Last updated: 2026-04-03

Glossary

A

Accountability — The principle and practice of being responsible for demonstrating compliance through documentation, audit trails, and compliance monitoring.

AI Regeneration — When regulations change or business context evolves, Dxtra's AI engine regenerates the relevant compliance documents. Quota varies by plan.

API — Application Programming Interface. Programmatic way to interact with Dxtra using code.

APPI — Act on Protection of Personal Information. Japan's national data protection law regulating how organizations collect, use, store, and disclose personal information.

Assurance — Verified compliance signals: documentation, audit trails, and demonstrations that your privacy practices meet legal and regulatory requirements.

Automated Decision-Making — Making decisions about individuals using algorithms or artificial intelligence without significant human involvement. Regulations like GDPR require disclosure when decisions are made automatically.

B

BAA — Business Associate Agreement. HIPAA-compliant agreement for handling health information.

Backup — Automatic copy of data for disaster recovery purposes.

Behavioral Data — Information about how users interact with your service, including pages visited, features used, time spent, clickstreams, and engagement patterns. Often collected through analytics tools and cookies.

Biometric Data — Information derived from biological characteristics, such as fingerprints, facial recognition data, iris scans, and voice recognition patterns. Considered sensitive data under many regulations.

Browsing History — A record of websites and web pages a user has visited. Often collected through pixels, cookies, and analytics tools. Privacy-sensitive information under GDPR and CCPA.

C

CAN-SPAM — Controlling the Assault of Non-Solicited Pornography and Marketing Act. US email marketing law.

CASL — Canada's Anti-Spam Legislation. Canadian email marketing law similar to CAN-SPAM.

CCH Axcess — Tax and accounting software for managing client data.

CCH iFirm — Tax and accounting practice management software.

CCPA — California Consumer Privacy Act. California privacy law giving residents rights over their data.

Compliance — See Assurance. Dxtra uses the Assurance page to provide compliance scoring and status across 12 compliance areas.

Compliance Activities — Processing activities documented for regulatory compliance.

Compliance Calendar — Schedule of compliance deadlines, reviews, and audit dates.

Compliance Maturity — How well organized and documented your privacy program is.

Compliance Metrics — Measurements of compliance performance (DSRR response time, consent rates, etc.).

Compliance Report — Summary of compliance status for audit or executive reporting.

Compliance Status — Current state of your privacy compliance program.

Compliance Team — People responsible for managing privacy and compliance.

Conduit — Dxtra's webhook endpoint for receiving real-time events.

Consent — Affirmative permission from a user to process their personal data. Consent must be freely given, specific, informed, and unambiguous. One lawful basis for data processing under GDPR.

Consent Categories — Groupings of processing activities by consent type (analytics, marketing, etc.).

Consent Management — System for collecting, tracking, and respecting customer consent.

Consent Records — Evidence of what customers consented to and when.

Consent Tracking — Monitoring what consents customers have given over time.

Consent Withdrawal — Customer's right to remove their consent at any time.

Consumer Rights — Rights that consumers have under privacy laws (access, deletion, etc.).

Cookie — A small text file stored on a user's device that remembers information across browsing sessions. Cookies can be essential (required for the website to function), functional (improve the experience), or tracking (used for analytics or marketing).

Cookie Banner — Notice and consent request shown to website visitors.

CPRA — California Privacy Rights Act. Enhanced version of CCPA (2023+).

CRM — Customer Relationship Management system (e.g., Salesforce, HubSpot).

Cross-Border Data Transfer — Moving data between countries; requires safeguards under GDPR.

Cryptography — Mathematical techniques for securing information by encrypting (converting to unreadable form) and decrypting data. AES-256 encryption protects data at rest; TLS encryption protects data in transit.

Custom Function — Serverless code that runs in Dxtra to process data or extend functionality.

Custom Integration — Integration with systems not in Dxtra's pre-built catalog.

Customer.io — Customer data and behavioral email marketing platform.

Customer Portal — Customer-facing interface for managing their data and preferences.

D

Dashboard — Central control panel for managing your Dxtra workspace.

Data Breach — Unauthorized access or disclosure of personal data.

Data Collection — Gathering personal information from customers.

