As a leader in privacy and data governance, the TrustArc Platform helps to automate and simplify end-to-end compliance management for organizations worldwide.
PrivacyCentral is designed to aid Customers in complying with privacy and security frameworks, as well as a variety of local, national, and global standards and laws — and gives Customers real-time, actionable insights on how to comply. PrivacyCentral continuously scans for applicable new laws related to a Customers’ company profile and evaluates a Customers progress towards compliance with each law to allow Customers to build off the work already completed with contextual questions that account for existing evidence and efforts. Use of any “AI-Assisted” capabilities (e.g., AI-Assisted Upload) within PrivacyCentral, which are optional, is subject to the TrustArc Terms of Use for AI Features available here.
PrivacyCentral includes:
- Privacy Library – A central place to keep track of an organization’s policies, procedures, processes, checklists, and other program documentation that maps Customer documents to the TrustArc Framework and relevant standards in PrivacyCentral.
- Operational Templates – Key templates, handbooks, and other resources to help Customers build out their policies, procedures, processes, checklists, and other program documentation.
TrustArc also offers PrivacyCentral Expert+ which includes everything from PrivacyCentral, as well as 18 hours of activities or open-door sessions*: activities may include framework selection and management, program document upload, framework training sessions, privacy program setup, executive presentation draft, re-assessments, and reviews of new legislation. Open-door sessions allow Customers to choose the data privacy topic for discussion.
*Total hours must be used within a twelve (12) month period and cannot be rolled over to a new year. The expertise provided does not, and is not intended to, constitute legal advice.
Assessment Manager provides comprehensive and collaborative workflows for compliance assessments and includes pre-built assessment templates (e.g., AI Risk Assessment, Vendor Assessment, PIAs, DPIAs, TIAs, etc.). Assessment Manager lets Customers easily customize the assessment templates to meet unique requirements, collaboration, and workflow needs. Automated scoring for high risks and remediations within a common workflow enables clients to further streamline assessment workflows and manage their risk requirements.
Assessment Manager includes:
- Assessment templates
- Compliance controls
- Rules and questions
- Response selections
- Compliance tasks
- Reporting
Data Inventory Hub enables Customers to create, manage, and maintain an inventory of third parties, IT systems, company entities, and business processes. Capabilities include mapping, creation, reporting analytics, and on-demand regulator reports for compliance requirements under GDPR (e.g., Article 30) and other privacy and data protection laws.
TrustArc also offers Data Inventory Hub Expert+ with additional features such as reporting to support records of processing compliance requirements under GDPR (e.g., Article 30), and data inventory, notification, and registration requirements under other applicable privacy and data protection laws, as well as business process summary reports. Also includes 18 hours of activities or open-door sessions*: activities include inventory build approach, collection templates assistance, process identification assistance, and draft policies/content assistance. Open-door sessions allow Customers to choose the data privacy topic for discussion.
*Total hours must be used within a twelve (12) month period and cannot be rolled over to a new year. The expertise provided does not, and is not intended to, constitute legal advice.
Risk Profile is designed to help organizations understand, prioritize, manage, and mitigate their privacy risks and third-party privacy risks (including partners, vendors, service providers, and third party systems) through the use of visual and dynamic reporting of company and third party risks. Leverage automatic detection of privacy and data protection risks across all systems and business process records for enhanced visibility and risk posture management. Automated risk evaluation includes linked impact assessments to calculate inherent and residual risks.
Integration with TrustArc’s Assessment Manager allows Customers to leverage pre-built risk assessments relevant to demonstrating compliance, control effectiveness, and risk mitigation over time. Includes access to the following assessments: DPIA and PIA, Legitimate Interests, Consent, International Data Transfers, and Third Parties.
Risk Profile subscriptions require concurrent technology licenses to the Data Inventory Hub and Assessment Manager.
IRM provides: (a) transparent, structured, and configurable management of data subject requests (“DSRs”) to support compliance with individual rights requirements under GDPR, CCPA, HIPAA and other privacy and data protection laws and frameworks; (b) a request management portal to track requests and related timing obligations, enable logic-based intake templates, automatically route requests, automatically log audit trails for each request, and automate email notification with requester; and (c) email identity verification to verify requesters.
