legal counsel for your specific situation.

What about CCPA/CPRA compliance?

CCPA and CPRA require:

  1. Privacy notice: Disclose data collection and use
  2. Data subject rights: Honor access, deletion, correction, portability requests
  3. Opt-out mechanisms: Allow users to opt out of data sales/sharing
  4. Consumer rights response: Respond within 45 days
  5. Sensitive data handling: Get consent before selling/sharing sensitive data
  6. Right to limit: Honor "Do Not Share My Sensitive Personal Information"

Dxtra helps you build all these features.

What if I operate in multiple countries?

You must comply with all applicable regulations where you operate:

  1. Identify jurisdictions where your users are located
  2. Research requirements for each jurisdiction
  3. Publish jurisdiction-specific notices (use Dxtra's multi-language feature)
  4. Set up appropriate safeguards for local requirements
  5. Consult local counsel if you operate in new countries

Dxtra supports notices in multiple languages and regulatory frameworks.

How do I demonstrate compliance in an audit?

Keep records of: - Privacy notices and versions (with publication dates) - Data subject rights requests and responses - Consent records - Data processing agreements - Security measures - Staff training records - Audit logs from Dxtra

Dxtra's dashboard provides audit exports in standard formats (PDF, CSV).

Security and account questions

Is Dxtra secure?

Yes. Dxtra uses AES-256 encryption for data at rest, TLS 1.2+ for data in transit, and complies with GDPR data protection standards. SOC 2 Type II and ISO 27001 certifications are on the roadmap.

Where is my data stored?

Dxtra operates a multi-region deployment. Enterprise customers can discuss regional data residency requirements with the Dxtra team.

Can I download my data?

Yes. Go to Account Settings > Data Export and select what to export (notices, responses, audit logs, etc.). Exports are available in PDF, CSV, and JSON formats.

How do I update my company name?

Go to Account Settings > Organization and update your company name. Changes apply to all new documents published after the update.

Can I delete my account?

Yes, but deleting your account deletes all data (notices, forms, responses) and cannot be undone.

Before deleting: 1. Export all data from Account Settings > Data Export 2. Contact support if you have questions

To delete: Go to Account Settings > Danger Zone > Delete Account.

Support and getting help

How do I get support?

  • Live chat: Click the chat icon in your dashboard
  • Email: support@dxtra.ai
  • Knowledge base: Search docs.dxtra.ai Response Times by Plan:
  • Start / Growth: 4 hours for critical issues
  • Scale: 2 hours for critical issues
  • Enterprise: 1 hour for critical issues, 4 hours for high-priority issues

Do you offer training?

Yes. We offer: - Webinars: Monthly free webinars on privacy topics - Documentation: Comprehensive guides and tutorials

How often do you release updates?

We release new features and improvements continuously. Major releases happen monthly. Security patches are deployed immediately. You're always on the latest version—no upgrades needed.

Can I request a feature?

Yes! Go to Help > Feature Requests or email support@dxtra.ai. We review all requests and prioritize based on customer demand.

What is your uptime SLA?

Dxtra targets high availability across all plans. For current system status and uptime information, see the Status Page.

Beta

Specific SLA terms are being finalized as Dxtra moves from Beta to general availability.

Can't find your question? Email support@dxtra.ai.

Not legal advice

AI-generated content does not constitute legal advice. Consult a qualified legal professional for advice specific to your jurisdiction and business context.