Data Controller — An entity (person or organization) that determines the purposes and means of data processing. Under GDPR, the controller is responsible for data protection compliance and must respect individuals' rights.

Data Handler — Person or system that processes data (synonym for Data Processor).

Data Handling — How you collect, use, store, and delete customer data.

Data Minimization — Privacy principle of collecting only data you need.

Data Portability — A data subject's right to request their data in a structured, machine-readable format and transfer it to another service provider. Required under GDPR and CCPA.

Data Processing — Any operation performed on data (collection, use, storage, deletion).

Data Processing Agreement (DPA) — Legal agreement between data controller and processor.

Data Processor — An entity that processes data on behalf of a controller. A processor follows the controller's instructions and must implement appropriate security safeguards. Service providers like email platforms are typically processors.

Data Protection Authority (DPA) — Government agency enforcing privacy laws (e.g., ICO in UK).

Data Protection Impact Assessment (DPIA) — Risk analysis for high-risk data processing.

Data Protection Officer (DPO) — Person responsible for monitoring data protection compliance within an organization. Mandatory for public authorities; recommended for large-scale data processing under GDPR.

Data Retention — How long you keep customer data after collection.

Data Retention Policy — Document specifying retention periods for different data types.

Data Subject — An individual whose personal data is processed. In GDPR, data subjects have specific rights (access, deletion, correction, portability, etc.). Also called a "consumer" under CCPA or a "user" in common terminology.

Data Subject Rights — Legal rights that individuals have regarding their personal data. Common rights include access (right to know), deletion (right to be forgotten), correction (right to rectify), and portability. See DSRR for how to handle requests to exercise these rights.

Data Transfer — Moving data between systems or organizations.

Data Transfer Mechanism — A legal framework authorizing transfer of personal data across borders (especially outside the EU). Includes Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and adequacy decisions.

Database Encryption — Encrypting data in your database at rest.

Deadline Tracking — Monitoring when DSRR responses must be delivered.

Deletion — Permanently removing customer data.

Deletion Request — Customer request to delete their personal data.

DID (Decentralized Identifier) — A W3C standard for a globally unique, self-sovereign identifier. Unlike traditional identifiers (email addresses, usernames) that are issued and controlled by a central authority, DIDs are created, owned, and controlled by the entity they identify. In Dxtra, every Data Controller and Data Subject receives a DID. A Data Controller DID looks like did:dep:b2150543c51baeaf7c95728434b4a776342b495cfa7449f42a60cb2f2af22a58. An Asset DID (for documents, policies, etc.) appends the asset ID after a slash. DIDs are generated via GraphQL mutations and used for API authentication, cross-system identity, and webhook signature validation. Your Data Controller DID appears on the Home page in the dashboard.

Digital Rights — Rights individuals have over their digital information and identity.

Disclosure — Revealing information about data practices to customers.

Disclosure Log — Record of all privacy disclosures provided to customers.

DPA — See Data Protection Authority or Data Processing Agreement.

DPIA — See Data Protection Impact Assessment.

DSR — See DSRR (Data Subject Rights Request).

DSRR — Data Subject Rights Request. Dxtra's term for a formal request submitted by a data subject to exercise one of their privacy rights (access, rectification, erasure, restriction, portability, objection, or general enquiry). Also referred to as a DSAR (Data Subject Access Request) or DSR in other platforms.

Dxtra — AI-powered privacy compliance platform (this product).

E

Encryption — Mathematical process of converting readable data into a form that cannot be read without a cryptographic key. Essential for protecting sensitive personal data both in transit and at rest.

Enterprise — Large organization; often refers to enterprise plan.

Essential Cookies — Cookies required for a website to function properly, such as session cookies that keep you logged in. Users cannot opt out of essential cookies without losing website functionality.

Essential Data — Data needed to provide your service (cannot be deleted if still needed).

Event — Something that happens in Dxtra (DSRR submitted, consent given, data deleted).

Eventbrite — Event ticketing platform.

Explicit Consent — Clear, affirmative permission (e.g., checkbox) rather than assumed.

F

Fair Use — Legal doctrine allowing limited use of copyrighted material without permission. In privacy context, fair use applies to public domain data and non-commercial educational use.

FIDO2 — Standard for passwordless authentication using security keys.