TrustArc also offers Individual Rights Expert+ that includes 18 hours of activities or open-door sessions such as: organizational approach reviews, overviews of legal requirements, request workflows, outline of actions for requests, and drafting of policies/content. Open-door sessions allow Customers to choose the data privacy topic for discussion and consultation.
*Total hours must be used within a twelve (12) month period and cannot be rolled over to a new year. The expertise provided does not, and is not intended to, constitute legal advice.
CPM enables Customers to meet legal and compliance requirements via the collection, syncing, and processing of customer choices and first-party data across their marketing and vendor ecosystem within one repository, including opt-ins and opt-outs (e.g., targeted advertising, tracking, geolocation tracking, or profiling) across third-party marketing platforms (email, web, connected TV, mobile app, email). It allows Customers to organize and manage data subject consent and data in one place and compiles the history of consent and audit trails for compliance.
CCM enables organizations to manage cookie and tracker consent for compliance, in a manner designed to deliver a secure, personalized browsing experience with automated tracker management and website scanning features.
- CCM – Professional
Key Features:
- Tag management integration with standard and zero-tracker load
- Custom branding
- IP-based geo-detection
- Configurable cookie list and disclosures
- Multi-language support and browser language detection
- Global Privacy Control signal support (also known as “GPC signal support”)
- Do Not Track signal support
- Deep Website Scanning (e.g., scanning behind login)
- Supports Google Consent Mode
- Dynamic tracker display
- Control trackers using auto-block and API
- Reporting
- CCM – Professional with Technical Account Manager (“TAM”) Support
The same Key Features as CCM Professional but with TAM Support. TrustArc’s TAM resource serves as project manager for CCM Professional subscription.
- A designated TAM is the point of contact for onboarding, implementation, and support for maintenance tasks for CCM.
- The TAM coordinates with TrustArc Product and Engineering organizations for feature requests and complex issues.
- The TAM provides guidance based on deployment preferences, performs regular audit scans to ensure trackers are firing compliantly, and supports tag management implementing or country-specific requirements and use cases.
- CCM – Advanced
CCM – Advanced includes a designated TAM (defined above) resource who will help define, configure, and provide implementation support for CCM – Advanced implementation and includes:
- Integrated Do Not Sell/Do Not Share workflow support
- AdChoices publisher
- Implementation and ongoing support
- Supports Google Consent Mode
- Control trackers using auto-block and API
- Consent resolution
- Integration with Shopify and other platforms using event listeners
- Website Monitoring Manager (also known as “WMM”)
- Financial incentive and known user consent (cross-device)
- Manual scan that requires a step-by-step process (shopping cart, web apps, etc.)
- Supports IAB TCF 2.2 Framework
Mobile App Consent is designed to help businesses that develop mobile apps to address consumer privacy concerns by providing: (a) transparency into which third parties collect data from the app, what data is collected, and how it will be used; (b) mobile app users with the ability to update or change their consent over time; (c) scanning of mobile applications to support identification of third party technologies accessing the app; and (d) the ability to adjust how consent notices are displayed based on end-user geo-location and end user’s language settings. The Mobile App Consent SDKs are available for Android, MAC, and React Native.
Mobile App Consent subscription includes a designated TAM (defined above) to assist in Mobile App Consent integration onboarding, set up, and implementation support.
Digital Advertising Alliance (“DAA”) compliant advertising notice and preference management technology Solution, includes the following features or capabilities:
- Attachment on or near advertisements (audio-visual video ads and banner or text ads, as applicable) of the AdChoices Icon trademark adopted by the DAA, and licensed by Customer (the “Icon”) desktop and/or mobile integration of the recognizable, clickable Icon for consumers to know when information about their interests may be collected or used for interest-based advertising.
- Single design DAA-compliant ad notice for consumers interacting with the Icon.
- A link to and management of the TrustArc Preferences Manager tool to capture consumers opt-out indication to cease tracking activity (i.e., “opt-out”) for interest-based advertising purposes.
- Note: If Customer has not licensed the Icon, TrustArc will provide an advertising icon to Customer that supports the same functionality.
- Monthly reports, which include metrics (icon impressions, icon clicks, click-through rate, opt-outs, opt-out rate), cuts (by day, week, month, advertiser, campaign, creative size), and compliance reports.
DAA compliant advertising notice and preference management technology Solution, includes the following features or capabilities:
- HTML insert to embed the DAA AdChoices Icon, licensed by Customer, on any page within Customer’s website or mobile application.
- Desktop and/or mobile integration of the recognizable, clickable Icon for consumers to know when information about their interests may be collected or used for interest-based advertising.
- A link to, and management of, a TrustArc Preferences Manager tool by which consumers can express an indication to have a tracking activity cease to occur (i.e., “opt-out”) for interest-based advertising purposes.
- Reporting metrics covering opt-outs and related information.
Note: If Customer has not licensed the AdChoices Icon from the DAA, TrustArc will provide an alternate advertising icon to Customer that supports the same functionality.
TrustArc’s WMM is a comprehensive website monitoring Solution designed to identify and monitor cookies and other tracking technologies, conduct cookie audits, and manage trackers, to allow organizations to gain a comprehensive understanding of their website’s tracking behavior.
Nymity Research helps organizations stay abreast of the privacy landscape with a continuously updated privacy knowledge product. Content within Nymity Research includes legal summaries, full-text law analysis, updates to regulatory developments, and privacy guidance provided by dedicated in-house legal and privacy subject matter experts. Nymity Research is designed to minimize time-consuming legal and privacy research by providing contextualized and structured privacy knowledge.
Nymity Research includes:
- Law Comparisons: Web-based privacy law rules engine covering numerous global privacy laws and regulations; updated routinely to add new laws and regulations. This module includes the ability to: (i) compare various legal requirements across laws; (ii) map accountability to compliance; (iii) create rationalized rule sets; and (iv) build tables to understand compliance obligations.
- Operational Templates: Access to a comprehensive repository of pre-built operational templates, designed to help organizations operationalize and manage their privacy programs more effectively.
- Legal Summaries: Leverage Nymity content and Morrison Foerster’s comprehensive ‘Notes’, for summaries and analysis of various privacy laws, including multi-jurisdictional comparisons. Customers will be able to: (i) generate custom reports with summary analysis of privacy laws; and (ii) analyze Customer’s obligations through multi-jurisdictional reporting.
- NymityAI: Get privacy and legal answers in near-real-time, reducing research time. This AI chatbot includes reference citations and past chats anywhere in the TrustArc Platform and includes thirty (30) questions per day per user. Use of NymityAI is subject to the TrustArc Terms of Use for AI Features available here.
Awareness Tracker is an automated email alert service that provides privacy knowledge and awareness capabilities through the Nymity platform for specified employees across an organization. The weekly email alert can be tailored to an end-user’s liking or based on job function. Awareness Tracker is designed to empower privacy champions across every business function, fostering a culture of privacy engagement, knowledge, and accountability that is relevant and appropriate for an employee’s respective role.
Manage status, keep records, plan, and report on privacy management through the organization and generate progress, status, compliance, ownership, and maintenance reports.
- Single Sign On (SSO)
Applicable to any of our platform Solutions, SSO is an additional TrustArc Solution that can be set up to add additional security and aid in managing user authentication for the TrustArc Platform.
- API integrations
API integrations can be set up as an additional TrustArc Solution to integrate our Solution with supported third-party customer systems or services.
The following are Solutions for managing ongoing privacy program management obligations provided by TrustArc’s third-party partners:
- IDology Integration (IRM Subscription Required) – IDology ExpectID Solutions with a per request cost and are governed by additional terms set forth in Exhibits included in the PSO.