Flesch Reading Ease — Readability score for text; higher scores mean the text is easier to read.

Functional Cookies — Cookies that remember user preferences and enhance experience (language selection, theme preference, account settings) without tracking across sites.

G

GDPR — General Data Protection Regulation. European Union regulation effective May 25, 2018. The world's most comprehensive data protection law, giving EU residents extensive rights over their personal data and imposing strict obligations on organizations.

Glossary — List of defined terms (this page).

Google Ads — Google's advertising platform.

Google Analytics — Google's website and app analytics platform.

Google Drive — Cloud storage service by Google.

Graceful Degradation — System continues working even if some parts fail.

GraphQL — Query language for APIs; used by Dxtra.

H

Hash / Hashing — A one-way mathematical function that converts input data of any size into a fixed-length string (the hash). The same input always produces the same hash, which allows stored values to be verified, but unlike encryption the process cannot be reversed to recover the original data.

Hasura — Managed GraphQL backend that Dxtra uses.

Help Center (Data Subject Support) — Self-service knowledge base for customer privacy questions. In the Dxtra sidebar, this feature appears as "Data Subject Support."

HIPAA — Health Insurance Portability and Accountability Act (US health privacy law).

HMAC-SHA256 — Hash-based Message Authentication Code using SHA-256. A keyed hash that Dxtra uses to sign webhook payloads, so the receiving system can verify that each delivery is authentic and has not been modified.

HubSpot — CRM and marketing automation platform.

I

Identifier — Any data that can be used to identify an individual, either directly (name, email) or indirectly (IP address, device ID, account number).

Identity Verification — The process of confirming that someone is who they claim to be. Methods include email verification, security questions, two-factor authentication, and government ID verification.

Incident Response — Procedures for handling security breaches or privacy violations.

Intake — Process of receiving and logging a DSRR or other request.

Integrations — Connections between Dxtra and other business tools.

Interaction History — Record of all communications with a customer.

IP Address (Internet Protocol Address) — A unique numerical identifier assigned to a device on the internet. Can be used to identify or track individuals, especially when combined with other data. Considered personal data under GDPR.

ISO 27001 — International standard for information security management.

J

JWT — JSON Web Token. Signed token format used by the Dxtra API to authenticate requests.

K

Klaviyo — E-commerce email and SMS marketing platform.

L

Label — Tag applied to requests, documents, or contacts for organization.

Lawful Basis — Legal justification for processing data under GDPR. Six lawful bases include: consent, contract, legal obligation, vital interests, public task, and legitimate interests.

Legal Basis — See Lawful Basis.

Legitimate Interests — A lawful basis for data processing under GDPR that allows organizations to process data when they have a valid business interest that outweighs individuals' privacy rights. Must be balanced against user privacy.

LGPD — Lei Geral de Proteção de Dados (Brazil's General Data Protection Law), effective August 14, 2020. Covers data protection and privacy for Brazilian residents and organizations operating in Brazil. Similar in structure to GDPR.

Liability — Legal responsibility for violations or harms. Under GDPR, organizations can face fines (up to 4% of global revenue) and lawsuits for privacy violations. Under CCPA, statutory penalties and private right of action exist.

Lifecycle — Stages a request goes through (created, verified, processed, completed).

M

Magic Link — Email-based authentication method; the customer clicks a link in the email to log in.

Mailchimp — Email marketing platform.

Marketing — Processing personal data for promotional communications.

Marketing Cookies — Cookies used to track users across websites for advertising and retargeting purposes. Users must typically opt in to marketing cookies in most jurisdictions.

Merchant Data — Personal data your organization collects directly from individuals (as opposed to inferring data through observation). Examples include name, email, and payment information entered during signup.

Meta / Facebook Ads — Facebook and Instagram advertising platform.

MFA / Multi-Factor Authentication — Security requiring multiple forms of authentication.

Migration — Moving from one system to another.

Milestone — Important date or target in your compliance program.

MPA — Master Privacy Agreement (same as DPA).

N

NetSuite — Enterprise resource planning and financial management software.

Notification — Alert sent to user about events or deadlines.

O

OAuth — Open standard for delegated access that lets users sign in through a third-party identity provider (Google, GitHub, etc.) without sharing their password with the application.