- Optacy (IRM Subscription Required) – Integration with TrustArc IRM with a yearly subscription cost including SSO access from IRM to Optacy (access to trustarc.optacy.com to be governed via SSO for users who are validly logged into the TrustArc IRM dashboard). The Optacy Solutions is governed by additional terms set forth in Exhibits included in the PSO.
TrustArc Assurance Services allow organizations to demonstrate accountability and adherence to recognized privacy regulations and standards including, but not limited to APEC CBPR, DPF, and EDAA. Customer’s participation in any of these Assurance Services is subject to the Assurance Services Addendum.
Customer’s eligibility and ongoing participation in the TRUSTe Responsible AI Certification is subject to the applicable assessment criteria. Subscription to, and participation in, the Responsible AI Certification includes:
Customer’s eligibility and ongoing participation in the TRUSTe’s Enterprise Privacy Certification Program is subject to the applicable program requirements and assessment criteria. Subscription to, and participation in, the Enterprise Privacy Certification includes:
TRUSTe’s Data Privacy Framework Verification Program aligns with the requirements of the EU-U.S. Data Privacy Framework, the UK extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework. If verified, Customer may list TRUSTe as the Verification Agent in its listing on the dataprivacyframework.gov site. Additionally, Customer may list TRUSTe as its Independent Recourse Mechanism for non-HR data on the dataprivacyframework.gov site. Subscription to, and participation in, the Data Privacy Framework Verification program includes:
TRUSTe’s International Privacy Verification Program is based on the principles laid out in the EU-U.S. Data Privacy Framework. Subscription to, and participation in, this program includes:
- Technology License: A basic level license to use TrustArc’s PrivacyCentral platform solution to document compliance with the International Privacy Verification Program Assessment Criteria;
- Gap Analysis: Gap analysis will identify areas where remediation is necessary to meet the requirements of the International Privacy Verification Program Assessment Criteria;
- Compliance Verification: TRUSTe independent compliance verification pursuant to International Privacy Verification Program Assessment Criteria and Assurance Program Governance Standards;
- Report: TRUSTe compliance verification report;
- Letter of Attestation: TRUSTe letter of attestation upon certification;
- Seal: Upon verification of compliance, authorization to display the TRUSTe International Privacy Verified seal on in-scope digital properties;
- Annual Review: TRUSTe annual verification review; and
- Dispute Resolution: TRUSTe dispute resolution services for privacy practices in the scope of Verification on behalf of the Customer.
TRUSTe’s APEC CBPR Certification Program uses the program requirements set forth in the APEC CBPR System Program Requirements. Certified organizations will be listed in the compliance directory available at cbprs.org. Subscription to, and participation in, the APEC CBPR program includes:
- Technology License: A basic level license to use TrustArc’s PrivacyCentral platform solution to document compliance with the APEC CBPR System Program Requirements;
- Gap Analysis: Gap analysis will identify areas where remediation is necessary to meet the requirements of the APEC CBPR System Program Requirements;
- Certification: TRUSTe certification pursuant to the APEC CBPR System Program Requirements and Assurance Program Governance Standards;
- Report: TRUSTe compliance assessment report;
- Letter of Attestation: TRUSTe letter of attestation upon certification;
- Seal: Upon certification, authorization to display the TRUSTe APEC Privacy seal on in-scope digital properties;
- Annual Review: TRUSTe annual certification review; and
- Dispute Resolution: TRUSTe will provide dispute resolution for privacy practices in the scope of Certification on behalf of the Customer.
TRUSTe’s APEC PRP Certification Program uses the program requirements set forth in the APEC PRP Intake Questionnaire. Certification participants will be listed in the compliance directory available at cbprs.org. Subscription to, and participation in, the APEC PRP program includes:
- Technology License: A basic level license to use TrustArc’s Privacy Central to document compliance with the APEC PRP Intake Questionnaire;
- Gap Analysis: Gap analysis will identify areas where remediation is necessary to meet the requirements of the APEC PRP Intake Questionnaire;
- Certification: TRUSTe certification pursuant to the its APEC PRP Intake Questionnaire and Assurance Program Governance Standards;
- Report: TRUSTe compliance assessment report;
- Letter of Attestation: TRUSTe letter of attestation upon certification;
- Seal: Upon certification, authorization to display the TRUSTe APEC Processor seal on in scope digital properties;
- Annual Review: TRUSTe annual certification review.