Objection — Customer's right to object to processing based on legitimate interests or for direct marketing purposes. The right to object does not require a reason, but it limits the organization's ability to process the data.

Opt-In — User explicitly agrees to something (checking a box, clicking a button). Required for non-essential cookies and in some regulations for consent to processing. Stronger protection than opt-out.

Opt-Out — A user explicitly refusing something, or a system that permits something by default unless the user takes action to stop it. Generally weaker protection than opt-in; some regulations require opt-in instead.

P

Partial Fulfillment — Fulfilling part of DSRR because part cannot be completed.

Passkey — FIDO2/WebAuthn credential for passwordless authentication.

PCI DSS — Payment Card Industry Data Security Standard (payment security).

PDPA — Personal Data Protection Act (Singapore's data protection law). Regulates how organizations in Singapore and those with Singapore-based customers collect, use, disclose, and store personal data.

Personal Data — Any information relating to an identified or identifiable natural person. Includes names, identification numbers, location data, online identifiers, and factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.

PII — Personally Identifiable Information. Data that can identify an individual.

PIPEDA — Personal Information Protection and Electronic Documents Act. Canada's federal privacy law regulating how personal information is collected, used, disclosed, and retained by private sector organizations in Canada.

POPIA — Protection of Personal Information Act. South Africa's privacy law effective July 1, 2021.

Portability — Customer's right to receive their data in machine-readable format.

Preference Center — Place where customers manage their communication and data preferences.

Privacy Center — See Transparency Center.

Privacy Impact Assessment (PIA) — An evaluation of how a system, process, or initiative affects privacy. Similar to DPIA in scope. Used to identify privacy risks and mitigation strategies.

Privacy Notice — A document explaining how an organization collects, uses, shares, and protects personal data. Required by law in most jurisdictions. Also called privacy policy or privacy statement.

Privacy Officer — Person responsible for privacy compliance in an organization.

Privacy Policy — Legal document explaining data practices.

Privacy Practices — How an organization handles personal data.

Privacy Preserving — Techniques and practices designed to protect user privacy while still allowing necessary operations. Examples include anonymization, encryption, differential privacy, and privacy-by-design principles.

Privacy Program — Entire system of policies, procedures, and practices for privacy.

Processing — Any operation performed on personal data, including collection, storage, use, analysis, deletion, or disclosure. Organizations must have a lawful basis for each processing activity.

Processing Activities Registry — Catalog of all your data processing activities.

Processing Activity — Documented instance of data processing (what, why, who, how long).

Processor — See Data Processor.

Pseudonymization — Technique for processing data using a reference number or identifier instead of the person's name or directly identifying information. Data can be re-identified with additional information.

Q

QuickBooks — Accounting and invoicing software.

Query — Request for data from API (read-only operation).

R

RBAC — Role-Based Access Control. Assigning permissions based on user roles.

Record of Processing Activities (RoPA) — A comprehensive inventory of all data processing activities, including what data is collected, for what purposes, from what sources, how long it's retained, and with whom it's shared. Required by GDPR.

Rectification — Customer's right to correct inaccurate data.

Request for Proposal (RFP) — Invitation to vendors to bid on services.

Response Rate — Percentage of DSRRs completed on time.

Retention Period — How long data is kept before deletion.

Right of Access — Data subject's right to request and receive a copy of all personal data an organization holds about them. One of the most important data subject rights under GDPR and CCPA.

Right to be Forgotten — Data subject's right to request deletion of their personal data, subject to exceptions. Formally called "right to erasure" in GDPR. Sometimes called "right to deletion" in other regulations. See also Right to Erasure.

Right to Correct — Data subject's right to request correction of inaccurate or incomplete personal data. Also called "rectification" under GDPR or "right to correct" under CCPA/CPRA.

Right to Data Portability — Data subject's right to request personal data in a structured, machine-readable format and transfer to another provider. Required under GDPR and CCPA/CPRA for most data.

Right to Erasure — Customer's right to request deletion.

Right to Object — Data subject's right to object to certain types of processing, particularly processing based on legitimate interests or for direct marketing. The right to object does not require a reason, but it limits the organization's ability to process the data.

Right to Opt-Out — Similar to right to object; allows individuals to request an organization stop processing their data for specific purposes. Used in CCPA for opting out of data sales/sharing.

Right to Rectification — Customer's right to correct their data.

Roles — Assigned responsibilities and permissions (admin, privacy officer, etc.).

RTO/RPO — Recovery Time Objective / Recovery Point Objective. Disaster recovery targets.

S

Salesforce — Enterprise CRM platform.

SAML — Security Assertion Markup Language. Enterprise authentication standard.

Sandbox — Testing environment separate from production.

SAR — Subject Access Request. See DSRR (Data Subject Rights Request). Dxtra uses the term DSRR rather than SAR.

Scope — What a request applies to (which data, which systems).

SEC — Securities and Exchange Commission.

Security Key — Physical device for two-factor authentication (FIDO2).

Self-Regulatory Organization (SRO) — Industry body that sets standards.

Sensitive Data — Personal information that warrants extra protection, including racial/ethnic information, political opinions, religious beliefs, genetic data, health data, and biometric data. Usually requires explicit consent to process.

Serverless — Computing model where infrastructure is managed automatically.

Service Provider — An organization that processes data on behalf of another organization (controller). For example, email platforms, analytics providers, and payment processors are service providers.

Session — Period during which a user is logged in.

SLA — Service Level Agreement. Guaranteed uptime and support standards.

SOC 2 — Service Organization Control 2. Security and compliance audit standard.

Sole Proprietor — Individual business owner.

Source System — System from which data is collected for DSRR response.

Standard Contractual Clauses (SCCs) — EU-approved contract language that permits international data transfers while maintaining GDPR compliance. Organizations transferring EU personal data outside the EU should use SCCs.

Stripe — Payment processing platform.

Subject Access Request — Customer request for copy of their data.

SurveyMonkey — Online survey platform.

T

Tag — A label or identifier used in web analytics to track user behavior. Tags collect data when website events occur (page load, button click, form submission). Must be disclosed in privacy notices.

Tax ID — Identification number for tax purposes (VAT, EIN, etc.).

Temporary Data — Data kept only for processing a specific request.

Tenure — How long someone has been with an organization.

Terms of Service — Legal agreement governing use of a service.

Third Party — External organization separate from yours and your customer.

Threshold — Limit that triggers action (e.g., spend threshold, error rate threshold).

TLS — Transport Layer Security. Encryption protocol for data in transit.

Token — Authentication credential proving identity.

Transfer — Moving data between systems or locations.

Transparency — Being open about data practices.

Transparency Center — A unified privacy hub consolidating privacy notice, cookie policy, DSRR forms, opt-out mechanisms, contact information, and FAQs. Offered by Dxtra as a complete no-code solution.

TRUSTe — Privacy certification program.

U

UK GDPR — The GDPR as retained in United Kingdom law after Brexit, operating alongside the UK Data Protection Act with UK-specific national exemptions.

Unstructured Data — Personal data that isn't organized in a database or spreadsheet (e.g., emails, documents, chat logs). Harder to locate and provide for data subject requests; organizations should inventory this data.

Uptime — Percentage of time the system is available and working.

User — Person using Dxtra (team member, not customer).

User Rights — See Data Subject Rights.

V

Validation — Checking that data is correct and complete.

Verification — Confirming identity before fulfilling DSRR.

Version Control — Tracking changes to documents over time.

Visa — Credit card payment network.

W

WAF — Web Application Firewall. Inspects HTTP traffic and blocks common web attacks before they reach the application.

WebAuthn — Standard for passwordless authentication using biometrics or security keys.

Webhook — An HTTP callback that sends data from one application to another when a specific event occurs. Dxtra webhooks can notify external systems when DSRR requests are submitted.

Whitelist — A list of allowed items (domains, email addresses, IP addresses) that are permitted to access a resource. The opposite of a blacklist.

WooCommerce — WordPress e-commerce plugin.

Workflow — Step-by-step process for handling DSRRs or other tasks.

X

Xero — Cloud-based accounting software.

Z

Zero Trust — Security model that trusts nothing by default: every user, device, and request must be authenticated and authorized, regardless of network location.

Need to add more terms? Let us know at support@dxtra.ai

Not legal advice

AI-generated content does not constitute legal advice. Consult a qualified legal professional for advice specific to your jurisdiction and business context.