A license to the TRUSTe GDPR Validation Solution(s) includes the following components:
- Technology License: A basic level license to use TrustArc’s PrivacyCentral platform solution to document compliance with the GDPR Privacy Program and Privacy Practices Validation Requirements (accessible via PrivacyCentral);
- Gap Analysis: Gap analysis will identify areas where remediation is necessary to meet the requirements of the GDPR Privacy Program and Privacy Practices Validation Requirements;
- Compliance Validation: TRUSTe compliance validation pursuant to its GDPR Privacy Program and Privacy Practices Validation Requirements;
- Report: TRUSTe compliance validation report; and
- Findings Letter: TRUSTe findings letter, and a summary thereof; letter to cover the period from date of validation to the earlier of: (i) end of subscription term; or (ii) in the case of a subscription term longer than one year, the first anniversary of the Effective Date of the applicable order.
A license to the TRUSTe CCPA Validation Solution(s) includes the following components:
- Technology License: A basic level license to use TrustArc’s PrivacyCentral platform solution to document compliance with the CCPA Validation Requirements (accessible via PrivacyCentral);
- Gap Analysis: Gap analysis will identify areas where remediation is necessary to meet the requirements of the CCPA Validation Requirements;
- Compliance Validation: TRUSTe compliance validation pursuant to the CCPA Validation Requirements;
- Report: TRUSTe compliance validation report; and
- Findings Letter: TRUSTe findings letter, and a summary thereof; letter to cover the period from date of validation to the earlier of: (i) end of subscription term; or (ii) in the case of a subscription term longer than one year, the first anniversary of the Effective Date of the applicable order.
TRUSTe’s EDAA Certification includes certification services against the Self-Certification Criteria for Companies Participating in the European Self-Regulatory Programme on Online Behavioral Advertising:
TRUSTe’s DAA AMI Validation is based on the Policy Framework for Addressable Media Identifiers administered by the DAA. Subscription to, and participation in this program includes:
TRUSTe’s Data Collection Certification is a certification designed to enable organizations who have a role in the optimization or serving of an online advertisement to demonstrate privacy and data governance practices for the collection and use of data for online behavioral advertising, complies with the Data Collection Certification Assessment Criteria. Subscription to, and participation in, this program includes:
- Technology License: A basic level license to TrustArc’s PrivacyCentral platform solution to document compliance with the TRUSTe Data Collection Certification Assessment Criteria;
- Gap Analysis: Gap analysis will identify areas where remediation is necessary to meet the requirements of the Data Collection Certification Assessment Criteria;
- Certification: TRUSTe certification pursuant to the TRUSTe Data Collection Assessment Criteria and Assurance Program Governance Standards;
- Report: TRUSTe compliance assessment report;
- Letter of Attestation: TRUSTe letter of attestation upon certification;
- Seal: Upon certification, authorization to display TRUSTe Trusted Data seal on in scope digital properties; and
- Annual Review: TRUSTe annual certification review.
- Dispute Resolution: TRUSTe will provide dispute resolution for privacy practices in the scope of Certification on behalf of the Customer.
TRUSTe’s Dispute Resolution is an independent dispute resolution service to help organizations address complaints from consumers, business partners, or end-users to help minimize risk of escalation to an enforcement agency or media. The TRUSTe Dispute Resolution offering:
TrustArc’s Consulting Services, provided by a team of expert consultants, are designed to help organizations expand their internal capacity and capabilities through external TrustArc resources. Services include guidance and support to build a privacy program, to understand global data privacy laws, to set up privacy operations, and to demonstrate privacy compliance.
TrustArc Consulting Managed Services is a subscription-based privacy office managed services as detailed in a Statement of Work, which may include:
- Assessments
- Data inventory development
- Build a privacy program
- Project management
- Custom packages
Last Updated: May, 2024
